What Is SASE (Secure Access Service Edge)?


Traditionally, users connect to a network within the perimeter at their desks, but the global move towards a home workforce has shifted the face of IT and cybersecurity. Secure Access Service Edge (SASE) is an emerging technology that merges traditional IT infrastructure with cloud services to support a range of users and their locations. Instead of requiring users to authenticate into multiple platforms individually, SASE provides users access to all cloud services via data centers. These data centers provide access controls where administrators can perform user management and manage cloud resources.

Difference Between Point Solutions & SASE

In a traditional WAN, administrators created point solutions across different locations. Each WAN (Wide Area Network) segment had its own firewalls, network components, and user management. Each segment came together in a centralized control segment where servers and other access management could be set up.

In a SASE design, these point solutions are moved to data centers where administrators no longer need to manage physical devices. The cloud provider offers firewalls and access management tools, so administrators have reduced overhead. Administrators still need to manage the cloud services, but the cloud provider manages the physical hardware.

Users connect to the network, but instead of using individual WAN devices, they connect to data centers where the business network is located. All services are monitored and controlled by administrators who can provision services in the cloud and authorize users to access them instead of managing different services across the Internet.

What Is the SASE Security Model?

When a change in IT infrastructure occurs, security must be designed around it to ensure the safety of applications and corporate data. The SASE security model attempts to solve cybersecurity issues surrounding traditional WAN architecture and any new cloud resources provisioned for the new environment.

The networking and security components used in a SASE model are mostly newer technology, but they are designed to work with WANs integrated into the cloud. Adding SASE functionality is necessary for a stable user environment. The technology used in the SASE model includes:

  • SD-WAN: A software-defined (SD)-WAN is used to connect all remote users and manage their private network. The SD-WAN connects users to data centers. Cloud service providers usually provide these data centers with multiple points of presence (PoP) locations. The data center (or the group of data centers) the user connects to depends on the user’s location. By connecting users to data centers near their location, performance is improved. Network traffic travels across data centers instead of the Internet, decreasing latency.
  • Zero trust: In a traditional environment, users connected to the network were trusted. Insider threats are a real concern for corporations where users intentionally or unintentionally install malware or disclose data to attackers. A zero-trust policy inside a WAN is essential. In a SASE security model, zero-trust is implemented across all network segments and data access where the standards of least privilege for authorization is practiced.
  • Cloud services: Implementing cloud services isn’t new to networking, but in a SASE model, users don’t connect directly to the cloud service from their work computers. Instead, they connect to the corporate network located at cloud data centers and use corporate network resources to connect to applications. This gives administrators the ability to monitor access and centralize access controls.
  • Identity access management (IAM): By forcing users to connect to the network before accessing cloud resources, administrators can control access using identity management instead of IP addresses. Administrators can add users to groups and grant groups authorized access. Organizing authorization by groups makes it easier for administrators to manage access across several resources and revoke privileges when necessary.

Benefits of SASE

A change in any IT structure has an upfront cost, so businesses want to know the benefits before they dive into restructuring the network. Even with its upfront costs, SASE eventually saves money, and businesses can leverage several other advantages:

Reduced Costs

Instead of managing and buying multiple point products to service and secure different WAN segments, the organization can save costs by using data center resources and a centralized management system.

Improved Performance

The business network within data centers is set up with its own network backbone and infrastructure. Users connect to a data center near their location, so network latency is reduced.

Reduced Complexity

With traditional infrastructure, IT must manage every component across WAN segments. With SASE, the network is in the cloud at the data center, which reduces the components administrators manage and the network's complexity.

Better IAM

Instead of managing IP addresses, administrators manage users and user groups. This centralized and organized IAM provides improved security and access controls.

SASE Challenges

Because SASE is a new network architecture methodology, some administrators fear the drawbacks. Chasing the latest technology or processes can be expensive, especially if they don’t prove to be a better alternative or save the organization any money. The wrong technology can be disastrous for IT and add complexity to the way systems are managed.

The SASE disadvantages are few, but administrators might see some challenges:

  • A single point of failure: If not appropriately configured, a SASE can be a single point of failure, especially for remote users. Users who cannot connect to the local network won’t be able to access any necessary productivity tools or services.
  • Relying on a single cloud provider: Once the network relies on cloud data centers, the business is locked into a single provider. Any price changes or changes to the cloud provider’s architecture affect the business and could force administrators to change the network's configuration.

These challenges can be overcome by using a multi-cloud design where one provider can be used as a failover, and another provider supports daily productivity, but this method is also expensive. Organizations that have several remote users and cloud resources can best benefit from SASE even with its challenges. The costs associated with a catastrophic failure will far surpass the cost of failover.