What is Secure Access Service Edge (SASE)?

Secure Access Service Edge, or SASE (pronounced “sassy”), is an enterprise security architectural model for networking that’s designed to support the fast application access needs of today’s workforce. SASE architectures converge networking and cloud-delivered security into a high-performance, single-pass architecture with unified management.

Explore additional SaaS topics:

What is SASE

What is SASE used for?

There are three primary market trends driving the shift to SASE in networking and security:

  1. Apps are moving to SaaS: In traditional on-premises network architectures, backhauling SaaS traffic to the datacenter for security worsens latency and increases network costs. As cloud environments become more prevalent, SASE allows organizations to move network security services from the datacenter closer to remote users.
  2. Workers are more mobile and remote: Employees expect the same experience and security regardless of their location. Unfortunately, traditional VPNs do not offer granular security controls and in turn worsen that experience.
  3. Threats are evolving rapidly: Security teams need to continually upgrade and update their infrastructure to keep pace with new threats. This is complex, time-consuming work that still often leaves many organizations open to zero-day threats.

Today’s enterprise needs to empower all employees with a fast, consistent, and secure digital workspace experience, regardless of location or device. At the same time, IT teams need to become more agile so they can focus on delivering new digital services—rather than spending the bulk of time managing complex networking and security stacks. By ensuring networking and security both evolve and converge, the SASE framework enables:

  • Agile, unified, single-pane-of-glass administration that includes provisioning as well as granular policy control and visibility.
  • Consistently fast and secure app access everywhere, by virtue of WAN capabilities that overcome the unpredictability of local internet breakouts.
  • Consistent enforcement of security compliance policies through a global security cloud, for all users, regardless of their locations.

What's included in SASE?

The SASE model converges comprehensive SD-WAN and network security functions into a single-pass architecture, administered via a unified management plane for networking and cybersecurity. Gartner, which coined the term SASE, has listed “Core” and “Recommended” capabilities for SASE architectures.1

Core SASE capabilities include:

SD-WAN

SD-WAN enables resilient, low-latency connectivity over any type of network transport, while allowing for reduced complexity compared with traditional router-based solutions. Cloud-native and real-time apps in particular benefit from SD-WANs. SD-WANs achieve this through capabilities such as path selection based on path quality assessment, WAN optimization, and peering with SaaS applications. In addition, some SD-WANs feature network security measures such as integrated intrusion detection/prevention systems (IDS/IPS) and simplified setup of VPN tunnels between branch offices and SaaS apps.

Secure web gateway

A secure web gateway (SWG) is an enterprise cybersecurity solution, typically implemented inline as a cloud service, that sits between users and the web. User traffic is forwarded to the SWG for inspection and further action as necessary, through built-in network security capabilities such as URL filtering, application control, and anti-malware defense.

Cloud access security broker

With a cloud access security broker (CASB), an enterprise can manage access control for all approved and unapproved SaaS apps. CASB security solutions are built upon four main pillars, including:

  • improved visibility, including across shadow IT applications
  • data security for shielding sensitive data from unauthorized access
  • threat prevention through capabilities like behavioral analysis
  • simplified proof of compliance

Zero trust network access

Zero trust network access (ZTNA) enforces the principle of least privilege for authorized users accessing sanctioned applications. It is also identity- and context-aware, evaluating access attempts based on identity information from cloud services like Microsoft Azure Active Directory and on parameters like time of day and location. Access may even be granted to applications instead of the underlying network, to prevent lateral movement of threat. Overall, ZTNA allows for a better user experience, tighter security controls and reduced complexity compared with traditional VPN solutions.

Firewall as a Service

Firewall as a Service (FWaaS) implements ingress and egress security controls across an enterprise network, to ensure that only trusted traffic may pass. More specifically, a FWaaS solution can integrate anomaly-based (signature-less) threat detection, network sandboxing, geolocation, anti-malware software and IDS/IPS solutions. FWaaS is often integrated with security analytics solutions for comprehensive protection for data centers, cloud instances and branch offices.

Data loss protection

Data loss protection (also referred to as threat prevention) is integrated into the single-pass architecture of a SASE platform. A data loss protection engine offers visibility into data in use, in motion, and at rest. It can quarantine risky data or activity, enforce encryption, and send network security alerts to lower the overall risk of a data breach.

Encryption/decryption of content at line speed, at scale

The single-pass architecture of SASE allows encrypted traffic to be opened and inspected just once, to reduce the latency of traditional security stacks with service-chained inspection engines.

Recommended SASE capabilities include:

Web application and API protection

As usage of web applications increases, it’s important to keep malicious traffic and requests at bay. Web application and API protection, or WAAP, may integrate security solutions such as advanced rate limiting, runtime application self protection, and DDoS mitigation.

Remote Browser Isolation

By using remote browser isolation, it’s possible to protect the enterprise network from browser-based attacks. Data from websites, including possibly compromised ones, is not transferred to end-user devices, lowering the possibility of a breach or infection.

Network sandbox

A network sandbox sends suspicious content to an isolated environment, where it can run without affecting other applications. FWaaS solutions within the SASE platform can then inspect it further and block any malicious files and assets, if they are discovered.

Support for managed and unmanaged devices

A SASE platform offers a better framework for securing enterprise- and employee-supplied devices, with multiple security solutions protecting against threats such as data loss, unauthorized access, and malware.

SASE capabilities are delivered in a unified “thin branch, heavy cloud” service model: SD-WAN functionality is offered as a “thin” branch appliance, while security functionality is provided as a “heavy” cloud service.

1Critical Capabilities for WAN Edge Infrastructure, Gartner, Sept 2020​

E-BOOK

7 must-haves for Secure Access Service Edge (SASE) architectures

Read the e-book to learn how Citrix's unified approach to SASE converges networking and security

What are the key benefits of SASE security?

SASE architectures were designed with the intent of enabling fast, reliable, and secure access to cloud applications by mobile and remote workers, while concurrently improving IT agility. Assuming enterprises pay attention to the nuances in functionality offered, such as unified management across networking and security, single-pass architectural design, and powerful SD-WAN functionality, organizations can achieve the following benefits from a SASE deployment:

A superior user experience. Direct internet access eliminates latency from backhauled connections. However, SD-WAN and WAN optimization functionality within SASE solutions is required to ensure consistent performance even as Internet performance fluctuates. Single-pass architectures ensure that the inspection and policy engines themselves do not add unnecessary latency.

Improved security. Identity-aware, zero-trust access is enabled for sanctioned applications. This reduces the attack surface and impedes lateral movement of malware within the enterprise network. For web and unsanctioned applications, comprehensive, cloud-delivered security ensures a consistent security posture, regardless of employee location.

Greater IT agility. SASE architectures can help consolidate point solutions across networking and security. Single-vendor solutions offer deeper integrations and unified management which simplifies deployment, configuration, reporting, and support services. Since SASE architectures require moving security to the cloud, the overall hardware footprint is reduced—which in turn improves architectural elasticity and scale.

What are the essential elements of a strong SASE framework?

While many service providers promote the individual components of a SASE architecture, delivering all of the requisite functionality is critical, as the unified whole is greater than the sum of the parts. Only with a full “SASE stack” can enterprises enable fast, consistent, and secure access to all apps, from any location and device, while also improving IT agility. The most powerful SASE architectures include the following nuances that differentiate them from the competition:

Deep integrations

A SASE platform combines cloud security with comprehensive WAN functionality, with both of these capabilities building upon one another. While cloud security enables local internet breakouts (for eliminating latency from backhauled architectures), it does nothing to overcome the overall unpredictability of internet connections. SD-WAN and WAN optimization ensure changes in network performance do not impact employee experience.

Single-pane-of-glass management

Through SASE, teams get unified views into infrastructure deployments (including for cybersecurity), network policy configurations, and comprehensive reports. It all adds up to more holistic and agile control across the entire enterprise architecture.

Single-pass architecture

The service chaining of functionality often forces traffic through multiple inspection and policy engines, adding latency and minimizing any performance improvements expected from the SASE architecture. In contrast, well-designed SASE architectures will follow a single-pass approach, under which traffic is opened and inspected just once by all policy engines in parallel.

Privacy

Privacy and regulatory requirements such as GDPR often require segregation of data, selective decryption and visibility and control over how and where data will flow. With cloud-delivered security, meeting these obligations can be challenging, making evaluation of compliance measures important for any potential SASE solution.

Unified vendor management

One of the primary goals of SASE is to improve IT agility. By consolidating vendors, you can minimize the number of conversations required to plan, deploy, manage, and support a comprehensive, unified architecture across networking and security solutions. This consolidation not only accelerates operations but also helps nurture cross-functional conversations in IT, leading to better, more strategic decision-making. Moreover, from a pure technology perspective, a single-vendor architecture offers deeper integrations across all functionality than possible through technology alliances between organizations.

What are some common use cases for SASE?

Organizations need to evolve their enterprise networking and security infrastructure in response to changing usage patterns—such as which apps are accessed, and from where—in order to meet employee expectations as well as business requirements. This evolution will support broader strategic initiatives, such as enabling a “work-from-anywhere” workforce and improving business continuity through agile, elastic, and efficient infrastructure deployment.

Broadly, the downstream IT use-cases can be broken into three categories:

Transforming networking and security architecture

Traditional hub-and-spoke appliance-based architectures add latency, increase WAN costs, and are complex to manage. Replacing them with a SASE architecture will allow secure local internet breakouts for fast, consistent, and secure access to all applications from any location. Unification of cloud-delivered cybersecurity and SD-WAN within the SASE architecture enables better application performance, agile management, and visibility without blind spots.

Securing SD-WAN deployment

While SD-WAN solutions are critical for improving the performance of applications, leveraging an SD-WAN alongside a datacenter-based security stack adds avoidable latency and reduces the overall benefits of SD-WAN. Appliance-based security in the branch location also requires frequent upgrades as the volume of encrypted traffic increases, raising costs and operational complexity. Cloud-delivered security is a viable alternative but must be delivered as a unified, single-pass SASE architecture in tandem with the SD-WAN solution. This setup ensures that the benefits expected from SD-WAN–faster app performance, operational agility, and reduced OpEx–are maximized.

Delivering a secure and productive digital workspace

Digital workspace solutions enable a streamlined and productive employee experience, for all work applications and desktops, regardless of the device being used. When supported by a SASE architecture, application performance can be further improved with intelligent traffic prioritization and WAN optimization, and security bolstered with identity-aware, zero-trust access and powerful malware protection for all traffic.

Citrix solutions for SASE

Citrix SASE solutions ensure users can access apps easily and securely, no matter where they work, by converging all Gartner core and recommended capabilities into a single, unified architecture. These unified SASE offerings provide five key benefits:

Learn how you can deliver fast, secure app access with Citrix SASE