
Secure Access Service Edge

Securing your organization’s infrastructure—including all software and hardware—is crucial to providing your hybrid workforce with an always-on and secure application experience. This is especially important as legacy networking and security architectures can’t adequately keep up with today’s business needs, such as large remote workforces, the shift to the cloud, and protecting against zero-day threats.

Fortunately, the path towards modernizing your networking and security architecture is flexible, as technologies like cloud-delivered security, software-defined wide-area networks (SD-WAN), zero-trust network access (ZTNA), and more are converging into one unified solution: Secure Access Service Edge (SASE).

SASE was created and defined by Gartner as a way to support the dynamic secure access needs of modern organizations. A SASE architecture makes it easier for you to configure, manage, and scale networking and security policies across your entire workforce with better visibility and a consistent user experience.

If you’re considering evolving your enterprise networking and security infrastructure to a Secure Access Service Edge architecture, this guide is here to help. Below, we will break down the key components that make up a full SASE stack, as well as how you can easily implement a SASE architecture with a unified solution.

SASE: A new approach to enterprise networking and security

Today’s employees need a fast, reliable, and secure application experience no matter where they are located or what device they are using. Successfully delivering these digital services requires IT teams to become nimble and agile, rather than wasting time managing disjointed or complicated networking and security solutions.

Illustration of companies’ needs to have secure application experience.

Fortunately, Secure Access Service Edge allows IT teams to implement a consolidated networking and security architecture that breaks down operational silos in IT and meets the needs of modern workforces. While cloud-delivered security can help mitigate challenges with traditional networking security architectures that backhaul software-as-a-service (SaaS) and general internet traffic through a data center, SASE’s consolidated framework moves security closer to users and apps, allowing you to provide employees with a secure, consistent application experience no matter where they are located.

Through SASE’s integration of technology like software-defined wide-area network (SD-WAN), your organization can also remove unpredictable performance of internet connectivity. This means that if internet performance varies across your network, application performance will remain consistent. A SASE architecture also allows IT to consistently enforce security policies for all users through globally distributed points of presence (PoP) that deliver a full stack of security capabilities. This keeps your organization safeguarded against unauthorized access and threats from the internet, like zero-day attacks, malware attacks and ransomware.

Components of a SASE architecture

Defined by Gartner, a comprehensive SASE architecture includes:


SD-WAN is a virtual WAN architecture that virtualizes and bonds any combination of network transport types, such as multiprotocol label switching (MPLS), broadband internet, cellular, and satellite. Centrally managed from the cloud, SD-WAN dynamically routes traffic based on current network conditions and organizational policies to ensure application accessibility and performance is never sacrificed.

SD-WAN simplifies network and security administration and streamlines the setup of branch offices through integrated network and security policy management and zero-touch provisioning—or automatic device configuration that frees up your IT team for more pressing tasks. With SD-WAN, it’s easy to modernize legacy infrastructure architectures that consist of edge routers and point security solutions.

Top enterprise benefits of SD-WAN

An SD-WAN provides your end users with a better application experience and offers comprehensive security policy controls that are designed to ensure your network is “cloud-ready.” Additionally, an SD-WAN can replace MPLS or work alongside it while adding broadband and 4G/LTE access. Simply put, the benefits of SD-WAN include:

Enhanced security

Consolidates network edge infrastructure and allows you to manage everything from a centralized location. This eliminates the chance for human error that can occur while manually configuring edge connections. Built-in security features like next-generation firewalls (NGFW) also safeguard data at your network edge.

Streamlined network administration

Centralized network management allows you to easily monitor end users and enhance app performance. Additionally, zero-touch provisioning allows your IT team to update WAN policies in real time or quickly add a new location.

Reduced networking expenses

Utilize low-cost internet and broadband, or LTE network connections, in place of or in addition to leased-line MPLS links. You can also reduce dependency on private network services, consolidate your network architecture, and optimize bandwidth.

Optimized user experience

SD-WAN dynamically routes traffic to the fastest path between two points. This provides a better experience for your end users, and reduced downtimes lead to boosted productivity levels.

Secure web gateway (SWG)

An SWG is a cybersecurity solution that sits between the user and the internet to protect access to internet and SaaS applications. Using URL filtering, application control, and anti-malware security capabilities, SWGs filter out unwanted software or malware as a user browses the web—all the while enforcing corporate policies to meet regulatory compliance.

For example, a SWG can use URL filtering to block access to web pages and web categories—such as gambling websites or dark web marketplaces—that are deemed unsafe or against your organization's policies. If a user manages to gain access to a high-risk digital location, today’s comprehensive SWGs can provide malware protection to inspect malicious files and prevent downloads.

Many of today’s SWGs also provide internet access control for applications and browsers. This means that if your organization knows Windows 7 has vulnerabilities and is not a recommended operating system for your end users, your IT team can enforce that no Windows 7 devices are allowed to access web and SaaS applications. Native or integrated data loss prevention (DLP) is also increasingly included with modern SWGs.

Cloud access security broker (CASB)

CASBs are on-premises or cloud-based security policy enforcement points that are placed in line between users and applications (such as with Secure Internet Access) or in an out-of-band fashion through API integrations with applications (such as with Microsoft Cloud Application Service).

In both scenarios, CASBs focus on controlling SaaS app usage through four key methods:


Detects SaaS apps and identifies users accessing apps. Most enterprises deal with challenges around shadow IT, and CASBs are essential in helping identify SaaS apps in use and the employees accessing those apps. Once apps have been identified, control can be executed on their usage.


Limits access to specific apps and incorporates tenant restrictions to corporate domains. For example, if only corporate domains of Microsoft Office 365 need to be allowed, that can be enforced through CASB solutions.


Reporting and alignment with data residency requirements. Industry compliance requirements dictate logging and reporting of user level activity data, and control on access to sensitive information. CASB solutions help deliver on this.

Data Security

Data Loss Prevention for data stored in cloud services. CASBs can enforce data security by ensuring that data is not exfiltrated to personal SaaS accounts. This means that uploads to file sharing services like Google Drive or Dropbox can be restricted. Some CASB solutions also offer encryption of data at rest.

Zero-trust network access (ZTNA)

ZTNA is a security architecture that enforces adaptive access with the principle of least privilege (PoLP) for designated users who are utilizing approved applications. With a ZTNA framework, you can create a digital identity-based perimeter that continuously verifies users and devices in real time using parameters such as location and what time of day it is. Additionally, a zero-trust architecture prohibits lateral movement throughout the network, provides a more efficient user experience, and offers more robust and simplified security controls compared to traditional VPNs.

Firewall-as-a-service (FWaaS)

FWaaS enables you to allow or restrict bidirectional traffic into your network based on IP addresses, ports, and protocols on a per-packet basis. For example, these firewalls could be used for packet filtering to block all File Transfer Protocol (FTP) traffic into your network if it is deemed an insecure protocol by your IT team. Firewalls could also be used to block traffic coming from IP addresses in particular countries or regions.

Modern Next Generation Firewalls (NGFWs), however, add application intelligence and malware signature analysis to boost their security capabilities even further. They can also monitor the “state” of communication, which is also known as a stateful inspection. This ensures that when you connect to a web server and that server must respond to you, your stateful firewall already has the proper access open and ready for the responding connection. When the connection ends, that access opening is closed.
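
The stateful inspection and packet-filtering behaviour described above, as an added example (not code from this guide or from any firewall product): a simplified connection table in which an outbound SYN opens the return path and a FIN or RST closes it, with the FTP rule applied per packet. The class names, the single-flag TCP model, the unmodelled outbound policy, and the documentation-range addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

FTP_CONTROL_PORT = 21  # stateless rule from the text: no FTP into the network


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" leaves the protected network, "in" enters it
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "ACK"  # simplified to one TCP flag: SYN, ACK, FIN or RST


class StatefulFirewall:
    def __init__(self):
        # Open connections as (inside_ip, inside_port, outside_ip, outside_port).
        self.connections = set()

    def handle(self, p: Packet) -> str:
        # Both directions of a flow normalise to the same table key.
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
        else:
            key = (p.dst, p.dport, p.src, p.sport)
        # 1. Per-packet filter, applied before any state lookup.
        if p.direction == "in" and FTP_CONTROL_PORT in (p.sport, p.dport):
            return "deny: ftp"
        # 2. An outbound SYN opens the return path.
        if p.direction == "out" and p.flags == "SYN":
            self.connections.add(key)
        # 3. Inbound packets pass only as part of a tracked connection.
        if p.direction == "in" and key not in self.connections:
            return "deny: no state"
        # 4. Teardown closes the opening again.
        if p.flags in ("FIN", "RST"):
            self.connections.discard(key)
        return "allow"


def demo() -> list:
    """Replay a constructed session and return the verdict for each packet."""
    c, web, ftp = "10.0.0.5", "203.0.113.10", "203.0.113.20"
    fw = StatefulFirewall()
    return [fw.handle(p) for p in [
        Packet("in", web, 443, c, 50000),          # unsolicited
        Packet("out", c, 50000, web, 443, "SYN"),  # client connects
        Packet("in", web, 443, c, 50000),          # server response
        Packet("out", c, 50000, web, 443, "FIN"),  # connection ends
        Packet("in", web, 443, c, 50000),          # late packet, state gone
        Packet("out", c, 50001, ftp, 21, "SYN"),   # state exists...
        Packet("in", ftp, 21, c, 50001),           # ...but the filter wins
    ]]
```

The last two packets show the ordering that matters in practice: a tracked connection does not override a per-packet deny rule.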

A common use-case would be for your enterprise IT teams to use NGFWs with a FWaaS provider to block Microsoft’s ActiveX controls and peer-to-peer applications, both of which have often been identified as risky by IT teams.

With FWaaS integration, you can deploy security controls like:

  • Anomaly-based threat detection
  • Sandboxing
  • Location-based filtering
  • Malware protection software
  • Intrusion detection and prevention systems (IDS and IPS)

Data loss prevention (DLP)

DLP solutions focus on protecting sensitive data-in-motion—such as credit card numbers, social security numbers, birthdates, physical addresses, and email addresses—from careless or malicious insiders or malware. This is done by analyzing data streams to identify pre-defined patterns or exact data matches.

For example, a credit card number may feature 15 digits, but not every 15-digit string of characters is a credit card number. A DLP solution performs a calculation called a “checksum” to ensure credit card numbers match a recognized pattern used by multiple credit card brands.

During this checksum, the DLP solution also searches for keywords and date values that could include the credit card expiration date. Robust DLP solutions also provide behavioral analytics that identify malicious insider behavior via event analysis, which could include database access at atypical hours.
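
The checksum-plus-context check described above, sketched as an added example (not code from this guide or from any vendor's product). It assumes the checksum is the Luhn algorithm used by the major card brands; the keyword list, the 40-character context window, and the sample lines are constructed for illustration.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Context that raises confidence: card keywords or an MM/YY or MM/YYYY date.
CONTEXT = re.compile(
    r"\b(?:card|visa|amex|cvv|exp(?:iry|ires)?)\b"
    r"|\b(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})\b",
    re.IGNORECASE,
)
WINDOW = 40  # characters of surrounding text inspected (assumed value)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return masked findings for Luhn-valid card-like numbers in text."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue  # right length, wrong checksum: order IDs, tracking numbers
        nearby = text[max(0, m.start() - WINDOW):m.end() + WINDOW]
        findings.append({
            "masked": "*" * (len(digits) - 4) + digits[-4:],  # never log the full number
            "length": len(digits),
            "confidence": "high" if CONTEXT.search(nearby) else "medium",
        })
    return findings


# Constructed sample traffic; the card numbers are public test values.
SAMPLES = [
    "Customer paid with Amex 378282246310005, expires 09/27",
    "Tracking reference 123456789012345 shipped today",
    "backup code 4111-1111-1111-1111 stored",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(scan(line))
```

The second sample is the case the text warns about: it has the right length but fails the checksum, so it produces no alert.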

Cloud sandbox

To protect against threats hidden in files being downloaded from the internet, a cloud sandbox establishes a secure environment that allows you to open suspicious files or run untrusted programs without affecting other applications in your network. You can utilize this secure environment at any time to inspect a file, program, or code that you suspect to be malware or a zero-day threat while ensuring it remains isolated from a device and your enterprise network apps.

Remote browser isolation

Unrestricted access to the internet using a browser can expose your organization to browser-based attacks. Remote browser isolation allows you to move browsing activity from a user’s device to a remote server that’s located in the cloud or on-premises in your enterprise network. This process makes it possible to prevent browser-based attacks on your network and lowers your vulnerability to a breach or infection, as data from compromised websites is not transmitted to user devices.

How to implement a SASE architecture

Establishing a full secure access service edge architecture for your enterprise can feel overwhelming, especially if you are already deploying disjointed networking and security solutions from multiple vendors. Today, 78 percent of organizations use more than 50 different cybersecurity tools, and adding even more to that number can create significant roadblocks. This includes attempting to manage and optimize siloed systems and converging these systems to create a single risk rating.

When you partner with a single vendor that offers a unified, ready-to-deploy SASE service, you can easily implement a comprehensive SASE architecture that:

  • Improves your IT department’s agility to respond to business needs
  • Provides deeper integrations across your current networking and security framework to simplify policy management
  • Offers single-pane-of-glass management that makes it easier to troubleshoot problems
  • Is designed with a single-pass architecture to maintain performance as your business grows
  • Incorporates privacy and data segregation to keep your customers’ and users’ intellectual property safe
  • Streamlines licensing and procurement so you can quickly add new functionality
  • Includes SASE architecture implementation, training, and tech support to help break down IT silos and reduce challenges to adoption

The benefits of the Citrix complete SASE solution

Citrix Secure Access Service Edge (SASE) brings together SD-WAN, zero-trust access and comprehensive, cloud-delivered security into a single, centralized architecture. Together, these unified solutions allow organizations to provide secure remote access to applications and the internet, without putting strain on IT. And they’re built to meet the complex needs of distributed workforces.

Citrix SD-WAN

Citrix SD-WAN delivers automated and secure connectivity to SaaS, cloud, and virtual apps. With a WAN Edge infrastructure, it safeguards corporate information and resources stored across multiple branches and cloud platforms, as well as provides end users with an always-on enterprise application experience.

Not only does Citrix SD-WAN simplify network management, optimize app performance, and automate connectivity to both infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) cloud workloads, but it also provides continuous protection across your organization's attack surface at the network edge. Additionally, with dynamic traffic routing, visualized reporting, and zero-touch provisioning, you can easily monitor connections in the cloud and roll out and scale new apps quickly.

Citrix Secure Internet Access

With Citrix Secure Internet Access, you unlock a cloud-delivered security solution with global reach that protects all applications and end users—no matter their location or device. This ensures your workforce can access apps using direct internet access (DIA) without compromising on security or performance. Our complete cloud-delivered security stack combines security capabilities such as SWG, CASB, Malware Protection with Sandboxing, Intrusion Prevention and Detection Systems, and DLP.

By implementing Citrix Secure Internet Access, you can protect users from malicious and compromised internet sites while replacing traditional on-premises SWGs. Additionally, you can safeguard data stored in both sanctioned and unsanctioned apps, as well as in files. You can also shield end-user devices and infrastructure from external threats like malware and zero-day attacks.

Citrix Web App and API Protection

Citrix Web App and API Protection is a cloud-based service that provides holistic protection for all your organization’s web apps and APIs across multi-cloud environments. With Citrix Web App Firewall, you can prevent both internal and external threats across all your web apps and APIs, data, and devices while reducing your overall susceptibility for malware, bots, volumetric and L7 DDoS attacks, and zero-day attacks. This allows you to effectively maintain a consistent security posture while reducing strain on your infrastructure.

Citrix Secure Private Access

Our unified SASE solution includes Citrix Secure Private Access, which provides continuous and dynamic ZTNA to sanctioned enterprise applications while providing granular security controls and protection against browser-based threats. Our zero-trust framework uses single sign-on (SSO) and real-time adaptive awareness to analyze patterns based on identity, time, and device posture.

This ensures only authorized users gain access to the applications or resources they need to complete their jobs. Not only does this increase the strength of access management security, but it also allows you to establish security policies for employees using managed, BYO, and unmanaged devices to access corporate applications and resources.

Citrix Analytics for Security

With Citrix Analytics for Security, you gain proactive security protection without interrupting your employees’ application experience. With built-in machine learning, you can easily detect and resolve security threats—such as data breaches or loss of intellectual property—with real-time, AI-powered security analytics.

Implement a unified SASE architecture with Citrix

Transforming your networking and security framework starts with Citrix’s unified secure access service edge solution. With our SASE architecture in place, you can modernize your IT infrastructure and ensure your workforce has uniform and secure access to all applications no matter their location or device.


What is SASE?

Secure access service edge (SASE) is a cybersecurity architecture created by Gartner that allows an organization to combine enterprise networking and cloud-delivered security into a highly visible, single-pane-of-glass solution with unified administration and granular policy control. Key components of a SASE architecture include a software-defined wide-area network (SD-WAN), secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), and firewall-as-a-service (FWaaS).

SASE ensures employees receive a consistent application experience and most appropriate security policies no matter where they are located or what device they are using.

What is the difference between SASE, SD-WAN, and cloud-delivered security?

A secure access service edge (SASE) architecture is the convergence of a software-defined wide-area network (SD-WAN) and cloud-delivered security. Simply put, SASE is a cybersecurity framework that combines enterprise networking and cloud-delivered security into a centralized solution with unified administration and network-wide policy control. Key components of a SASE architecture include SD-WAN, as well as other security strategies such as secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), and firewall-as-a-service (FWaaS).