What is Secure Access Service Edge (SASE)?
Secure Access Service Edge, or SASE (pronounced “sassy”), is an enterprise security architectural model for networking that’s designed to support the fast application access needs of today’s workforce. SASE architectures converge networking and cloud-delivered security into a high-performance, single-pass architecture with unified management.
Explore additional SaaS topics:
What is SASE
There are three primary market trends driving the shift to SASE in networking and security:
- Apps are moving to SaaS: In traditional on-premises network architectures, backhauling SaaS traffic to the datacenter for security worsens latency and increases network costs. As cloud environments become more prevalent, SASE allows organizations to move network security services from the datacenter closer to remote users.
- Workers are more mobile and remote: Employees expect the same experience and security regardless of their location. Unfortunately, traditional VPNs do not offer granular security controls and in turn worsen that experience.
- Threats are evolving rapidly: Security teams need to continually upgrade and update their infrastructure to keep pace with new threats. This is complex, time-consuming work that still often leaves many organizations open to zero-day threats.
Today’s enterprise needs to empower all employees with a fast, consistent, and secure digital workspace experience, regardless of location or device. At the same time, IT teams need to become more agile so they can focus on delivering new digital services—rather than spending the bulk of time managing complex networking and security stacks. By ensuring networking and security both evolve and converge, the SASE framework enables:
- Agile, unified, single-pane-of-glass administration that includes provisioning as well as granular policy control and visibility.
- Consistently fast and secure app access everywhere, by virtue of WAN capabilities that overcome the unpredictability of local internet breakouts.
- Consistent enforcement of security compliance policies through a global security cloud, for all users, regardless of their locations.
The SASE model converges comprehensive SD-WAN and network security functions into a single-pass architecture, administered via a unified management plane for networking and cybersecurity. Gartner, which coined the term SASE, has listed “Core” and “Recommended” capabilities for SASE architectures.1
Core SASE capabilities include:
SD-WAN enables resilient, low-latency connectivity over any type of network transport, while allowing for reduced complexity compared with traditional router-based solutions. Cloud-native and real-time apps in particular benefit from SD-WANs. SD-WANs achieve this through capabilities such as path selection based on path quality assessment, WAN optimization, and peering with SaaS applications. In addition, some SD-WANs feature network security measures such as integrated intrusion detection/prevention systems (IDS/IPS) and simplified setup of VPN tunnels between branch offices and SaaS apps.
Secure web gateway
A secure web gateway (SWG) is an enterprise cybersecurity solution, typically implemented inline as a cloud service, that sits between users and the web. User traffic is forwarded to the SWG for inspection and further action as necessary, through built-in network security capabilities such as URL filtering, application control, and anti-malware defense.
Cloud access security broker
With a cloud access security broker (CASB), an enterprise can manage access control for all approved and unapproved SaaS apps. CASB security solutions are built upon four main pillars, including:
- improved visibility, including across shadow IT applications
- data security for shielding sensitive data from unauthorized access
- threat prevention through capabilities like behavioral analysis
- simplified proof of compliance
Zero trust network access
Zero trust network access (ZTNA) enforces the principle of least privilege for authorized users accessing sanctioned applications. It is also identity- and context-aware, evaluating access attempts based on identity information from cloud services like Microsoft Azure Active Directory and on parameters like time of day and location. Access may even be granted to applications instead of the underlying network, to prevent lateral movement of threat. Overall, ZTNA allows for a better user experience, tighter security controls and reduced complexity compared with traditional VPN solutions.
Firewall as a Service
Firewall as a Service (FWaaS) implements ingress and egress security controls across an enterprise network, to ensure that only trusted traffic may pass. More specifically, a FWaaS solution can integrate anomaly-based (signature-less) threat detection, network sandboxing, geolocation, anti-malware software and IDS/IPS solutions. FWaaS is often integrated with security analytics solutions for comprehensive protection for data centers, cloud instances and branch offices.
Data loss protection
Data loss protection (also referred to as threat prevention) is integrated into the single-pass architecture of a SASE platform. A data loss protection engine offers visibility into data in use, in motion, and at rest. It can quarantine risky data or activity, enforce encryption, and send network security alerts to lower the overall risk of a data breach.
Encryption/decryption of content at line speed, at scale
The single-pass architecture of SASE allows encrypted traffic to be opened and inspected just once, to reduce the latency of traditional security stacks with service-chained inspection engines.
Recommended SASE capabilities include:
Web application and API protection
As usage of web applications increases, it’s important to keep malicious traffic and requests at bay. Web application and API protection, or WAAP, may integrate security solutions such as advanced rate limiting, runtime application self protection, and DDoS mitigation.
Remote Browser Isolation
By using remote browser isolation, it’s possible to protect the enterprise network from browser-based attacks. Data from websites, including possibly compromised ones, is not transferred to end-user devices, lowering the possibility of a breach or infection.
A network sandbox sends suspicious content to an isolated environment, where it can run without affecting other applications. FWaaS solutions within the SASE platform can then inspect it further and block any malicious files and assets, if they are discovered.
Support for managed and unmanaged devices
A SASE platform offers a better framework for securing enterprise- and employee-supplied devices, with multiple security solutions protecting against threats such as data loss, unauthorized access, and malware.
SASE capabilities are delivered in a unified “thin branch, heavy cloud” service model: SD-WAN functionality is offered as a “thin” branch appliance, while security functionality is provided as a “heavy” cloud service.
1Critical Capabilities for WAN Edge Infrastructure, Gartner, Sept 2020
How the approach to cybersecurity and zero trust network access has evolved
See how ZTNA has become mainstream to meet the needs of a hybrid organization.
SASE architectures were designed with the intent of enabling fast, reliable, and secure access to cloud applications by mobile and remote workers, while concurrently improving IT agility. Assuming enterprises pay attention to the nuances in functionality offered, such as unified management across networking and security, single-pass architectural design, and powerful SD-WAN functionality, organizations can achieve the following benefits from a SASE deployment:
A superior user experience. Direct internet access eliminates latency from backhauled connections. However, SD-WAN and WAN optimization functionality within SASE solutions is required to ensure consistent performance even as Internet performance fluctuates. Single-pass architectures ensure that the inspection and policy engines themselves do not add unnecessary latency.
Improved security. Identity-aware, zero-trust access is enabled for sanctioned applications. This reduces the attack surface and impedes lateral movement of malware within the enterprise network. For web and unsanctioned applications, comprehensive, cloud-delivered security ensures a consistent security posture, regardless of employee location.
Greater IT agility. SASE architectures can help consolidate point solutions across networking and security. Single-vendor solutions offer deeper integrations and unified management which simplifies deployment, configuration, reporting, and support services. Since SASE architectures require moving security to the cloud, the overall hardware footprint is reduced—which in turn improves architectural elasticity and scale.
While many service providers promote the individual components of a SASE architecture, delivering all of the requisite functionality is critical, as the unified whole is greater than the sum of the parts. Only with a full “SASE stack” can enterprises enable fast, consistent, and secure access to all apps, from any location and device, while also improving IT agility. The most powerful SASE architectures include the following nuances that differentiate them from the competition:
A SASE platform combines cloud security with comprehensive WAN functionality, with both of these capabilities building upon one another. While cloud security enables local internet breakouts (for eliminating latency from backhauled architectures), it does nothing to overcome the overall unpredictability of internet connections. SD-WAN and WAN optimization ensure changes in network performance do not impact employee experience.
Through SASE, teams get unified views into infrastructure deployments (including for cybersecurity), network policy configurations, and comprehensive reports. It all adds up to more holistic and agile control across the entire enterprise architecture.
The service chaining of functionality often forces traffic through multiple inspection and policy engines, adding latency and minimizing any performance improvements expected from the SASE architecture. In contrast, well-designed SASE architectures will follow a single-pass approach, under which traffic is opened and inspected just once by all policy engines in parallel.
Privacy and regulatory requirements such as GDPR often require segregation of data, selective decryption and visibility and control over how and where data will flow. With cloud-delivered security, meeting these obligations can be challenging, making evaluation of compliance measures important for any potential SASE solution.
Unified vendor management
One of the primary goals of SASE is to improve IT agility. By consolidating vendors, you can minimize the number of conversations required to plan, deploy, manage, and support a comprehensive, unified architecture across networking and security solutions. This consolidation not only accelerates operations but also helps nurture cross-functional conversations in IT, leading to better, more strategic decision-making. Moreover, from a pure technology perspective, a single-vendor architecture offers deeper integrations across all functionality than possible through technology alliances between organizations.
Organizations need to evolve their enterprise networking and security infrastructure in response to changing usage patterns—such as which apps are accessed, and from where—in order to meet employee expectations as well as business requirements. This evolution will support broader strategic initiatives, such as enabling a “work-from-anywhere” workforce and improving business continuity through agile, elastic, and efficient infrastructure deployment.
Broadly, the downstream IT use-cases can be broken into three categories:
Transforming networking and security architecture
Traditional hub-and-spoke appliance-based architectures add latency, increase WAN costs, and are complex to manage. Replacing them with a SASE architecture will allow secure local internet breakouts for fast, consistent, and secure access to all applications from any location. Unification of cloud-delivered cybersecurity and SD-WAN within the SASE architecture enables better application performance, agile management, and visibility without blind spots.
Securing SD-WAN deployment
While SD-WAN solutions are critical for improving the performance of applications, leveraging an SD-WAN alongside a datacenter-based security stack adds avoidable latency and reduces the overall benefits of SD-WAN. Appliance-based security in the branch location also requires frequent upgrades as the volume of encrypted traffic increases, raising costs and operational complexity. Cloud-delivered security is a viable alternative but must be delivered as a unified, single-pass SASE architecture in tandem with the SD-WAN solution. This setup ensures that the benefits expected from SD-WAN–faster app performance, operational agility, and reduced OpEx–are maximized.
Delivering a secure and productive digital workspace
Digital workspace solutions enable a streamlined and productive employee experience, for all work applications and desktops, regardless of the device being used. When supported by a SASE architecture, application performance can be further improved with intelligent traffic prioritization and WAN optimization, and security bolstered with identity-aware, zero-trust access and powerful malware protection for all traffic.
The secure access solution from Citrix ensures users can access applications easily and securely, no matter where they work. With Citrix Secure Private Access to deliver ZTNA access to corporate apps, the enterprise attack surface is minimized and cyberthreats are kept at bay. As an essential component of SASE architecture, it allows organizations to support the fast app access needs of today's workforce—without putting data at risk.