What is SASE?
In this article, we unpack the mystery around SASE - what it is, what is behind all the excitement, and what potential it holds for the future. We'll also explain our viewpoint on the SASE hype, and what challenges it has, and what alternative forms it may take, to help you cut through the noise.
Covered in this article:
- What is SASE?
- What's the potential of SASE?
- What are the key drivers of SASE?
- What's the difference between SASE and Zero Trust?
- What are the limitations of SASE?
- Are there alternate forms of SASE?
What is SASE?
Secure Access Service Edge, more commonly known by the acronym SASE, is one of the hottest trends among cybersecurity vendors today. As Gartner pointed out in a 2019 whitepaper (paywall), the current generation of network security (namely, firewalls, web proxies, and IDS/IPS) are poorly suited to handle the IT challenges of the modern business.
There's nothing inherently wrong with the security capabilities of those network security boxes; rather, the main issue with today's network security is that they are boxes, deploying at a fixed point inside a network built and controlled by corporate IT. As applications continue to move out of corporate datacenters and into cloud and users continue working from anywhere, forcing traffic to route through those fixed points for security and compliance is an increasingly untenable proposition.
SASE envisions a secure access layer, deployed from the cloud, to create a virtual service edge where arbitrary security functions are delivered. Some of the security features in this layer include ZTNA, FWaaS, and SWG.
To solve the problem of how to route packets through this secure access layer, the initial definition leverages SD-WAN, a technology originally intended to provide a more flexible alternative to MPLS for branch connectivity, to provide a security service insertion point. In this way, traffic from a branch office, datacenter, or cloud can be directed to the SASE cloud for security inspection before it heads off to its final destination. This definition may trigger certain limitations that should be considered when evaluating SASE options, as they may impact certain use cases or even offset some of the advertised benefits of SASE.
What's the potential of SASE?
SASE is a vision with huge potential impact.
For enterprises, it offers many tantalizing benefits, including standardization of security operations across multiple sites and clouds, which can help them adopt cloud computing in an elastic and scalable way. Additionally, it offers the promise of security-as-a-service, which can allow them to rapidly adapt to changing security requirements simply by updating policies.
For security vendors, however it is a hugely disruptive force. It triggers new opportunities for all vendors, but traditional network security in particular may find that it threatening to their existing technology and associated go-to-market models, as it has the potential to shift demand away from predictable upgrade and replacement cycles as customer effort and investment is shifted into new infrastructure build activities. This threat explains why so many vendors are rushing to claim the new SASE crown.
What are the key drivers of SASE?
Key drivers for SASE interest include:
- The rise of Work from Anywhere, driven by the COVID-19 global pandemic
- Growing acceptance and adoption of cloud computing among enterprises
- Steadily increasing cloud migration activity that pushes applications and data outside of the traditional corporate network perimeter
The effect of these trends is to de-emphasize centralized corporate facilities in favor of models that enable a distributed, service-oriented enterprise. This dramatically expands the attack surface that security and compliance teams need to consider, making SASE an attractive option.
What's the difference between SASE and Zero Trust?
The Zero Trust model replaces trust based on network zone and topology with authenticated identities and explicit authorization. As such, it is more of a philosophical approach to enhance security than a set of standards to follow. It is a next-generation best practice for cybersecurity implementation, and any modern enterprise initiative should align with the principles of Zero Trust. This is particularly true for cloud migration and digital transformation initiatives, because of their tendency to connect on-premises assets to new resources in the cloud, where the distributed network silos are no longer unified and trusted.
As outlined, SASE is an identity-centric secure access platform, and it should be able to offer Zero Trust capabilities. The details of how users, endpoints, and devices are identified, and how policies are specified and enforced is left up to each vendor. It's important for customers to thoroughly review and understand how a vendor's SASE implementation supports the implementation of a Zero Trust model for secure access among distributed users, applications, endpoints, and services.
For more information on Zero Trust, read our explainer article:
What are the limitations of SASE?
The vision of SASE is to enable agility and end-to-end secure access policy enforcement. However, SASE's definition creates several infrastructure and operations (I&O) challenges that need to be addressed for these goals to be realized.
- "Service edge" demarcation has to be at the application edge, not at the network edge
Using SD-WAN as an on-ramp to SASE firmly establishes existing the network edge as the service edge. In order to get to the service edge, traffic originating deep inside the enterprise in a different network zone or in a peered VPC needs to first get through existing networking and security edges before reaching the SASE on-ramp. This relies on traditional routing/switching and firewall techniques, creating friction in the process that negates some of the agility benefits. This also mingles identity with existing network infrastructure, which can create practical challenges for the adoption of Zero Trust models.
With the service edge at the network edge, security policy definitions can only be enforced from the network edge, rather than from the application edge. Additionally, such an implementation is only effective for north-south traffic; services like FWaaS cannot be applied to east-west traffic micro-segmentation, creating yet another infrastructure-related corner case.
Additionally, SD-WAN is not an ideal deployment model for all scenarios. Consider a remote user, who needs to work from home. Delivering SASE through a SD-WAN CPE only shifts the problem into the user's home network, and the low portability makes it clearly infeasible solution for allowing the same user to work from a coffee shop.
SASE coupled with networking requires effort to route through trusted zones to the demarcation point
- Security enforcement should not be coupled with networking topology, to support Zero Trust
Edge-to-edge security policies are sensitive to the configuration of the underlying networks, and require effort to maintain as the applications delivered over-the-top change. For example, bringing up a new cloud application and providing least-privilege access to a sensitive on-premises database may require the on-prem security settings to be modified later if there is a cloud VPC change for any reason.
This means that projects using SASE will need the full support of and coordination between the security, networking, and application I&O silo owners.
It's possible that some of these current limitations will be addressed in the future through orchestration. Already, efforts are underway to create SASE standards. Once complete, implemented and tested for interoperability, they may prove useful, however, there is a substantial existing installed base of enterprise networks which may not be able to benefit, or will never change. The world will always have brownfields.
Are there alternate forms of SASE?
Yes. SASE can also be implemented through an overlay connectivity technology, such as the CoIP SASE Overlay.
An overlay-based SASE takes an endpoint- and application-centric approach, and delivers the following improvements over SASE:
- Pushes the security service edge to the application edge, inside or adjacent to the endpoint
- Consistent security across all environments, reducing dependencies on existing network silos for improved agility
- Decouples security from networking with Zero Trust-based identity for users, applications, endpoints, and devices
- Enables security policies that do not change when they underlying network environment changes
- Enables security policies that apply to one application only, decoupled from other applications using shared network infrastructure
- Enables micro-segmentation on east-west, as well as north-south directions
These properties allow a SASE overlay to be deployed on top of any brownfield environment, in any datacenter environment, or in any public or private cloud. The security demarcation is at the endpoint, allowing Zero Trust policies to be enforced from end-to-end in any environment.
SASE overlay model with demarcation at the endpoint distrusts all underlying networks
By decoupling from the network, a SASE overlay allows the enterprise to upgrade and change applications independently and elastically. Even underlay networks can be upgraded, transparent to applications it serves – for example, to implement SD-WAN as a software-defined underlay – to improve network performance without changing security policies.
Furthermore, a SASE overlay, which is built on computing elements only, rather than a combination of computing and networking, can be implemented by the security and DevOps teams. The networking team can retain responsibility for the underlay network availability and performance, without having to be involved in application provisioning. The SASE overlay model provides another significant agility boost by allowing smooth and independent business and infrastructure operations.
Other technologies have undergone a similar progression that decouples the network from the applications and security that use it, and it is our opinion that SASE overlays are inevitable for enterprise operations. For a detailed analysis and some predictions, check out our white paper on SASE overlays.