Secure Access Service Edge, also called SASE (pronounced “sassy”), is an emerging model for delivering networking and security controls as a cloud service, built to solve modern security problems in a scalable and efficient manner. The easiest way to think of it is as the next step beyond a VPN: a lightweight software client connects each user or site to a secure network that the vendor hosts, and access to each resource is granted conditionally, based on who the user is, what device they are on, and which application they are asking for. That conditional access is what lets you implement a zero trust architecture while the underlying plumbing is abstracted away as “anything as a service” (XaaS).
While zero trust architecture is a strategy, SASE manifests as a solution. The general SASE stack combines, in some combination, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS), Zero Trust Network Access (ZTNA), and, on the networking side, SD-WAN. We’ll get into exactly what these are and why they matter for security in a bit. In short, with the right solution you address many of the cost-prohibitive parts of securing cloud and hybrid access with minimal effort and at scale.
With continuous threats across the globe and new work paradigms, security has changed. It’s neither better nor worse, just more complex for people who haven’t kept up. It’s a lateral move if you have stayed current, but a lot of catch-up otherwise.
IaaS, XaaS, and Zero Trust
With infrastructure migrating to the cloud, the premium you pay for a predictable bill has fallen below what the risk of failing hardware costs you. It can make sense to have a vendor own that liability even if it costs more over the long term. We’ve reached the point where virtually everything technical is delivered as a service, because it is both technically and economically feasible. Firewalls can live in the cloud because processing resources, bandwidth, and the cost of traffic inspection have reached the point where it’s commercially viable.
Infrastructure has gotten more abstract and more complex. You aren’t securing a site anymore; you’re securing a patchwork of vendors, clients, and even employee home networks. A block of servers lives in Azure (some with Nerdio, a few with Crayon, others vanilla), another resource lives in AWS, and everything is tied in with a mixture of legacy on-premise systems and other cloud vendors. Throw in work from home, business travel, and ballooning security concerns and compliance requirements, and you get a recipe for complexity that can drive IT costs up rapidly.
It’s expensive and near impossible to build a system where every component can be trusted or even vetted. Add external vendors and the like, and traditional perimeter measures such as subnetting and VLANs break down quickly: a VLAN says nothing about whether the user or device on it should be trusted. This has led to zero trust architecture (as a strategy) and to more technical SASE solutions implementing it (alongside other technologies).
The Technologies That Make Up SASE
SASE is infrastructure as a service on steroids, with a focus on security: it adopts zero trust architecture as the strategy and bundles the technologies that make it work seamlessly. Instead of your infrastructure being an onsite network that everyone has to VPN into and then deal with jump boxes and similar, users just run an application (for most solutions). You get something like a VPN where the rules make sense, on a network whose underlying infrastructure lives transparently in the cloud.
SD-WAN (Software-Defined Wide Area Networking) has made it easy to tie disparate LAN infrastructures together so that the joins are transparent to users. Networks have gotten more complex with BYOD, work from home, and branches all needing shared connectivity to enterprise resources. That connectivity enlarges the attack surface, so companies turn to Secure Web Gateway (SWG) solutions to filter users’ web traffic and block threats. Cloud Access Security Broker (CASB) solutions give visibility into, and policy control over, how cloud services are used, which helps protect against internal threats such as data leaving through unsanctioned SaaS.
Security continues to get more complicated with the need for layer 7 (application-aware) firewalls. Zero Trust Network Access (ZTNA) is virtually essential: with so many moving parts, the best strategy is to never trust and always verify, granting access per user, per device, and per application rather than to a whole network segment. Firewall as a Service (FWaaS) supplies the policy enforcement that ties the pieces together, so the resulting virtual network can span clouds while still enforcing consistent, secure access across the distributed environment.
How SASE Solutions Work
With the complexity of the security landscape, even security-oriented MSPs are having to leverage specialist solutions to build the right cybersecurity packages. SASE vendors such as Palo Alto, Cato Networks, Cloudflare, Todyl (and more) have built easy, scalable, software-defined solutions. For many of them, connecting feels like connecting to a VPN, but the package covers many security angles at once. Some tools also cover SIEM (Security Information and Event Management) functions and more.
Cloud firewall and SD-WAN solutions let the service unify disparate networks in an easy, scalable, ad-hoc way. Using a next-generation application firewall (our partner BLOKWORX uses Palo Alto firewalls) allows the infrastructure to be locked down in a way that supports a Zero Trust Architecture that is easily managed and easily scaled. CASB solutions manage data moving into and out of the virtual network and between devices. SWG protects devices from the wider internet by filtering their outbound web traffic, while ZTNA limits their interaction with internal assets in a granular, application-defined way: a user is connected to the one application a policy allows, not to the subnet it happens to sit on.
The exact way these integrate with a site will vary depending on the vendor and what is available onsite. Some solutions may require an appliance for larger branches; others may be completely cloud-based. The equipment required to get started is usually minimal compared to building your own solution for the same results.
SASE isn’t really new, but the ability to manage so many disparate technologies in a unified manner makes it more practical to administer and scale for a business. You don’t need to jump between multiple consoles, tweak settings, and track changes across each and every item; it’s all done from a single pane of glass, or at least within a single solution. This lowers the burden of setup and maintenance and makes changes easier to audit.
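To make the “never trust, always verify” and application-defined access points above concrete, here is an added example (not code from any SASE vendor or from the original post) of a minimal ZTNA-style policy check beside the classic VPN decision it replaces. Every identity, group, device posture field, application name, and IP range below is constructed for illustration; a real product evaluates far more signals, but the shape of the decision is the same.

```python
# Added example: a minimal ZTNA-style policy engine contrasted with
# VPN-style subnet reachability. All users, groups, apps and addresses
# are constructed for illustration; this is not any vendor's code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa: bool            # did this session complete MFA?


@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled / known device
    disk_encrypted: bool
    edr_healthy: bool    # endpoint agent present and reporting


@dataclass(frozen=True)
class Rule:
    app: str             # access is granted per application, not per subnet
    allowed_groups: frozenset
    require_mfa: bool = True
    require_healthy_device: bool = True


def device_posture_ok(device: Device) -> bool:
    return device.managed and device.disk_encrypted and device.edr_healthy


def ztna_decide(identity: Identity, device: Device, app: str, rules) -> tuple:
    """Evaluate one request. Deny by default: only an explicit rule for
    this app, with every condition satisfied, yields an allow."""
    for rule in rules:
        if rule.app != app:
            continue
        if not (identity.groups & rule.allowed_groups):
            return (False, "user not in an allowed group")
        if rule.require_mfa and not identity.mfa:
            return (False, "MFA not satisfied")
        if rule.require_healthy_device and not device_posture_ok(device):
            return (False, "device posture failed")
        return (True, "allowed by rule for " + app)
    return (False, "no rule for app")


def vpn_decide(dest: str, tunnel_routes) -> bool:
    """Classic VPN model: once the tunnel is up, any destination inside a
    routed subnet is reachable; the user, device and application never
    enter the decision."""
    d = ip_address(dest)
    return any(d in ip_network(n) for n in tunnel_routes)


# Constructed sample policy and sessions.
RULES = (
    Rule("hr-portal", frozenset({"hr"})),
    Rule("git", frozenset({"engineering"})),
)
HEALTHY = Device(managed=True, disk_encrypted=True, edr_healthy=True)
UNMANAGED = Device(managed=False, disk_encrypted=False, edr_healthy=False)
ALICE = Identity("alice", frozenset({"hr"}), mfa=True)
BOB = Identity("bob", frozenset({"engineering"}), mfa=True)
VPN_ROUTES = ("10.0.1.0/24",)   # hr-portal and a legacy DB both live here


def demo() -> dict:
    return {
        "alice->hr-portal": ztna_decide(ALICE, HEALTHY, "hr-portal", RULES),
        "bob->hr-portal": ztna_decide(BOB, HEALTHY, "hr-portal", RULES),
        "alice(unmanaged)->hr-portal": ztna_decide(ALICE, UNMANAGED, "hr-portal", RULES),
        "bob->legacy-db": ztna_decide(BOB, HEALTHY, "legacy-db", RULES),
        # The same destinations over a flat VPN: subnet reachability is the only test.
        "vpn:anyone->10.0.1.10 (hr-portal)": vpn_decide("10.0.1.10", VPN_ROUTES),
        "vpn:anyone->10.0.1.50 (legacy-db)": vpn_decide("10.0.1.50", VPN_ROUTES),
    }


if __name__ == "__main__":
    for request, result in demo().items():
        print(f"{request}: {result}")
```

The point of the contrast is the last two entries: the VPN answers “yes” to the legacy database for anyone on the tunnel, because nothing about the user or device is consulted once the subnet is routed, whereas the ZTNA check denies an application nobody wrote a rule for and denies a known user whose device fails posture. A SASE client is doing the second kind of evaluation for every connection, which is what lets the “rules just make sense” without a jump box in between.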