Network architecture, and its protection, is a world that is ripe for – and rife with – comparisons to architects who exist outside of a data center. After all, doesn’t the castle and moat approach to network security remind you of medieval literature as much as your own IT department? For every 15th-century comparison to 21st-century technology, there is a new innovation waiting to take up its metaphorical mantle. In this case, secure access service edge (SASE).
The term was first used by two Gartner analysts in 2019. While those same analysts were quickly criticized for describing a combination of services that already exist, the term has grown in traction as vendors and companies seek to find different ways to describe their products as they adapt to the current cyber security landscape.
What is SASE?
Taking advantage of the network edge, working outside of the data center, SASE combines a number of already existing products and services to provide an all-in-one solution for network security. SASE is usually sold in the same manner as software as a service (SaaS) products.
Some of the individual components of a SASE offering include:
- Software-defined wide area network (SD-WAN): Instead of a traditional network model, which relies on routers and the data center interacting, an SD-WAN routes your web traffic to vetted existing technology providers – such as Amazon Web Services or Microsoft Azure. While increasing security and decreasing cost, this also reduces latency. If we’re extending the Middle Ages metaphor, then the SD-WAN is the drawbridge that allows traffic to enter the city that is your network infrastructure.
- Secure web gateway (SWG): An SWG product is the person at the gate asking for the secret passcode. It checks all traffic for nasty elements and requires the security policies that your company has implemented be followed. Its job is to keep your data safe.
- Cloud access security broker (CASB): A CASB is a product that manages your security protocols such as single sign on, user authentication, and token management. In our little medieval fantasy land, a CASB is a group of squires who are charged with making sure that the leadership of the community is properly up to speed on the castle’s defences.
- Next generation firewall (NGFW) and firewall as a service (FWaaS): These two products filter incoming traffic and stop any that have malicious intent. Rather than a simple yes or no, an NGFW uses tools like packet filtering and VPN identification to give a deeper and better level of defense. You can think of this like a battlement, a small segment of a castle’s walls that allows you to look out and identify incoming threats.
- Zero trust network access (ZTNA): Rather than a VPN, which gives the user access to a broad network environment, a zero trust network access system gives a user access to just one application. Tired of this medieval metaphor yet? Well, we can liken a ZTNA to the secret passageways that litter many castles, areas that allow servants to dip in and out of spaces without being seen.
One of the key selling points of SASE is its ability, within a cloud-native environment, to combine a wide variety of cyber security offerings into a product that can be implemented quickly and easily.
The benefits of SASE
Although SASE evangelists will offer up a wide variety of benefits, most boil down to four key elements: ease of use, expandability, reliability, and efficiency.
For one, instead of relying on a data center-focused approach, an SASE solution allows a company to lean on resources that are not as constrained and costly. In a world where time is money, an SASE solution that provides reduced latency when compared to other structures can decrease infrastructure cost significantly.
Second, in a remote work environment where creating additional users, workflows, and products, is an everyday business necessity, SASE bills itself as an inherently cheaper and faster solution to keep a business both running and evolving.
Lastly, most companies selling these products point to the fact that the structure of a SASE solution — where you’re covering vast swathes of network security within one ecosystem — allows you to easily monitor network traffic (and solve problems) rather than having to work through convoluted security solutions that are difficult to scale.
The downsides of SASE
Given that SASE is a term first coined just five years ago, this technology is still experiencing the growing pains that come with any developing technology. One concern is that, medieval comparisons aside, the entire topic can be confusing and cause internal chaos as it is implemented.
Another concern is that SASE can be difficult to add to a legacy environment that hasn’t been specifically crafted for newer network security. As with any cyber security solution, the cost of SASE implementation may be prohibitive for small and medium-sized businesses and it’s important that companies identify which parts of a SASE solution will be useful and which ones are not needed for any individual use case.
There is also concern among some industry experts that the nature of a SASE implementation – with network and security being combined – may not fit well with an individual company’s current IT staffing choices.