SASE Component Fundamentals
If you work in networking and security, you will likely encounter SASE. We pronounce it “sassy,” and it stands for Secure Access Service Edge. SASE is a modern security framework aiming to provide secure access to cloud and on-premises applications, corporate resources and Internet based on the identity of the user and the session context.
It comprises many different components, but there are 4 or 5 that are commonly implemented. They are CASB, SWG, FWaaS, ZTNA and SD-WAN. We want to explore what each of these pieces of the puzzle does and how adopting them can help you to use SASE to enhance your security posture and protect your applications, users and assets.
We will look at some features that make SASE attractive to organizations that need to expand securely by leveraging the technologies they trust and how you could implement something similar for your setup. We will also touch briefly on SSE technology and how it compares with SASE.
What problem does SASE solve?
Traditionally, Wide Area Networks were designed following a hub-and-spoke architecture. To access local resources or the Internet, remote users would use a VPN connection. Their traffic would terminate on a hub site with a centralized security stack, where security policies and traffic filtering were applied before the user was granted or denied access to the internal or external resource. This model was very efficient since most applications were running on on-premises servers and the majority of users were working from the office, connecting directly to the applications and resources they needed.
In recent years, however, there has been a major shift in the way applications are consumed, in work habits and in the security landscape:
Modern applications are highly distributed and designed to be accessed via geo-based servers.
Just like applications, the human workforce has become more distributed as well, due to work-from-home policies and an increasing demand for "work-from-anywhere" jobs.
Security threats and attack vectors have become more sophisticated and are constantly evolving. This makes it more and more difficult for security teams to stay current and constantly update the configuration of the centralized security stack.
The popularity and convenience of "Bring Your Own Device" (BYOD) pushes enterprises to think about solutions to securely onboard those devices into their networks.
From a cost perspective, the acquisition, maintenance and upgrade of hardware introduces a lot of complexity when planning and predicting budgets.
The centralized hub-and-spoke design clearly does not respond to this new reality. It introduces higher latency, more demand on network bandwidth, more bottlenecks and more complexity in managing the security policies on the centralized security stack.
In short, legacy networks were not designed to support decentralized applications and a distributed workforce.
SASE is a framework combining many network and security functions that aim to align the enterprise IT environment with the challenges described above.
At a high level, SASE allows organizations to adapt to the new reality of a hybrid workforce and distributed applications by moving the security stack to different locations in the cloud.
This architecture has many advantages:
Lower latency and quicker access. User traffic does not need to go via a centralized hub to be filtered; it is sent directly to the cloud or on-premises destination.
Secure access based on identity and context using a zero-trust model. Users are granted access only to the resources they need instead of an entire network.
Ease of management, maintenance and scalability, since it is a cloud-native solution.
Better application performance and user experience, since the security stack is distributed (closer to users and applications).
Lower TCO due to an OPEX model with predictable cost.
SASE Explained: What is it?
In simple terms, SASE uses a combination of WAN technologies and security services to help users connect to business and cloud services. These technologies are combined to give you a flexible and secure setup that allows your business to communicate securely across regions and with the cloud. The components and services that are often used in SASE environments are:
Cloud Access Security Broker (CASB): A CASB is a security tool that sits between an organization and a cloud provider's infrastructure such as AWS, Azure or GCP and focuses mainly on access control to SaaS applications like Microsoft Office 365, for example. CASB helps ensure secure access to cloud resources and enforces security policies so that users can connect securely without sacrificing ease of use or safety. A large company could use CASB to give employees access only to company-sanctioned online resources so that there is less risk to the organization.
Secure Web Gateway (SWG): SWGs provide web security by filtering unwanted software/malware from web traffic and enforcing policy compliance set out by the information security team. This is generally done through a firewall interface (See FWaaS), which makes the process seamlessly integrated into the network. SWGs are essential for implementing data loss prevention (DLP) and protecting against threats from the internet, and they also offer application ID and control.
Firewall as a Service (FWaaS): FWaaS is a cloud-based solution that delivers firewall capabilities. It helps protect against threats and enforces security policies across a company's network traffic, no matter where it originates or is going, and it can be integrated into your SASE solution.
Zero Trust Network Access (ZTNA): ZTNA is a security model that connects users to private resources and uses strict identity verification for every person and device trying to access data and applications on a private corporate network. It is based on a stringent 'never trust, always verify' methodology, shifting from the traditional 'trust but verify' model. Every request must be authenticated before access is granted, making applications and data safer and less susceptible to unauthorized activities.
Software-Defined Wide Area Network (SD-WAN): SD-WAN is a virtual WAN architecture that helps enterprises securely connect users to applications through any combination of transport services, either public or private. It offers improved application performance, agility, and advanced network configuration options.
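To make the ZTNA principle above concrete (per-application decisions from identity plus session context, and access to one resource rather than an entire network, as the zero-trust advantage earlier describes), here is an added illustration that is not code from the original page or from any SASE vendor. The policies, users and the two decision functions are constructed for the example.

```python
from dataclasses import dataclass

# Added example: a minimal per-application access decision in the ZTNA style.
# Policies, groups and requests are constructed sample data, not any vendor's API.

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset      # group memberships asserted by the identity provider
    app: str               # the single application being requested
    mfa: bool              # was this session authenticated with MFA?
    device_managed: bool   # does the device pass posture checks?

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = False

# Constructed sample policies: each application is published individually.
POLICIES = {
    "hr-portal": AppPolicy(frozenset({"hr"}), require_mfa=True, require_managed_device=True),
    "wiki": AppPolicy(frozenset({"staff", "hr", "contractor"}), require_mfa=False),
}

def legacy_vpn_decision(req):
    """Hub-and-spoke VPN model: once the tunnel is up, the whole network is
    reachable, so any authenticated user can attempt any internal application."""
    return True, "on the network via VPN"

def ztna_decision(req, policies=POLICIES):
    """Zero-trust model: every request is checked against the policy for that one
    application. Anything not explicitly allowed is denied (default deny)."""
    policy = policies.get(req.app)
    if policy is None:
        return False, f"no policy published for {req.app}"
    if not (req.groups & policy.allowed_groups):
        return False, "identity not entitled to this application"
    if policy.require_mfa and not req.mfa:
        return False, "session context: MFA required"
    if policy.require_managed_device and not req.device_managed:
        return False, "session context: managed device required"
    return True, "allowed"

if __name__ == "__main__":
    contractor = Request("cara", frozenset({"contractor"}), "hr-portal", mfa=True, device_managed=False)
    print(legacy_vpn_decision(contractor))  # the VPN model exposes hr-portal to the contractor
    print(ztna_decision(contractor))        # ZTNA denies: identity not entitled to hr-portal
```

The same contractor is allowed the wiki (entitled, no MFA required) but denied the HR portal, and an HR user on an unmanaged device is still denied the HR portal because the session context fails, which is the "every request is verified" behaviour the text describes.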
SASE Benefits and Features
The way that SASE handles network security and management makes it a viable solution for organizations that need security and enhanced networking capabilities. It's not just about the individual components of SASE but how they form a cohesive, flexible, and secure network. Here's why organizations use SASE:
Integrated Security and Networking: SASE uses multiple security solutions and has advanced networking capabilities that provide a unified approach to secure user connectivity. These technologies, although delivered as separate services, are unified into a single solution to form SASE.
Scalability: As organizations grow, so does their need for secure, reliable connectivity. SASE's cloud-native architecture can easily scale to accommodate growth, making it an ideal solution for businesses of all sizes.
Performance Improvements and Optimizations: By using technologies like SD-WAN, SASE can optimize network performance, improving user experience. This is particularly important for organizations that rely on cloud applications and services.
Enabling Remote Work: With the rise of remote work, SASE provides a secure way for employees to access corporate resources from anywhere without traditional VPNs. This makes it easier for businesses to support a distributed workforce.
What is the difference between SASE and SSE?
We know the terminology can get confusing sometimes, so we thought now would be a good time to show the difference between SASE (Secure Access Service Edge) and SSE (Simplified Secure Edge).
The simplest way to think about how these two technologies differ is the involvement of the SD-WAN. SASE gives you network security and SD-WAN functionality, while SSE leans more heavily toward network security without SD-WAN capabilities.
We can think of SSE as only the security services SASE offers, without the SD-WAN technologies that give SASE its networking capabilities. SSE still provides security features such as DLP, sandboxing, network access control and other enhancements.
SASE and SSE: Diving Deeper
As we've seen, SASE and SSE are both crucial technologies for modern businesses, but they serve different functions. SASE combines network security functions and wide-area networking capabilities to provide secure, efficient access to resources from anywhere. It's a comprehensive solution that's well-suited to the needs of modern, distributed organizations.
On the other hand, SSE is essentially SASE minus the SD-WAN component. While it includes all the security components of SASE (CASB, SWG, FWaaS, ZTNA), it lacks wide area networking capabilities.
This makes SSE more focused on network security, and it may be a suitable option for organizations that have existing networking solutions in place or that do not require the network optimization and flexibility offered by SD-WAN.