SASE overview

Secure Access Service Edge (SASE) is a network security concept defined by Gartner that combines security functions with WAN capabilities to support the needs of modern, digitally reliant organizations. It is a transformation of networking and security that enables IT to provide a more secure, simplified and flexible package of services to the enterprise.

While adoption is just beginning to catch the attention of the mainstream, Gartner predicts that SASE will be as disruptive to network and network security architectures as IaaS was to the architecture for data center design. They predict that by 2024 at least 40% of enterprises will have a defined plan to adopt SASE architectures.

SASE (secure access service edge) combines network as a service with security as a service

The challenge

Today’s network and security architectures were designed for an era that has been slowly but steadily evolving. The rise of SaaS (and other cloud services) and the corresponding decline of traditional data centers have changed the IT landscape.

The focal point of an enterprise’s network and security has historically been the data center. But in today’s digitally driven organizations, access must be provided anywhere, anytime… and much of that now is enabled through the cloud.

By 2024, Gartner predicts 40% of companies will have a plan to adopt SASE architectures.

Today there are more workloads, sensitive data and traffic flowing through IaaS than the data center. More users, devices, apps and services now live outside the walls of an enterprise than inside.

Because these users, devices, apps, and data exist across a variety of locations and environments the enterprise itself is no longer a perimeter. The perimeter is now defined by identity. Securing these identities has become the focal point of protection and a central reason for a move to SASE. 

Whether connecting users to internal apps, cloud-based apps, or the internet, these all present variations of the same secure access challenge. A branch office is simply a place where multiple users are concentrated. Likewise, a field salesperson accessing Salesforce from their home is simply a branch office of one.

Solving these challenges with legacy network and security point solutions leads to technical silos that are complex and expensive to manage. This complexity slows down IT, impacts user experience and erodes the ability to quickly respond to new business needs. SASE changes this paradigm through a new integrated networking and security service that is identity-driven, cloud-native, globally distributed, and securely connects all edges (WAN, cloud, mobile, and IoT).

What is SASE?

At its core, SASE converges Zero Trust networking capabilities provided by SD-WANs and remote-access software-defined perimeters (SDP) with security services such as next-generation firewall (NGFW), cloud access security brokers (CASB), secure web gateway (SWG) and remote browser isolation into a single cloud-delivered service.

By Gartner’s definition, “SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.”

Components of SASE

In the name of speed, agility and simplicity, SASE converges network services (SD-WAN, ZTNA) and network security services (SWG, CASB, FWaaS, etc.). All of these services are integrated and delivered based on user and device identities, context, and policies, with continuous assessment of risk/trust throughout a session. This combination creates small perimeters around users, devices, and applications that are then additionally hardened by security functions.

While these components can be manually assembled and managed, complexity, latency and the need to inspect encrypted traffic (once rather than many times) have driven the need for a deeper convergence of network and security capabilities.

SASE (secure access service edge) converges network and security services

Why SASE?

Cloud-centric businesses must secure access to users, devices, apps and services delivered from any location. To solve this, a mesh of network and security services can be applied across all entities. Leveraging a converged SASE architecture enables security teams to deliver network security in a consistent and integrated manner including:

Reduced costs and complexity

The number of vendors, technology stacks and related management costs are reduced. By leveraging cloud resources instead of on-premise infrastructure, costs become elastic and scaling is simplified.

Ease of use

Vendors benefit from the integrated nature of SASE by producing a single source of truth for policy management, troubleshooting and compliance reporting. From an end-user perspective, fewer agents per device simplify the user experience.

Improved performance

The integration of network and security allows the architecture to optimize services for latency-sensitive apps like video or VoIP while still applying proper security across all applications. Policies can also allow some users to be routed through a SASE provider's high-bandwidth backbone.

Improved security

SASE allows content inspection for sensitive data and potential malware to be applied to all sessions using a single set of policies. Whether the data is passing from a device to an application or between two cloud services, the same policy can be applied across all environments.

Greater agility

No longer limited by hardware capacity and refresh cycles, cloud-based offerings update for new threats and policies as needed without new deployments. This makes the architecture future-proof and allows for faster adoption of new capabilities.

Enable Zero Trust network access

Basing network access on the identity of the user (instead of the IP address) allows access controls to be applied to sessions both on and off the enterprise network. These micro-networks assume the network is hostile and secure all sessions with end-to-end encryption.

Increased effectiveness of staff

IT staff can focus on security and access requirements instead of routine tasks of setting up infrastructure.

Centralize policy with local enforcement

SASE provides cloud-based management of policies with enforcement points distributed at the edge. These agents running on managed devices can also be used for local decision making or routing to reduce the backhauling of traffic to centralized inspection points.

SASE examples

Conceptually SASE provides a superior approach to networking and network security. But the real value appears in everyday use cases.

Employee

A salesperson needs access to Salesforce via an airport Wi-Fi hotspot before she boards a flight. She is on her company-issued managed device, while also browsing the internet. A SASE solution delivers a quality of service (QoS)-optimized and SaaS-accelerated connection with data loss prevention (DLP), malware inspection, and user and entity behavior analytics (UEBA) for her Salesforce session, while her internet browsing is protected by a secure web gateway (SWG) to ensure her device is protected from malicious traffic, and her Spotify music streaming is routed directly to the internet without the need to haul it to an inspection point.

Contractor

A contractor comes to company XYZ's offices to work for the day using his own laptop. During the day he needs to access the company HR system. The HR system is a web-enabled application that lives in the company's data center. The SASE solution assigns the contractor an identity and has him download a simple agent that provides Zero Trust network access to the HR database, but only from the office's location. During his session, all traffic is inspected by the DLP to prevent sensitive data loss and then encrypted before transit. The contractor is unable to access any other applications or gain access from any other device. And once he leaves the office he is unable to start another session.
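The contractor scenario, together with the identity-based access and centralized-policy-with-local-enforcement points above, describes one policy decision: entitlement is keyed on identity, an enrolled device, an installed agent and location, and the decision is re-evaluated as the session's context changes rather than fixed at connect time. The following is an added example that is not Trustgrid's code or product behaviour; every identity, device label, location label, application name and policy field in it is a constructed assumption chosen to replay the scenario, and the source IP is deliberately absent from the inputs.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessPolicy:
    """Per-application policy keyed on identity and session context, never on source IP."""
    app: str
    allowed_identities: FrozenSet[str]
    allowed_locations: FrozenSet[str]      # empty set means any location is acceptable
    require_agent: bool = True             # the simple agent the scenario has the contractor install
    bind_to_enrolled_device: bool = True   # the session is tied to the device the identity enrolled


@dataclass(frozen=True)
class Context:
    """What the enforcement point observes about the entity right now (constructed fields)."""
    identity: str
    device_id: str
    agent_present: bool
    location: str        # constructed labels such as "hq-office" or "coffee-shop"
    app: str


# Constructed sample data: which devices each identity has enrolled, and the policies
# a central control plane would push to every distributed enforcement point.
ENROLLED_DEVICES: Dict[str, FrozenSet[str]] = {
    "contractor-42": frozenset({"laptop-contractor-42"}),
    "alice": frozenset({"laptop-alice"}),
}

POLICIES: Dict[str, AccessPolicy] = {
    "hr-portal": AccessPolicy("hr-portal", frozenset({"contractor-42", "alice"}),
                              allowed_locations=frozenset({"hq-office"})),
    "finance-db": AccessPolicy("finance-db", frozenset({"alice"}),
                               allowed_locations=frozenset()),
}


def decide(ctx: Context) -> Tuple[bool, str]:
    """Evaluate one request; unknown applications and unmet conditions default to deny."""
    policy = POLICIES.get(ctx.app)
    if policy is None:
        return False, "no policy for application (default deny)"
    if ctx.identity not in policy.allowed_identities:
        return False, "identity not entitled to application"
    if policy.require_agent and not ctx.agent_present:
        return False, "managed agent not present"
    enrolled = ENROLLED_DEVICES.get(ctx.identity, frozenset())
    if policy.bind_to_enrolled_device and ctx.device_id not in enrolled:
        return False, "device not enrolled for this identity"
    if policy.allowed_locations and ctx.location not in policy.allowed_locations:
        return False, "location not permitted for this application"
    return True, "allow"


class Session:
    """A session re-runs the policy on every context change (continuous assessment)."""

    def __init__(self, ctx: Context) -> None:
        self.ctx = ctx
        self.active, self.reason = decide(ctx)
        self.events: List[str] = [self._event("open")]

    def _event(self, what: str) -> str:
        verdict = "allow" if self.active else "deny"
        return f"{what} {self.ctx.app} for {self.ctx.identity}@{self.ctx.location}: {verdict} ({self.reason})"

    def update(self, **changes) -> bool:
        """Apply observed context changes and re-evaluate; returns whether the session is still active."""
        self.ctx = replace(self.ctx, **changes)
        self.active, self.reason = decide(self.ctx)
        self.events.append(self._event("re-evaluate"))
        return self.active


def contractor_day() -> List[str]:
    """Replay the contractor scenario from the text and return the decision log."""
    start = Context("contractor-42", "laptop-contractor-42", True, "hq-office", "hr-portal")
    session = Session(start)                                   # allowed: identity, device, agent, location all match
    session.update(app="finance-db")                           # denied: not entitled to other applications
    session.update(app="hr-portal", device_id="laptop-other")  # denied: a different device
    session.update(device_id="laptop-contractor-42", location="coffee-shop")  # denied: left the office
    return session.events


if __name__ == "__main__":
    for line in contractor_day():
        print(line)
```

The checks are ordered so that the cheapest, most general denial (no policy, not entitled) is reached first, and each denial carries a reason string because the enforcement point, not the central control plane, is what logs and returns the verdict locally; the central plane only distributes `POLICIES` and `ENROLLED_DEVICES`.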

Security Vendor

A solutions provider has security appliances deployed in data centers across the country. As more of its clients need to protect both data center and cloud resources, these appliances not only limit its addressable market, but also remain time-consuming and logistically challenging to maintain. The bloat created by bolting on additional products increases the complexity and management challenges. Moving to a SASE architecture allows security providers to manage all security functions under the same integrated platform. This platform, enabled by its underlying network infrastructure, is able to efficiently deliver security services to an unlimited number of users/customers.

Trustgrid enables SASE architectures

The components needed to complete a SASE vision currently reside in multiple silos. Security providers hold the domain expertise in things such as inspection, data loss prevention and secure web gateways… while networking companies provide the Zero Trust networking, routing, encryption and traffic optimization functions. As a platform providing integrated SD-WAN, Zero Trust remote access, and edge computing capabilities, Trustgrid simplifies the ability for security providers to quickly convert to ‘as-a-service’ security models and bring SASE solutions to market.

Trustgrid is the easiest way for security providers to move all of their solutions to a managed service model that addresses both cloud and legacy on-premise environments.

The Trustgrid platform provides:

  • Full L2 / L3 / Proxy SDN feature set
  • Networking-as-a-service to any user, device or environment
  • Cloud-based tools for troubleshooting and remote monitoring
  • Cloud-native control plane and elastic cloud gateways for scalability
  • Proprietary cloud PKI and CA for securing devices and cloud services
  • Cloud software repo for delivering continuous code and security updates at scale
  • Edge computing platform tools for rapid development and deployment of new features
