SASE overview
Secure Access Service Edge (SASE) is a network security concept defined by Gartner that combines security functions with WAN capabilities to support the needs of modern, digitally reliant organizations. It is a transformation of networking and security that enables IT to provide a more secure, simplified and flexible package of services to the enterprise.
While adoption is just beginning to catch the attention of the mainstream, Gartner predicts that SASE will be as disruptive to network and network security architectures as IaaS was to the architecture for data center design. They predict that by 2024 at least 40% of enterprises will have a defined plan to adopt SASE architectures.
The challenge
Today’s network and security architectures were designed for an era that has been slowly but steadily evolving. The rise of SaaS (and other cloud services) and the corresponding decline of traditional data centers have changed the IT landscape.
The focal point of an enterprise’s network and security has historically been the data center. But in today’s digitally driven organizations, access must be provided anywhere, anytime… and much of that now is enabled through the cloud.
Today there are more workloads, sensitive data and traffic flowing through IaaS than the data center. More users, devices, apps and services now live outside the walls of an enterprise than inside.
Because these users, devices, apps, and data exist across a variety of locations and environments, the enterprise itself is no longer a perimeter. The perimeter is now defined by identity. Securing these identities has become the focal point of protection and a central reason for a move to SASE.
Whether connecting users to internal apps, cloud-based apps, or the internet, these all present variations of the same secure access challenge. A branch office is simply a place where multiple users are concentrated. Likewise, a field salesperson accessing Salesforce from their home is simply a branch office of one.
Solving these challenges with legacy network and security point solutions leads to technical silos that are complex and expensive to manage. This complexity slows down IT, impacts user experience and erodes the ability to quickly respond to new business needs. SASE changes this paradigm through a new integrated networking and security service that is identity-driven, cloud-native, globally distributed, and securely connects all edges (WAN, cloud, mobile, and IoT).
What is SASE?
At its core, SASE converges Zero Trust networking capabilities provided by SD-WANs and remote access software-defined perimeters (SDP) with security services such as next-generation firewall (NGFW), cloud access security broker (CASB), secure web gateway (SWG) and remote browser isolation into a single cloud-delivered service.
By Gartner’s definition, “SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.”
Components of SASE
In the name of speed, agility and simplicity, SASE converges network (SD-WAN, ZTNA) and network security services (SWG, CASB, FWaaS, etc.). All of these services are integrated and delivered based on user and device identities, context and policies, with continuous assessment of risk/trust throughout a session. This combination creates small perimeters around users, devices, and applications that are then additionally hardened by security functions.
While these components can be manually assembled and managed, complexity, latency and the need to inspect encrypted traffic (one time instead of many) have driven the need for a deeper convergence of network and security capabilities.
Why SASE?
Cloud-centric businesses must secure access to users, devices, apps and services delivered from any location. To solve this, a mesh of network and security services can be applied across all entities. Leveraging a converged SASE architecture enables security teams to deliver network security in a consistent and integrated manner, including:
Reduced costs and complexity
Vendors, technology stacks and related management costs are reduced. By leveraging cloud resources instead of on-premises infrastructure, costs become elastic and scaling is simplified.
Ease of use
Vendors benefit from the integrated nature of SASE by producing a single source of truth for policy management, troubleshooting and compliance reporting. From an end-user perspective, fewer agents per device simplify the user experience.
Improved performance
The integration of network and security allows the architecture to optimize services for latency-sensitive apps like video or VoIP while still applying proper security across all applications. Policies can also allow some users to be routed through a SASE provider's high-bandwidth backbone.
Improved security
SASE allows content inspection for sensitive data and potential malware to be applied to all sessions using a single set of policies. Whether the data is passing from a device to an application or between two cloud services, the same policy can be applied across all environments.
Greater agility
No longer limited by hardware capacity and refresh cycles, cloud-based offerings update for new threats and policies as needed without new deployments. This makes the architecture future-proof and allows for faster adoption of new capabilities.
Enable Zero Trust network access
Basing network access around the identity of the user (instead of the IP address) allows access controls to be applied to sessions both on and off the enterprise network. These micro-networks assume the network is hostile and secure all sessions with end-to-end encryption.
Increased effectiveness of staff
IT staff can focus on security and access requirements instead of routine tasks of setting up infrastructure.
Centralize policy with local enforcement
SASE provides cloud-based management of policies with enforcement points distributed at the edge. These agents running on managed devices can also be used for local decision making or routing to reduce the backhauling of traffic to centralized inspection points.
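To make the identity-driven, continuously assessed access model described above concrete, here is an added illustrative example (not Trustgrid's or Gartner's code). The policy format, field names and sample requests are assumptions constructed for the demo; it contrasts a legacy source-address check with a decision built from identity, device posture and context that is re-evaluated while the session stays active.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Tuple

# Constructed sample data: the "trusted" office subnet of a legacy perimeter model.
OFFICE_NET = ip_network("10.10.0.0/16")

@dataclass
class Request:
    user: str
    groups: FrozenSet[str]
    managed_device: bool   # device enrolled in management (hypothetical posture signal)
    patched: bool          # posture signal reported by the edge agent (constructed)
    mfa_age_min: int       # minutes since the last MFA challenge
    src_ip: str

# Hypothetical per-application policy: who may reach the app and under what posture.
POLICIES = {
    "salesforce": {"group": "sales",   "max_mfa_age": 60, "managed_only": False},
    "erp":        {"group": "finance", "max_mfa_age": 15, "managed_only": True},
}

def legacy_allow(req: Request) -> bool:
    """Perimeter model: trust is a property of where the packet comes from."""
    return ip_address(req.src_ip) in OFFICE_NET

def sase_decide(req: Request, app: str) -> Tuple[bool, str]:
    """Identity + context model: every check must pass, independent of location."""
    pol = POLICIES.get(app)
    if pol is None:
        return False, "unknown app"
    if pol["group"] not in req.groups:
        return False, "identity not entitled"
    if pol["managed_only"] and not req.managed_device:
        return False, "unmanaged device"
    if not req.patched:
        return False, "device posture failed"
    if req.mfa_age_min > pol["max_mfa_age"]:
        return False, "MFA too old"
    return True, "allowed"

class Session:
    """Continuous assessment: the decision is re-run whenever context changes."""
    def __init__(self, req: Request, app: str):
        self.req, self.app = req, app
        self.active, self.reason = sase_decide(req, app)

    def reassess(self, **changed) -> bool:
        for key, value in changed.items():   # e.g. patched=False from the agent
            setattr(self.req, key, value)
        self.active, self.reason = sase_decide(self.req, self.app)
        return self.active
```

A salesperson at home is denied by the subnet check but allowed by the identity model, while an unpatched device inside the office is the reverse; a posture change mid-session terminates access without any network move.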
SASE examples
Conceptually, SASE provides a superior approach to networking and network security. But the real value appears in everyday use cases:
- Employee
- Contractor
- Security Vendor
Trustgrid enables SASE architectures
The components needed to complete a SASE vision currently reside in multiple silos. Security providers hold the domain expertise in things such as inspection, data loss prevention and secure web gateways, while networking companies provide the Zero Trust networking, routing, encryption and traffic optimization functions. As a platform providing integrated SD-WAN, Zero Trust remote access, and edge computing capabilities, Trustgrid makes it simpler for security providers to quickly convert to ‘as-a-service’ security models and bring SASE solutions to market.
Trustgrid is the easiest way for security providers to move all of their solutions to a managed service model that addresses both cloud and legacy on-premises environments.
The Trustgrid platform provides:
- Full L2 / L3 / Proxy SDN feature set
- Networking-as-a-service to any user, device or environment
- Cloud-based tools for troubleshooting and remote monitoring
- Cloud-native control plane and elastic cloud gateways for scalability
- Proprietary cloud PKI and CA for securing devices and cloud services
- Cloud software repo for delivering continuous code and security updates at scale
- Edge computing platform tools for rapid development and deployment of new features