Web Security

    SASE Envelops Users, Apps and Devices in Cloud-Native Security

    Secure access service edge (SASE) offers a cloud-native model for securing devices, users and applications everywhere, in boundaryless, zero-trust environments.

    by Bill Camarda

    Key Points

    • The SASE model holistically integrates key security and network services, leveraging identity, context and policies across all of them.
    • SASE makes it easier to provide exactly the right access at a more granular level than ever before.
    • SASE’s components should be cloud-native and designed to integrate — without establishing a risky security monoculture.


    Business technology boundaries are melting away. A shrinking proportion of traffic is funneling through legacy VPNs, shadow IT is proliferating and remote employees are often resorting to unvetted cloud applications. Organizations need a new approach for securing access to the right resources from anywhere, while reliably barring access to unauthorized individuals. And because attacks and data loss risks are growing more dangerous, organizations need to keep inspecting and logging user traffic beyond their perimeters.

    The most promising model for accomplishing all this in a boundaryless, zero-trust environment is known as secure access service edge (SASE).

    SASE Is a Model, Not a Product

    Don’t think of SASE (pronounced “sassy”) as a product: Think of it as a security model that integrates a wide and growing set of services, all native to the cloud and delivered through it. SASE’s “cloud-born” approach improves scalability and flexibility and makes it easier to safeguard any device, user or application.

    Gartner’s oft-cited definition of SASE is a good place to start. “SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.”[1]

    SASE services typically include zero trust network access (ZTNA) to authenticate users and provide granular access to individual applications based on a user’s identity, context and adherence to relevant security policies — rather than, for instance, a device IP address or physical location. Once inside the network, users can’t move across applications without being authenticated for them.[2] SASE enhances cloud access security broker (CASB) services that make cloud-application usage visible and controllable, offering deeper inspections and context. In addition, it will typically integrate next-generation firewall services, secure web gateways, data loss protection and, crucially, network services such as software-defined wide area networks (SD-WANs).

    This integration helps to explain why SASE is often described as “holistic.” SASE supports more effective authentication, threat recognition and mitigation across all traffic, apps and users without requiring security teams to maintain separate security infrastructure for internet-based and private applications.[3] With SASE, it’s easier to leverage the security components of an IT infrastructure to support each other.

    For instance, organizations can deploy ZTNA and data loss prevention independently of a SASE architecture today. But when these capabilities are integrated into a SASE architecture, they can keep monitoring outbound traffic after a user has been authenticated into one cloud application — protecting more effectively against malicious behavior or stolen credentials.

    SASE Migration Is a Journey, Not a Cutover

    Most organizations are only beginning their migration toward SASE models and architectures. It’ll be a journey, not a sudden cutover. For example, it’s been common for organizations to deploy SD-WANs to simplify branch office connectivity, then add security overlays, and then look toward SASE to unify these and simplify management across both networking and security.[4],[5]

    It will take time, but SASE is coming. According to Gartner, in 2020, only 10% of enterprises had explicit strategies and timelines for adopting SASE across user, branch and edge access; by 2025, 60% will. Gartner recommends planning a gradual phaseout of on-premises perimeter and branch hardware, with the goal of delivering SASE capabilities via a smaller number of strategic vendor partners. Gartner also recommends ensuring solutions are truly cloud-native, not reworked from legacy premises technology.[6]

    An Integrated Ecosystem, Not a Monoculture

    Undertaking a SASE implementation requires your Ecosystem being central to your security posture – without the visibility and control Zero trust policies cannot be implemented, and the journey to SASE is effectively halted. Add to that two more considerations.

    First, your vendor partners should be investing in APIs and native integrations so that their offerings work together as one, drawing on all the real-time and near-real-time data streams available. Most importantly, this should include dynamic data about new attacks attempted first by email, which still accounts for the vast majority of emerging zero-day attacks, then by cloud applications and potentially all the way to the endpoint devices. This approach, described in-depth in The Mimecast-Netskope-CrowdStrike Triple Play white paper, will empower SASE environments with even more value.

    Second, don’t fall into the trap of a fully homogeneous security environment, where if attackers can evade one set of defenses they may lurk silently within your systems indefinitely, compromising more assets and becoming more dangerous. SASE, done right, helps unify management of all facets of security, using shared policies and identities, without sacrificing the robust and diverse security ecosystem necessary to resist tomorrow’s advanced attacks.

    The Bottom Line

    The SASE model offers a clear, long-term direction for security decision-makers seeking to achieve zero trust and to support environments where the cloud predominates. Done right, SASE will make it easier to apply policies consistently, scale and extend security wherever it’s needed, and simplify management. By understanding SASE now, you can solve immediate cybersecurity challenges — and be better prepared for the challenges yet to emerge.


    [1]What is SASE?,” Palo Alto Networks

    [2]Zero Trust Network Access,” Gartner

    [3]How Zero Trust and SASE Can Work Together,” Palo Alto Networks

    [4] The 10 Tenets of an Effective SASE Solution, Palo Alto Networks

    [5]How to Think About Gartner’s Strategic Roadmap for SASE Convergence,” Netskope

    [6]Top Actions from Gartner Hype Cycle for Cloud Security, 2020,” Gartner, 2020


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top