What is SASE?
SASE is a framework for the convergence of network and security. Learn how SASE transforms cloud security and how you can adopt it.
- SASE combines network and security-as-a-service functions and delivers them through the cloud via a unified service.
- SASE capabilities include integrated SD-WAN, secure web gateways, cloud access security brokers, next-generation firewalls, and zero-trust networks.
- Its benefits can include cost savings, improved performance, and protection for entities no matter how far the network edge stretches.
There has been a lot of talk about the ways in which the pandemic changed how, where, and when we work. There is no doubt that it has, but the workplace was already headed in a new direction before COVID-19. In August 2019 — about six months before the world effectively shut down — a Gartner Insights article predicted that the way we work “will change completely over the next decade and bear little resemblance to work as it stands today.”[i]
The pandemic may have accelerated and sharpened the shift, but employees were using their own devices for professional purposes and logging onto corporate networks from public hotspots in coffee shops and airports long before COVID-19. Their employers, meanwhile, were making increasing use of as-a-service platforms on the road toward digital transformation.
In short, the network perimeter as we once knew it had been blurring before the pandemic and has all but disappeared since. This makes a strong case for implementing SASE, or secure access service edge, which many companies are phasing into their security infrastructure. As they do, technology partners such as Mimecast, Netskope, and CrowdStrike have begun combining forces to deliver integrated secure edge solutions.
The secure access service edge concept was conceived by Gartner in 2019, and the term SASE has since entered the enterprise security lexicon. According to Gartner’s definition, SASE is a security model that delivers protection based on the identity of an entity, real-time context, a company’s security and compliance policies, and continuous risk assessment. Identities of entities can be based on people, groups of people, devices, applications, services or edge computing locations. SASE combines network and security-as-a-service functions and delivers them through the cloud via a unified service. SASE capabilities include integrated software-defined wide area networks (SD-WANs), secure web gateways, cloud access security brokers, next-generation firewalls, and zero-trust networks.
Secure service edge (SSE) is a subset of SASE that is focused primarily on the security aspects of SASE. Also defined by Gartner, SSE “secures access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring and acceptable use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components.”[ii]
SSE could be implemented more quickly than SASE, but Gartner recommends eventually moving to a complete SASE stack.[iii]
Top Seven SASE Benefits
The further along a company is on its digital transformation journey, the greater the value of building a SASE architecture. Indeed, SASE is as much a driver for digital transformation as digital transformation is for SASE.
With that said, no matter where an organization is on its journey to digital transformation, it can expect to see several key SASE benefits, including:
- Cost-effective security: With the SASE model, organizations can avoid the costs associated with multiple product vendors. SASE combines network and cloud-based protections in one or more integrated cloud-based services, saving licensing, maintenance, and management costs.
- Flexible security: SASE’s cloud-based model makes it easy for administrators to implement and deliver specific security services as needed. In addition, because SASE provides security based on the role of the connected entity, the model ensures security no matter how far the network edge stretches.
- More efficient use of IT resources: Using an integrated cloud service for network and cloud security rather than multiple, incompatible products from many different vendors will free up IT professionals’ time, enabling them to work on more mission-critical, business-focused tasks.
- Zero trust: SASE takes a zero-trust approach, validating users and device access and providing complete application session protection to users inside and outside of the corporate network.
- Threat prevention: SASE provides threat protection through integrated content inspection that provides visibility into the network.
- Data protection: SASE enables administrators to apply data protection policies designed to ensure that the right entities have access to the right data.
- Consolidated management: SASE provides an opportunity for organizations not only to consolidate the number of vendors they are working with, but also the management consoles they use to monitor their overall security posture.
What Are the Key Components of a SASE Framework?
There are five key components of a SASE framework:
- SD-WAN: Software-defined WAN increases application performance through a centralized control function that dynamically directs traffic across the WAN directly to connections including trusted SaaS and IaaS providers. The use of SD-WAN can increase business productivity and reduce IT costs.
- Secure web gateways: A secure web gateway is a device, cloud service, or application deployed at the boundaries of a network to monitor and stop malicious traffic from entering the organization and to block users from accessing malicious or suspicious web resources.
- Zero-trust network access: The zero-trust model — where nothing is trusted, and everything is verified — is a direct response to the loss of a secure network perimeter. Zero trust provides a mechanism to secure new ways of working in the cloud and combat the risk of insider breach.
- CASB: Cloud access security brokers act as intermediaries between users and cloud service providers. CASBs, which can be on-premises or cloud-based software, monitor all activity and enforce security policies.
- Firewall-as-a-service: A cloud-based firewall, firewall-as-a-service (FWaaS) provides URL filtering, advanced threat prevention, intrusion prevention, and DNS security.
Key Security Capabilities of a SASE Framework
SASE is not a product or even a group of products. Rather, it is a security model that integrates network and security capabilities — ideally, from as few vendors as possible. The SASE model also is designed to apply network and security features as needed — and where needed — over time. SASE’s security capabilities, therefore, can scale up, down, and out as new technology is introduced. With that said, there are several key capabilities that organizations can expect, as SASE:
- Grants access dynamically based on authentication, identity, and business rules — regardless of an entity’s location.
- Enables organizations to easily and efficiently adjust and control security based on current and future needs.
- Extends protections to wherever the edge happens to be, protecting users on- and off-premises.
- Enables organizations to consistently enforce policies.
- Provides protection without affecting network performance.
- Reduces the risk associated with email-borne and other trust-based threats.
While there are many benefits to SASE, there are three major challenges to implementing the model.
- SASE is not a single product, but rather a network and security model. This is a benefit to organizations because it enables them to implement best-of-breed solutions for each of the elements of SASE, but it will also require a security architecture that can be fully integrated and managed. This is a significant challenge for many organizations that Mimecast aims to alleviate through its open APIs and ecosystem of partnerships that deliver off-the-shelf integrations of best-of-breed cybersecurity solutions.
- The SASE model creates efficiencies that can reduce expenses over time, but the costs of implementing SASE — including updating legacy hardware, engaging with new vendors, and perhaps working with a systems integrator — may be cost prohibitive for many organizations.
- SASE will likely require an organizational shift. Most organizations’ network and security operations are separate groups. For SASE to be effectively implemented, these groups must be able to work closely together.
How Organizations Can Adopt SASE
Perhaps the biggest benefit and challenge of SASE is that it is not one product. SASE has the potential to protect organizations, their users, and their customers no matter how the security — and global — landscape changes, but it’s not something that companies can just easily spin up.
Organizations will be challenged to pick the right vendors, update legacy systems, and ensure that network and security operations professionals are on the same page. Understanding the structure and use cases of an organization’s IT environment is essential for ensuring a smooth migration to SASE and building effective test plans to verify services post-cutover.
Before even starting on the SASE journey, organizations should take stock of their users and the applications they use, as well as where they use them. This information will help identify which security and network features should be applied. As such, inventories of applications, users, and use cases should be conducted on an ongoing basis to ensure that current needs are being met (and future needs are being anticipated). Organizations likewise must apply SASE security controls with a solid understanding of industry, local, federal, and other compliance mandates.
Finally, organizations must develop a culture that supports the SASE model. This may require departments that never worked together to collaborate closely. Business, security, and IT managers will need to effectively communicate the reasons for implementing SASE, acknowledge the challenges that come with it, and offer thoughtful strategies and timelines for SASE adoption. Education will likely be required across the organization, including end users, as well as an ongoing dialog to ensure that implementation runs as smoothly as possible over time.
The Bottom Line
With the disappearance of the network perimeter comes a need for a new network and security model. SASE delivers protection and performance based on the way organizations work today, with the flexibility to adapt for the changes that are sure to come moving forward. SASE implementation will not be easy or quick, and Mimecast can help companies phase in SASE. Ultimately, organizations that can create a culture anchored in SASE will likely see benefits now and in the future.