What is SASE (Secure Access Service Edge)?
In August 2019 Gartner described the transformation at the heart of security in an article entitled “The Future of Network Security Is in the Cloud”. In the article, the strategic planning assumption mentioned was that 'by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.' But what is SASE?
The paper explains that user security needs are no longer found in the enterprise data centre, but with each user via their workstation and their identity. Now that users and services are increasingly mobile and externalized, the model of the data centre as the key element in enterprise security has become obsolete; worse, this approach can hamper business agility and restrict growth. The change gives rise to a new paradigm, which Gartner calls SASE (pronounced “sassi”) or “Secure Access Service Edge”.
What is SASE?
Gartner believes that the Secure Access Service Edge will be as revolutionary for security/network architecture as IaaS has been for data centre architecture. According to the company, by 2024 at least 40% of businesses will have explicit strategies for adopting SASE (compared with <1% at the end of 2018).
As stated in their article, "complexity, latency and the need to decrypt and inspect encrypted traffic once will increase demand for consolidation of networking and security-as-a-service capabilities into a cloud-delivered Secure Access Service Edge."
The rise of cloud applications changes what security solutions must address, and a SASE architecture can cover these needs:
- Data confidentiality for transferred and stored data
- Granular access control for these protean data (files, structured databases, unstructured databases)
- Latency when these applications are accessed from anywhere in the world
Recommendations from Gartner to those responsible for security and risk management are:
- Position the adoption of SASE as a digital business enabler in the name of speed and agility.
- Architect to move inspection engines to the sessions, not to reroute the sessions to the engines.
- Shift security staff from managing security boxes to delivering policy-based security services.
- Engage with network architects now to plan for SASE capabilities. Use software-defined WAN and MPLS offload projects as a catalyst to evaluate integrated network security services.
- Reduce complexity now on the network security side by moving to ideally one vendor for secure web gateway (SWG), cloud access security broker (CASB), DNS, zero-trust network access (ZTNA), and remote browser isolation capabilities.
Internet filters, web gateways and proxies
If you think about it, users have had external applications for a long time via their browsers, which give them file-sharing services, messaging systems, forms, and more. This type of use has always been secured by proxy servers offering authentication, authorization, and traceability.
The web filter market has evolved over the past few years in response to user mobility, with all suppliers switching to 100% cloud or hybrid solutions. Some visionary enterprises have opted for a native cloud solution that offers more agility and proximity to users.
CASB solutions to control cloud use
Over the past five years, cloud access security broker (CASB) software has appeared in response to the expansion of SaaS applications, particularly Office 365. These tools can control the use of Dropbox, Salesforce, Office 365, and other SaaS cloud apps. Users and applications have not waited for ISS or CISO authorization to migrate to the cloud.
However, security maturity around cloud application use has not been enough for companies to release the necessary budgets to support this change. CASB tools, which are overly specific, have therefore had limited success.
Workplace internet control
The two solutions, web filtering and CASB, combine quite naturally to develop more complete control over internet use. A simple “web filter” has become an essential commodity but is insufficient on its own, as access to company data, from any device and no matter where the data are stored, must be fully traceable.
A SASE architecture can therefore be seen as the logical development of the proxy server, or the “next-generation proxy”.