The Ins and Outs of SASE Solutions
In the modern age of edge computing, new offerings for cloud-based combinations of network and security services are becoming popular. Learn how these solutions are meant to work.
- By David Balaban
- November 12, 2021
Not all businesses understand what exactly "secure access service edge" (SASE) means. Is it a set of products or services, a comprehensive system, or simply a concept and methodology? We'll answer that question and look at the benefits such solutions and services bring to customers, who should be responsible for their functioning, and how much the marketing component of the SASE hype is contributing.
What is SASE?
Originally introduced by IT research giant Gartner, the term SASE denotes a convergence of network-as-a-service (NaaS) and security-as-a-service (SaaS) paradigms. In its simplest terms, SASE is a combination of network and security services. From a networking perspective, SASE allows you to optimize data transfer and redirect traffic in a frictionless way. From a security perspective, the optimal protection technique depends on the location of the resources the user is accessing.
The traditional security model is focused on fortifying the network perimeter by means of firewalls and various antimalware tools. Essentially, this approach revolves around preventing external threats from infiltrating an organization's digital environment. Nowadays, this security philosophy is becoming obsolete, as more users need to access their companies' critical applications and data from different locations and devices. For example, to protect remote users, edge computing services operate beyond traditional enterprise security mechanisms and safeguard users as they connect to the cloud.
Gartner coined the term "SASE" to describe the direction in which the telecommunications industry had been moving for a long time. It is a synergy of three domains: networks and backbones, security services, and the cloud services that tie them together.
It is worth noting that in addition to Gartner, other analytics agencies (e.g., Forrester) have proposed architectures with cloud-based security features at their core. Operating in concert with improved access techniques, these services provide users with all the layers of protection they need.
Experts note that SASE is not a separate product. It is a concept and a strategy supported by a set of solutions that can be combined to fully meet a customer's needs. An example of edge security services in action could be a situation where a company's employee moves to another country or region. When connecting to the point of presence (PoP) at the new location, the employee will get high-quality routing and quick access along with all the necessary security services.
Gartner lists 17 elements that may be included in a SASE solution. In this regard, many experts wonder whether SASE can be considered full-fledged if some of these components are missing.
Several core entities make up the SASE stack. These are SD-WAN, secure web gateway or cloud access security broker (CASB) solutions, firewall-as-a-service (FWaaS), and a zero-trust network access (ZTNA) system. A series of other tools, such as data-loss prevention (DLP) mechanisms, sandboxing, web application and page isolation services in the browser, and Wi-Fi segment protection, are optional and can be purchased by the customer as needed.
Looking at SASE from the perspective of customer needs, three key services should be implemented:
- Data protection, both within the cloud and in transit between services
- Secure access based on cloud technology
- Local points of presence that meet regulatory requirements
It should be noted that there is no solution that fully and unconditionally meets all SASE requirements. Some vendors are stronger in networking technologies, while others are focused on security. Therefore, it is necessary to proceed from your organization's objectives, selecting the necessary configuration of SASE to meet them.
A key element of SASE that sets this concept apart from other access systems is the presence of ZTNA services. They are a decent alternative to the use of a firewall and can be accessed from anywhere around the globe thanks to the cloud.
Who Benefits Most From SASE?
The ratio of employees working in the office and those connecting to enterprise resources from home has changed dramatically since early 2020. Unsurprisingly, companies' security teams have to deal with a new category of devices -- home computers and laptops, which are often less protected and susceptible to various cyberattacks. This is why the ideology of edge services is relevant at the moment.
When it comes to the benefits of harnessing this technology, economic factors come to the fore. The game-changing advantage of a SASE environment is its ability to quickly provide new offices, stores, and other enterprise locations with secure access to cloud and corporate resources.
Retailers and any business with a large number of relatively small branches get the most mileage out of SASE. It is particularly convenient to use edge security services if the number of outlets is constantly changing, as is the case with businesses that frequently close and open stores.
Who Should Deploy and Maintain SASE?
An important factor that affects the success of SASE implementation is the distribution of roles for operation and configuration. The management of SASE solutions is typically the responsibility of IT specialists, who also configure VPNs and firewalls in most companies. At the same time, experts emphasize the importance of cooperation between an organization's IT and security departments. The former ensures network connectivity, remote connectivity, and seamless access to applications, while the latter controls access security as well as compliance with policies and corporate standards.
As far as what SASE providers are responsible for, all solutions have service-level agreements (SLAs) that specify cloud availability minimums and detail what compensation must be made when that uptime requirement isn't met. Providers also disclose the networking technologies and data processing rules they use. In addition, there is a logging system and the option for a third-party company to evaluate the reliability of the service. In some markets, there are contractual penalties for downtime.
At this point, it's not clear how SASE vendors inform customers in the case of data disclosure at the request of law enforcement agencies or other authorities vested with this right, or how they guarantee the effectiveness of their security features. Also, the advantages of using cloud-based secure access services over deploying similar on-premises systems remain opaque. These nuances may cause organizations' information security employees to distrust cloud services of this kind.
SASE Licensing Peculiarities
For most SASE providers, the price depends on the number of users and channel bandwidth, as well as the services that the customer will be using (DLP, host information profile, etc.). Some providers also factor in user distribution by region or data retention periods for certain services they offer. Another metric is the storage region. For specific locations, such as offices or branches, some providers offer a router whose price depends on the channel capacity.
A Final Word
The concept of SASE is still raising many questions among potential customers. So far, providers have not always been able to explain the advantages of their solutions to clients. Nevertheless, big companies with a widely distributed network of branches, retail networks, and enterprises with many remote employees may get certain benefits from implementing SASE.