Secure access service edge (SASE, for short) is a new framework that combines wide area networking (WAN) and security functions into a single cloud-delivered service. It’s designed to address the needs of today’s distributed enterprise, which is increasingly reliant on cloud-based applications and services.
SASE provides many benefits over traditional networking and security solutions, including simplified administration, increased agility, and improved security. This article will explore how SASE works and some of its key benefits, especially with regard to remote work.
How does SASE work?
Before we delve into our analysis, it’s essential to clarify that SASE is not a standard but a concept introduced by Gartner in “The Future of Network Security Is in the Cloud”. The report describes SASE as a combination of existing cloud networking and cloud security solutions to meet today’s corporate challenges — namely, securely connecting remote workers to cloud services, IoT devices, edge locations, or branch offices, regardless of the user’s location. It’s vital to keep this in mind, as SASE is an evolving architecture.
SASE is cloud-based
Although SASE uses edge computing technologies to minimize the connection latency between endpoints, infrastructure and security are handled by cloud-based services. This approach provides SASE solutions with benefits such as easy scalability, integration with other cloud services, better cost management, and ease of offering security regardless of the user’s location.
In this sense, the SASE framework combines a variety of cloud technologies to provide secure access to all edges, including identity and access management (IAM), secure web gateways (SWGs), firewall as a service (FWaaS), zero trust network access (ZTNA), cloud access security brokers (CASBs), and software-defined WANs (SD-WANs). More details will be given on the role of these technologies shortly.
SASE provides secure access to enterprise WAN networks
The main objective of the SASE model is to extend enterprise networks to any endpoint that requires access to it without compromising security in the process. In other words, regardless of whether the endpoint is a user, an IoT device, a system, or a branch office, this model allows secure communication between the parties involved.
SASE grants access dynamically
One of the key aspects of SASE solutions is their ability to grant access privileges dynamically based on factors such as the following:
- User identity: This is crucial in any modern security strategy, especially in SASE, because the user’s identity is verified at the edge before connecting to the requested resource. This strategy is opposed to the traditional approach, where user verification is done after accessing the corporate network.
- Origin of traffic: Another key factor when granting permissions to a user is the origin of the traffic. Where is the user connecting from? The SASE model is designed for users working from any location, be it from a field office or their home, but it takes a nuanced approach. For example, the system could be instructed to flag users requesting access from a different state or country. Such users could be assigned reduced permissions or prevented from accessing the network altogether.
- Time of day: Similar to the previous point, the zero trust principle used by the SASE model can be extended to the time of day the user connects. For example, if a user in Central European Time tries to connect at an unusual hour, their access could be blocked because of the atypical access pattern — even if the origin of the traffic (location) and identity are correct.
- Device: Restricting network access to users connecting from unknown devices is another layer of security commonly used in SASE solutions.
- Data access permissions: Data access permissions can be fine-tuned based on the department or seniority of the user, limiting access to only those who have a legitimate need for it.
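To make the factors above concrete, here is an added policy-evaluation example (not part of the original article or any vendor's product code) that checks identity, device, data entitlement, time of day and traffic origin before granting a short-lived, least-privilege session. The directory contents, working hours and one-hour grant lifetime are assumed values constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample directory (assumed values). A real SASE/ZTNA service would
# pull these from its IAM and device-inventory systems; they are inline here so
# the example runs offline.
HOME_COUNTRY = {"alice": "DE", "bob": "US"}
ENROLLED_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b7", "phone-b2"}}
ENTITLEMENTS = {"alice": {"crm", "wiki"}, "bob": {"wiki"}}
WORK_HOURS = (7, 20)            # [start, end) in the user's home time zone
GRANT_TTL = timedelta(hours=1)  # assumed: grants are short-lived and re-evaluated


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    mfa_verified: bool
    country: str     # origin of traffic, as seen by the edge (e.g. geo-IP)
    local_hour: int  # hour of day in the user's home time zone
    resource: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    scope: str                   # "full", "reduced" or "none"
    reasons: tuple[str, ...]     # why access was denied or narrowed
    expires_at: datetime | None  # when the grant must be re-evaluated


def decide(req: AccessRequest, now: datetime | None = None) -> Decision:
    """Evaluate one request at the edge, before any network access is granted."""
    now = now or datetime.now(timezone.utc)
    reasons: list[str] = []
    # 1. Identity: unknown users and sessions without MFA are denied outright.
    if req.user not in HOME_COUNTRY:
        reasons.append("unknown identity")
    elif not req.mfa_verified:
        reasons.append("MFA not completed")
    # 2. Device: only enrolled devices may connect.
    if req.device_id not in ENROLLED_DEVICES.get(req.user, set()):
        reasons.append("unenrolled device")
    # 3. Data access permissions: the user must have a legitimate need.
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("no entitlement for resource")
    # 4. Time of day: atypical hours are blocked even if identity and origin check out.
    start, end = WORK_HOURS
    if not start <= req.local_hour < end:
        reasons.append("outside usual hours")
    if reasons:
        return Decision(False, "none", tuple(reasons), None)
    # 5. Origin of traffic: an unexpected country is flagged and gets reduced permissions.
    scope = "full"
    if req.country != HOME_COUNTRY[req.user]:
        scope = "reduced"
        reasons.append("origin differs from home country")
    # Least privilege in time as well as scope: the grant expires and is re-evaluated.
    return Decision(True, scope, tuple(reasons), now + GRANT_TTL)
```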
SASE combines SD-WAN with cloud security functions
The foundation of SASE solutions is SD-WAN, a technology that we will discuss in more detail in the next section. In simple terms, SD-WAN provides a secure software-defined network perimeter that integrates with other cloud-based security functions that we mentioned earlier:
- Identity and access management (IAM): IAM is a discipline used for managing digital identities. It includes the processes and technologies for creating, maintaining, and managing digital identities, including but not limited to single sign-on (SSO), multi-factor authentication (MFA), and privileged access management (PAM). In this sense, IAM helps organizations understand who has access to which resources, preventing unauthorized users from accessing key resources as well as revoking access to such resources.
- A secure web gateway (SWG): In simple terms, an SWG protects against web-based threats and provides web filtering and content controls. To do this, the SWG intercepts all web traffic and scans it for malicious content, using multiple virus and malware signatures, behavioral analysis, and reputation analysis. SWGs also help enforce corporate and compliance policies, such as content filtering and data-leak prevention.
- Firewall as a service (FWaaS): You can think of FWaaS as the cloud version of the conventional firewall used by organizations for decades. Some benefits of FWaaS over its counterparts are greater network visibility, ease of scaling, and less management complexity, making it easier to enforce security policies.
- Zero trust network access (ZTNA): ZTNA enables organizations to securely connect users to applications regardless of location. ZTNA verifies every user and device before allowing access to applications, granting permissions to them on a need-to-know, least-privileged basis. The verification is based on multiple factors, including identity, device posture, and location. ZTNA provides several benefits over traditional security models, including increased security, reduced costs, and improved user experience.
- Cloud access security brokers (CASBs): CASBs can be described as cloud-based security policy enforcement points placed between cloud service consumers and cloud service providers that guarantee said policies are complied with. More importantly, depending on how it’s implemented, a CASB can integrate some of the other technologies already described, such as SSO authentication as well as security logging, alerting, malware detection, and more.
SASE integrates multiple security functions
To a large extent, the value proposition of the SASE model has to do with how it tightly integrates different security capabilities mentioned above into a unified platform. This approach is not new: Over the years, major antivirus vendors have extended the capabilities of their original products with new features. Similarly, the SASE framework bundles many security functions into a centralized platform, reducing deployment complexity, providing greater agility, and improving security. Simply put, instead of having to deploy separate devices or services to protect your WAN, you can use a unified SASE security solution.
SASE and SD-WAN
The goal of SD-WAN revolves around connecting users to their applications anytime, anywhere, from any device, no matter where those applications reside. If this definition sounds similar to the objective of the SASE model, that’s because it is.
It’s important to understand that it’s incorrect to think in terms of SD-WAN versus SASE. If we go back to the Gartner report that conceptualized the model, we see that SASE is defined as the combination of SD-WAN and security functions delivered in the cloud. Simply put, SASE is an architecture that combines different elements, the most important being SD-WAN.
With that said, let’s quickly review the similarities and differences between SD-WAN and SASE.
Similarities between SASE and SD-WAN
Let’s start with the similarities between SD-WAN and SASE:
- Secure connection as a goal: As explained a moment ago, the ultimate goal of both SASE architecture and SD-WAN networking technology is to provide a secure connection between all the endpoints involved. In this sense, it may be the case that some security features of SD-WAN overlap with those of an SASE solution.
- Bandwidth optimization: Not everything related to SD-WAN and SASE has to do with security; the user experience is also important. To this end, both are responsible for enforcing performance policies (quality of service) and optimizing bandwidth for critical applications.
- Traffic inspection and prioritization: For both SD-WAN and SASE solutions, it’s critical to carry out first-packet identification and prioritization since this allows routing traffic across the network based on business requirements for any specific application. So, for instance, cloud-native applications are routed to the corresponding SaaS vendor while applications residing in corporate data centers are routed to the corresponding security endpoint.
As you can see, there are a lot of commonalities between SD-WAN and SASE. However, the differences between the two can be decisive when choosing between implementing an advanced SD-WAN or a complete SASE solution.
Differences between SASE and SD-WAN
Let’s now talk about how the SASE model differs from SD-WAN technology:
- In SASE, networking decisions are made by the user’s computer. A differentiating aspect between SD-WAN and SASE is the edge component of the latter. In SASE, the endpoints have security agents that are responsible for networking decisions, while in SD-WAN, this decision is usually made in the cloud.
- SASE provides more robust traffic inspection. As discussed above, SASE is a model that combines multiple security functions on the same platform. This gives SASE solutions an advantage over SD-WAN regarding traffic inspection.
- In SASE, all security features run at once. Generally, SD-WAN uses single-point solutions, which can be limiting. For its part, the SASE architecture combines cloud and edge computing to run all the security features simultaneously.
- SASE can scan attachments for malware while inspecting sensitive data. Again, one of the advantages of SASE solutions is their ability to perform multiple tasks in parallel, which includes scanning for malware while simultaneously inspecting sensitive data.
- SASE provides the convergence of different security solutions. One way to think of the SASE model is as an orchestrator of cloud-based security services. This provides substantial flexibility over SD-WAN solutions since SASE allows enterprises to add new security features as they become available.
SASE’s architecture complements the security offered by SD-WAN by adding services such as SWGs, FWaaS, ZTNA, and CASBs, among others. Moreover, the SASE model efficiently integrates all these security solutions, so ping-ponging between different services is no longer necessary. This makes it easier to manage security policies, improves performance, and helps reduce costs since there’s no need to hire different vendors.
How can SASE help your business?
There are several reasons why enterprises might consider adopting SASE. The most common tends to be the need to connect securely to cloud-based applications and services. However, SASE also provides other advantages over traditional networking and security solutions, including simplified administration, increased agility, and improved security. In addition, SASE is well-suited for enterprises that are looking to adopt a cloud-first strategy or that have a highly distributed workforce.
Let’s go deeper into why your business may benefit from an SASE solution:
- All security services under one umbrella: As mentioned several times already, one of the SASE model’s biggest selling points is how simple it makes managing network security, since all services are accessible from a central dashboard.
- Load balancing and automatic traffic routing: Among the many advantages of the SASE model is its ability to run apps in parallel and take advantage of both load balancing and advanced traffic routing.
- Multi-cloud capabilities: Multi-cloud deployments are the new trend largely due to their resiliency, a must-have for mission-critical applications. One of the advantages of the SASE model is its flexibility, which allows it to be deployed in any infrastructure and thus connect diverse digital workspaces.
- Speed and scalability: Given its cloud-native nature, the SASE model allows a rapid response to the demands of the users and endpoints involved, allowing the service to scale as required.
- Mobile support: The SASE model is device-agnostic, meaning enterprise-level security is offered even for mobile devices that must access an organization’s sensitive resources.
The list above summarizes the main technical reasons for adopting an SASE security architecture. But what about strategic reasons? Next, we will discuss how SASE can help with one of the most pressing challenges organizations face today: maintaining security in hybrid or remote work environments.
SASE and remote working
SASE is well-suited for enterprises with remote workers as it provides the security and performance that are essential for a successful work-from-home strategy. In addition, the cloud-based delivery model of SASE makes it easy to scale up or down as the needs of the workforce change.
Let’s review in more detail the advantages of the SASE model when it comes to working remotely:
- The new normal: The COVID-19 pandemic has resulted in a dramatic increase in the number of employees working from home. Even as offices are starting to gradually re-open, it’s clear that the work-from-home and hybrid work trends are here to stay. So it makes sense to consider the SASE model since it’s designed to provide secure access to the enterprise WAN from anywhere.
- Bring your own device (BYOD): Before the pandemic, allowing employees to use personal devices to access the internal network was considered untenable due to the inherent risk to security. Today, that has changed out of pure necessity. The technologies that make up the SASE model allow any device that has the appropriate agent installed to connect securely. This makes it easy for organizations to apply BYOD strategies and minimize the infrastructure cost associated with the remote-work model.
- Reliable and fast connections: Traffic patterns have changed with the introduction of cloud-based applications. This makes the current network architecture inefficient as all traffic must pass through central on-premises security devices for authentication and authorization, then return to the user’s device. Imagine hundreds of users trying to access different cloud applications during peak hours. There’s no way to provide adequate bandwidth for all of them, which results in lag and reduced productivity. The SASE model is an ideal solution here because it obviates the need for traffic to travel back and forth to the corporate office. All security services are distributed in the cloud, which allows you to take advantage of edge technology to improve latency and bandwidth. Low latencies and fast, stable connections ensure optimal performance for all types of applications, including real-time collaboration tools, videoconferencing, and more.
As you can see, SASE brings many benefits to companies that have embraced remote work as the new normal. At this point, however, it’s worth going back to what makes the SASE model superior to conventional security approaches.
What makes SASE a robust security solution?
SASE isn’t just a solid security solution; it’s in fact better than traditional network security solutions, and for several reasons. As discussed, SASE is much easier to deploy and manage than solutions that predate it, provides better visibility into network traffic and activity, is more scalable, and offers unsurpassed flexibility to meet the needs of a growing business. That includes secure remote work environments.
With that said, let’s analyze and compare the architectures to see how SASE mitigates the additional risk introduced by remote workers:
- The traditional security approach: Employed for decades, this approach focused on shielding corporate data centers and branch offices using secure web gateways and proxies, firewall appliances, and more recently, CASBs and zero trust networks. Note that the strategy revolves around creating secure WANs with limited remote access. The problem with this strategy is that it was not designed to support hundreds of remote workers, IoT devices, or SaaS solutions. Scaling this architecture is expensive and complex.
- The SASE approach: Unlike conventional solutions, SASE’s security model revolves around providing secure access to applications and data regardless of the location of the parties involved. This allows a user to access the company’s WAN from their laptop, mobile device, or an IoT device in order to communicate with a server located on the other side of the world. To achieve this goal, the SASE framework makes use of cloud-based services such as identity-centric systems, end-to-end encryption, firewalls, URL filtering, intrusion-detection systems, anti-malware, antivirus, and so on.
As this brief overview of both architectures indicates, it’s clear that legacy solutions cannot compete with a comprehensive security solution such as the one provided by the SASE model. It’s not just about the security features but also the very design of each solution, as we will see below.
Zero trust and SASE
For decades, IT security has been based on the castle-and-moat model, whose main paradigm is to trust everyone inside the WAN but be wary of any connection from the outside. To that end, all efforts revolved around protecting the network from external threats, neglecting security within the WAN in the process. Over the years, this strategy was shown to have a fundamental design flaw. If an attacker managed to breach the perimeter security, then access to any resource was relatively easy.
Solutions based on SASE principles break this paradigm by implementing a zero trust philosophy. Let’s briefly review the implications of zero trust in SASE.
Zero trust changes everything
In a complete reversal of the castle-and-moat method, zero trust follows the principle of least privilege, whereby no user or service is trusted, even if it’s already inside the network. Moreover, after being verified, the user or service is granted the minimum privileges necessary to perform their job, and only for a limited amount of time.
Zero trust makes it more difficult to circumvent user authentication
Traditionally, authentication has been based on passwords and, in some cases, the IP address of the device from which the connection is made. Unfortunately, both of these security mechanisms can be circumvented by a hacker. On the other hand, solutions that are based on zero trust principles make it almost impossible for threat actors to gain access to the network. This is because the verification process considers aspects such as geolocation, the time of day, the context of the access request, and MFA, among others. On top of all this, zero trust systems can detect unusual patterns in traffic and flag them so that the security team can contain any potential threats.
Tailscale, a zero trust peer-to-peer mesh network
Under the castle-and-moat paradigm, accessing the WAN from the outside was only possible by establishing a secure connection between the corporate gateway and the user through a VPN. As pointed out above, however, this solution is only viable for a few connections, not for hundreds of remote workers accessing the WAN simultaneously.
This is where Tailscale can come into play. Tailscale creates secure peer-to-peer connections using the WireGuard VPN protocol and applying zero trust security principles between the parties involved. This zero trust peer-to-peer mesh network approach reduces latency, improves data transmission throughput, and minimizes network complexity. Moreover, since all users are managed from a central dashboard, enforcing access control policies is simpler, which helps improve security.
SASE is a top-notch security model that combines networking and cloud-based security functions into a single service. It’s designed to address the needs of distributed enterprises, which today more than ever rely on remote workers, edge computing, and cloud-based applications.
In this article, we reviewed the SASE model’s features, how it extends the functionality of SD-WAN technology, and how it’s an excellent solution to address the security challenges related to managing remote workers. Built on WireGuard®, Tailscale ensures that your remote workers can access applications and data safely and conveniently. Consider downloading Tailscale today.
Frequently Asked Questions
Here are a few common questions about SASE, and their answers.
What are some key benefits of SASE?
One of the major advantages of SASE is that it allows you to manage network security services from a central dashboard. Other benefits of the SASE model include its ability to run apps in parallel and take advantage of both load balancing and advanced traffic routing, its multi-cloud capabilities, and its speed and scalability.
How does SASE benefit a remote-work model?
With work-from-home now the new normal, SASE is a good option because it is designed to provide reliable and fast connections and secure access to enterprise WANs from anywhere. It also allows employees’ personal devices to connect securely, reducing the infrastructure costs associated with the remote-work model.
What makes SASE such a robust security solution?
The traditional approach to network security focused on shielding corporate resources with secure web gateways and proxies, firewall appliances, and other solutions that were not designed to support hundreds of remote workers, which makes scaling complex and expensive. Unlike conventional solutions, SASE’s security model revolves around providing remote workers secure access to company resources regardless of the number of employees or where they’re working from.