SASE is another approach to securing information system clients, positioned close to the user rather than next to the resources being protected. Short for Secure Access Service Edge, SASE proposes to change the way organizations think about remote access, VPN connections and access to applications hosted in the modern multi-cloud enterprise or consumed as SaaS.
Enterprise IT architecture and topologies are evolving:
- more applications are hosted in external and public cloud
- more critical services are consumed as SaaS (email, CRM, communication, source repository, workflows, accounting)
- users are distributed on more sites, working from colocation and even from home
- data is available from everywhere, not just from central applications near datalakes
Security for remote access users, and by extension for all users in a modern enterprise design, no longer needs to be built only at the enterprise network perimeter or inside the datacenter. VPN and VDI remain valid ways to bring users back onto the corporate network, but hub-and-spoke architectures no longer fit. Multiple (mostly hybrid) datacenters complicate IP flows, and the bandwidth needed to backhaul remote users through the datacenter to cloud and SaaS resources can be expensive.
Repositioning access security for applications at the edge of the network changes the way enterprises view security. There is no need to build VPNs that all converge on a central datacenter infrastructure that will always be the wrong size: too big when the bill arrives or when it has to be administered, too small when events such as strikes, pandemics or climate-related disruptions occur. The main issue with VPN and network sizing is the order of magnitude: when capacity runs short, the shortfall is large, more like 5 or 10 times, not 10%.
User access connectivity can be consumed as a service, with different levels of coverage and security, from a provider that offers points of presence near each user, at the edge of the network. It is also an opportunity to move this part of the spend from CAPEX to OPEX and to take advantage of the scalability a cloud offer should provide.
The promise of SASE is to position security for user-to-application access in multiple locations around the Internet so that it sits near the user, dropping unwanted traffic early in the path and applying a high level of security through technologies and principles covering two main areas:
- the network connectivity part: solutions like software-defined WAN (SD-WAN), Content Delivery Network access, WAN optimization to reduce bandwidth usage and optimize IP protocols, or network as a service.
- the security part: CASB (Cloud Access Security Broker) to broker access to SaaS applications, SWG (Secure Web Gateway) for URL filtering, ZTNA (Zero Trust Network Access), which is directly linked to SASE by inverting the risk assumption to "no-one is trusted" so that every access is authenticated and authorized regardless of network location, FWaaS (Firewall as a Service), and secure DNS as a first line of defense for access to services and applications.
For enterprises, the main advantages of the SASE approach include:
- better performance through closer edge service location
- higher levels of security (depending on the provider's offer)
- fewer solutions for I&O teams to manage, making it easier to focus on the most important IT services
- ability to handle multiple populations (employees, interns, partners, suppliers, …)
- service level adaptable by user category
- service scalability
- transitioning CAPEX and internal maintenance services to pure service and OPEX
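To make the ZTNA principle from the security part above concrete, together with the per-population and per-category service levels listed among the advantages, here is an added example of a toy policy decision point in Python. It is not code from the original article or from any SASE vendor; the populations, application names, posture attributes and session lengths are assumptions for illustration. The point it demonstrates is the inversion to "no-one is trusted": every request is denied unless a rule explicitly grants it, being on the office LAN earns no trust by itself, and device posture is checked on each request.

```python
"""
Added example (not from the original article or any SASE vendor): a toy
ZTNA-style policy decision point. Every request is denied unless a rule
explicitly grants it, network location never grants trust on its own, and
device posture is checked on every request. Populations, application names,
posture attributes and session lengths are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in the enterprise MDM/EDR (assumed attribute)
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    population: str        # employee, intern, partner, supplier, ...
    device: Device
    app: str               # target application or SaaS service
    location: str          # office, home, unknown: informational only


@dataclass(frozen=True)
class Rule:
    populations: FrozenSet[str]
    apps: FrozenSet[str]
    require_managed: bool = False   # refuse unmanaged devices
    require_posture: bool = False   # refuse unpatched/unencrypted devices
    session_minutes: int = 60       # service level attached to the rule


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    session_minutes: Optional[int] = None


# Constructed policy for the example. First matching rule wins; anything not
# matched falls through to the default deny at the end of decide().
POLICY: List[Rule] = [
    Rule(frozenset({"employee"}), frozenset({"mail", "crm", "git", "accounting"}),
         require_managed=True, require_posture=True, session_minutes=480),
    Rule(frozenset({"intern"}), frozenset({"mail", "git"}),
         require_managed=True, require_posture=True, session_minutes=240),
    # Partners use their own devices, so they get a short session and only CRM.
    Rule(frozenset({"partner"}), frozenset({"crm"}), session_minutes=30),
    Rule(frozenset({"supplier"}), frozenset({"workflow"}), session_minutes=30),
]


def posture_ok(device: Device) -> bool:
    """Minimal posture check; a real broker would query MDM/EDR telemetry."""
    return device.disk_encrypted and device.os_patched


def decide(req: Request, policy: List[Rule] = POLICY) -> Decision:
    """Evaluate one request against the policy. Unmatched requests are denied."""
    for rule in policy:
        if req.population not in rule.populations or req.app not in rule.apps:
            continue
        # req.location is deliberately not consulted: being on the office LAN
        # earns no trust, which is the "no-one is trusted" inversion.
        if rule.require_managed and not req.device.managed:
            return Decision(False, f"{req.app}: unmanaged device for {req.population}")
        if rule.require_posture and not posture_ok(req.device):
            return Decision(False, f"{req.app}: device posture check failed")
        return Decision(True, f"{req.app}: granted by {req.population} rule",
                        rule.session_minutes)
    return Decision(False, f"{req.app}: no rule for {req.population} (default deny)")


if __name__ == "__main__":
    # Constructed sample requests.
    healthy = Device(managed=True, disk_encrypted=True, os_patched=True)
    byod = Device(managed=False, disk_encrypted=False, os_patched=True)
    samples = [
        Request("alice", "employee", healthy, "crm", "home"),       # allow from home
        Request("alice", "employee", byod, "crm", "office"),        # deny: LAN earns nothing
        Request("bob", "intern", healthy, "accounting", "office"),  # deny: app out of scope
        Request("carol", "partner", byod, "crm", "unknown"),        # allow, 30 min session
    ]
    for r in samples:
        d = decide(r)
        print(f"{r.user:6} {r.population:9} {r.app:11} from {r.location:8} -> "
              f"{'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

The first-match semantics are the same as a firewall rule base: a restrictive rule for a population placed before a permissive one wins, so rule order is part of the policy and should be reviewed like one. A real ZTNA broker would also bind the decision to a short-lived session token and re-evaluate posture when it expires, which is what the session_minutes field stands in for here.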
As SASE is not a technology but a service grouping multiple technologies, providers need to work on their offers. These offers will probably mature in the 2023-2025 timeframe (see The Future of Network Security Is in the Cloud, Gartner G00441737), but events like Covid-19 may accelerate them and create demand for a smooth transition of organizations towards this kind of approach.