Secure access service edge

A secure access service edge (SASE) is a technology model that delivers wide area network (WAN) and security controls as a cloud computing service directly at the source of the connection (a user, device, Internet of things (IoT) device, or edge computing location) rather than at a data center. [1] It uses cloud and edge computing to reduce the latency that results from backhauling all WAN traffic over long distances to one or a few corporate data centers, a problem made worse as dispersed users and their applications increasingly move off-premises. [2] This also helps organizations support dispersed users and their devices during digital transformation and application modernization initiatives.


Security is based on digital identity, real-time context, and company and regulatory compliance policies, rather than on a security appliance such as a firewall. A digital identity may be attached to anything from a person to a device, cloud service, application software, IoT system, or any other computing system. [2]

The term was coined in 2019 by Neil MacDonald, a market analyst at Gartner. [3]

Overview

SASE combines SD-WAN with network security functions, including cloud access security brokers (CASB), Secure Web Gateways (SWG), antivirus/malware inspection, virtual private networking (VPN), firewall as a service (FWaaS), and data loss prevention (DLP), all delivered by a single cloud service at the network edge.

SASE SD-WAN functions may include traffic prioritization, WAN optimization, converged backbones and self-healing using artificial intelligence platforms (AIOps) to improve reliability and performance. [4] [5]

WAN and security functions are typically delivered as a single service at dispersed SASE points of presence (PoPs) located as close as possible to dispersed users, branch offices and cloud services. [2] To access SASE services, edge locations or users connect to the closest available PoP. SASE vendors may contract with several backbone providers and peering partners to offer customers fast, low-latency WAN performance for long-distance PoP-to-PoP connections. [2]

History

The term SASE was coined by Gartner analysts Neil MacDonald and Joe Skorupa and described in a July 29, 2019 networking hype cycle [6] and market trends report, [7] and in an August 30, 2019 Gartner report. [2]

In 2021, Gartner defined a subset of SASE capabilities, called Secure services edge (SSE). [8] SSE is a collection of SASE security services that can be implemented together with network services, like SD-WAN, to provide a complete solution. [8]

Drivers

SASE is driven by the rise of mobile, edge and cloud computing in the enterprise at the expense of the LAN and corporate data center. As users, applications and data move out of the enterprise data center to the cloud and network edge, moving security and the WAN to the edge as well is necessary to minimize latency and performance issues. [9]

The cloud computing model is meant to delegate and simplify delivery of SD-WAN and security functions to multiple edge computing devices and locations. Based on policy, different security functions may also be applied to different connections and sessions from the same entity, whether SaaS applications, social media, data center applications or personal banking, according to Gartner. [2]

The cloud architecture provides typical cloud enhancements such as elasticity, flexibility, agility, global reach and delegated management.

Characteristics

SASE principal elements are:

Gartner and others promote a SASE architecture for the mobile, cloud-enabled enterprise. Benefits include:

Reduced complexity

SASE reduces complexity with its cloud computing model and a single vendor for all WAN and security functions, versus multiple security appliances from multiple vendors at each location. Reduced complexity also comes from a single-pass architecture that decrypts the traffic stream once and inspects it with multiple policy engines, rather than chaining multiple inspection services together. [10]
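The identity- and context-based policy model described in the Overview and Drivers sections, combined with the single-pass inspection described here, can be modelled as follows. This is an added example, not code from the article or from any SASE vendor; the engine names, rules, group names and DLP labels are constructed assumptions. Each session is parsed and decrypted once into a context object, every policy engine (FWaaS, SWG, CASB, DLP) evaluates that same context, and the most restrictive verdict wins while all reasons are retained for audit.

```python
from dataclasses import dataclass

# Verdicts ordered from least to most restrictive; the most restrictive wins.
ALLOW, ISOLATE, BLOCK = "allow", "isolate", "block"
SEVERITY = {ALLOW: 0, ISOLATE: 1, BLOCK: 2}

@dataclass(frozen=True)
class SessionContext:
    """Everything the engines need, parsed and decrypted once (the single pass)."""
    user: str
    groups: frozenset          # identity attributes, e.g. directory groups
    device_managed: bool       # real-time device posture
    device_patched: bool
    dest_category: str         # "saas", "social", "banking", "datacenter", ...
    payload_labels: frozenset  # DLP classifications seen in the decrypted stream

def fwaas(ctx):
    # FWaaS: network policy keyed on identity rather than source IP (hypothetical rule).
    if ctx.dest_category == "datacenter" and "engineering" not in ctx.groups:
        return BLOCK, "fwaas: data center apps limited to engineering group"
    return ALLOW, "fwaas: ok"

def swg(ctx):
    # SWG: destination-category policy combined with device posture (hypothetical rule).
    if ctx.dest_category == "social" and not ctx.device_managed:
        return ISOLATE, "swg: social media from an unmanaged device is rendered in isolation"
    return ALLOW, "swg: ok"

def casb(ctx):
    # CASB: SaaS access conditioned on device posture (hypothetical rule).
    if ctx.dest_category == "saas" and not ctx.device_patched:
        return BLOCK, "casb: SaaS access requires a patched device"
    return ALLOW, "casb: ok"

def dlp(ctx):
    # DLP: acts on labels found during the same decrypted pass (hypothetical rule).
    if "pci" in ctx.payload_labels and ctx.dest_category != "datacenter":
        return BLOCK, "dlp: cardholder data may not leave the data center"
    return ALLOW, "dlp: ok"

ENGINES = [fwaas, swg, casb, dlp]

def evaluate(ctx, engines=ENGINES):
    """Run every engine over the same parsed context; return the most
    restrictive verdict plus every engine's reason, so decisions are auditable."""
    verdict, reasons = ALLOW, []
    for engine in engines:
        v, why = engine(ctx)
        reasons.append(why)
        if SEVERITY[v] > SEVERITY[verdict]:
            verdict = v
    return verdict, reasons

if __name__ == "__main__":
    # Constructed sessions: the same user, different destinations and posture.
    alice = dict(user="alice", groups=frozenset({"sales"}), payload_labels=frozenset())
    print(evaluate(SessionContext(device_managed=True, device_patched=True,
                                  dest_category="saas", **alice)))
    print(evaluate(SessionContext(device_managed=False, device_patched=True,
                                  dest_category="social", **alice)))
```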

Universal access

A SASE architecture is designed to provide consistent, fast, secure access to any resource from any entity at any location, as opposed to access centered primarily on the corporate data center.

Cost efficiency

Cost efficiency comes from the cloud model, which shifts up-front capital costs to monthly subscription fees, consolidates providers and vendors, and reduces the number of physical and virtual branch appliances and software agents IT has to purchase, manage and maintain in-house. Cost reduction also comes from delegating maintenance, upgrades and hardware refreshes to the SASE provider.

Performance

Performance of applications and services is enhanced by latency-optimized routing, which particularly benefits latency-sensitive video, VoIP and collaboration applications. SASE providers can optimize and route traffic through high-performance backbones contracted with carrier and peering partners. Performance is also increased by implementing all security functions in a single-pass architecture inside a single PoP, avoiding unnecessary routing. [10] Depending on the implementation, SASE may reduce the number of apps and agents a device requires to a single app, while providing a consistent user experience regardless of where the user is or what they are accessing. [10]

Consistent security

Consistent security is achieved via a single cloud service for all WAN security functions and WAN connections. Security is based on the same set of policies, with the same security functions delivered by the same cloud service to every access session, regardless of application, user or device location, and destination (cloud or data center application). Once the SASE provider adapts to a new threat, the adaptation can be made available at all the edges. [2]

Criticism

Criticism of SASE has come from several sources, including IDC and IHS Markit, as cited in a November 9, 2019 SDxCentral post written by Tobias Mann. [11] Both analyst firms criticize SASE as a Gartner term that is neither a new market, technology nor product, but rather an integration of existing technology with a single source of management.

Clifford Grossner of IHS Markit criticizes the lack of analytics, artificial intelligence and machine learning as part of the SASE concept and the likelihood that enterprises won't want to get all SD-WAN and security functions from a single vendor. Gartner counters that service chaining of security and SD-WAN functions from multiple vendors yields “inconsistent services, poor manageability and high latency.” [11]

IDC analyst Brandon Butler cites IDC's position that SD-WAN will evolve to SD-Branch, defined as centralized deployment and management of virtualized SD-WAN and security functions at multiple branch office locations.

SASE technologies

SD-WAN

SD-WAN is a technology that simplifies wide area networking through centralized control of the networking hardware or software that directs traffic across the WAN. It also allows organizations to combine or replace private WAN connections with Internet broadband, LTE and/or 5G connections. The central controller sets policies and prioritizes, optimizes and routes WAN traffic, dynamically selecting the best link and path for optimum performance. SD-WAN vendors may offer some security functions with their SD-WAN virtual or physical appliances, which are typically deployed at the data center or branch office.
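The controller behaviour described above (policy-driven, dynamic selection of the best link per application class) can be illustrated with the following added example; it is not code from the article or from any SD-WAN product, and the link names, measured metrics, costs and SLA thresholds are constructed assumptions. Links that violate a class's SLA are excluded and the cheapest compliant link is chosen, so bulk traffic stays on inexpensive broadband while VoIP fails over to a premium link when broadband degrades.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    latency_ms: float   # measured by the SD-WAN edge's path probes
    loss_pct: float
    jitter_ms: float
    cost: int           # relative cost of carrying traffic; lower is preferred
    up: bool = True

# Per-application-class SLA thresholds (constructed values).
SLA = {
    "voip":  {"latency_ms": 150, "loss_pct": 1.0, "jitter_ms": 30},
    "video": {"latency_ms": 250, "loss_pct": 2.0, "jitter_ms": 50},
    "bulk":  {"latency_ms": 1000, "loss_pct": 5.0, "jitter_ms": 500},
}

def meets_sla(link, sla):
    """A link qualifies only if it is up and within every SLA threshold."""
    return (link.up
            and link.latency_ms <= sla["latency_ms"]
            and link.loss_pct <= sla["loss_pct"]
            and link.jitter_ms <= sla["jitter_ms"])

def select_link(app_class, links):
    """Return the name of the cheapest SLA-compliant link, or None if no
    link can carry this class right now (policy may then drop or queue)."""
    sla = SLA[app_class]
    candidates = [l for l in links if meets_sla(l, sla)]
    if not candidates:
        return None
    # Tie-break equal-cost links on measured latency.
    return min(candidates, key=lambda l: (l.cost, l.latency_ms)).name

def plan(links, classes=("voip", "video", "bulk")):
    """Controller decision for every class against the current link metrics."""
    return {c: select_link(c, links) for c in classes}

if __name__ == "__main__":
    links = [Link("broadband", 40, 0.5, 10, cost=1),
             Link("lte", 90, 1.5, 40, cost=3),
             Link("mpls", 30, 0.1, 5, cost=10)]
    print(plan(links))        # every class on cheap broadband
    links[0].loss_pct = 3.0   # broadband degrades: voip -> mpls, video -> lte, bulk stays
    print(plan(links))
```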

Typically, SASE incorporates SD-WAN as part of a cloud service that also delivers mobile access and a full security stack from a local PoP.

Next Generation Firewall (NGFW)

NGFW combines a traditional firewall with other security and networking functions geared to the virtualized data center. Security functions include application control, deep and encrypted packet inspection, intrusion prevention, Web site filtering, anti-malware, identity management, threat intelligence and even WAN quality of service and bandwidth management. [12]

NGFW offers a subset of the security stack offered by SASE, and typically does not include SD-WAN services. NGFW may be deployed on premises or as a cloud service, while SASE is a cloud architecture by definition. While SASE focuses security on WAN connections, an NGFW can be deployed anywhere, including internally in the data center.

Firewall as a Service (FWaaS)

FWaaS is a firewall offered as a cloud service, rather than on premises as software or hardware. Most FWaaS providers offer NGFW capabilities. Typically, an entire organization is connected to a single FWaaS cloud with no requirement for maintaining its own firewall infrastructure. SASE combines edge FWaaS with other security functions and SD-WAN. [2]

Similar technology

Network as a Service (NaaS)

SASE and NaaS overlap in concept. NaaS delivers virtualized network infrastructure and services using a cloud subscription business model. Like SASE, it offers reduced complexity and management costs. Typically, different NaaS providers offer different service packages, such as a package of WAN and secure VPNs as a service, bandwidth on demand, or hosted networks as a service. By contrast, SASE is meant to be a single comprehensive secure SD-WAN solution for branch offices, mobile users, data centers and any other secure enterprise WAN requirement.

Zero Trust Edge

Research firm Forrester refers to a SASE-like type of converged network and security stack as Zero Trust Edge (ZTE). [13] Forrester describes its model as similar to Gartner’s, but with additional emphasis on incorporating zero trust principles to authenticate and authorize users. [13]

Marketplace

Gartner expects the market for SASE solutions to grow to $15 billion in 2025, with buyers split between adopting single-vendor and multi-vendor solutions. [14] Some vendors focus on the networking aspects while others focus on the security aspect, which is now referred to as Secure Service Edge (SSE). [14] A March 2022 study by Dell’Oro Group identified over 30 vendors offering SASE solutions, and identified Cato Networks, Versa, and VMware as having a unified SASE platform. [15]

Standards

MEF, originally known as the Metro Ethernet Forum, has become a next-generation standards organization with a broad focus on software-defined network and security infrastructure services for service providers, technology manufacturers, and enterprise network design. To create a future in which interoperation between "best of breed" solutions is possible, MEF set out to create a number of industry standards that could be leveraged for training as well as integration. The MEF SASE Services Definition (MEF W117) committee was established and will provide a draft technical specification for public use. This specification is the work of a number of technology manufacturers and several service providers and is based on current MEF technical specifications such as MEF 70.1 Draft Release 1, SD-WAN Service Attributes and Service Framework.

MEF released a Working Draft, "MEF W117 draft 1.01 SASE (Secure Access Service Edge) SASE Service Attributes and Service Framework", in August 2021. The document is available to MEF participating companies and members.


References

  1. "Invest Implications: 'The Future of Network Security Is in the Cloud'". Gartner. Retrieved April 5, 2020.
  2. MacDonald, Neil; Orans, Lawrence; Skorupa, Joe (August 30, 2019). "The Future of Network Security Is in the Cloud". Gartner.
  3. Musthaler, Linda (November 12, 2019). "SASE is more than a buzzword for BioIVT". Gartner. Retrieved June 24, 2022.
  4. Conran, Matt (October 24, 2019). "The evolution to Secure Access Service Edge (SASE) is being driven by necessity". Network World. Retrieved December 20, 2020.
  5. Mann, Tobias (January 21, 2021). "SASE is more than a buzzword for BioIVT". Retrieved June 24, 2022.
  6. "Hype Cycle for Enterprise Networking, 2019". Gartner. Retrieved December 20, 2020.
  7. "Market Trends: How to Win as WAN Edge and Security Converge Into the Secure Access Service Edge". Gartner. Retrieved December 20, 2020.
  8. Shackleford, Dave (March 1, 2022). "SASE is more than a buzzword for BioIVT". TechTarget. Retrieved June 24, 2022.
  9. Conran, Matt (October 3, 2019). "Secure Access Service Edge (SASE): A reflection of our times". Network World. Retrieved December 20, 2020.
  10. Maria, Dave (September 7, 2020). "What is SASE? A cloud service that marries SD-WAN with security". Network World. Retrieved June 24, 2022.
  11. "Analysts Debate SASE's Merits as Vendors Board Hype Train". SDxCentral. Retrieved November 18, 2019.
  12. "What is a Next Generation Firewall? Learn about the differences between NGFW and traditional firewalls". Digital Guardian. November 27, 2017. Retrieved December 20, 2020.
  13. Mann, Tobias (February 16, 2021). "SASE is more than a buzzword for BioIVT". Forrester. Retrieved June 24, 2022.
  14. "Forecast Analysis: Secure Access Service Edge, Worldwide". Gartner. March 1, 2022. Retrieved June 27, 2021.
  15. Mann, Tobias (March 1, 2022). "VMware, Cato, Versa Claim Unified SASE Title". Gartner. Retrieved June 24, 2022.