Have you heard of SASE?

Cristina De Luca

April 02, 2021

SASE, nice to meet you! For those unfamiliar, SASE is a concept designed by Gartner in 2019 as a new approach to network connection and security. The analyst firm’s report describes a set of technologies called Secure Access Service Edge (SASE) that aims to meet organizations’ evolving demands for secure access in a world that is increasingly in the cloud.

According to Gartner, the growth of digital business, the adoption of cloud-based services and the emergence of edge computing platforms have ended up reversing access demands, with more users, devices, applications, services and data now located outside corporate environments than inside them. What solution can keep up with this trend? As the report’s title suggests, the future of network security is in the cloud – and based on the SASE model. The idea behind this concept is to provide an access control and security stack for networks from the cloud itself.

Many existing technologies were not developed to deal with all types of network traffic or cybersecurity threats. The result is that many IT environments are required to adopt specific solutions for each type of demand, such as firewalls, VPNs, and SD-WANs (Software-Defined Wide Area Networks, used to create high-performance WANs through low-cost connections). In addition, companies find themselves at a crossroads, having to choose among performance, security, and cost savings.

The SASE approach combines WAN features with network security functions, such as SWG (Secure Web Gateway), CASB (Cloud Access Security Broker), FWaaS (Firewall as a Service), and ZTNA (Zero Trust Network Access; “never trust, always check”), among others. It can be seen as the convergence of different access methods and security functions for networks.

Why is SASE different?

This concept is based on a cloud architecture that allows organizations to guarantee secure access, regardless of where users, applications, or devices are located. It focuses on the user, instead of the connection and protection mechanisms.

The SASE model aims to eliminate the juggling currently required to route traffic to and from corporate data centers, when users need very little of what is still located in those environments. Rather than forcing traffic towards the inspection mechanisms at data centers, SASE provides these mechanisms for users, devices, applications, or services – which we can call entities – from the cloud.

These entities’ identity is one of the most significant parts in this context. However, there is other relevant information to be known, such as location, time, assessment of risk or trust of the user’s device, and application or data criticality. Based on these criteria, technologies available in the SASE stack can be chosen to be applied in each situation.

Below are examples of the use of the SASE technology stack for three fictitious entities:

  1. First entity
     Profile: Professional from a third-party company who needs to access a corporate application hosted in a customer data center via Web using an unmanaged device.
     Technologies applied from the stack: ZTNA access to specific locations; protection against attacks using WAAP (Web Application and API Protection) services; monitoring to prevent loss of confidential data by inspecting encrypted traffic.
  2. Second entity
     Profile: Sales professional who needs to access a CRM system using Wi-Fi at the airport, while surfing the Internet using a managed device.
     Technologies applied from the stack: QoS-optimized connection, which controls and manages network resources, defining priorities by data types; SaaS Accelerator with DLP (Data Loss Prevention); malware inspection; UEBA (User and Entity Behavior Analytics); Wi-Fi protection; SWG (Secure Web Gateway) protection with DLP for Internet browsing.
  3. Third entity
     Profile: Set of wind turbines that need edge computing, access to analyze the data collected by sensors and means to transmit the results to AWS, without information on the turbine location.
     Technologies applied from the stack: Low latency ZTNA access that hides IP addresses and establishes an encrypted connection to AWS that is less sensitive to latency with protection for APIs; FWaaS to protect the edge computing environment from attacks.

What will change in other situations is the secure access policies to be applied.
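
The selection described above can be sketched as context-driven rules whose results are combined per entity. This is an added example, not code from the article, Gartner, or any SASE vendor; the attribute names and the way the three entities' services are split into per-attribute rules are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """Attributes of an entity at access time (field names are assumptions)."""
    kind: str               # "user" or "iot"
    managed_device: bool
    network: str            # "internet", "public_wifi", "edge"
    target: str             # "datacenter_web_app", "saas", "cloud_api"
    browsing: bool = False  # also browsing the open Internet

# Each rule: (name, predicate, services it adds). The services come from the
# article's three entities; splitting them into per-attribute rules is an
# assumption made for this example.
RULES = [
    ("web app in data center", lambda c: c.target == "datacenter_web_app",
     {"ZTNA", "WAAP"}),
    ("unmanaged device", lambda c: not c.managed_device,
     {"encrypted-traffic inspection (DLP)"}),
    ("SaaS application", lambda c: c.target == "saas",
     {"QoS", "SaaS accelerator + DLP", "malware inspection", "UEBA"}),
    ("public Wi-Fi", lambda c: c.network == "public_wifi",
     {"Wi-Fi protection"}),
    ("Internet browsing", lambda c: c.browsing, {"SWG + DLP"}),
    ("edge workload", lambda c: c.kind == "iot" and c.network == "edge",
     {"low-latency ZTNA", "API protection", "FWaaS"}),
]

def select_stack(ctx: Context) -> tuple[set[str], list[str]]:
    """Return (services to apply, names of the rules that matched)."""
    services, matched = set(), []
    for name, predicate, adds in RULES:
        if predicate(ctx):
            services |= adds
            matched.append(name)
    return services, matched

# The article's three fictitious entities, expressed as contexts (constructed).
CONTRACTOR = Context("user", False, "internet", "datacenter_web_app")
SALES_REP = Context("user", True, "public_wifi", "saas", browsing=True)
TURBINES = Context("iot", True, "edge", "cloud_api")
# A fourth, constructed case: unmanaged laptop reaching SaaS over public Wi-Fi.
MIXED = Context("user", False, "public_wifi", "saas")

if __name__ == "__main__":
    for label, ctx in [("contractor", CONTRACTOR), ("sales rep", SALES_REP),
                       ("turbines", TURBINES), ("mixed", MIXED)]:
        services, matched = select_stack(ctx)
        print(f"{label}: {sorted(services)} (rules: {matched})")
```

The fourth context shows the point of the closing sentence above: the stack is unchanged, but a different combination of attributes yields a different policy, and the matched rule names give an audit trail for why each service was applied.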

Benefits

The SASE model provides a set of access and security services for networks in a consistent and integrated manner. As a result, it can bring the following benefits:

  1. Flexibility: Based on the cloud, the SASE architecture can provide, on demand, easily and quickly, access services (such as routing and caching) and security services (such as threat prevention, filtering, sandboxing, protection against data loss, and state-of-the-art policies).
  2. Reduction of costs and complexities: By contracting secure access services from SASE stack providers, based on the traditional cloud subscription model, organizations can reduce the costs of both acquisition and maintenance of IT assets and the associated complexities of team and environment management.
  3. Improved performance and latency: Leading SASE vendors will vie for the attention of organizations who work with critical applications in terms of performance and latency, such as videoconferencing, collaboration tools, and video streaming. For this type of use, data flow can be routed to structures with higher bandwidth, relieving the concern about these requirements.
  4. More security and mobility: The SASE architecture provides consistent, fast, and secure access to any resource of any entity in any location.
  5. Up-to-date access and security features: Protection mechanisms can evolve as more and more threats emerge, without the usual headaches related to hardware capacity or the acquisition of tools with more functionalities. In addition, SASE suppliers can make the latest and most innovative technologies available in their stacks.

Life is not a bed of roses

For Gartner, SASE will be as disruptive for network access and security architectures as Infrastructure as a Service (IaaS) has been for data center design, by reducing the acquisition of hardware and software and associated complexities while allowing secure access regardless of where users and devices are located. However, there are those who think differently.

One side states that SASE does not appear to be a new market, let alone a new technology or product. In addition, most companies are unlikely to want to acquire everything from a single vendor. The IDC research and consulting firm, as highlighted in the Five Key Enterprise Networking Trends to Watch in 2020 report, believes that SD-Branch (Software-Defined Branch) will be the natural evolution of SD-WAN, an extension with resources for other network aspects. SD-Branch, for example, can enable implementation of software-defined versions of devices, such as routers, switches and firewalls, but there are challenges related to the chaining of these applications. The Gartner report itself warns that the chaining practice should be avoided when it comes to SASE.

Perspectives and recommendations

Some of the first companies to join the SASE market are Cato Networks, Infoblox and Palo Alto Networks. VMware stated in 2019 that its VeloCloud SD-WAN would become a SASE platform. More players have taken the field over the months. Despite being a big name in the IT universe and having expertise in both networks and security, Cisco took a little longer to demonstrate its ambitions in the SASE market, doing so only in mid-2020.

The current outlook includes expansion for this market that combines security and vendor consolidation. The statement is part of a 650 Group report, released in February 2021, affirming that this market is expected to grow five times in the 2020-2025 period. Another study released in October 2020, this one by Dell’Oro Group, made growth forecasts for this market, highlighting a compound annual rate of 116% in 2019-2024 and an estimated value of US$ 5.1 billion at the end of the period.

On the customer side, Gartner predicts that at least 40% of companies will have explicit strategies to adopt SASE by 2024, compared to the share of less than 1% at the end of 2018.

Gartner recommends that organizations looking to move forward on this path exercise caution. Many companies have different teams for matters related to network and information security. Each one may impose restrictions on SASE adoption or may even want to take the lead in managing this new architecture. To resolve this impasse, the initiative is expected to have a value proposition including different silos and be led by professionals at the CISO and CIO levels.