SASE is a mindset rather than a product. It's a way of thinking about and managing security that unites it with network infrastructure, empowering administrators to handle them both as a single entity in the cloud. It is location independent, securing assets wherever they are, even those outside the office. It is also device-independent, handling not only mobile devices and those found inside the server room, but also newer, more challenging ones such as IoT sensors and edge-computing systems.
SASE refocuses security on identity, explains Orange Cyberdefense CTO Peter Mesker. "You only allow access for identities that you know of, and only to those applications that they are allowed to use," he says, adding that SASE is a cloud-native approach to security. "You handle that access via a cloud-based security architecture."
Gartner originally conceived SASE in August 2019, publishing research positioning the future of network security in the cloud rather than in customer data centers. Its argument was simple: the traditional network perimeter had collapsed, and legacy approaches to security no longer worked.
Twenty years ago, enterprise IT infrastructures were protected by a ring of iron, built from firewalls and VPNs. Traffic was either outside the network and untrusted or inside the network and trusted. In 2004, a collection of CISOs called the Jericho Group predicted this model's demise, calling for a deperimeterization of enterprise IT. Organizations should focus less on traffic at the perimeter and more on the traffic reaching individual assets, it warned. All traffic would be untrusted, wherever it traveled. Everyone would have to prove their right of access.
As cloud services moved applications and storage outside the corporate network, Jericho's prediction became true, and the perimeter became less relevant. IoT and edge-computing deployments eroded it still further. By the time Gartner's paper dropped, companies had long been struggling with security models designed for the old order.
How SASE works
SASE redefines security for this cloud-based, perimeter-free era. It reduces complexity by replacing a scattered multi-vendor set of on-premise security services with a simpler set of cloud-based ones. These services range from firewalls and secure web gateways through to cloud access security brokers, DNS security solutions, and beyond.
Beyond this, SASE simplifies and accelerates the application of security policies by unifying security and network operations, applying security functions as container-based cloud services running at points of presence close to the user's location.
The SASE model applies these security measures not to specific devices but to all traffic passing across that network. Administrators can automatically apply security policies on a per-session basis, governed by parameters, including: who the user is, which location they're accessing from, and the properties of the device they're using. They can also adapt those policies based on the service that the user is accessing.
For this to work, the security service set must be closely integrated with the network infrastructure. That's why software-defined wide area networks (SD-WANs) complement containerized cloud-based security functions.
"SASE involves the same portal, the same orchestrator, and the same service provider for both networks (via SD-WAN) and network security," explains Thomas Sourdon, Strategic Marketing and Innovation Director of the Connectivity Business Unit at Orange Business.
SD-WANs give companies the flexibility they need to adapt traffic routes and network services. Their software-defined platforms support the software-defined security approach that underpins an SASE environment.
Integrating security and wide-area network services supports another key part of the SASE playbook by moving security and other network services closer to the point of consumption, explains Sourdon. That's critical in a world where more users are working remotely than ever before.
"You need local SD-WAN in order to do traffic steering, load balancing and application performance management on the remote site to ensure good performance," he continues.
Part of the performance boost from SD-WAN comes from secure, direct access to cloud-based applications. In traditional enterprise networks, companies pass cloud application traffic from remote users through their own security appliances in a hub-and-spoke model. This creates a bottleneck and introduces performance issues.
Putting security functions in a nearby SD-WAN PoP gives remote users direct access to cloud services without touching the data center. The enterprise still gets the identity-centric protections it needs.
Obstacles to SASE adoption
SASE may be attractive, but it also comes with challenges. It's a broad-ranging, multi-disciplinary project with many moving parts. Today, many vendors still have a security mindset rooted firmly in a legacy on-premise approach. Those that are cloud-native still can't provide all the necessary pieces. Many of them lack the understanding necessary to apply session policies based on the context of the data in play.
For this reason, companies should consider a mini-platform approach. It's unlikely that one vendor will support an entire end-to-end SASE service for a long time to come, but it will be possible to combine services from a handful of vendors, using an integrator to help craft a seamless service.
Faced with these challenges, Gartner's paper predicted a slow start for SASE. It said that at least 40% of enterprises will have SASE strategies by 2024. Since then, the world has experienced a generational crisis as the pandemic forced large swathes of people to work from home. This makes the SASE model more urgent, explains Mesker.
"This is a new way of working, and it will remain so. People will probably never come back to the office five days a week," he predicts. "So we see an acceleration of digital transformation as many applications and companies move to public cloud environments."
Companies that had to rush through remote working strategies now realize this need for longer-term planning. They are just beginning to explore SASE's possibilities. Given the broad nature of the initiatives to come, it is important that they begin having those conversations now, Mesker says, adding that the transformation will be incremental. "We must start those discussions with customers," he advises. "We have to start building parts of this architecture as we move forward."