Understanding SASE

If you work in cybersecurity, you’ve probably stumbled upon the term SASE but don’t necessarily know what it means, or haven’t had the time to research it yet. At least that was the case for me. So this week, I took a deeper look into the subject and decided to write about my learnings. Hopefully, this article will demystify the SASE concept for some of my readers.

Gartner defined the term SASE (secure access service edge) in 2019, and it is among the hottest topics in infosec. The concept addresses two recent challenges: the increase in remote work and the growing use of public cloud services. Users want instant access to resources located in the cloud and in the on-premise data center, from anywhere and with any device. SASE addresses this by “combining comprehensive wide area network capabilities with tightly integrated network security functions” offered as one cloud service. While reading this, you’ve probably already thought of existing solutions that let users connect and access resources from anywhere and with any device. So why do we need SASE?

Security professionals have been building their security stack in the on-premise data center and network for decades. Employees have worked from office locations, so this security stack has protected them and their traffic. In addition, most business applications have resided on-premise, which means most traffic going to the internet has been simple browsing, software updates, and the like.

In recent years, two significant changes have occurred that largely break this pattern. First, there is the vast increase in remote work, partly forced upon us by the pandemic. Employees are now working from home and will usually connect to the organization’s network with a VPN connection. This gives them access to on-premise applications and keeps them behind the security stack.

The second change is the increased use of public cloud services. Gartner estimates 18% growth in worldwide spending on public cloud services in 2021, and many organizations are moving their workloads from the on-premise data center to the public cloud. As a result, traffic that used to terminate in the data center is now hairpinned through it and back out to the internet. I’ve tried to describe this flow in the illustration below.

Figure 1: Traditional hub and spoke network architecture

Our data center infrastructure was not designed for this type of traffic flow, and many have experienced scalability issues over the past year. Routing all traffic, including video conferencing and public cloud storage data, through the data center can lead to network congestion and delays. This in turn leads to a bad user experience and lost productivity. The quick fix is to throw money at the problem and scale up your network infrastructure. But does it make any sense to invest in on-premise capacity while at the same time migrating your workloads and applications to the public cloud?

Another solution is direct internet access to public cloud services, with split tunneling so that only traffic for on-premise resources goes through the VPN. This gets rid of the network congestion issue but creates a gap in our security. Connections between remote clients or branch offices and the internet no longer pass through our security stack. This means decreased visibility and no central point of policy enforcement. When several clouds are involved, security policies have to be defined in multiple places, the on-premise stack included, which results in a costly and inefficient design.

The secure access service edge (SASE)

Gartner proposes the secure access service edge as the solution to these challenges. The main idea of the model is to centralize networking and security capabilities into one cloud-native service. Instead of building a security stack of multiple siloed point solutions in the on-premise data center, the security functions are bundled together and brought to the edge, close to the end-user. The goal is to provide secure access from anywhere to resources located anywhere, with each access decision based on multiple factors such as identity, device posture, security policy, threat assessment, and more.

There is no minimum requirement or absolute answer to what components SASE should consist of. However, to achieve the goal of secure access, Gartner suggests combining a set of features from the following existing components:

  • Software-defined WAN
  • Cloud access security broker
  • Secure web gateway
  • Zero trust network access
  • Firewall as a service
  • Sensitive-data and malware inspection capabilities
  • Line-rate operation

Gartner predicts that by 2024, 30% of enterprises will adopt cloud-delivered SWG, CASB, ZTNA, and branch office firewall as a service (FWaaS) capabilities from the same vendor, up from less than 5% in 2020. Merging features from all of these into one cloud service can reduce complexity and cost. The organization no longer has to deal with a cluster of point solutions delivered by different vendors. There is less hardware to operate and maintain at the data center and branch offices and fewer agents on the end-user devices.

Figure 2: The figure shows how the SASE framework puts the cloud at the center of the network.

I’ve created this figure to illustrate how SASE puts the cloud at the center of the network. No matter where you are connecting from, whether it is from the on-premise network, a branch office, or the local Starbucks, a connection is made to the SASE cloud service. Every request for a resource is inspected by the full set of security functions, which the service runs in parallel in a single pass rather than chaining one appliance after another. If access is granted, the request is forwarded along the most efficient route. This is why the design works so well: every request goes through the same security checks, independent of source location or requested resource. Security and compliance professionals also benefit, as they now only have to deal with one service when writing and enforcing security policies.

Software clients or virtual appliances are responsible for connecting devices to the nearest point of presence (PoP) of the provider’s WAN, based on geographic location. A globally distributed set of PoPs is necessary so that clients can connect to a site near them and keep network latency low. The software clients (or the cloud service itself) make the networking decisions, and many service providers have direct links to large cloud service providers such as AWS, GCP, and Azure.
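To make the two points above concrete, here is an added example that models a SASE edge in a few lines of Python. It is my own illustration, not code from Gartner or from any SASE vendor: the PoP coordinates, the ZTNA, CASB, SWG and DLP policy tables, and the request records are all constructed for the example. It shows that a request from a remote worker in Oslo and the same request from a branch office in Kuala Lumpur pass through exactly the same checks, with every check evaluated in one pass so all denial reasons are reported together, and that only the choice of PoP differs.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

# Constructed for the example: PoP name -> (latitude, longitude).
POPS = {
    "fra": (50.11, 8.68),    # Frankfurt
    "lhr": (51.51, -0.13),   # London
    "iad": (38.95, -77.45),  # Ashburn
    "sin": (1.35, 103.82),   # Singapore
}
# Constructed ZTNA policy: private app -> groups allowed to reach it.
PRIVATE_APPS = {"crm.internal": {"sales", "it"}, "gitlab.internal": {"it"}}
# Constructed CASB list of sanctioned SaaS that may receive sensitive data.
SANCTIONED_SAAS = {"drive.example-cloud.com"}
# Constructed SWG rule: URL categories blocked for everyone.
BLOCKED_CATEGORIES = {"malware", "phishing"}


@dataclass
class Request:
    user: str
    groups: set
    mfa: bool
    device_compliant: bool
    source: tuple            # (lat, lon) of the client or branch office
    dest: str                # hostname being accessed
    dest_category: str = "business"
    upload_has_pii: bool = False


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    pop: str = ""


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def nearest_pop(source):
    """The client connects to whichever PoP is geographically closest."""
    return min(POPS, key=lambda name: haversine_km(source, POPS[name]))


# Each security function returns a denial reason, or None when it passes.
def check_ztna(req):
    if req.dest not in PRIVATE_APPS:
        return None
    if not req.mfa:
        return "ztna: MFA required for private apps"
    if not req.groups & PRIVATE_APPS[req.dest]:
        return f"ztna: {req.user} not authorised for {req.dest}"
    return None


def check_device(req):
    return None if req.device_compliant else "device: posture check failed"


def check_swg(req):
    if req.dest_category in BLOCKED_CATEGORIES:
        return f"swg: category {req.dest_category} blocked"
    return None


def check_dlp(req):
    if req.upload_has_pii and req.dest not in SANCTIONED_SAAS | set(PRIVATE_APPS):
        return f"dlp: PII upload to unsanctioned {req.dest}"
    return None


CHECKS = (check_ztna, check_device, check_swg, check_dlp)


def evaluate(req):
    """Run every check once, in a single pass, whatever the source location."""
    reasons = [r for check in CHECKS if (r := check(req)) is not None]
    return Decision(allowed=not reasons, reasons=reasons, pop=nearest_pop(req.source))


def run_scenarios():
    """Constructed requests: same user and app from two locations, plus denials."""
    oslo, kuala_lumpur = (59.91, 10.75), (3.14, 101.69)
    sales = dict(user="anna", groups={"sales"}, mfa=True, device_compliant=True)
    return {
        "remote_to_crm": evaluate(Request(**sales, source=oslo, dest="crm.internal")),
        "branch_to_crm": evaluate(Request(**sales, source=kuala_lumpur, dest="crm.internal")),
        "sales_to_gitlab": evaluate(Request(**sales, source=oslo, dest="gitlab.internal")),
        "no_mfa_bad_device": evaluate(Request(user="bob", groups={"it"}, mfa=False,
                                              device_compliant=False, source=oslo,
                                              dest="gitlab.internal")),
        "pii_to_personal_share": evaluate(Request(**sales, source=oslo,
                                                  dest="personal-share.example",
                                                  dest_category="file-sharing",
                                                  upload_has_pii=True)),
        "phishing_site": evaluate(Request(**sales, source=oslo, dest="login-bank.example",
                                          dest_category="phishing")),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:24} allowed={decision.allowed!s:5} pop={decision.pop} {decision.reasons}")
```

The point of `evaluate` is that the policy pipeline is not selected by where the request comes from; the only location-dependent step is `nearest_pop`. In a real service the device posture, URL category and data classification would come from the client agent and the provider’s threat and DLP engines rather than from fields on the request, but the decision structure is the same.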

Current state and looking ahead

Here is another exciting prediction by Gartner: by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch, and edge access, up from 10% in 2020. Adopting SASE is not something you will be able to do overnight, and even if you could, that might not be desirable. The SASE offering is limited at the moment (fewer than ten vendors offer the core functionality listed previously). Many security capabilities are not at a sufficient maturity level yet, and some of the offered services are built on legacy appliance architectures rather than being cloud-native.

Hopefully, this will change in the next couple of years. That is why Gartner recommends creating a migration plan that spans the next 3-5 years. How to build the adoption plan is thoroughly described in the Gartner article “2021 Strategic Roadmap for SASE Convergence”. It is a great read that I recommend if you’re interested in further research.

To close, I just wanted to say that I am really excited to see how this trend develops in the following years. With everyone taking on cloud services so rapidly, it is obvious that something needs to be done from a network and security perspective. SASE definitely seems like a clever solution. Now, if the vendors start living up to all the hype they are creating, the future of the cloud might not be so bad after all.

I hope this article has given you a better understanding of what SASE is. Feel free to message me on LinkedIn if you found the article helpful, or if you have any questions or comments.