SASE: A New Frontier in Secure Enterprise Connectivity
You’ve almost certainly heard about secure access service edge (SASE) if you’ve been looking into upgrading your enterprise’s networking solution — or if you’re simply interested in the latest telecommunications trends and developments. But if you’ve asked what exactly SASE is … you may have gotten a number of confusing or even conflicting answers. If you’re trying to decide whether the technology is right for your organization, that’s not helpful.
Never fear — that’s why you’re in GTT’s Techtorials library. For this entry, we aim to explain the essential tenets of SASE, how it emerged on the scene, its relationship with software-defined wide area networking (SD-WAN), the ironclad cybersecurity capabilities it offers and its potential for widespread adoption in the years to come.
The fundamentals of SASE
The simplest way to think of SASE is as something similar to a wide area network (WAN), but one lacking a centralized architecture with a data center at its root. Instead, SASE architecture is based in the cloud. A branch office or individual device would connect to the SASE service edge through various distributed points of presence (PoPs).
As such, SASE does not have to deal very much with the public internet, aside from its occasional leveraging of public clouds like Amazon Web Services (AWS) and Google Cloud Platform (GCP). It also distinguishes itself from other WAN options through its native advanced network security functions, which are similar to the most cutting-edge cloud security features. (We will discuss these in much more detail below; they include highly advanced encryption and firewalling techniques, among other methods.)
SASE and SD-WAN are sometimes spoken about together, in part because there is still some murkiness about SASE: It is sometimes touted as an ideal replacement for SD-WAN, which — for reasons we’ll explore later in this Techtorial — is not necessarily true, at least not yet. SD-WAN can sometimes work alongside SASE, or it can function as a core element of a SASE service. The fundamental difference between the two lies in SD-WAN’s leveraging of the public internet (to create the virtualized overlay that serves as its connective tissue), which SASE largely avoids.
History of the SASE network model
SASE originated with Gartner: first in the research firm’s mid-2019 Hype Cycle report, and later (in considerably more detail) within the context of a now-famous white paper, “The Future of Network Security is in the Cloud.”
The latter, written by Neil MacDonald, Lawrence Orans and Joe Skorupa, posited that modern enterprises’ security needs and “dynamic access requirements” demanded that they break their dependence on the data center and focus on the cloud. Gartner’s analysts laid out many of the core tenets of SASE: the use of a worldwide network of PoPs to connect disparate branch offices and users via the cloud, convergence of high-end security features in a software stack at the edge and heavy emphasis on low latency.
In some ways, you can look at SASE as a culmination of — or a turning point in — the development of enterprise-scale wide area network (WAN) systems. You can certainly say the technology’s evolution is logical given the direction in which global business and communications have trended: Organizations have been thoroughly digitally transformed, their workforces distributed across a mixture of offices, homes and other locations. They are also heavily reliant on numerous software-as-a-service (SaaS) cloud applications, so it makes sense that a networking method so hyper-focused on the cloud would catch on quickly.
That said, SASE in some ways is still more of a concept than a specific technology. Aside from the conditions MacDonald, Orans and Skorupa set in their Gartner white paper, it has not been formally codified or standardized. As such, there is debate about certain aspects of the model: For example, some are adamant that Gartner’s focus on the cloud edge means the public cloud cannot be part of a SASE enterprise network, whereas others think hybrid and public clouds are just as useful for SASE as their private counterparts.
The lack of clarity also means that any major vendor in telecom can say that they are a SASE vendor, when what more than a few of them actually offer are solutions that can best be described as “almost-SASE.” Perhaps they observe the SASE network model but have higher-than-optimal latency, or aren’t as secure as Gartner’s concept would dictate. In other cases, vendors like Fortinet and Palo Alto Networks have taken their security backgrounds to devise SASE platforms that meet or exceed Gartner’s (somewhat non-specific) threshold, with Fortinet offering its native SD-WAN solution as part of the package. It will likely be some time before there is a definitive standard beyond Gartner for what is and isn’t SASE.
Security advantages of SASE
The key features in the security arsenal of any SASE solution worth its salt are as follows:
- Secure web gateways (SWGs): These portals scan incoming traffic for malicious code, suspicious URLs, malware and other cybersecurity threats, based on parameters established in the network administrator’s security policies. SWGs can help ensure users only have the exact level of access they need for their individual work responsibilities.
- Cloud access security broker (CASB): A CASB sits in the path between an end user at a SASE access point and a cloud service provider, so that any security gaps along that path do not threaten confidential data while SaaS apps and other cloud-based tools are in use.
- Next-generation firewalls (NGFWs): SASE’s reliance on the cloud necessitates firewalls that offer integrated security across both cloud-based and physical environments, which is where NGFWs come in. Depending on the provider, these may be virtualized or hardware-based.
- Advanced threat protection (ATP): As cyberattackers grow more brazen, the malware they develop becomes more complex and harder to combat. ATP systems combine endpoint security tools, email gateways, anti-malware technologies and other methods to take on cyberthreats from all sources.
- Zero trust network access (ZTNA): This security solution allows SASE networks to restrict access by identifying users, devices and applications, rather than locations or IP addresses. In an era of remote working, ZTNA has become extremely valuable.
Only the most secure SD-WAN solutions stack up to what a fully realized SASE platform can offer. Legacy WANs, including many MPLS networks, don’t even come close.
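To make the ZTNA point above concrete, here is an added illustration (not code from GTT or from any SASE vendor) that contrasts a perimeter-style rule, which trusts anything from the office address range, with a ZTNA-style policy that decides on identity, device posture and the specific application instead. The office prefix, group names, applications and sample requests are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str               # authenticated identity (e.g. from the IdP)
    groups: frozenset       # group claims bound to that identity
    device_id: str
    device_managed: bool    # posture: enrolled and compliant, or not
    app: str                # the one application being requested
    src_ip: str

# Perimeter-style rule: anything inside the (hypothetical) office LAN is trusted.
OFFICE_NET = ipaddress.ip_network("10.20.0.0/16")

def perimeter_decision(req: AccessRequest) -> bool:
    return ipaddress.ip_address(req.src_ip) in OFFICE_NET

# ZTNA-style policy: per-application entitlements keyed on identity group and
# device posture. Note that the source address is never consulted.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "managed_only": True},
    "wiki":    {"groups": {"finance", "eng"}, "managed_only": False},
}

def ztna_decision(req: AccessRequest) -> bool:
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False                                # unknown app: default deny
    if not (req.groups & policy["groups"]):
        return False                                # identity not entitled
    if policy["managed_only"] and not req.device_managed:
        return False                                # device posture check failed
    return True

# Constructed sample requests.
SAMPLE_REQUESTS = {
    # Unmanaged personal device plugged into the office LAN, asking for payroll.
    "unmanaged_on_lan": AccessRequest("alice", frozenset({"eng"}), "byod-1",
                                      False, "payroll", "10.20.5.7"),
    # Finance user on an enrolled laptop, working from a home connection.
    "managed_remote": AccessRequest("bob", frozenset({"finance"}), "lt-42",
                                    True, "payroll", "203.0.113.9"),
}

def compare(req: AccessRequest) -> dict:
    """Return both verdicts so the two models can be compared side by side."""
    return {"perimeter": perimeter_decision(req), "ztna": ztna_decision(req)}
```

The first sample is allowed by the perimeter rule purely because of its address and denied by ZTNA because the device is unmanaged; the second is the reverse, which is the remote-working case the text refers to.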
The cloud access and performance potential of SASE
Opinions vary on just how much operational capacity and data enterprises have put into the cloud: Estimates made in the late 2010s and early 2020s projected that figure would exceed 80%, while available data on public cloud utilization suggests something closer to 50% as of mid-2020. But there’s no denying which way the wind is blowing: toward steadily increasing cloud use.
This, in turn, necessitates always-on availability for enterprise users, regardless of location — which is exactly what SASE provides in terms of cloud access and performance. Rerouting traffic according to real-time app needs increases performance when end users need it most, and creating PoPs using a combination of colocation facilities, public cloud and private data centers guarantees secure access to the network regardless of location or device.
SASE is still in its early stages, but with the way things move in telecom, it’s only a matter of time before adoption becomes fairly common. If your enterprise wants to get in on the proverbial ground floor of the technology, get in touch with GTT: Through the underlying strength of our Tier 1 backbone and partnerships with reliably security-focused vendors like Fortinet, Aruba (Silver Peak) and VMware (VeloCloud), we can help you realize truly robust network performance in a world that grows more cloud-centric each day.