What is SASE, and how do you use it?
When we talk about the cloud, we refer to something more than hiring space on servers or remotely accessing software services. Collectively, the cloud represents a shift away from the centralised IT environments that replaced mainframes and came to dominate the market. Initially, we articulated this change by adopting Software-as-a-Service and virtual machines, then added concepts such as elastic workloads and renting compute space.
Now the cloud has asserted itself upon the rest of IT infrastructure, redefining networks and user access, not to mention the rapidly dissipating security perimeter. Perhaps we can even call the current security transformation the last stand of the client-server era. The cloud way of doing things is certainly taking over. The mainstream adoption of remote working cemented that status, and security has been trying to follow suit.
Around two years ago, Gartner coined the term Secure Access Service Edge or SASE. SASE has attracted its share of controversy, and some say we are jumping the gun a little here. Yet SASE represents a solution for the current challenges of decentralised security, which explains its growing popularity and the confusion emerging around the concept.
"SASE is a cloud-delivered service that brings together networking and security for users, devices and locations," says Patrick Grillo, senior director, solutions marketing at Fortinet. "A key benefit of SASE is ensuring consistent security for remote users and devices, regardless of their location."
More specifically, says Simeon Tassev, MD at Galix consultancy, it's 'a security framework that combines various security technologies and concepts to provide higher levels of protection in a world without the traditional boundaries'.
'Without the traditional boundaries' goes a long way towards explaining why SASE is suddenly on everyone's lips. Perimeter security could once mitigate some of the problems. Then concepts such as zero trust arose to help counter poor security awareness among users. Software-defined networks bolted security onto network traffic to follow the data, and encryption stopped someone from just scooping up data.
But as we come full circle into the cloud era, such individual strategies are not enough. SASE argues that they should be unified into a singular approach.
"There are two primary use cases driving adoption of a SASE architecture," says Meg Diaz, director, cloud security product marketing at Cisco Secure. "First, securing remote workers — this is all about making sure employees can access applications and data securely from anywhere they work, and doing it in a way that's simple and seamless for the end-users. Another use case is about securing the edge (which is really the WAN edge, from any location), and streamlining and securing connectivity to public and private apps across all office locations."
Is this cloud security?
SASE came into being to secure complicated environments that smash together different types of services. A company may use some SaaS offerings, run workloads in different clouds, and have on-premise storage or applications. Throw in different users with varying locations and devices, and you get a good idea why security is so hard to get right.
More traditional ways to manage security, such as VPNs, don't handle this well: for example, a user who wants to access a SaaS application is first routed through the central company systems to enforce security policies. This creates a bottleneck (not to mention additional traffic costs). It's inefficient, rubbing security against productivity.
Recent security products such as advanced firewalls and SD-WAN can bypass the central security and, instead, check policies through points of presence. Yet if you want to do this beyond SaaS and make it seamless for end-users to access corporate assets as easily as outside services, SASE is the answer.
According to Mark Brown, BSI's global MD for cybersecurity and information resilience, this approach is very appealing to his customers. "Our clients tell us that it solves several challenges, such as the simplification of controls and vendors, portal consolidation, establishing security by design, and, indeed, the potential initiation of a zero trust model, and cost management through a singular response model."
Yet even though SASE is often called 'cloud security', it can manifest as pure cloud, in a hybrid form or as an on-premise solution. It is primarily a managed service, as building and managing a bespoke SASE environment could end up far too expensive. It's best to see SASE as a service bouquet and expect a service provider to align its different elements to your specific needs.
"SASE service providers offer various options to clients, making it easier for them to adopt the SASE architecture," says Tassev. And true to its services approach, SASE is a relevant option for any size company.
But before you jump on the phone and order SASE for your company, there is one more important fact to note. SASE emerged in 2019; it's still a minnow in technology terms and is a concept, not a specific product set. Grillo offers this advice: "The important thing to keep in mind with SASE is that it was sprung on an unsuspecting world less than two years ago. What's been lost in the hype is that Gartner forecasted a five- to 10-year time horizon for it to reach maturity. These are the early Wild, Wild West days of SASE and the relative immaturity of today's service offerings must be viewed through this lens."