Understanding SASE (Secure Access Service Edge)
Let’s get the elephant in the room out of the way first - it’s pronounced “Sassy.”
You would probably not get that from first glance (or second glance, or third glance,) but at least now you know you won’t make any embarrassing mistakes when discussing it. It stands for Secure Access Service Edge, and it’s a framework for a cloud secure network architecture that allows for today’s “Work from anywhere” work force to securely connect to the systems and assess they need.
To be clear, because this point gets confusing: SASE is not a specific tool or suite of tools or a protocol. It’s a framework for network architecture comprised of several different cloud applications and technologies, all combined into one cloud-delivered platform. The “Edge” part of SASE refers to the edge of the cloud where all of your business-critical applications live. Keeping the cloud safe via the cloud - this is a big shift in how people traditionally think of network security.
Keeping the Castle Safe
Prior to the coronavirus pandemic, 23% of people who could work from home regularly teleworked; during the pandemic it reached as high as 83%. Now that many offices have reopened, 61% of those workers now choose to work at home at least part of the week because they want to. Smart companies have embraced this by allowing hybrid or fully remote work options.
(Pew Research. (2022, February 16) Covid 19 Pandemic Continues to Reshape Work in America)
When everyone was coming in to a central location, network security was a lot easier. Your office was a castle, and all comers had to cross a well-fortified moat for network access. Securing the “edge” of your network was a simple matter of a firewall and maybe a web gateway, since everyone was working on a desktop computer that never left the office. Then suddenly that stationary desktop became a laptop that traveled in and out of the office daily, connecting to a home network with dubious-at-best security (you could find tutorials on how to crack a WAP password everywhere.) Then came the rise of smart phones and the proliferation of public WiFi networks and people were connecting to company resources everywhere from the coffee shop to the city bus. Today your workforce is scattered all over the world, using a variety of devices with a variety of connections which can leave your critical network resources exposed and vulnerable.
SASE to the Rescue
Enter SASE - shifting security so it’s based on digital identity (which could be a user, a device, a service, an application, or anything else) rather than a central location. There are several aspects that comprise a SASE architecture:
- SD-WAN: (Software-Defined Wide Area Network): This is an overlay on top of your WAN network that helps provide better security and user experience regardless of what type of connection you’re using, from the fastest pipe to the LTE/5G cellphone network.
- CASB: (Cloud-Access Security Broker) - This defines the how/what/where/when you can access cloud resources. For instance, on your work laptop you can run the full Office 365 Suite, but on your phone you can only access Outlook and Teams. It also often handles authentication policies like single sign-on, credential mapping, and device profiling.
- SWG:(Secure Web Gateway): This helps keep web-surfing PCs safe - blocking access to dangerous content, filtering unwanted software/malware downloads, blocking application access (for instance, no running web-based IM clients like Skype) and enforcing any regulatory policy compliance.
- FWaaS: (Firewall-as-a-Service): This is not your same old ACL-based firewall! FWaaS can do a lot more than just deny, deny, deny. It delivers advanced next-gen capabilities like Advanced Threat Protection, Intrusion Prevention, and Domain Security.
- ZTNA: (Zero Trust Network Access): This is more of a philosophy than a service. It states that you should never trust that an account or a device is who they say they are and limit their access as much as possible. Key components of ZTNA include a NAC, the use of certificate-based authentication in addition to user credentials, and multi-factor authentication.
This isn’t necessarily exhaustive (for instance, some people include antivirus and VPN as part of SASE) but it’s a good place to start if you want to implement SASE for your network.
(Diagram here -what I am thinking is like a cloud, and on the edge of the cloud we have ZTNA, SD-WAN, FWaaS, SWG, CASB, and then in the middle of the cloud are “Business critical applications” and then users coming in through the edge words)
Is SASE Worth It?
SASE has a lot of advantages over more traditional network security architecture:
- Agility - scale up or down as needed almost instantly; no ordering/configuring/deploying new hardware.
- Better performance and latency - optimized for the applications you need because everything is in the cloud, plus no outages for patching and maintenance.
- Consistency - You don’t have to sort through who needs access where and when - role-based access easily keeps your finance people looking at finance resources, your HR people looking at HR resources, and making sure everyone has access to what they need (and only what they need.)
- Ease of use & set up - no more deploying multiple appliances in a data center, no more trying to keep track of all the different configurations and vendors. Cloud-based makes it easy to set it and forget it. Did we mention, no patches or upgrades?
- Universal Access - A SASE network should provide consistent, fast, secure access to any resource from any location.
Understanding all of this may seem a bit overwhelming, but implementing SASE is much simpler than describing it. It’s a smart move for any company that cares about security (and given that the average data breach cost is 4.4 million dollars, that should be every company.)
(CNET, (2022 July 27) Average Data Breach Costs Hit a Record $4.4 Million, Report Says)