SASE (Secure Access Services Edge)

SASE (Secure access services edge) is a Gartner computing model that integrates WAN management and cybersecurity into a unified, cloud-native architecture. Gartner introduced the SASE framework in 2019. The SASE framework was created to support the rapidly evolving digital enterprise. Gartner has forecast that by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE. SASE has packaged and integrated these controls with the ability to identify sensitive data and malware and provides continuous visibility to user activity both for risk and relative levels of trust. 

SASE includes security controls and technologies for:

• Secure web gateways (SWGs)
• Cloud access security brokers (CASBs)
• Zero trust network access (ZTNA)
• Firewall as a service (FWaaS)
• Software-defined WANs (SD-WANs)

SD-Wan provides simplified connectivity for remote office locations. The need to use additional physical WAN hubs for user connectivity is eliminated. Gartner identified SD-Wan as a foundational and critical architectural component of a complete SASE architecture. 

CASB can detect and flag the use of unsanctioned applications. CASB can also detect abnormal user behavior, an essential flag for malicious and potentially destructive activity. 

Legacy approaches based on defending a perimeter have left most large enterprise organizations with a disparate patchwork of management consoles, vendors, and redundant policies. This legacy approach has resulted in far too much complexity, higher cost, the growth and exposure of new vulnerabilities, and increased risk in almost every area. In addition, legacy networking architectures require too much physical infrastructure. As a result, network operations teams are overrun with isolated solutions, lack of automation and scale, and far too many manual processes.

The on-premise castle and moat architecture would route all the endpoints through the data center, creating many performance issues as the “network edge.”  These problems further reduce flexibility and agility, and the ability to grow and scale up the network in the future. 

The digital transformation was perhaps the earliest SASE driver. The rapid move to the cloud was driven by the lower cost of cloud infrastructure, greater flexibility, and the speed and simplicity of deployment. 

The pandemic also accelerated the digital transformation. During the pandemic, the need for secure remote access grew by orders of magnitude. The growth in remote workers was unprecedented during this period. Unfortunately, remote workers often utilized their personal devices (BYOD), which did not run most corporate security software. Home networks also introduced many new vulnerabilities. As a result, remote work has exposed a much larger and more diverse attack surface. The pandemic has accelerated the move away from the office, and it is most likely that this new hybrid model for access will be the enterprise architecture of choice for the future. 

Instead of addressing this coherently, many organizations pulled together different security stacks, one for the on-premise workers, one for each cloud, and perhaps another solution for remote workers. For example, VPNs work, but they generally only provide remote gateway internal networks – they don’t stop or prevent remote access by infected or compromised devices from gaining that access.

Enterprises have been moved to respond to these changes. The SASE framework is a well-targeted response to the challenges and limitations of legacy networking and security architectures. These legacy architectures cannot maintain pace with the changes in SD-WAN, the cloud, and mobile devices, let alone the exploding internet of things (IoT) infrastructure.

SASE defines the infrastructure required for your network services and security controls to support remote workers, branch offices, and headquarters locations. SASE implementation should result in a better experience across the board for all users, with accompanying lowered cost, better scale, and improved performance. 

SASE networks should generally include:

• Integrated network and security services—simplified management of diverse WAN networking and security services available through a common platform
• A centralized policy control enables the deployment and enforcement of security policies to all devices and endpoints across the network. This central control is instead of the multiple consoles and disparate security stacks typical of the legacy architectures. Today, most security controls are administered separately using different consoles and mechanisms to define policies and rules. Organizational policies and compliance requirements are converted to the administrative setup for each vendor’s management consoles. This multitude of consoles produces more errors in implementing these policies, unintentional misalignment of policies, and unintended gaps in enforcement. Maintenance problems arise around the requirement for policy changes to be rolled out and implemented within multiple vendor management interfaces. Finally, the expense of maintaining and administering all of this is very high. Each security control requires an SME that has spent the time acquiring and maintaining their skills to administer the management interface best. 
• Cloud-native design principles and containerized microservices for agility, future flexibility, increased speed, and scalability.
• Cloud-managed services are available on demand. These services combine the cloud’s flexibly pay-as-you-go usage models to provide global enterprises with more scalable network and security services worldwide. 
• Local survivability of essential network services such as DNS and DHCP. If the WAN connectivity to headquarters facilities goes down, these must be maintained for branches and remote locations. 

Gartner has noted that it is essential that SASE network components are built using cloud-native principles. With ever-increasing numbers of connected devices and the growth in complexity of services, cloud-native architectures will be the only way to scale. Conversely, non-cloud native architectures will not scale, offer limited performance, and ultimately be more expensive.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.