Secure access service edge (SASE), pronounced as “sassy,” combines network and security technologies in a single cloud service. It’s generally considered to be the best replacement for legacy virtual private networks (VPNs).
SASE is more secure than a VPN. SASE provides layered protection by converging several security technologies and the network. By comparison, a VPN offers only perimeter-based security. Anyone who gets past the perimeter and enters the network is considered “trusted,” which can enable dangerous activity on the network and in databases from that point.
The Benefits of SASE
In short, SASE provides a context-based approach to security by joining multiple point security products into a single cloud-based access point. This security-as-a-service model provides many advantages over deploying several point solutions individually.
“One of the most significant advantages of SASE is its ability to secure distributed environments, making it the ideal choice for organizations with remote workers and a cloud-based infrastructure,” said Ben Goodman, Chief Executive Officer at 4A Security.
SASE provides several advantages over many standalone point security technologies. It has long been established that layered approaches to security make a better defense against attacks. SASE is effectively a layered approach in that several technologies are working together within a single cloud service.
“One of the core benefits of SASE is its inclusion of both networking technology called SD-WAN and four security capabilities that comprise the Secure Service Edge (SSE): Zero Trust Network Access, Firewall as a Service, Secure Web Gateway, and Cloud Access Security Broker,” said Keith Thomas, principal architect at AT&T Cybersecurity.
Simplified IT management and reduced complexity
Beyond effective and unified security protection, SASE makes one of IT’s toughest duties easier to manage: security.
“Additional advantages of SASE include cost, support, and optimization benefits for organizations such as reduced complexity — by lowering the number of individual solutions in favor of a single system — real-time security prevention, and centralized security controls management,” Thomas said.
Policy enforcement is also made easier with SASE.
“SASE also allows dynamic security policy enforcement based on real-time contextual information, adapting security measures to current risk levels,” said Erez Tadmor, Network Security Evangelist at Tufin.
Better Network Performance and Reliability
Networks are more complex than they used to be, and they were never simple to begin with. The added performance and reliability that SASE brings to networks is extremely helpful for overworked IT and security teams.
“With the increase of user and application presence outside the traditional office premise, network traffic load has surged significantly. SASE enhances performance and reduces latency, enforces a zero-trust security model, and provides centralized control over network traffic and security components that are protecting it,” said Tadmor.
How SASE Cybersecurity Protects Against Cyber Threats
Slim and budget-constrained IT departments are stretched to the limit trying to manage disparate point protection technologies while also adding even more cybersecurity investments to protect against the increasing number of cyberthreats.
“The number of endpoints has skyrocketed across physical locations, cloud resources, and mobile users. The edge you have to defend is getting exponentially larger, but complexity is the enemy of cybersecurity,” said Mike Flannery, president of Windstream Enterprise.
“Secure Access Service Edge (SASE) took a broader and more holistic approach to secure access and traffic against threats, attacks, and data loss in 2023,” Flannery added.
SASE management can also be outsourced to further lift the burden off of IT while doubling down on protection.
“When it’s managed and monitored by a SASE provider, not the enterprise itself, it’s even more effective. IT and security teams are running extremely lean right now, and a single vendor-managed solution relieves them from the burden of integrating, configuring, implementing, monitoring, and managing multiple layers of security themselves,” Flannery said.
Enhancing user cybersecurity through Zero Trust Network Access (ZTNA)
Trust is required at some point. With too little trust, employees and partners can’t access the network to get work done. With too much trust, criminals will destroy your organization in one way or another. Safety lies in determining who to trust, when, and under what circumstances.
Zero Trust Network Access (ZTNA) offers a more comprehensive and elastic way to manage trust in network access. While not foolproof, as no security measure is, it is a serious defense because several technologies converge and operate together from an adaptive trust model. Trust is never implicit but scaled to fit circumstances, context, and other factors of prudence.
“SASE employs a zero-trust security model, continuously verifying user identities and device integrity, minimizing unauthorized access risks. It prioritizes securing network edges, reducing vulnerabilities in distributed setups. It also allows dynamic security policy enforcement based on real-time contextual information, adapting security measures to current risk levels,” said Tadmor.
Ensuring comprehensive cloud-native coverage with SASE
Point solutions, VPNs, and other defense guards pinned to a location are no longer covering all the bases, no matter how many of them an organization deploys. And the more that are deployed, the higher the complexity in managing it all.
“A key issue here is that enterprises are attempting to protect all the different elements with multiple point solutions. Small to medium organizations have an average of 20 to 30 security tools, with large enterprises utilizing over 60 tools and services,” said Etay Maor, Senior Director of Security Strategy at Cato Networks.
By contrast, cloud-native SASE coverage blankets everything, regardless of location.
“One of the more challenging aspects of today's attacks is the fact that enterprises have multiple environments, applications, locations, remote users, etc., that they must protect. This is not the same infrastructure it was 15 years ago – it is much more distributed and much harder to secure,” Maor added.
Cloud coverage also offers more and often better controls over usage and management.
“Rather than try to implement SASE all at once, it may be a good strategy for smaller IT teams to look at replacing outdated VPNs with a zero trust network (a component of SASE) as a starting point,” said Camille Campbell, senior product marketing manager for Cloud Management & Orchestration Platform at Cradlepoint, part of Ericsson.
How SASE secures your distributed environment: Security Components
SASE is a comprehensive platform of bundled cloud services. It's important to understand how the coverage differs from similar-sounding platforms.
“It's crucial to differentiate between SSE (Security Service Edge) and SASE. While many vendors offer SSE solutions, they might not provide their own SD-WAN services. Therefore, organizations must ensure compatibility between their chosen SD-WAN provider and the SSE service to fully leverage SASE benefits,” Veriti Co-founder and CPO Oren Koren said.
While offerings from SASE vendors vary, for it to be considered SASE, the package must include the following:
- Secure web gateway (web proxy)
- Cloud-delivered firewalls
- Intrusion prevention systems
- DNS security
- Data Loss Prevention
- Remote browser isolation
“SASE is a critical differentiator in the market, as it delivers a converged security and networking capability to protect locations and users and securely connect them to data centers, cloud apps, and the internet. This ‘unified’ approach delivers a more seamless attack surface and a dramatic reduction in cost and complexity,” said Sheu.
SASE Cybersecurity: A Case Study
SASE performs well in a variety of use cases. The following case study is but one of many successful SASE outcomes. This particular case study is shared by Erez Tadmor, Network Security Evangelist at Tufin:
A multinational bank with 127 offices in more than 40 countries had a 12-month security policy review backlog. The bank was able to eliminate the backlog without disrupting the hyper-distributed network. This was accomplished by fully automating access enablement (including risk validations and compliance assessment) and by designing access control change automation with the least privilege approach mechanism.
The customer automated the management of over 4,000 rules with Tufin SASE, virtually eliminating manual audit prep and compliance reporting altogether. The multinational Asia-based bank now has full network visibility, continuous compliance automation, and minimal audit preparation.
Another case study, this one by Cato Networks, draws a head-to-head comparison of results with and without SASE in a real-world threat scenario. Etay Maor, Senior Director of Security Strategy at Cato Networks, recounted the study:
In an all too familiar story, a large US-based chemical manufacturer experienced a ransomware attack. The attackers successfully breached the company via a phishing attack, wherein a user clicked on a link and unknowingly downloaded malware to their device. Once the attackers, a notorious Russian-based ransomware gang, gained access to the device and network, they took their time in identifying profitable targets. It was a stealthy attack. The criminals used standard attack tools to steal passwords and remain under the security team’s radar. After weeks of work, the attackers deployed the ransomware to seize the company’s data. They then demanded cryptocurrency to decrypt the data.
To study the difference SASE would have made, Cato Networks ran the same exact attack against a Cato Networks system. SASE successfully detected and mitigated every step the attackers took. First, the phishing attack was stopped by three different security systems. The two malware tools used were stopped; even the ransomware and the attempt to exfiltrate the data out of the network were stopped. The comparison between the two identical attack scenarios clearly showed the attackers know how to evade and disable single point solutions. The barriers the chemical manufacturer had in place included an AV, firewall, SIEM, and other security products. However, the same attack moves were unsuccessful against a converged security system.
A Final Word about SASE and Cybersecurity
Many enterprises are exploring ways to provide their increasingly distributed workforce with access to corporate resources in a manner that protects users, data, and the company.
Increasingly, SASE is being seen as the right technology to use because it provides both the networking and security capabilities needed today. Specifically, a properly selected SASE solution or service extends connectivity to remote users and sites while also securing the link and traffic that travels over it.