Simply stated, Secure Access Service Edge (SASE) is a cloud architecture model that combines networking with a cloud-based security framework to provide secure access to network services from anywhere. A plethora of offerings are now available from SASE vendors.
Those offerings cover a wide range of technologies and service models. And the SASE vendors include many familiar companies who, in the past, have provided SD-WAN, networking security, and endpoint security solutions. Here is our guide to help you sort through those offerings and pick a SASE vendor that is right for your enterprise needs.
What’s accelerating SASE demand?
Demand for a cybersecurity architecture rose in part because of the explosion of office workers who shifted to work-from-home or hybrid plans as we moved through the COVID years. Combine that shift with the $1.2 trillion Infrastructure Investment and Jobs Act of 2021, which committed $45 billion to provide broadband to all (sites), and you have a broadening sea of devices to support and applications to access. Climbing broadband access speeds are helping feed the fire.
Supporting work-from-home and work-from-anywhere approaches and new sites supercharges the need to provide secure remote access to data and applications. Add in the use of SaaS offerings, cloud services, and IoT devices, and SASE becomes an alluring solution, so researching the best SASE companies is critical.
Why knowing the right SASE features is important
One of the challenges those new to SASE technology often encounter is that solutions can be quite complex as they are made up of many discrete elements. One way to better understand what SASE is and what it does is to look at those elements.
The elements within most offerings and assembled solutions fit into two categories. There are WAN Edge Services and Security Service Edge (SSE) elements. Functionally, there are five main pillars of SASE. They are SD-WAN, firewall-as-a-service (FWaaS), secure web gateway (SWG), cloud access security broker (CASB), and zero trust network access (ZTNA).
Many SASE vendors don't yet have the full stack of features, and some partner with other companies to fill the gaps. There are traditional internet and WAN service providers who are now bundling endpoint security offerings with their WAN connectivity services. Another class of vendors is the remote access companies, like those that provide VPNs, edge routers, and more. Some are partnering with endpoint security vendors and WAN service providers to deliver SASE services. And finally, there are the traditional access security vendors. These are companies that offer firewalls, zero-trust access, and other offerings. Again, some of these vendors are now partnering with others to round out their offerings into a full SASE service.
Top features to consider when choosing a SASE vendor
The fast-growing list of SASE solution providers offers a wide variety of choices. Note that some on the list are familiar network security vendors who partner with SD-WAN providers to offer a SASE solution, while others are SD-WAN providers that bundle cloud-based security services into a SASE offering.
You will find a mix of software vendors, networking hardware makers, service providers (telcos), as well as firms with roots in firewall offerings. Some have been evaluated as single-vendor SASE providers by the likes of Gartner Group, while others are part of a multi-vendor solution.
Here are some criteria to evaluate these SASE companies.
Network and security architecture
When evaluating which SASE solution best meets your organization’s specific networking and security needs, you need to ensure that flexibility is high on the list.
Organizations should look for a truly flexible SASE implementation that is integrated, one that delivers a cloud-native infrastructure and offers cloud instances to any location and application type, regardless of whether the deployment is on public or hybrid clouds or on-premises. Seek out a flexible SASE architecture that reduces the burden on your IT teams by simplifying the complexity of cloud or on-premises deployment while also delivering quality experiences to your end users.
Whether you’re shopping for a single- or multi-vendor SASE solution for your organization, you must make service and support a top priority. What you believe to be the best-crafted SASE offering can successfully reduce risk and confidently accelerate your business in the cloud yet fall short when it comes to support. Ask for customer references, service level agreements (SLA), and details on the provider's support organization, and ask for information on reactions to specific problem scenarios.
Should you select a multi-vendor SASE solution, engage the contributing companies to determine the strengths and weaknesses of their interrelation. Is it strong and smooth, or does it sound as if it's not much more than a generic vendor partnership program? Cross-training and certification of staff should be attainable and of high value to your organization.
Another consideration when opting for a multi-vendor solution is the role of SASE standards. For help here, look to the work of industry groups like MEF. A recent Network Computing article noted the issues enterprises face in this arena and how MEF is trying to address those issues. In that article, the author noted:
“…a fragmented vendor ecosystem and lack of common terminology leave enterprises challenged to compare SASE feature sets and solutions. The resulting confusion can lead to incomplete service offerings that don’t meet needs and expectations.”
To simplify and speed up the evaluation, implementation, and management of SASE services, MEF published the industry's first standard for SASE, which defines common terminology, attributes of the service, and a service framework, along with a Zero Trust framework. With these frameworks, enterprises can make choices based on industry-standard definitions allowing for easier evaluation and faster decision-making and implementation.
The practice of defending core business applications and crucial data at the network perimeter is dated and increasingly complicated to manage. That's especially the case with the advent of work-from-home and hybrid approaches, where IT groups must support a myriad of devices, greater mobility, and higher-speed internet connections.
As a result, standard hardware-based security equipment used by network administrators is no longer sufficient to protect remote network access to applications. SASE provides unified policy management based on user identity, enabling your company to deploy security services no matter where its users or corporate resources are located.
Data protection solutions
Another benefit of a robust SASE implementation is the ability for IT to safeguard growing volumes of applications, systems, and data by setting an array of policies for their access.
Some of the capabilities and protections to look for in a SASE implementation include the following:
- Secure web gateway, which protects users from web-based threats while applying and enforcing corporate acceptable use policies.
- Cloud Access Security Broker (CASB), which is an on-premises or cloud-based security policy enforcement point between cloud service users and providers.
- Encryption, which encodes data so that it remains hidden from or inaccessible to unauthorized users.
- Firewall, which keeps out unauthorized traffic and only lets in communications that are deemed safe, using a set of security rules.
- Virtual Private Network (VPN), which brings privacy to communications over a public or untrusted data network.
Many SASE vendors support all these capabilities. Some do not.
Zero trust network access
Heralded by many as the next era of network access, Zero Trust Network Access (ZTNA) now offers organizations key new features, such as the ability to maintain least-privileged access and operate with the “allow-and-ignore” model.
ZTNA 2.0 provides secure connections to deliver better security outcomes for businesses with hybrid workforces, overcoming the limitations of ZTNA 1.0 solutions. Ask vendors to compare the versions.
Ask potential SASE solution providers if they support ZTNA 2.0 and how it addresses the limitations of version 1.0 with least-privileged access, continuous trust verification, and security inspection, plus protection for all apps and data.
There are options for your organization when it comes to network deployment of SASE, which currently include single vendor approaches, multi-vendor packages, the DIY option, and a managed services provider (MSP) alternative. The desired result is a deployment that converges networking and security functions into a single, unified platform that can be managed using a single pane of glass if needed.
Enterprise business and technology leaders should consider using a customer-centric approach that uses fewer vendors and simplifies operations, cuts complexity, and results in lower costs. However, since organizations have differing requirements, they need to address them with their SASE approach.
SASE combines networking and security functions in the cloud to deliver secure access to applications anywhere users work. Organizations should check that ZTNA, which verifies the identity of users and the health of their devices, provides secure access to applications and application suites on a per-session basis, whether they are basic packages or enterprise-wide lifeblood systems.
Also, make your business more agile by leveraging the cloud to remove complexity from your infrastructure and provide immediate scalability. With open APIs in both networking and security, it's easy to choose what works best by integrating easily into preferred products or a broad and open single-vendor ecosystem.
Network optimization is a far-reaching and much-sought feature of SASE solutions. Pressing vendors for detailed use cases should shed light on how it's attained. Though results will clearly vary by implementation, SASE should lighten IT's load since it does not require deploying MPLS circuitry or special network infrastructure. It is pitched as being able to use broadband networks and leverage investments in current private network links.
SASE solutions are supposed to integrate with backbone networks and popular edge services, including content delivery networks (CDN), Cloud Access Security Broker (CASB), VPNs, and edge networks.
Reduced complexity is a top priority with SASE. You can simplify your IT infrastructure by minimizing the number of security products your IT team has to manage, update, and maintain, consolidating your security stack into a cloud-based network security service model.
The overarching goal here with a SASE solution is to configure security to detect and stop threats while maintaining compliance. What’s needed is contextual visibility into what is happening in a SASE session or connection.
To that end, organizations need insight into all cloud entities and knowledge of how the relationships among them affect their security posture. Once you know what you have, where it is, and how secure it is, you can enforce customizable governance policies that keep your cloud compliant with internal and external standards.
Organizations evaluating SASE companies should be certain to seek threat protection in vendor solutions, given the soaring number and sophistication of unauthorized attempts on their data and other resources.
Probe vendors to determine if their SASE packages provide integrated full content inspection, as your firm will benefit from more security and visibility into your network. Systems need to identify false positives.
Ask SASE vendors what tools their systems offer to help your security staff resolve alerts, and resolve them more quickly. A recent report claimed security teams take an average of 6 days to resolve alerts.
SSL connection and DNS
SSL is best described as a standard technology for securing an internet connection by encrypting data sent between a website and a browser. Specifically, the SASE solution's Secure Web Gateway (SWG) inspects the web activity of end-users and applies a consistent set of security policies to enforce safe browsing habits at the endpoint. A robust gateway's features include deep SSL inspections, DLP, URL filtering, and DNS filtering.
SASE vendor selection key takeaways
The shift to SASE is already underway: most SASE vendors supporting the cybersecurity architecture have already posted use cases on their websites explaining how household-name organizations have embraced it to improve the way they do business without fear of the security breaches we read about weekly.
A complete SASE implementation can simultaneously enable IT leaders to embrace fundamental changes in the way companies support workers, a precious asset that needs to be safely turned loose to maximize productivity and power corporate business advances.
As SASE evolves, stay smart and stay current with crucial coverage, advice, tips, and primers about SASE vendor offerings and standards from industry experts.