SASE was created to address two primary concerns. Organizations using SD-WAN solutions needed better security, and VPNs were becoming increasingly bottlenecked. So, what is SASE?
As organizations tried to integrate cloud security providers like Zscaler for SWG and Netskope for CASB, and needed to partner with SD-WAN providers like Velo or Viptela, they found a problem. These integrations were clunky, and customers didn’t have all of the integrations they required. Additionally, it became difficult to select best-of-breed solutions with only one throat to choke when things broke. Using a VPN seemed logical, but that came with problems too.
The problem with VPNs
VPNs quickly became increasingly bottlenecked, costly, and impossible to secure. Five to ten years ago, VPNs (Virtual Private Networks) were ideal for remote users to access corporate applications, which sat behind a private network. But the growing use of SaaS and cloud-based apps became a problem for VPNs. SaaS applications are meant to be accessed directly over the internet, not through a private network backhauled to a single location.
More user traffic was entering and calling back out through a single choke point. This meant higher latency and longer round-trip times. These new bottlenecks resulted in increased hardware costs and a need for higher bandwidth to accommodate the influx of user traffic.
With poor integrations between security and network, SASE providers knew a change needed to happen. With COVID added to the mix in 2020 and a suddenly remote workforce, the change needed to come fast.
SASE providers understood that users needed to access their SaaS apps directly while still being subject to security policies and inspection from wherever they access the internet. To solve this, SASE vendors created global PoPs (points of presence) and partnered with Tier 1 backbone providers for special access. This new global footprint enabled SASE providers to deliver security and network services with the lowest latency possible.
What is SASE? There are four main categories
When asking what is SASE, it’s helpful to break out the four main categories.
1. Secure Web Gateway
Zscaler defines Secure Web Gateway as “a security solution that prevents unsecured internet traffic from entering an organization’s internal network.” SWG inspects web requests against company policy and usually includes URL filtering, DLP, application control, AV, and firewall. For many years, Zscaler was best-of-breed with SWG.
2. CASB
Check Point defines CASB as “Enforcing organizations’ security policies through risk identification and regulations compliance, wherever cloud residing data is accessed.” CASBs typically offer firewall, authentication, WAF, and DLP tools. Netskope has been best-of-breed for CASB for several years.
3. ZTNA
ZTNA provides secure remote access while prohibiting lateral movement. This is done by connecting users to private networks while restricting access and hiding applications. A trust broker verifies both the user and the device on each request, and the verification is repeated each time a user tries to access an application. Software Defined Perimeter (SDP) is a security approach that enables ZTNA by authenticating first and connecting second.
It’s a deny-by-default architecture, and Appgate says it best by stating ZTNA’s 3 pillars:
- Identity centric: designed around the user identity and not the IP address. Requires authentication before granting access.
- Zero Trust: applies the principle of least privilege with micro-segmentation; unauthorized resources are invisible and can’t be seen by the user.
- Cloud centric: engineered to operate natively in the cloud and deliver scalable security.
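The trust-broker behaviour described above, as an added example that is not taken from Appgate or any vendor's product: each request is evaluated on its own, access needs a verified identity, a compliant device and an explicit entitlement, and unentitled applications are indistinguishable from nonexistent ones. The policy, `Request` fields and function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample policy: application -> groups entitled to reach it.
# All names here are hypothetical and exist only for this illustration.
POLICY = {
    "payroll": {"finance"},
    "wiki": {"finance", "engineering"},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    authenticated: bool      # identity verified for this request
    device_compliant: bool   # device posture verified for this request
    app: str

def broker_decide(req: Request, policy=POLICY) -> str:
    """Evaluate one request; called again for every access attempt."""
    # Authenticate first, connect second: without a verified identity
    # and device there is no path to any application.
    if not (req.authenticated and req.device_compliant):
        return "deny"
    entitled = policy.get(req.app, set())
    # Deny by default: access requires an explicit entitlement. Unknown
    # and unentitled apps get the same answer, so the broker does not
    # reveal which applications exist.
    if req.groups & entitled:
        return "allow"
    return "deny"

def visible_apps(req: Request, policy=POLICY) -> list:
    """Applications this user can see; everything else stays hidden."""
    if not (req.authenticated and req.device_compliant):
        return []
    return sorted(app for app, groups in policy.items() if req.groups & groups)
```

Because the decision is recomputed per request, a device that falls out of compliance loses access on its next attempt, with no session to tear down.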
4. SD-WAN
The fourth and final category of SASE is SD-WAN. A Software Defined Wide Area Network is a box that connects corporate locations, such as branch sites, to a private WAN provider and makes intelligent steering decisions, such as choosing among multiple paths to a destination.
For many SD-WAN providers like Silver Peak or VeloCloud, the integrations meant they could offload their services to the nearest SASE PoP for inspection. SASE is a package brought together to give a single place to control security and policies.
SSE for the post-COVID workforce
What is SASE and what value does it hold in our post-COVID world? Good question. In fact, SSE might be the better option if you’re a fully distributed company. Gartner coined Security Service Edge (SSE) in 2021. It is made up of only the security components of SASE. SSE does not have the networking components of SD-WAN, for example.
SSE provides DLP, NAC, sandboxing, and others; it focuses on security without the networking components. If you are looking for best-of-breed security to accomplish “zero trust”, SSE may be for you. SASE vs SSE is a complex issue (read the full breakdown from John Spiegel of Axis Security), but both solve the work-from-anywhere issue without the restrictions or constraints brought on by a VPN.
If you have on-prem connectivity requirements, need to go back to the office, or need a hybrid solution, SASE is the way to go. If users are 100% remote and don’t need the networking components, SSE is your best solution. Both SASE and SSE enforce security wherever the user resides.