What Is Secure Access Service Edge?

Secure Access Service Edge (SASE) is a component of zero trust architecture that protects network elements inside and outside a traditional network boundary. With the digital transformation of businesses, increased remote working, and the use of cloud services to run applications, security is moving to the cloud, and SASE is providing that security.

Changing network topology

Computer networks once consisted of an office network and a data centre specific to an enterprise. An employee would go into the office and log onto a computer, accessing applications running in the data centre. All company transactions occurred within the network perimeter.

This traditional network security approach established a firewall around the network. Once a user was inside the firewall, the security protocol would trust that computer, not checking the further activities of the user on the network.

Digital transformation has drastically changed how employees work. Many employees access applications at the office or remotely that are housed on the internet outside the safeguards of the corporate data centre. For example, an employee accessing Salesforce could be on a laptop at a kitchen table. The application could be resident on the internet, or the employee could remotely access the application housed in the company data centre.

In today's work world, the network perimeter we used to protect no longer exists because there are access points everywhere, and the internet is now our vehicle for transferring information. The challenge in this environment is to protect the gateways back into the enterprise environment, the "edges."

To bolster inadequate perimeter security protocols in this dispersed environment, IT teams have ended up with many vendors, policies, and consoles trying and not entirely succeeding in protecting data. SASE is a new solution to reduce cybersecurity complexity and improve effectiveness for dispersed-access environments.

The SASE model

SASE is a collection of technologies that combines network (SD-WAN, VPN) and security (SWG, CASB, FWaaS, ZTNA) functions. Such technologies are traditionally delivered in siloed point solutions. SASE – or Zero Trust Edge – combines these into a single, integrated cloud service.

SASE model components

  • Software-defined Wide Area Network (SD-WAN)
  • Virtual Private Network (VPN)
  • Secure Web Gateway (SWG)
  • Cloud Access Security Broker (CASB)
  • Firewall as a Service (FwaaS)
  • Zero Trust Network Access (ZTNA)

The SASE model enables organisations to unify their networks and strengthen security for dispersed users and devices.

SASE has multiple benefits for enterprises

  • Reduces costs
  • Decreases complexity
  • Supports network and security policy alignment
  • Reduces security incidents
  • Provides a seamless experience for users in any location.

A new security architecture

Organisations looking to advance their user-centric network and network management security protocols are adopting SASE architecture to enable zero-trust network access. The zero trust model is about never trusting, always verifying, and assuming compromise until a machine is proven trustworthy. The internet connects everything, and no device is inherently trustworthy because it is an open information platform.

SASE is an essential element in zero trust architecture. Much of SASE is not one new technology but a combination of new and existing technology. SASE delivers security controls to the user, device, or edge computing location. Previous cybersecurity protocols established firewall protection for a data centre, but SASE authenticates based on digital identity, real-time context, and company policies.

There are three critical components of SASE:

  1. Secure Web Gateway
  2. Cloud Access Security Broker
  3. Zero Trust Network Access

Secure web gateway

An SWG controls internet access and manages what a user can and cannot access. If a user tries to access or download something from a suspect website or attempts to access a forbidden destination such as a gambling site, the gateway blocks it.

Cyber-attacks have become very sophisticated. Just when we began to recognise the old style of a phishing email with misspelled words and awkward language, bad actors became more sophisticated. Now it is nearly impossible to tell which emails are legitimate and which are from hackers, even for knowledgeable users.

Internal cybersecurity training is integral to establishing more robust protection, but users make mistakes even with training. SWG is another tool your security team can use to see all traffic to and from your network. If there is a threat, the security team can use SWG to mitigate it.

SWG offers multiple functions:

  • URL filtering
  • Advanced threat defence
  • Legacy malware protection
  • Internet policy compliance enforcement

Restrictions can apply to large and small environments:

  • Governments control what the population sees
  • Internet service providers block selected content
  • Enterprises manage what employees access
  • Schools filter what sites are available to students
  • Libraries choose what patrons see

Cloud access security broker

CASB returns visibility to SaaS applications. As a user connects to Salesforce, Office 365, or another app, your security team can see what data your users are transferring, which files are uploaded or downloaded from OneDrive or SharePoint, who did it, and at what time.

CASB is software located on-site or in the cloud. It mediates between users and cloud services with security policies for cloud access and tracks actions on the network.

CASB security can consist of several elements:

  • Alerting
  • Logging and authentication
  • Single sign-on
  • Authorisation
  • Credential mapping
  • Device profiling
  • Encryption
  • Tokenisation
  • Malware detection and prevention

The starting point for CASB reporting is configuring the options for each user group within the organisation. One group may be authorised to upload but not download. Another group may edit documents, and another may only be able to view documents. The enterprise sets the policy.

The enterprise also sets the action to be taken if a prohibited action occurs. Your security team can set protocols to automatically block the activity or allow it to happen and report the event to the event viewer.

Zero trust network access

ZTNA gateways are the new element of SASE. ZTNA is a security architecture that only grants access to traffic between authenticated users, devices, and applications. No traffic is trusted, and all end devices are suspected of having malicious intent until proven otherwise. ZTNA is replacing VPNs for authenticating users remotely.

VPN is the technology enterprises traditionally used to connect remote users to the corporate network. VPN has several issues: it is costly and often establishes an unstable connection. In addition, ineffective remote connections cause workers to struggle to do their jobs, costing the enterprise money in loss of productivity.

The biggest issue with VPN is that it offers remote access with few security controls. A user accessing a corporate network via VPN from a home network authenticates and has full access to the network's front and back end. The user proceeds with work in the application's front end. If a piece of malware finds its way to the computer from the internet, it can go to the back end of the same application and grab all the data, causing a data breach.

ZTNA removes the malware's ability to move around inside the network because ZTNA individually authenticates each user, device, and application as trusted on the network.

VPN vulnerabilities:

  • Broad attack surface
  • Once in the network, bad actors can move laterally to exploit vulnerabilities
  • VPNs are exposed to the internet and vulnerable to service disruption
  • Hackers target any exposed surface, discover vulnerabilities, and attack

Approaching zero trust

The first step toward zero trust is for the organisation to commit to adopting the architecture. Over time, IT and security teams can gradually implement technologies from different product groups to increase maturity.

A starting point is to understand the problems in your environment that affect the organisation daily. For example, if internet access is out of control – everyone can access everything, and users are unwittingly downloading malware – SWG could be your initial zero trust technology.

The next step could be determining what SaaS apps employees use and who can access what. It makes sense to increase your security team's visibility, so they can adequately grant access for authorised activities and ensure users stay within the policy framework.

The bottom line for zero trust is protecting your data

Even with SASE security parameters in place, your network is still not entirely zero trust; you are moving toward it. Zero Trust is a journey over time to increase your network's security, and if you continue the path, security will iteratively get better.

Protecting a physical asset, like a laptop or server, or a digital asset like a user account or application is not the primary goal of cybersecurity. It is about protecting the data used by business operations, including usernames, passwords, proprietary corporate data, confidential material, and payment information.

Related Research

Related Articles