Existing network approaches and technologies no longer provide the levels of security and access control that organisations need, while organisations still need uninterrupted access for their users, no matter where those users are located. Secure Access Service Edge, or SASE (pronounced “sassy”), is an emerging cyber-security concept that addresses this gap.
The need for a new approach to network security has arisen from the growth in remote users and Software-as-a-Service (SaaS) applications, the movement of data from the data centre to cloud services, and the fact that the attack surface has grown as the network has expanded.
What is SASE?
Secure Access Service Edge (SASE) is a cloud-delivered service that combines network and security functions with SD-WAN capabilities to support the dynamic, secure access needs of today’s hybrid organisations. It consolidates network security functions such as Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS), Secure Web Gateway and Zero Trust into a single cloud-delivered service model. SASE lets users take advantage of these network security functions regardless of location: a SASE solution should provide secure access no matter where an organisation’s users, workloads, devices, or applications are located.
Nirav Shah states in his blog post that a truly secure SASE solution should include the following stack of security capabilities and tools:
- Firewall-as-a-Service (FWaaS). Any SASE solution should include a next-generation firewall (NGFW) that:
  - Delivers high-performance secure sockets layer (SSL) inspection and advanced threat detection techniques via the cloud
  - Establishes and maintains secure connections for distributed users
  - Analyzes inbound and outbound traffic without impact on user experience
- Domain Name System (DNS). DNS identifies and isolates malicious domains to prevent malicious threats from entering the network.
- Intrusion Prevention System (IPS). IPS should be used to actively monitor the network, looking for malicious activities attempting to exploit known vulnerabilities.
- Data Loss Prevention (DLP). DLP functionality is needed to prevent end-users from moving key information outside the network to ensure that the network and data are both secure.
- Secure Web Gateway (SWG). An SWG solution secures web access against both internal and external risks. It also needs to be able to automatically block threats, even those embedded in encrypted traffic—including TLS 1.3—with high-performance SSL inspection.
- Zero-Trust Network Access (ZTNA) and Virtual Private Network (VPN). Enterprise-grade security should be added on top of VPN and extend ZTNA to remote users. This allows the SASE solution to inherently integrate with preexisting VPN solutions and extend zero-trust application access to remote off-network users.
- Sandboxing. Whether sandboxing is executed in the cloud or on an appliance, it provides crucial protection, especially against previously unknown threats.
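The following is an added illustration, not code from the page or from any SASE vendor, of how three of the capabilities in the list above (DNS filtering, ZTNA and DLP) can sit on one policy enforcement path that evaluates every request the same way regardless of where the user connects from. All domain names, group names, device attributes and data patterns are constructed sample values, and the functions `dns_filter`, `ztna`, `dlp` and `enforce` are hypothetical names chosen for this example.

```python
"""Toy SASE-style policy enforcement point.

Added illustration, not the page's or any vendor's code. It models three of
the capabilities in the list above on a single request path, evaluated the same
way whether the user sits in the office, at home or in a cafe:
  1. DNS filtering  - block destinations on a malicious-domain list
  2. ZTNA           - per-request identity and device-posture check for private apps
  3. DLP            - block outbound payloads carrying sensitive data patterns
All domains, groups and patterns below are constructed sample data.
"""
from dataclasses import dataclass
import re

# Constructed block list (the .test TLD is reserved, so these are not real sites)
MALICIOUS_DOMAINS = {"malware-example.test", "phish-example.test"}

# Private applications protected by ZTNA: app -> (allowed groups, managed device required)
APP_POLICY = {
    "payroll.internal.example": ({"finance"}, True),
    "wiki.internal.example": ({"staff", "finance"}, False),
}

# Constructed DLP patterns (toy: a 16-digit card number and a US SSN-shaped string)
DLP_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Request:
    user: str
    groups: set
    device_managed: bool
    device_patched: bool
    source_network: str          # "office", "home", "cafe": recorded, never trusted
    domain: str
    payload: str = ""


@dataclass
class Decision:
    allowed: bool
    stage: str                   # which capability produced the decision
    reason: str


def dns_filter(req: Request):
    """Deny if the destination is on the malicious-domain list."""
    if req.domain in MALICIOUS_DOMAINS:
        return Decision(False, "dns", f"{req.domain} is on the block list")
    return None


def ztna(req: Request):
    """Per-request check for private apps: identity group and device posture.

    Location is intentionally not an input: an office user gets the same
    evaluation as a remote one. Destinations not in APP_POLICY are treated as
    public internet and fall through to the remaining checks.
    """
    policy = APP_POLICY.get(req.domain)
    if policy is None:
        return None
    allowed_groups, need_managed = policy
    if not (req.groups & allowed_groups):
        return Decision(False, "ztna", f"{req.user} is not in {sorted(allowed_groups)}")
    if need_managed and not (req.device_managed and req.device_patched):
        return Decision(False, "ztna", "managed, patched device required")
    return None


def dlp(req: Request):
    """Deny outbound payloads that match a sensitive-data pattern."""
    for name, pattern in DLP_PATTERNS.items():
        if pattern.search(req.payload):
            return Decision(False, "dlp", f"payload matches {name} pattern")
    return None


def enforce(req: Request) -> Decision:
    """Run the stages in order; the first stage that objects wins."""
    for stage in (dns_filter, ztna, dlp):
        decision = stage(req)
        if decision is not None:
            return decision
    return Decision(True, "allow", "all checks passed")


if __name__ == "__main__":
    base = dict(user="alice", groups={"finance"}, device_managed=True, device_patched=True)
    for net in ("office", "cafe"):
        print(net, enforce(Request(**base, source_network=net, domain="payroll.internal.example")))
    print(enforce(Request(**base, source_network="home", domain="phish-example.test")))
    print(enforce(Request(**base, source_network="home", domain="wiki.internal.example",
                          payload="card 4111 1111 1111 1111")))
```

The point of the design is that `source_network` is carried on the request but never consulted: the same identity, device and data checks run for the office user and the cafe user, which is what moving these functions out of the data-centre perimeter into a cloud-delivered service is meant to achieve. A real SASE stack would add the remaining items from the list (FWaaS inspection, IPS signatures, SWG categorisation, sandboxing of unknown files) as further stages on the same path.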