In August 2019, market researchers from Gartner published an architectural model called “Secure Access Service Edge” (SASE) in their study “The Future of Network Security is in the Cloud” [1]. The model combines WAN functionality and enhanced network security into a single, consistent cloud service.

The authors of the study call SASE (pronounced “sassy”) “the future of network security in the cloud.” But what’s behind this model? Can it deliver on its promise, or is it nothing more than another euphonious acronym, of which there are all too many in the ICT world?

What is SASE?

Secure Access Service Edge (SASE) is a network architecture that combines the benefits of Software-Defined Wide Area Network (SD-WAN) and network security and delivers them as a cloud service. The benefits of this integrated solution include simplified WAN deployment, improved efficiency and security, and the provision of adequate bandwidth per application. Since SASE is a cloud service, the necessary service resources can be dynamically scaled up and down based on demand.

Figure 1 – SASE model as an extension of the SD-WAN architecture.

End devices and sites can be connected to the SASE network using either hardware appliances or software clients (see figure above). 

Network component 

On the WAN side, SASE relies on features provided by SD-WAN technologies. For more on this, see our in-depth blog series. The main features of SD-WAN can be summarized as follows:

  • Dynamic path selection 
  • Increased data throughput by bundling multiple physical WAN ports into one virtual link 
  • Hot failover 
  • High level of automation for link parameters
  • Easy control and monitoring of ports, components and virtual links 

Security component 

On the security side, SASE offers cloud-based security features, such as zero-trust network access (ZTNA), cloud access security broker (CASB), secure web gateways (SWG), firewall-as-a-service (FWaaS), DNS protection, and more. Ideally, all these functions are offered as a SASE service from a single integrated solution. In this case, latency-critical security functions are located at the so-called “edge” of the SASE architecture, provided in points of presence (PoPs) close to the customer by SASE providers or third-party vendors.

What is the need for SASE? 

In the aforementioned study, Gartner describes how a growing number of traditional data center functions now operate outside the enterprise data center. While these functions have already found their way into IaaS provider clouds, SaaS applications and cloud storage, the security functions of the WAN architecture still reside on premises in enterprise data centers.

Users who want to access corporate data and applications remotely typically must first establish a VPN connection to the firewalls at the sites. In traditional architectures, this is followed by authentication to a central security point that grants access but also routes traffic through that central point. 

Obviously, this architecture introduces a lot of complexity and high latency.

What are the advantages of SASE? 

SASE offers a variety of benefits. Because SASE is a comprehensive solution model, it enables organizations to reduce both the cost and complexity of IT connectivity. This is achieved by eliminating the need to purchase, operate, and maintain multiple individual systems and by eliminating the need for the IT department to deal with technology from a wide variety of vendors. 

IT system managers can remotely control and monitor connection parameters and security policies centrally via cloud-based management platforms, similar to a stand-alone SD-WAN solution. 

With SASE, all network communications are processed through a centralized, integrated, cloud-based solution, enabling comprehensive behavioral analysis of application data exchange. Threats and anomalies that would otherwise be invisible in isolated systems can be detected and mitigated. In addition, updated threat data and other external information can be incorporated into the analysis. To keep latency low, the customer’s network is connected via PoPs from SASE providers that are close to the site.

Another advantage of SASE is that connections can be provided with different quality characteristics in terms of bandwidth and latency. This means that different service qualities can be provided depending on the requirements of the application.

Conclusion 

SASE is no longer a merely theoretical concept. According to Dell’Oro market researchers, the market for SASE products is estimated to reach $5 billion by 2024 [2]. The big driver of this technology trend is the ongoing COVID-19 pandemic, which has led to a massive increase in home office jobs and mobile working. Labor scientists predict that even after the Corona pandemic, remote working will persist, albeit on a smaller scale than now, as part of the hybrid workplace.

Dell’Oro writes in its study that 27 vendors have added SASE to their portfolios, including Akamai, Aruba, Barracuda Networks, Cato, Cisco, Fortinet, Palo Alto Networks, VMware and Zscaler.

It’s not just the current need to secure home office connectivity to corporate IT that makes SASE attractive to companies. As a cloud-based solution, SASE fits into the trend of many companies increasingly looking to move IT services provided on premises to the cloud. These factors suggest that demand for SASE products will increase. 

[1] MacDonald, Orans, Skorupa: “The Future of Network Security is in the Cloud”, Gartner, 30 August 2019

[2] Mann: “Dell’Oro: SASE Market to Hit $5B by 2024”, www.sdxcentral.com, 30 October 2020, accessed 30 April 2021