By David Zomaya
What is SASE?
If you've been keeping up with the SD-WAN scene, you may have heard the term SASE. It's short for secure access service edge and pronounced "sassy". SASE started gaining popularity after Gartner coined the term back in 2019.
There's a lot of hype around SASE, and big names like Cisco, VMware, and Cloudflare have bought in, releasing SASE offerings over the past two years. Of course, tech buzzwords are common, and some have argued SASE is just a new marketing term for existing tech.
Here, we'll take a closer look at what SASE is, explore the efforts to standardize SASE, and help you decide if this acronym is worth remembering — or just another IT buzzword.
What is SASE?
SASE is a framework that combines wide area networking and security functions into a single cloud-based architecture. With SASE, instead of having separate appliances or cloud services for SD-WAN, SWG (secure web gateway), firewall, CASB (cloud access security broker), IDS/IPS (intrusion detection system/intrusion prevention system), and VPN, you have a single holistic cloud service that does it all.
The SASE vendor provides access to a private network of PoPs (points of presence) around the world. Users connect to that network and all the SD-WAN and security functions are inherently part of everything that happens from there on out.
Of course, because SASE is still a relatively new concept, you can find different definitions depending on where you look. Interestingly, even though they coined the term, Gartner's glossary doesn't have an entry for SASE. Different vendors' implementations of SASE vary, so there isn't a single definition of what is and what isn't SASE that everyone agrees on. However, key characteristics of SASE include:
- Cloud-based. Traditionally, data centers were the center of an organization's network. Everything from access management to QoS (quality of service) was facilitated using on-premises appliances. With SASE, the cloud is at the center of the network. The functionality once provided by appliances is provided by cloud services. The idea is that this is better aligned with a world where SaaS (software as a service) apps and remote work are the norm. From anywhere with an Internet connection, users can authenticate and have all the required network and security policies applied to their activities.
- Networking & security are integrated. Often, security and networking are performed by two separate services. The classic example of this is a dedicated router moving traffic between networks while firewalls block/allow traffic to specific ports or IP addresses. With SASE, the underlying cloud infrastructure provides both security and network functions. Ideally, this leads to tighter overall security, better performance, and simpler maintenance and management.
- A "zero-trust" security model. Zero-trust is built around the idea of "deny access by default". The zero-trust security model represents a fundamental shift from the mindset of trusting everything on the inside of an organization's firewall. With the older approach, which some call a "castle and moat" approach, you assume that the firewall is keeping things safe and that users already on the network can be trusted. Obviously, this falls apart as soon as one machine on the inside is compromised. Zero-trust authenticates and authorizes access explicitly for each resource and never assumes access should be granted unless explicit authentication and authorization occur.
- Identity-based access to resources. Identity-based access helps implement a zero-trust model. In simple terms, identity-based access means that users, services, and devices on the network are granted or denied access to resources using policies based on who/what they are. This is different from the DENY/ALLOW rules based on ports and IP addresses used in traditional security models. Rather than simply checking whether traffic is trying to reach a blocked port, identity-based policies add a layer of context by restricting who is accessing an endpoint, not just the network addresses and ports involved.
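To make the contrast between the two list items above concrete, here is an added Python example (not code from the article or from any SASE vendor) that evaluates the same connection attempts twice: once against a traditional address-and-port ACL, and once against a default-deny, identity-based policy that also looks at the user's group, device posture, and MFA state. All addresses, users, groups, and policies are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# All rules, users, and addresses below are constructed sample data.


@dataclass(frozen=True)
class Request:
    """A connection attempt plus the identity context a SASE edge would have for it."""
    src_ip: str
    dst_ip: str
    dst_port: int
    user: Optional[str] = None            # None if the session was never authenticated
    groups: FrozenSet[str] = frozenset()  # group memberships from the identity provider
    device_managed: bool = False          # endpoint posture reported by the agent
    mfa: bool = False                     # whether the session completed multi-factor auth


# --- Traditional "castle and moat" ACL: only addresses and ports matter ---
# (source network, destination network, destination port or None for any, action); first match wins.
NETWORK_ACL = [
    ("10.0.0.0/8", "10.50.0.0/16", 443, "ALLOW"),  # anything on the corporate LAN may reach the app subnet
    ("0.0.0.0/0", "0.0.0.0/0", None, "DENY"),
]


def acl_decision(req: Request) -> str:
    src, dst = ip_address(req.src_ip), ip_address(req.dst_ip)
    for src_net, dst_net, port, action in NETWORK_ACL:
        if src in ip_network(src_net) and dst in ip_network(dst_net) and port in (None, req.dst_port):
            return action
    return "DENY"


# --- Identity-based policy: who is asking, from what kind of device, for which resource ---
IDENTITY_POLICIES = [
    {"resource": "hr-portal", "dst_net": "10.50.1.0/24", "dst_port": 443,
     "allowed_groups": {"hr"}, "require_managed_device": True, "require_mfa": True},
    {"resource": "wiki", "dst_net": "10.50.2.0/24", "dst_port": 443,
     "allowed_groups": {"employees", "contractors"}, "require_managed_device": False, "require_mfa": True},
]


def zero_trust_decision(req: Request) -> str:
    """Deny by default; allow only when an explicit policy for the resource is fully satisfied."""
    if req.user is None:
        return "DENY: unauthenticated"
    dst = ip_address(req.dst_ip)
    for pol in IDENTITY_POLICIES:
        if dst not in ip_network(pol["dst_net"]) or req.dst_port != pol["dst_port"]:
            continue
        if not req.groups & pol["allowed_groups"]:
            return f"DENY: {req.user} not authorized for {pol['resource']}"
        if pol["require_managed_device"] and not req.device_managed:
            return f"DENY: unmanaged device for {pol['resource']}"
        if pol["require_mfa"] and not req.mfa:
            return f"DENY: MFA required for {pol['resource']}"
        return f"ALLOW: {req.user} -> {pol['resource']}"
    return "DENY: no policy for destination"


if __name__ == "__main__":
    # Authenticated HR staff on a managed, MFA'd laptop inside the office.
    hr_user = Request("10.1.2.3", "10.50.1.10", 443, user="alice",
                      groups=frozenset({"hr", "employees"}), device_managed=True, mfa=True)
    # A compromised host on the same LAN: same addresses, no identity at all.
    compromised = Request("10.1.2.99", "10.50.1.10", 443)
    # A remote employee (not in HR) reaching the wiki from a coffee shop.
    remote_staff = Request("203.0.113.5", "10.50.2.7", 443, user="bob",
                           groups=frozenset({"employees"}), mfa=True)
    for name, req in [("hr staff", hr_user), ("compromised host", compromised), ("remote staff", remote_staff)]:
        print(f"{name:16} ACL={acl_decision(req):5} zero-trust={zero_trust_decision(req)}")
```

The interesting rows are the second and third: the compromised host is allowed by the ACL because it sits on the "trusted" LAN, while the zero-trust policy denies it for lack of any identity; the remote employee is denied by the ACL purely because of a public source address, while the identity-based policy allows the wiki and would still deny the HR portal, which is the "universal access" behaviour described later in the article.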
What Problems Does SASE Aim to Solve?
One of the best tests for any buzzword is checking if it actually addresses any real problems we couldn't solve or couldn't solve as well without it.
The basic idea is that the SASE model is a better fit for modern networks with on-premises and cloud workloads than deploying a combination of solutions from different vendors. For example, with SASE, you don't need multiple discrete WAN and security appliances. Ideally, getting all those functions in one place should have cost, ease of use, and performance benefits.
Additionally, in a world where more and more users are accessing resources remotely, centralizing access in the cloud can streamline the creation and enforcement of security policies.
Given that, the benefits SASE can deliver include:
- Better performance. SASE includes many of the traffic optimization features, like QoS and bandwidth optimization, that traditional network appliances provide. Additionally, SASE providers may offer their own dedicated backbones with points of presence (PoPs) around the globe that provide high-throughput connectivity between locations.
- Streamlined operations. Managing network security and connectivity at scale is difficult. By providing a single platform for network and security management across an organization, SASE can simplify things for IT.
- Lower costs. When all (or most) of your services are bundled with a single vendor, you can see cost reductions. Simplifying network management complexities and no longer needing many on-premises appliances can drive down costs further.
- Universal access. Users being able to securely access resources from anywhere with an Internet connection can be a big benefit. Traditional VPN appliances can be complex for both IT and end-users.
- Holistic security. Because security is part of the infrastructure with SASE, it's inherently implemented across the network. That makes it easier to implement end-to-end security across the entire network.
SASE vs SD-WAN: What Makes SASE Different?
If you've been keeping up with different SD-WAN implementations over the last few years, you may have noticed a lot of what we said about SASE could be applied to solutions labeled SD-WAN. In part, that's because both of these terms are buzzwords and marketers have begun calling some cloud-based SD-WAN products SASE. With terms that involve a lot of abstraction and lack a specific technical definition, this is to be expected.
However, there is a better way to understand the differences. Simply put: SD-WAN is a subset of SASE. In the SASE model, the network functions SD-WAN provides are part of the cloud infrastructure. SASE simply adds more network and security features to the mix.
How the MEF is standardizing SASE
At this point, it's clear that there is no consensus around what is and what isn't SASE today. If you compare SASE solutions from different vendors, the feature sets vary significantly. No single product offers all the services that can fall into the SASE category and there is no clear baseline that defines a minimum set of features. That creates an environment where concrete definitions can be difficult. However, that's to be expected in the early stages of a new technology model.
Fortunately, there are efforts to standardize SASE in progress. For example, the non-profit MEF Forum published their MEF SASE Services Framework whitepaper (PDF) last year. That whitepaper aims to provide a framework to standardize SASE services. Within that whitepaper, specific definitions are proposed for SASE components and service types. If the industry buys in, we may begin to see more standardization in the world of SASE, which is a good sign as the framework matures.
Final Thoughts: Is SASE just a marketing term?
SASE is definitely a marketing term, and in a way, it's a repackaging of several different technologies we already had. However, it's not just a marketing term. If you look past the fluff and drill down to the underlying concepts and technologies, SASE has real potential. The networking and security markets are buying in, and that means there is a good chance SASE is here to stay.
Long story short: if you're currently building a career in networking and security, it's probably a good idea to get comfortable with SASE. Even if another label takes SASE's place in the years to come, understanding the model and technologies that make SASE compelling can be useful.