A Quick Introduction to SASE Architecture
SASE is an architectural model that converges both networking and security capabilities into a single-service cloud-native platform that shifts the security focus from traffic-flow-centric to identity-centric. SASE encompasses a package of technologies that embeds security into the global fabric of the network so it is always available no matter where the user is, where the application or resource being accessed is, or what combination of transport technologies connects the user and the resource.
SASE enables ubiquitous and direct client-to-cloud security—based on user identity and context—fully integrated with optimal client-to-cloud WAN routing. This realizes a flexible and scalable network architecture that provides embedded security as well as optimal performance along the Software-Defined Perimeter (SDP) edge.
[Figure: The SASE Identity Architecture; SASE – Convergence and Inversion of the Network and Security Architectures]
High-level SASE Architecture
In the Gartner representation of SASE architecture, the core of SASE is comprised of:
- The users, devices, applications, and resources, and
- The identity, risks, roles, profiles, privileges and policies that govern access between them
Encircling this core is the outer SASE layer, comprised of all the security and networking technologies required to securely connect core entities: the Software-Defined Perimeter (SDP). The SDP tracks the transient connections between core entities, rather than following the hard perimeters of traditional network architectures, which aligned with fixed locations, geography, physical network zones, IP addressing or buildings.
Five SASE components are involved in defining and protecting the SDP. Some are engaged in a connection only when needed (such as an NGFW, SWG or CASB); others are fundamental capabilities integral to the fabric of SASE (such as SD-WAN and ZTNA).
- Secure SD-WAN
- Secure Web gateway (SWG)
- Cloud Access Security Broker (CASB)
- Zero Trust Network Access (ZTNA)
- Firewalling: NGFW and Firewall-as-a-Service (FWaaS)
SD-WAN Architecture
SD-WAN architectures enabled organizations to leverage direct internet connectivity to enable client-to-cloud workflows.
Traditional WAN Architecture
Traditional WAN architectures use the internet (if they use it at all) purely as a point-to-point connection—protected by VPN technology—between an off-prem user and the headquarters or data center location. Security and policies are applied there, and traffic is then routed on to cloud destinations. This design suffers from latency and scalability deficits.
SD-WAN Architecture
SD-WAN architectures — based on Software-Defined Networking (SDN) principles — leverage the internet as a meshed backbone transport, with the data center or cloud destinations equally and directly accessible by any Work-from-Anywhere (WFA) user. This design minimizes latency and optimizes scalability, but necessitates SASE to enable security enforcement in this environment of any-to-any connections, where the terms “on-prem” and “off-prem” have lost significance.
SDP Architecture
The SDP concept draws on the Defense Information Systems Agency’s (DISA) 2007 model of restricting connections to those with a need-to-know, rather than trusting everything inside the fixed perimeter of a network. In 2013, the Cloud Security Alliance’s (CSA) SDP Working Group popularized SDP to create highly secure, trusted, end-to-end networks for broad enterprise use, also incorporating:
- Standards from the National Institute of Standards and Technology (NIST)
- Zero Trust principles to facilitate secure access between hosts regardless of location
A fundamental attribute of an SDN architecture is the separation of control, data and management planes. This separation allows for control of both the SD-WAN and the SDP control planes in a network, which in turn allows implementation of both SD-WAN and SD-security in the same software control component.
[Figure: Software Defined Perimeter Architecture]
SWG Architecture
A SWG protects enterprises and users from malicious web traffic, and from compromised (hijacked) websites that serve malware or viruses.
Based on the user, device, and location context, the SWG evaluates application policy and grants access only if the policy allows the request based on identity context.
Firewalls versus SWGs (proxies)
Firewalls:
- Make decisions on a packet-by-packet basis
- No termination; stream scanning only
SWGs – Proxies:
- Receive the complete request from the client before making decisions
- Session termination; policy enforcement
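The contrast above is easiest to see in code. The following is an added illustration, not vendor code from the page: a proxy-style function terminates the client session, buffers the request until the HTTP request head is complete, and only then applies a host policy, while a per-segment view (no termination, no reassembly) can only report whether a decision is even possible for each segment in isolation. The segments, host names and blocklist are constructed for the example.

```python
"""Proxy (session-terminating) versus per-segment (stream-scanning) view of
one HTTP request. Added illustration; all inputs below are constructed."""

HEADER_END = b"\r\n\r\n"


def parse_http_request(raw: bytes):
    """Parse the request line and headers from an HTTP/1.1 request head.
    Returns None when the head is incomplete or the request line is malformed,
    i.e. when no host-based decision can be taken on this data."""
    end = raw.find(HEADER_END)
    if end < 0:
        return None
    head = raw[:end].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def proxy_decide(segments, blocked_hosts):
    """SWG/proxy behaviour: accumulate the client's segments until the request
    head is complete, then enforce the host policy once on the whole request."""
    buffer = b""
    for seg in segments:
        buffer += seg
        req = parse_http_request(buffer)
        if req is not None:
            host = req["headers"].get("host", "")
            return ("block", host) if host in blocked_hosts else ("allow", host)
    return ("incomplete", None)


def packet_filter_view(segments):
    """Stream-scanning behaviour: each segment is examined on its own, with no
    session state, so a host-based decision is only possible for a segment
    that happens to carry the complete request head."""
    return [parse_http_request(seg) is not None for seg in segments]


# Constructed sample traffic: one request whose head spans two TCP segments,
# the same request in a single segment, and a request to a permitted host.
SEG1 = b"GET /reports HTTP/1.1\r\n"
SEG2 = b"Host: blocked.example\r\nUser-Agent: demo\r\n\r\n"
SEGMENTS_SPLIT = [SEG1, SEG2]
SEGMENTS_WHOLE = [SEG1 + SEG2]
SEGMENTS_ALLOWED = [b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"]
BLOCKED_HOSTS = {"blocked.example"}

if __name__ == "__main__":
    print("proxy, split request:", proxy_decide(SEGMENTS_SPLIT, BLOCKED_HOSTS))
    print("per-segment decidable:", packet_filter_view(SEGMENTS_SPLIT))
    print("per-segment decidable (whole):", packet_filter_view(SEGMENTS_WHOLE))
```

The proxy returns the same verdict however the request is segmented, because it decides on the reassembled session; the per-segment view depends entirely on where the segment boundaries fall, which is the reason the page pairs policy enforcement with session termination.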
CASB Architecture
A CASB provides a central location for concurrent policy and governance across multiple cloud services for both users and devices along with granular visibility into, and control over, user activities and sensitive data. There are two deployment options for CASBs, API mode and proxy mode.
[Figure: CASB deployment options, API Mode and Proxy Mode]
ZTNA Architecture
ZTNA underlies SDP architecture. The essence of ZTNA is to trust nothing and to authenticate every access attempt based on identity and context. ZTNA’s primary function within a SASE architecture is to authenticate users to applications using advanced context and role-based identity combined with Multifactor Authentication (MFA).
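The SWG policy evaluation described earlier (user, device and location context, access granted only when policy allows) and the ZTNA principle above (authenticate every access attempt on identity, context and MFA, trusting nothing by default) are the same decision. The following is an added example of such a default-deny, identity-centric policy engine; it is not vendor code from the page, and the rule set, role names, applications and requests are all constructed for illustration.

```python
"""Identity- and context-based access decision in the SWG/ZTNA style.
Added illustration; policy and request values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """Context the policy engine sees for one access attempt (constructed)."""
    user: str
    roles: frozenset
    device_managed: bool   # device posture: enrolled / managed endpoint
    mfa_verified: bool     # multifactor authentication completed this session
    country: str           # location context (ISO country code)
    application: str       # target application or resource
    action: str = "read"


@dataclass(frozen=True)
class Rule:
    """One allow rule for an application; anything not matched is denied."""
    application: str
    allowed_roles: frozenset
    require_managed_device: bool = False
    require_mfa: bool = True
    allowed_countries: frozenset = frozenset()        # empty = any country
    allowed_actions: frozenset = frozenset({"read"})


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def evaluate(request: AccessRequest, rules) -> Decision:
    """Default-deny evaluation: the first rule for the application whose
    identity and context conditions all hold grants access. Each failed
    condition is recorded so the denial can be logged with its cause."""
    candidates = [r for r in rules if r.application == request.application]
    if not candidates:
        return Decision(False, f"no policy for application {request.application!r}")
    failures = []
    for rule in candidates:
        if not (request.roles & rule.allowed_roles):
            failures.append("role not permitted")
        elif rule.require_mfa and not request.mfa_verified:
            failures.append("MFA required")
        elif rule.require_managed_device and not request.device_managed:
            failures.append("managed device required")
        elif rule.allowed_countries and request.country not in rule.allowed_countries:
            failures.append(f"location {request.country} not permitted")
        elif request.action not in rule.allowed_actions:
            failures.append(f"action {request.action!r} not permitted")
        else:
            return Decision(True, "matched policy")
    return Decision(False, "; ".join(failures))


# Constructed policy set: a CRM open to sales roles from managed devices with
# MFA, and an HR portal limited to HR staff connecting from two countries.
POLICY = (
    Rule("crm", frozenset({"sales", "sales-manager"}), require_managed_device=True,
         allowed_actions=frozenset({"read", "write"})),
    Rule("hr-portal", frozenset({"hr"}), require_managed_device=True,
         allowed_countries=frozenset({"US", "DE"})),
)


def decide(request: AccessRequest) -> Decision:
    """Evaluate one request against the constructed policy set."""
    return evaluate(request, POLICY)


if __name__ == "__main__":
    for req in (
        AccessRequest("alice", frozenset({"sales"}), True, True, "US", "crm", "write"),
        AccessRequest("alice", frozenset({"sales"}), False, True, "US", "crm", "write"),
        AccessRequest("bob", frozenset({"hr"}), True, True, "BR", "hr-portal"),
        AccessRequest("carol", frozenset({"sales"}), True, False, "US", "crm"),
    ):
        print(req.user, req.application, decide(req))
```

Note that location never grants access on its own: a request from an approved country still fails if the identity, MFA or device-posture conditions are not met, which is the shift from traffic-flow-centric to identity-centric enforcement the page describes.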