What are the major SASE components?

SASE combines SD-WAN networking and embedded security capabilities in a cloud-native manner that shifts security focus from traffic-flow-centric to identity-centric.

Past network architectures were designed with specific network policy enforcement points and force-routed traffic—often creating grossly inefficient aggregation points and bottlenecks along the way—through these points to enforce security checks. SASE’s approach is the exact opposite, it takes security enforcement to where the traffic flow is: the client and application endpoints, as well as strategically placed gateways and proxies along the already-established most-efficient path.

SASE enables ubiquitous and direct client-to-cloud security—based on user identity and context—fully integrated with optimal client-to-cloud WAN routing. This realizes a flexible and scalable network architecture offering embedded security as well as optimal performance along the Software-Defined Perimeter (SDP) edge.

Four Factors that SASE is Based On

Security policies governing user sessions to access resources or applications are decoupled from the location of the user, device and resource, and are instead based on four factors:

  1. The identity of the entity requesting access
  2. Session context (for example, the health and behavior of the user and/or device, or the sensitivity of the resources being accessed)
  3. The security and compliance policies granting access privileges in each specific situation
  4. Ongoing analysis and risk assessment for each session

SASE Connecting Fabric

SASE provides a secure connecting fabric between SDP client and service edge, including public and private clouds, data centers, private enterprise and government networks, internet, large offices, branches offices, home offices, mobile or temporary sites, mobile users, Work-from-Anywhere (WFA) users, mobile devices, BYOD, IoT, on-prem and off-prem locations.

SASE predicates access based on the identity of an individual, device, application, or service and the context within which they are connecting to each other. SASE provides WFA user access to all applications and data, no matter where the user is located or the transport technologies between them, or the ownership of the transport networks.

The Capabilities and Attributes of SASE

A leading SASE solution is a purely software-driven solution that has the following characteristics:

Identity
  • Identity-based access per session
  • Enterprise-grade authentication for every access attempt
Architecture and transport
  • Cloud-native architecture
  • Supports all edge types along the SDP
  • Transport independence: any available wired, wireless, or cellular internet access
  • A globally distributed SD-WAN footprint with optimized routing path intelligence
  • Enables secure client-to-cloud connectivity
  • Encrypted traffic analysis
  • Globally distributed gateways and proxies with embedded security that seamlessly integrate with enterprise authentication methods
  • Multi-tenancy isolation
  • Micro-segmented access to all resources and assets
Policy-driven
  • Zero-trust approach to all users, devices and resources, independent of location
  • Distributed and consistent corporate security policy enforcement per session regardless of where the user is, what device is used, what asset is accessed, or where the asset is located
  • Least-privilege, need-to-know, application-aware access
Orchestration and visibility
  • Enables Continuous Diagnostics and Mitigation (CDM)
  • Continuous assessment and monitoring of risk and trust
  • Advanced analytics and risk assessments leveraging Machine Learning and Artificial Intelligence (ML/AI)
  • Comprehensive visibility and control of users, applications, and risks

The Components of SASE

SASE converges both networking and security capabilities into a single-service cloud-native model, and includes several distinct components.

SASE is more than a single technology; it is an entire package of technologies that embeds security into the global fabric of the network so it is always available no matter where the user is, where the application or resource being accessed is, or what combination of transport technologies connects the user and the resource.

Software-defined WAN (SD-WAN)

Secure SD-WAN technology forms the foundation of a SASE solution by enabling optimal performance and intelligent routing in a client-to-cloud network architecture. Key capabilities include:

  • Secure traffic on-ramp and off-ramp
  • Multicloud connectivity
  • Embedded UTM security features
  • Leveraging internet-based backbones
  • Traffic routing from anywhere
  • DIA, direct cloud access, and intelligent traffic steering
  • Path selection to optimize consistent user experience
  • Inline encryption
  • Advanced routing and dynamic path selection
  • Application-awareness and traffic classification
  • Globally distributed gateways
  • Latency optimization
  • Self-remediating network capabilities

 

Firewalling: NGFW and Firewall-as-a-Service (FWaaS)

A cloud-based Next-Generation Firewall (NGFW) is a scalable, application-aware software solution allowing enterprises to eliminate the challenges of legacy appliance-based solutions, offering a full set of UTM features. A NGFW solution goes beyond a stateful firewall by offering features such as advanced threat protection, web and network visibility, threat intelligence, and access control. At the minimum, organizations should expect the following for their NGFW deployment:

  • User and application access control
  • Intrusion detection and prevention
  • Advanced malware detection
  • Threat and network intelligence
  • Automation and orchestration

 

Secure Web Gateway (SWG)

An SWG guards WFA users and devices against internet-sourced threats by protecting a web-surfing user device from being infected by unwanted software or malware and by enforcing corporate and regulatory policy compliance. An SWG includes:

  • Enforcement of internet security and compliance policies
  • Filtering malicious internet traffic with UTM capabilities such as URL Filtering, antivirus, anti-malware, IDS/IPS, zero-day attack prevention, phishing protection and more
  • Application identification and control capabilities
  • Data Loss/Leakage Prevention (DLP) capabilities
  • Remote Browser Isolation (RBI) to scan user sessions for risk, allowing users to safely navigate today’s menacing threat landscape. Risky websites are rendered on remote browsers, while sanitized pages (mostly as image files) are rendered on the user browser. RBI allows anonymous browsing and risk-free open access to internet sites.

 

SWGs can be implemented as on-premises hardware, virtual appliances, cloud-based services, or in hybrid mode as combined on-premises and cloud.

Cloud Access Security Broker (CASB)

A CASB offers products and services to address security deficits in an organization’s use of cloud services. It fills the need to secure cloud services that users are increasingly adopting, and in the growing deployment of direct cloud-to-cloud access. A CASB provides a central location for concurrent policy and governance across multiple cloud services for both users and devices along with granular visibility into, and control over, user activities and sensitive data.

A CASB delivers five critical security capabilities:

  • Cloud application discovery
  • Data security
  • Adaptive access control
  • Malware detection
  • User and Entity Behavior Analytics (UEBA) which offers policy enforcement based on unusual behavioral patterns of traffic to/from cloud services

CASBs can be either on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to inject enterprise security policies as the cloud-based data or applications are accessed.

 

Zero Trust Network Access (ZTNA)

ZTNA is a framework of technologies working together, based on the premise that nothing is trusted: not users, devices, data, workloads, locations or the network. ZTNA’s primary function within a SASE solution is to authenticate users to applications. Advanced context and role-based identity, combined with Multifactor Authentication (MFA), are essential for securing access for users and devices, for both on and off-network access.

There are two general models of a ZTNA implementation:

Client-initiated ZTNA

A software agent installed on the device sends its security context and credentials to an SDP controller for authentication. This model is suitable for managed devices.

 

Service-initiated ZTNA

An SDP (or ZTNA) connector installed along with the application establishes and maintains an outbound connection to the cloud provider. Users are challenged to authenticate to the provider to access protected applications. This model is suitable for unmanaged devices as no special software is required on the end device.

Free eBook

SASE For Dummies

Learn the business and technical background of SASE including best practices, real-life customer deployments, and the benefits that come with a SASE enabled organization.

Get the eBook

Learn More

Find more research, analysis, and information on SASE (Secure Access Service Edge), networking, security, SD-WAN, and cloud from industry thought leaders, analysts, and experts.

 

On-Demand Webinar: 60 min

Building a Bridge for Secure, Multi-Cloud Connectivity with SASE

Learn how to seamlessly deploy a blended combination of both cloud and on-premises services to create consistent services, features, policies, and configuration regardless where the service is delivered.

 
 

White Paper

Zero Trust Security

Zero Trust is a new approach to security that requires organizations to fundamentally shift the way they approach identity and access.

 
 

5:30 min Video

What is Versa Secure Access (VSA)?

Versa Secure Access (VSA) is the industry’s first solution to deliver the leading Secure SD-WAN services and private connectivity for employees who are remote or working from home.