What are the major SASE components?

Four Factors that SASE is Based On

Security policies governing user sessions to access resources or applications are decoupled from the location of the user, device and resource, and are instead based on four factors:

1. The identity of the entity requesting access
2. Session context (for example, the health and behavior of the user and/or device, or the sensitivity of the resources being accessed)
3. The security and compliance policies granting access privileges in each specific situation
4. Ongoing analysis and risk assessment for each session

SASE Connecting Fabric

SASE provides a secure connecting fabric between SDP client and service edge, including public and private clouds, data centers, private enterprise and government networks, internet, large offices, branches offices, home offices, mobile or temporary sites, mobile users, Work-from-Anywhere (WFA) users, mobile devices, BYOD, IoT, on-prem and off-prem locations.

SASE predicates access based on the identity of an individual, device, application, or service and the context within which they are connecting to each other. SASE provides WFA user access to all applications and data, no matter where the user is located or the transport technologies between them, or the ownership of the transport networks.

Software-defined WAN (SD-WAN)

Secure SD-WAN technology forms the foundation of a SASE solution by enabling optimal performance and intelligent routing in a client-to-cloud network architecture. Key capabilities include:

• Secure traffic on-ramp and off-ramp
• Multicloud connectivity
• Embedded UTM security features
• Leveraging internet-based backbones
• Traffic routing from anywhere
• DIA, direct cloud access, and intelligent traffic steering
• Path selection to optimize consistent user experience
• Inline encryption
• Advanced routing and dynamic path selection
• Application-awareness and traffic classification
• Globally distributed gateways
• Latency optimization
• Self-remediating network capabilities

Firewalling: NGFW and Firewall-as-a-Service (FWaaS)

A cloud-based Next-Generation Firewall (NGFW) is a scalable, application-aware software solution allowing enterprises to eliminate the challenges of legacy appliance-based solutions, offering a full set of UTM features. A NGFW solution goes beyond a stateful firewall by offering features such as advanced threat protection, web and network visibility, threat intelligence, and access control. At the minimum, organizations should expect the following for their NGFW deployment:

• User and application access control
• Intrusion detection and prevention
• Advanced malware detection
• Threat and network intelligence
• Automation and orchestration

Secure Web Gateway (SWG)

An SWG guards WFA users and devices against internet-sourced threats by protecting a web-surfing user device from being infected by unwanted software or malware and by enforcing corporate and regulatory policy compliance. An SWG includes:

• Enforcement of internet security and compliance policies
• Filtering malicious internet traffic with UTM capabilities such as URL Filtering, antivirus, anti-malware, IDS/IPS, zero-day attack prevention, phishing protection and more
• Application identification and control capabilities
• Data Loss/Leakage Prevention (DLP) capabilities
• Remote Browser Isolation (RBI) to scan user sessions for risk, allowing users to safely navigate today’s menacing threat landscape. Risky websites are rendered on remote browsers, while sanitized pages (mostly as image files) are rendered on the user browser. RBI allows anonymous browsing and risk-free open access to internet sites.

SWGs can be implemented as on-premises hardware, virtual appliances, cloud-based services, or in hybrid mode as combined on-premises and cloud.

Cloud Access Security Broker (CASB)

A CASB offers products and services to address security deficits in an organization’s use of cloud services. It fills the need to secure cloud services that users are increasingly adopting, and in the growing deployment of direct cloud-to-cloud access. A CASB provides a central location for concurrent policy and governance across multiple cloud services for both users and devices along with granular visibility into, and control over, user activities and sensitive data.

A CASB delivers five critical security capabilities:

• Cloud application discovery
• Data security
• Adaptive access control
• Malware detection
• User and Entity Behavior Analytics (UEBA) which offers policy enforcement based on unusual behavioral patterns of traffic to/from cloud services

CASBs can be either on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to inject enterprise security policies as the cloud-based data or applications are accessed.

Zero Trust Network Access (ZTNA)

ZTNA is a framework of technologies working together, based on the premise that nothing is trusted: not users, devices, data, workloads, locations or the network. ZTNA’s primary function within a SASE solution is to authenticate users to applications. Advanced context and role-based identity, combined with Multifactor Authentication (MFA), are essential for securing access for users and devices, for both on and off-network access.

There are two general models of a ZTNA implementation:

Client-initiated ZTNA

A software agent installed on the device sends its security context and credentials to an SDP controller for authentication. This model is suitable for managed devices.

Service-initiated ZTNA

An SDP (or ZTNA) connector installed along with the application establishes and maintains an outbound connection to the cloud provider. Users are challenged to authenticate to the provider to access protected applications. This model is suitable for unmanaged devices as no special software is required on the end device.