What is SASE and What Problems Does it Address?
The 4th Industrial Revolution continues to fundamentally transform industries and reshape the way enterprises conduct business across an increasingly distributed, global landscape. In this environment, emerging technologies promise to drive greater efficiency and growth, fusing digital and analog worlds together in new ways. While none of us can say with any certainty what this future world will look like, we can be certain of this much: the ability to access and secure data and applications in real-time will be foundational to realizing its ultimate promise.
Of course, our current world has changed dramatically since the COVID-19 pandemic forced businesses to accommodate millions of remote workers. Whereas legacy IT models were predicated on centralized office locations and secured data centers, the pandemic accelerated the trend of increasingly distributed workforces and necessitated a greater push to make applications, data and other privileged network resources available in a decentralized fashion. Unfortunately, current infrastructure and architectures are wildly insufficient for supporting the real-time access and security demands of next-generation applications and technologies.
And while it’s true that this new way of work offers greater flexibility, new operating efficiencies, lower costs, and a host of other benefits, it comes at a cost. Since legacy infrastructure was never designed to support a decentralized and distributed workforce, there are a variety of performance and security challenges to consider: lagging application performance, network latency, weak data security controls, and perhaps most distressing of all, an unrelenting and constantly evolving threat environment.
A New Architectural Vision: SASE
In 2019, the terminology of Secure Access Service Edge (SASE) started spreading across many industry circles, outlining a new architectural framework designed to meet the challenges of the modern distributed enterprise. As enterprises increasingly adopt SD-WAN to optimize network performance, and new threats emerge outside the defined security perimeter, the complexity of managing these systems in a cohesive manner creates a whole set of new IT management and security challenges.
The SASE framework represents the convergence of several established technologies which aim to merge comprehensive SD-WAN capabilities and network security functions into a unified approach – one that will ultimately be better suited to addressing the needs of tomorrow’s enterprise data workloads and applications. While SASE is more of a philosophy and a direction than a checklist of features and capabilities, it may generally be characterized as comprised of five key networking and security technologies:
- Firewall as a Service (FWaaS)
- Cloud Access Security Broker (CASB)
- Secure Web Gateway, and
- Zero Trust Network Access (ZTNA)
In this new paradigm, there is an expectation that the applications and the data that workers require to stay productive remain always available, optimized for performance needs, and protected regardless of wherever they might be connecting from.
In essence, the idea of SASE is to offer secure network services anywhere a user might connect from. And this converged solution should ideally optimize and extend the performance of applications that are spread across individual users, premises, edge, and public/private cloud environments.
The Problems that SASE Addresses
Even as the pandemic has subsided, an increasing number of enterprises are considering permanent shifts or hybrid approaches for some portion of their employees to remote work. The typical medium-sized enterprise uses dozens of SaaS applications on a daily basis and also requires access to other administrative and operational resources, such as internal file sharing systems. The conventional approach was to have users tunnel into a single location via their VPN where entitlements and policies could be centrally applied and enforced.
However, as many enterprise CIOs have come to learn, this approach also represents a network choke point that degrades the user experience and requires the organization to invest in larger and more costly inspection devices to manage and inspect the traffic. Secure Web Gateways and next generation Firewall as a Service vendors have emerged to address this gap by distributing these inspection engines to regional PoP locations and partnering with SaaS vendors to apply security in the cloud environment – or what we call Cloud Access Service Brokers (CASB).
But what If the user needs to connect back into the corporate network? How can you leverage the advantages of SD-WAN while still having a single security policy when users return to their homes or elsewhere?
SASE was designed with the end user in mind and begins with the idea of zero trust. So long as the user can verify their identification and the connecting device then it doesn’t matter where the user is physically located. In this type of environment, a trusted user can only connect to the specific resources they’re trying to access and nothing else, which is often enabled by an software-defined perimeter (SDP).
Unlike traditional VPN solutions which centralize all of these inspection points, a SASE approach distributes all of these checkpoints across various regions, improving the efficiency of network resources and reducing the latency found in a conventional ‘hub and spoke’ model.
Ultimately this helps address the complexity of managing these components as separate point solutions that each require their own sets of tools to master. SASE offers a common and centralized cloud-based toolset that improves visibility and control across these systems, which can then be managed and orchestrated in the cloud with policy-setting distributed at the network edge.
The Benefits That SASE Can Deliver
For organizations with distributed users and applications, this convergence of critical IT capabilities offers enterprises significant benefits, including the ability to:
- Optimize & Scale Performance: maximize business productivity by optimizing network and application performance wherever users are based while enhancing access and response times to cloud-based applications
- Accelerate Security Deployment & Incident Response: implement identity-based security policies, introduce security controls from the cloud, and improve incident response times by leveraging threat intelligence aggregated across all cybersecurity solutions
- Simplify Visibility & Control: view and holistically manage consolidated networking and security services from both a single “pane of glass” as well as from a single operator
- Improve Opex Efficiency: operate more efficiently by automating networking functions, modernizing branch technology, and using virtualized network functions in a more flexible OpEx model.
While the expanding edge of the enterprise network creates opportunities for innovation, it also creates new vectors for cybersecurity threats and introduces complexities that challenge the basic IT function of providing secure and reliable access to protected resources. With SASE, virtually every process can be streamlined and securely applied — allowing you to do more with fewer resources. This integrated architectural approach is what will enable enterprises to confidently adopt immersive digital experiences across distributed environments.
In the next post in our SASE series, we’ll examine some of the most common use cases that are ideally suited to a SASE approach.
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen’s products and offerings as of the date of issue. Services not available everywhere. Business customers only. Lumen may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2021 Lumen Technologies. All Rights Reserved.