What is SASE, and how do you use it?

By James Francis, Ghost Writer, Copywriter, Media Hack & Illustrator

Johannesburg, 02 Dec 2021

When we talk about the cloud, we refer to something more than hiring space on servers or remotely accessing software services. Collectively, the cloud represents a shift away from the centralised IT environments that replaced mainframes and came to dominate the market. Initially, we articulated this change by adopting Software-as- a-Service and virtual machines, then added concepts such as elastic workloads and renting compute space.

What's in a name?

SASE is a new concept. It was first coined in a 2019 paper from Gartner, and this caused a stir among different analysts. Some hail it as the next level of modern security, while others argue it's just a new name for a grouping of technologies that already exist. This type of controversy is not unique. Several years ago, analyst firms such as Forrester challenged Gartner over its use of the term 'Integrated Risk Management,' which appears to be no different to 'Governance, Risk & Compliance,' other than that Gartner calls it something else. These semantic differences are quite important among competing analyst firms.

SASE may appear to be in the same boat, but all the commentators for this article agreed that it's a substantial designation. Mark Brown from BSI says that "while there are evident parallels with existing technologies that bring cause for many to say that this is simply a new name for an old concept, it's more accurate to say that SASE provides a singular responsive, replacing previous amalgamations of disparate technologies, in a singular framework and is, therefore, not just a new name, but a new concept."

Now the cloud has asserted itself upon the rest of IT infrastructure, redefining networks and user access, not to mention the rapid dissipating security parameter. Perhaps we can even call the current security transformation as the last stand of the client-server era. The cloud way of doing things is certainly taking over. The mainstream adoption of remote working cemented that status, and security has been trying to follow suit.

Around two years ago, Gartner coined the term Secure Access Service Edge or SASE. SASE has attracted its share of controversy, and some say we are jumping the gun a little here. Yet SASE represents a solution for the current challenges of decentralised security, which explains its growing popularity and the confusion emerging around the concept.

Defining SASE

"SASE is a cloud-delivered service that brings together networking and security for users, devices and locations," says Patrick Grillo, senior director, solutions marketing at Fortinet. "A key benefit of SASE is ensuring consistent security for remote users and devices, regardless of their location."

More specifically, says Simeon Tassev, MD at Galix consultancy, is that it's ‘a security framework that combines various security technologies and concepts to provide higher levels of protection in a world without the traditional boundaries’.

'Without the traditional boundaries' goes a long way to explain why SASE is suddenly on everyone's lips. Perimeter security could once mitigate some of the problems. Then concepts such as zero trust arose to help counter poor security awareness among users. Software-defined networks bolted security onto network traffic to follow the data, and encryption stopped someone from just scooping up data.

But as we come full circle into the cloud era, such individual strategies are not enough. SASE argues that they should be unified into a singular approach.

"There are two primary use cases driving adoption of a SASE architecture," says Meg Diaz, director, cloud security product marketing at Cisco Secure. "First, securing remote workers — this is all about making sure employees can access applications and data securely from anywhere they work, and doing it in a way that's simple and seamless for the end-users. Another use case is about securing the edge (which is really the WAN edge, from any location), and streamlining and securing connectivity to public and private apps across all office locations."

Is this cloud security?

SASE came into being to secure complicated environments that smash together different types of services. A company may use some SaaS offerings, run workloads in different clouds, and have onpremise storage or applications. Throw in different users with varying locations and devices, and you get a good idea why security is so hard to get right.

How to bake a SASE pie

SASE is a concept that encompasses several ingredients, some of which change depending on the specific environments. But it's the mix of different technology ingredients that define whether you’re using SASE or not. What are the key elements that define a SASE solution? According to Gartner, which was the first to define SASE, the core functions are:

Software-Defined Networking (SD-WAN)
Firewall-as-a-Service (FWaaS) Secure Web Gateway (SWG)
Cloud Access Security Broker (CASB), and
Zero Trust Network Access (ZTNA)

Meg Diaz from Cisco Secure says you can summarise SASE into three areas: "We think about three main components of a SASE architecture: networking, security, and observability."

More traditional ways to manage security, such as VPNs, don’t handle this well: for example, if a user wants to access a SaaS application, but they are routed through the central company systems to enforce security policies. This creates a bottleneck (not to mention additional traffic costs). It's inefficient, rubbing security against productivity.

Recent security products such as advanced firewalls and SD-WAN can bypass the central security and, instead, check policies through points of presence. Yet if you want to do this beyond SaaS and make it seamless for end-users to access corporate assets as easily as outside services, SASE is the answer.

According to Mark Brown, BSI's global MD for cybersecurity and information resilience, this approach is very appealing to his customers. "Our clients tell us that it solves several challenges, such as the simplification of controls and vendors, portal consolidation, establishing security by design, and, indeed, the potential initiation of a zero trust model, and cost management through a singular response model."

Yet even though SASE is often called 'cloud security’, it can manifest as pure cloud, in a hybrid form or as an on-premise solution. It is primarily a managed service, as building and managing a bespoke SASE environment could end up as far too expensive. It's best to see SASE as a service bouquet and expect a service provider to align its different elements to your specific needs.

"SASE service providers offer various options to clients, making it easier for them to adopt the SASE architecture," says Tassev. And true to its services approach, SASE is a relevant option for any size company.

But before you jump on the phone and order SASE for your company, there is one more important fact to note. SASE emerged in 2019; it's still a minnow in technology terms and is a concept, not a specific product set. Grillo offers this advice: "The important thing to keep in mind with SASE is that it was sprung on an unsuspecting world less than two years ago. What's been lost in the hype is that Gartner forecasted a five- to 10-year time horizon for it to reach maturity. These are the early Wild, Wild West days of SASE and the relative immaturity of today's service offerings must be viewed through this lens."