Secure access service edge, or SASE, refers to a cloud-based IT model that combines networking and security services.
Secure access service edge, or SASE, is a cloud-based security model which bundles software-defined networking with network security functions and delivers them from a single service provider. The term ‘SASE’ was coined by Gartner, a global research and advisory firm, in 2019.
SASE is a cloud-based alternative to the traditional ‘hub-and-spoke’ network infrastructure used to connect users in multiple locations (spokes) to resources hosted in centralized data centers (hubs). In a traditional network model, data and applications live in a core data center. In order to access those resources, users, branch offices, and applications connect to the data center from within a localized private network or a secondary network that typically connects to the primary one through a secure leased line or VPN.
While simple in principle, a hub-and-spoke model is ill-equipped to handle the complexities introduced by cloud-based services like Software-as-a-Service (SaaS) and the rise of distributed workforces. With more applications, workloads, and sensitive corporate data moving to the cloud, enterprises are forced to rethink how and where network traffic is inspected and secure user access policies are managed. It is no longer practical to reroute (or ‘trombone’) all traffic through a centralized data center if most applications and data are hosted in the cloud, as that can introduce unnecessary latency. Large groups of remote users, meanwhile, may experience significant latency when connecting to a corporate network via VPN, or else expose themselves to additional security risks when accessing company resources over an unsecured connection.
By contrast, SASE places network controls on the cloud edge — not the corporate data center. Instead of layering cloud services that require separate configuration and management, SASE streamlines network and security services to create a secure, seamless network edge. Implementing identity-based, zero trust access policies on the edge network allows enterprises to expand their network perimeter to any remote user, branch office, device, or application. In turn, this eliminates the need for legacy VPNs and firewalls and gives enterprises more granular control over their network security policies. To do this, a SASE framework is built on top of a single global network to bring these integrated services closer to end users.
Imagine a traditional network architecture model as a brick-and-mortar bank. Now imagine that Bob wants to check his account balance before making a rent payment. To do so, he will have to physically travel to the bank and verify his identity with the teller. Every month, he will have to make another trip to the bank to repeat this process, which can cost him significant time and effort, especially if he lives far from the bank.
This is somewhat similar to hardware-centric network architecture, in which security and access decisions are made and enforced at a fixed, on-premises data center rather than in the cloud. Adding cloud services to a traditional network architecture model is much like giving Bob the option to check his account balance by placing a phone call to the bank. It is slightly more convenient than driving to the bank, but it requires him to complete an entirely different identity verification process (instead of handing over his ID, for instance, he may be required to give another set of confidential information over the phone to prove his identity). The bank, in turn, has to maintain each of these separate procedures in order to keep its customers’ account information secure.
Traditional hub-and-spoke infrastructure is not designed with cloud services in mind. It relies on a secure network perimeter built around a core data center, which is only effective when the bulk of an enterprise’s applications and data reside within that perimeter. The various security services and access policies layered onto this model can quickly become difficult for IT teams to manage and update.
SASE, on the other hand, is like a banking app on Bob’s mobile device. Instead of driving to the bank to check his account or placing a time-consuming phone call, he can digitally verify his identity and instantly access his account balance from anywhere in the world. And this doesn’t just apply to Bob, but to every customer the bank has, no matter where they’re located.
SASE brings network security services and access control closer to the end user by shifting those key processes to the cloud, and operates on a global network in order to minimize latency while doing so.
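To make the contrast concrete, here is an added example (not code from the original article or from any SASE vendor) that simulates the two access models side by side: a perimeter decision that trusts anything inside the private network, and an edge decision evaluated per request on identity and device posture. The corporate subnet, user groups, applications and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: the "hub" private network that a VPN places users inside of.
CORP_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # identity attributes asserted by the identity provider
    device_managed: bool     # device posture signal (managed vs. unmanaged device)
    src_ip: str
    app: str                 # internal application being requested


def perimeter_decision(req: Request) -> bool:
    """Hub-and-spoke model: the only check is network location.
    Anyone who reached the private network (e.g. over VPN) is trusted."""
    return ip_address(req.src_ip) in CORP_NET


# Hypothetical per-application policies, evaluated at the edge for every request.
POLICIES = {
    "payroll": {"groups": {"finance"}, "managed_only": True},
    "wiki": {"groups": {"employees"}, "managed_only": False},
}


def edge_decision(req: Request) -> bool:
    """SASE / zero trust model: decide on identity and device posture,
    regardless of where the request comes from. Unknown apps are denied."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False
    if not (req.groups & policy["groups"]):
        return False
    if policy["managed_only"] and not req.device_managed:
        return False
    return True


# Constructed requests: a remote finance user on a managed laptop, a contractor
# who is on the VPN but not entitled to payroll, and an employee reading the wiki.
SAMPLE = [
    Request("alice", frozenset({"employees", "finance"}), True, "203.0.113.7", "payroll"),
    Request("mallory", frozenset({"contractors"}), False, "10.4.2.9", "payroll"),
    Request("bob", frozenset({"employees"}), False, "10.1.1.1", "wiki"),
]


def compare(requests=SAMPLE):
    """Return {user: (perimeter_allows, edge_allows)} for each request."""
    return {r.user: (perimeter_decision(r), edge_decision(r)) for r in requests}
```

The perimeter model lets the contractor on the VPN reach payroll while rejecting the legitimate finance user working remotely; the edge policy gets both cases right without any VPN at all.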
Secure access service edge packages software-defined wide area networking (SD-WAN) capabilities with a number of network security functions, all of which are delivered from and managed on a single cloud platform. A SASE offering includes four core security components:
Depending on the vendor and the needs of the enterprise, these core components may be bundled with any number of additional security services, from web application and API protection (WAAP) and remote browser isolation to recursive DNS, Wi-Fi hotspot protection, network obfuscation/dispersion, edge computing protection, and so on.
SASE offers several benefits compared to a traditional, data center-based network security model:
It is important to note that not all SASE implementations will look the same. While they may share some core characteristics — identity-based access policies, network security services, and a cloud-centric architecture — there may also be some notable differences based on the organization’s needs. For instance, a SASE implementation may opt for single-tenancy architecture rather than multitenant architecture, incorporate network access control for IoT (Internet of Things) and edge devices, offer additional security capabilities, lean on minimal hardware/virtual appliances to deliver security solutions, etc.
Cloudflare’s SASE model applies to both Cloudflare for Infrastructure and Cloudflare for Teams, both of which are backed by a single global network that services approximately 25 million Internet properties. Cloudflare is uniquely architected to deliver a platform of integrated network and security services across each of its 200+ globally distributed cities, eliminating the need for companies to purchase and manage a complex collection of point solutions in the cloud.
Cloudflare for Infrastructure encompasses Cloudflare’s suite of integrated security and performance services, which secure, accelerate, and ensure the reliability of any on-premise, hybrid, and cloud environment. An integral part of Cloudflare for Infrastructure is Cloudflare Magic Transit, which shields networking infrastructure from DDoS threats and network layer attacks, and works in tandem with the Cloudflare Web Application Firewall (WAF) to defend against vulnerability exploits. Magic Transit also uses Cloudflare’s global network to accelerate legitimate network traffic for optimal latency and throughput. Learn more about Cloudflare Magic Transit.
Cloudflare for Teams safeguards company data in two distinct ways: with Cloudflare Access, a zero trust network access solution, and Cloudflare Gateway, a DNS filtering and network security service that protects against threats like malware and phishing. Cloudflare Access eliminates the need for legacy VPNs and enables secure, identity-based access to internal applications and data, no matter where users are located. Cloudflare Gateway protects user and corporate data by filtering and blocking malicious content, identifying compromised devices, and using browser isolation technology to prevent malicious code from executing on user devices. Learn more about Cloudflare for Teams.