SOLUTIONS
Deliver Superior Online Experiences
Mitigate DDoS Attacks Stop Malicious Bot Abuse Accelerate Internet Applications Ensure Application Availability Optimize Web Experiences Stream Videos On-Demand
Secure Employee Applications and Devices
Deliver Zero Trust Access to Applications Implement Secure Access Service Edge (SASE) Protect Users Accessing the Internet Protect Corporate Networks Manage Secure Contractor Access Replace Virtual Private Networks (VPNs) Secure Your Remote Workforce Stop Zero Day Attacks with Browser Isolation
 
Protect and Accelerate Networks
Mitigate L3 DDoS Attacks Connect network infrastructure with Cloudflare Transform Corporate Networks
Code on the Network Edge
Build a Serverless Application Deploy a Static Website Configure a CDN Define Conditional Request Routing
Manage a Secure Cloud
Secure Hybrid, Cloud, & SaaS Platforms Enable SSL for SaaS Applications Reduce Cloud Data Transfer Costs
Register a Website
Register or Transfer a Website
INDUSTRIES
eCommerce Financial Services Gaming Healthcare and Life Sciences Media and Entertainment Public Sector SaaS
PUBLIC INTEREST
Election Campaigns Athenian Project Project Galileo Project Fair Shot
FOR INFRASTRUCTURE
Application & Network Security
DDoS Protection WAF Bot Management Magic Transit Rate Limiting SSL / TLS Cloudflare Spectrum Network Interconnect
Performance & Reliability
CDN DNS Argo Smart Routing Load Balancing Stream Delivery China Network Waiting Room
FOR TEAMS
Cloudflare for Teams Access Gateway Browser Isolation
FOR DEVELOPERS
Serverless Applications
Cloudflare Workers Cloudflare Workers KV
Domain Registration
Cloudflare Registrar
Website Development
Cloudflare Pages Cloudflare Stream
FOR EVERYONE
1.1.1.1 1.1.1.1 with WARP (App) 1.1.1.1 for Families
INSIGHTS
Analytics Cloudflare Logs Web Analytics Cloudflare Radar
PRIVACY
Data Localization Compliance
FOR INFRASTRUCTURE
Advanced Security
Bot Management Firewall rules Magic Transit Spectrum (TCP/UDP) SSL WAF
Performance & Reliability
CDN DNS Image Resizing Load Balancing Stream (Video)
 
Insights
Analytics
Domain Registration
Registrar
FOR SERVERLESS APPLICATIONS
Workers Quick Start Cloudflare Pages Sample Workers Projects Workers Tutorials Command-line (Wrangler) Runtime
FOR TEAMS
Cloudflare for Teams
EXPLORE CLOUDFLARE API
Cloudflare API API Authentication
DOCUMENTATION HUB
Dev Documentation Hub
RESOURCES
Resource Hub Whitepapers Webinars Solutions & Product Guides Case Studies Analysts
EXPLORE
What's New? Network Map Cloudflare in China GDPR
GET STARTED
Register Your Website Welcome Center Get Help
LEARN
Learning Center Security DDoS Bot Management SSL Identity and Access Management Performance CDN DNS Cloud Serverless Network Layer
CONNECT
Blog Community
COMPLIANCE
GDPR Transparency Report Compliance
CONTACT
+1 650 319 8930
CHANNEL & ALLIANCE PARTNERS
Partner Network Partner Portal
TECHNOLOGY PARTNERS
Overview Analytics Partners Bandwidth Alliance Interconnect Partnerships Peering Portal
PRICING BY PLAN
Free Pro Business Enterprise
COMPARE AND EXPLORE
Need Help Choosing a Plan? Add Ons Compare All Plans

What is SASE? | Secure access service edge

Secure access service edge, or SASE, refers to a cloud-based IT model that combines networking and security services.

Share facebook icon linkedin icon twitter icon email icon
What is IAM?
Access Control
Zero Trust Security
What is SASE?
Secure Web Gateway
Remote Access
Glossary
  • What is IAM?
  • Access Control
  • Zero Trust Security
  • What is SASE?

    What is SASE?

    Secure access service edge, or SASE, is a cloud-based security model which bundles software-defined networking with network security functions and delivers them from a single service provider. The term ‘SASE’ was coined by Gartner, a global research and advisory firm, in 2019.

    sase - secure access service edge

    SASE is a cloud-based alternative to the traditional ‘hub-and-spoke’ network infrastructure used to connect users in multiple locations (spokes) to resources hosted in centralized data centers (hubs). In a traditional network model, data and applications live in a core data center. In order to access those resources, users, branch offices, and applications connect to the data center from within a localized private network or a secondary network that typically connects to the primary one through a secure leased line or VPN.

    While simple in principle, a hub-and-spoke model is ill-equipped to handle the complexities introduced by cloud-based services like Software-as-a-Service (SaaS) and the rise of distributed workforces. With more applications, workloads, and sensitive corporate data moving to the cloud, enterprises are forced to rethink how and where network traffic is inspected and secure user access policies are managed. It is no longer practical to reroute (or ‘trombone’) all traffic through a centralized data center if most applications and data are hosted in the cloud, as that can introduce unnecessary latency. Large groups of remote users, meanwhile, may experience significant latency when connecting to a corporate network via VPN, or else expose themselves to additional security risks when accessing company resources over an unsecured connection.

    By contrast, SASE places network controls on the cloud edge — not the corporate data center. Instead of layering cloud services that require separate configuration and management, SASE streamlines network and security services to create a secure, seamless network edge. Implementing identity-based, zero trust access policies on the edge network allows enterprises to expand their network perimeter to any remote user, branch office, device, or application. In turn, this eliminates the need for legacy VPNs and firewalls and gives enterprises more granular control over their network security policies. To do this, a SASE framework is built on top of a single global network to bring these integrated services closer to end users.

    Why is SASE necessary?

    Imagine a traditional network architecture model as a brick-and-mortar bank. Now imagine that Bob wants to check his account balance before making a rent payment. To do so, he will have to physically travel to the bank and verify his identity with the teller. Every month, he will have to make another trip to the bank to repeat this process, which can cost him significant time and effort, especially if he lives far from the bank.

    This is somewhat similar to hardware-centric network architecture, in which security and access decisions are made and enforced at a fixed, on-premise data center rather than in the cloud. Adding cloud services to a traditional network architecture model is kind of like giving Bob the option to check his account balance by placing a phone call to the bank. It is slightly more convenient than driving to the bank, but will require him to complete an entirely different identity verification process (instead of handing over his ID, for instance, he may be required to give another set of confidential information over the phone to prove his identity). The bank will have to manage these different procedures in order to keep their customers’ account information secure.

    hub and spoke network model

    Traditional hub-and-spoke infrastructure is not designed with cloud services in mind. It relies on a secure network perimeter built around a core data center, which is only effective when the bulk of an enterprise’s applications and data reside within that perimeter. Managing various security services and access policies can quickly become difficult for IT teams to manage and update.

    SASE, on the other hand, is like a banking app on Bob’s mobile device. Instead of driving to the bank to check his account or placing a time-consuming phone call, he can digitally verify his identity and instantly access his account balance from anywhere in the world. And this doesn’t just apply to Bob, but to every customer the bank has, no matter where they’re located.

    hub and spoke network model

    SASE brings network security services and access control closer to the end user by shifting those key processes to the cloud, and operates on a global network in order to minimize latency while doing so.

    What capabilities does SASE include?

    Secure access service edge packages software-defined wide area networking (SD-WAN) capabilities with a number of network security functions, all of which are delivered from and managed on a single cloud platform. A SASE offering includes four core security components:

    1. Secure web gateways (SWG): Also known as a secure Internet gateway, an SWG prevents cyber threats and data breaches by filtering unwanted content from web traffic, blocking unauthorized user behavior, and enforcing company security policies. SWGs can be deployed anywhere, making them ideal for securing remote workforces.
    2. Cloud access security broker (CASB): A CASB performs several security functions for cloud-hosted services: revealing shadow IT (unauthorized corporate systems), securing confidential data through access control and data loss prevention (DLP), ensuring compliance with data privacy regulations, and more.
    3. Zero trust network access (ZTNA): ZTNA platforms lock down internal resources from public view and help defend against potential data breaches by requiring real-time verification of every user to every protected application.
    4. Firewall-as-a-Service (FWaaS): FWaaS refers to firewalls delivered from the cloud as a service. FWaaS protects cloud-based platforms, infrastructure, and applications from cyber attacks. Unlike traditional firewalls, FWaaS is not a physical appliance, but a set of security capabilities that includes URL filtering, intrusion prevention, and uniform policy management across all network traffic.

    Depending on the vendor and the needs of the enterprise, these core components may be bundled with any number of additional security services, from web application and API protection (WAAP) and remote browser isolation to recursive DNS, Wi-Fi hotspot protection, network obfuscation/dispersion, edge computing protection, and so on.

    What are the advantages of a SASE framework?

    SASE offers several benefits compared to a traditional, data center-based network security model:

    • Streamlined implementation and management. SASE merges single-point security solutions into one cloud-based service, freeing enterprises to interact with fewer vendors and to spend less time, money, and internal resources configuring and performing maintenance on physical infrastructure.
    • Simplified policy management. Instead of juggling multiple policies for separate solutions, SASE allows organizations to set, monitor, adjust, and enforce access policies across all locations, users, devices, and applications from a single portal.
    • Identity-based, zero-trust network access. SASE leans heavily on a zero trust security model, which does not grant a user access to applications and data until their identity has been verified — even if they are already inside the perimeter of a private network. When establishing access policies, a SASE approach takes more than an entity’s identity into account; it also considers factors like user location, time of day, enterprise security standards, compliance policies, and an ongoing evaluation of risk/trust.
    • Latency-optimized routing. For enterprises that deliver latency-impacted services (e.g. video conferencing, streaming, online gaming, etc.), any significant increase in latency is an issue. SASE helps cut down on latency by routing network traffic across a global edge network in which traffic is processed as close to the user as possible. Routing optimizations can help determine the fastest network path based on network congestion and other factors.

    It is important to note that not all SASE implementations will look the same. While they may share some core characteristics — identity-based access policies, network security services, and a cloud-centric architecture — there may also be some notable differences based on the organization’s needs. For instance, a SASE implementation may opt for single-tenancy architecture rather than multitenant architecture, incorporate network access control for IoT (Internet of Things) and edge devices, offer additional security capabilities, lean on minimal hardware/virtual appliances to deliver security solutions, etc.

    How does Cloudflare help with SASE adoption?

    Cloudflare’s SASE model applies to both Cloudflare for Infrastructure and Cloudflare for Teams, both of which are backed by a single global network that services approximately 25 million Internet properties. Cloudflare is uniquely architected to deliver a platform of integrated network and security services across each of its 200+ globally distributed cities, eliminating the need for companies to purchase and manage a complex collection of point solutions in the cloud.

    Cloudflare for Infrastructure encompasses Cloudflare’s suite of integrated security and performance services, which secure, accelerate, and ensure the reliability of any on-premise, hybrid, and cloud environment. An integral part of Cloudflare for Infrastructure is Cloudflare Magic Transit, which shields networking infrastructure from DDoS threats and network layer attacks, and works in tandem with the Cloudflare Web Application Firewall (WAF) to defend against vulnerability exploits. Magic Transit also uses Cloudflare’s global network to accelerate legitimate network traffic for optimal latency and throughput. Learn more about Cloudflare Magic Transit.

    Cloudflare for Teams safeguards company data in two distinct ways: with Cloudflare Access, a zero trust network access solution, and Cloudflare Gateway, a DNS filtering and network security service that protects against threats like malware and phishing. Cloudflare Access eliminates the need for legacy VPNs and enables secure, identity-based access to internal applications and data, no matter where users are located. Cloudflare Gateway protects user and corporate data by filtering and blocking malicious content, identifying compromised devices, and using browser isolation technology to prevent malicious code from executing on user devices. Learn more about Cloudflare for Teams.

  • Secure Web Gateway
  • Remote Access
  • What's a VPN?
  • VPN Security
  • VPN Speed
  • Business VPN
  • GDPR Remote Access
  • Remote Workforce Security
  • What is the RDP?
  • RDP Security
  • Glossary
  • What is a CASB?
  • Phishing Attack
  • DNS Filtering
  • Data Loss Prevention (DLP)
  • URL Filtering
  • Software Defined Perimeter
  • Two-Factor Authentication
  • RBAC
  • What is SSO?
  • Multi-Factor Authentication
  • What is SAML?
  • Network Perimeter
  • What is OAuth?
  • Identity Provider (IdP)
  • Identity as a Service
  • Browser Isolation

SASE

Learning Objectives

After reading this article you will be able to:

  • Define secure access service edge (SASE)
  • Learn what services SASE includes
  • Learn how SASE differs from traditional network architecture
  • Explore the advantages of adopting a SASE framework

Related Content

Zero Trust Security

Secure Web Gateway

What is IAM?

Access Control

Software Defined Perimeter

What is SASE?

Secure access service edge, or SASE, is a cloud-based security model which bundles software-defined networking with network security functions and delivers them from a single service provider. The term ‘SASE’ was coined by Gartner, a global research and advisory firm, in 2019.

sase - secure access service edge

SASE is a cloud-based alternative to the traditional ‘hub-and-spoke’ network infrastructure used to connect users in multiple locations (spokes) to resources hosted in centralized data centers (hubs). In a traditional network model, data and applications live in a core data center. In order to access those resources, users, branch offices, and applications connect to the data center from within a localized private network or a secondary network that typically connects to the primary one through a secure leased line or VPN.

While simple in principle, a hub-and-spoke model is ill-equipped to handle the complexities introduced by cloud-based services like Software-as-a-Service (SaaS) and the rise of distributed workforces. With more applications, workloads, and sensitive corporate data moving to the cloud, enterprises are forced to rethink how and where network traffic is inspected and secure user access policies are managed. It is no longer practical to reroute (or ‘trombone’) all traffic through a centralized data center if most applications and data are hosted in the cloud, as that can introduce unnecessary latency. Large groups of remote users, meanwhile, may experience significant latency when connecting to a corporate network via VPN, or else expose themselves to additional security risks when accessing company resources over an unsecured connection.

By contrast, SASE places network controls on the cloud edge — not the corporate data center. Instead of layering cloud services that require separate configuration and management, SASE streamlines network and security services to create a secure, seamless network edge. Implementing identity-based, zero trust access policies on the edge network allows enterprises to expand their network perimeter to any remote user, branch office, device, or application. In turn, this eliminates the need for legacy VPNs and firewalls and gives enterprises more granular control over their network security policies. To do this, a SASE framework is built on top of a single global network to bring these integrated services closer to end users.

Why is SASE necessary?

Imagine a traditional network architecture model as a brick-and-mortar bank. Now imagine that Bob wants to check his account balance before making a rent payment. To do so, he will have to physically travel to the bank and verify his identity with the teller. Every month, he will have to make another trip to the bank to repeat this process, which can cost him significant time and effort, especially if he lives far from the bank.

This is somewhat similar to hardware-centric network architecture, in which security and access decisions are made and enforced at a fixed, on-premise data center rather than in the cloud. Adding cloud services to a traditional network architecture model is kind of like giving Bob the option to check his account balance by placing a phone call to the bank. It is slightly more convenient than driving to the bank, but will require him to complete an entirely different identity verification process (instead of handing over his ID, for instance, he may be required to give another set of confidential information over the phone to prove his identity). The bank will have to manage these different procedures in order to keep their customers’ account information secure.

hub and spoke network model

Traditional hub-and-spoke infrastructure is not designed with cloud services in mind. It relies on a secure network perimeter built around a core data center, which is only effective when the bulk of an enterprise’s applications and data reside within that perimeter. Managing various security services and access policies can quickly become difficult for IT teams to manage and update.

SASE, on the other hand, is like a banking app on Bob’s mobile device. Instead of driving to the bank to check his account or placing a time-consuming phone call, he can digitally verify his identity and instantly access his account balance from anywhere in the world. And this doesn’t just apply to Bob, but to every customer the bank has, no matter where they’re located.

hub and spoke network model

SASE brings network security services and access control closer to the end user by shifting those key processes to the cloud, and operates on a global network in order to minimize latency while doing so.

What capabilities does SASE include?

Secure access service edge packages software-defined wide area networking (SD-WAN) capabilities with a number of network security functions, all of which are delivered from and managed on a single cloud platform. A SASE offering includes four core security components:

  1. Secure web gateways (SWG): Also known as a secure Internet gateway, an SWG prevents cyber threats and data breaches by filtering unwanted content from web traffic, blocking unauthorized user behavior, and enforcing company security policies. SWGs can be deployed anywhere, making them ideal for securing remote workforces.
  2. Cloud access security broker (CASB): A CASB performs several security functions for cloud-hosted services: revealing shadow IT (unauthorized corporate systems), securing confidential data through access control and data loss prevention (DLP), ensuring compliance with data privacy regulations, and more.
  3. Zero trust network access (ZTNA): ZTNA platforms lock down internal resources from public view and help defend against potential data breaches by requiring real-time verification of every user to every protected application.
  4. Firewall-as-a-Service (FWaaS): FWaaS refers to firewalls delivered from the cloud as a service. FWaaS protects cloud-based platforms, infrastructure, and applications from cyber attacks. Unlike traditional firewalls, FWaaS is not a physical appliance, but a set of security capabilities that includes URL filtering, intrusion prevention, and uniform policy management across all network traffic.

Depending on the vendor and the needs of the enterprise, these core components may be bundled with any number of additional security services, from web application and API protection (WAAP) and remote browser isolation to recursive DNS, Wi-Fi hotspot protection, network obfuscation/dispersion, edge computing protection, and so on.

What are the advantages of a SASE framework?

SASE offers several benefits compared to a traditional, data center-based network security model:

  • Streamlined implementation and management. SASE merges single-point security solutions into one cloud-based service, freeing enterprises to interact with fewer vendors and to spend less time, money, and internal resources configuring and performing maintenance on physical infrastructure.
  • Simplified policy management. Instead of juggling multiple policies for separate solutions, SASE allows organizations to set, monitor, adjust, and enforce access policies across all locations, users, devices, and applications from a single portal.
  • Identity-based, zero-trust network access. SASE leans heavily on a zero trust security model, which does not grant a user access to applications and data until their identity has been verified — even if they are already inside the perimeter of a private network. When establishing access policies, a SASE approach takes more than an entity’s identity into account; it also considers factors like user location, time of day, enterprise security standards, compliance policies, and an ongoing evaluation of risk/trust.
  • Latency-optimized routing. For enterprises that deliver latency-impacted services (e.g. video conferencing, streaming, online gaming, etc.), any significant increase in latency is an issue. SASE helps cut down on latency by routing network traffic across a global edge network in which traffic is processed as close to the user as possible. Routing optimizations can help determine the fastest network path based on network congestion and other factors.

It is important to note that not all SASE implementations will look the same. While they may share some core characteristics — identity-based access policies, network security services, and a cloud-centric architecture — there may also be some notable differences based on the organization’s needs. For instance, a SASE implementation may opt for single-tenancy architecture rather than multitenant architecture, incorporate network access control for IoT (Internet of Things) and edge devices, offer additional security capabilities, lean on minimal hardware/virtual appliances to deliver security solutions, etc.

How does Cloudflare help with SASE adoption?

Cloudflare’s SASE model applies to both Cloudflare for Infrastructure and Cloudflare for Teams, both of which are backed by a single global network that services approximately 25 million Internet properties. Cloudflare is uniquely architected to deliver a platform of integrated network and security services across each of its 200+ globally distributed cities, eliminating the need for companies to purchase and manage a complex collection of point solutions in the cloud.

Cloudflare for Infrastructure encompasses Cloudflare’s suite of integrated security and performance services, which secure, accelerate, and ensure the reliability of any on-premise, hybrid, and cloud environment. An integral part of Cloudflare for Infrastructure is Cloudflare Magic Transit, which shields networking infrastructure from DDoS threats and network layer attacks, and works in tandem with the Cloudflare Web Application Firewall (WAF) to defend against vulnerability exploits. Magic Transit also uses Cloudflare’s global network to accelerate legitimate network traffic for optimal latency and throughput. Learn more about Cloudflare Magic Transit.

Cloudflare for Teams safeguards company data in two distinct ways: with Cloudflare Access, a zero trust network access solution, and Cloudflare Gateway, a DNS filtering and network security service that protects against threats like malware and phishing. Cloudflare Access eliminates the need for legacy VPNs and enables secure, identity-based access to internal applications and data, no matter where users are located. Cloudflare Gateway protects user and corporate data by filtering and blocking malicious content, identifying compromised devices, and using browser isolation technology to prevent malicious code from executing on user devices. Learn more about Cloudflare for Teams.

To provide you with the best possible experience on our website, we may use cookies, as described here.
By clicking accept, closing this banner, or continuing to browse our websites, you consent to the use of such cookies.