Secure access service edge (SASE) architecture is an IT model that combines security and networking services on one cloud platform.
Secure access service edge (SASE) is an architectural model that unifies network connectivity with network security functions onto a single cloud-based platform. Unlike traditional enterprise networking, the modern SASE approach places network controls on the cloud edge instead of the corporate data center. This allows enterprises to provide simpler, secure, and consistent access from any user to any application — regardless of location.
In other words, SASE offers organizations a streamlined way to manage previously disjointed infrastructure — networking and access control — together.
SASE platforms converge network connectivity with multiple Zero Trust security services that employ the principle of least privilege. With Zero Trust, users that authenticate successfully only have access to the resources and applications necessary for their role.
SASE creates a unified corporate network based on cloud services run over the Internet. This allows organizations to transition away from managing many architectural layers and disparate point solutions.
A SASE architecture is important because it is more effective than traditional IT security at connecting and protecting the modern organization’s workforce.
In the ‘old world’ model (i.e., a “castle and moat” security architecture), an organization’s IT infrastructure is fairly homogeneous and protected by a firewall. To access network resources, employees not in the office (or contractors and other third parties) connect to the network via a virtual private network (VPN) and firewall, or use another network route via a public IP address. Then, anyone inside the network “perimeter” also has access to the applications and data within that network.
However, with more applications and data now living in the cloud, it has become riskier and more complex to manage network security with this approach. For example, traditional security struggles to keep pace with the following trends:
SASE is more suitable for addressing these kinds of challenges. SASE provides secure, fast, and reliable connectivity for a workforce, workplace, and workloads. Instead of solely building out and operating their own modern networks, organizations can rely on globally distributed cloud-native services to simplify managing security and connectivity.
Consolidating security and networking capabilities as a service via a SASE architecture provides several benefits, including:
A SASE platform typically contains these core technology components:
Depending on the vendor’s capabilities, SASE platforms may also include:
The diagram below illustrates how a SASE platform can converge all these functions to deliver secure connectivity to all private applications, services, and networks — and also ensure the security of the workforce’s Internet access.
SASE implementation is commonly progressive (over months or even years). Implementation plans vary widely, and depend on unique factors such as:
Because each organization’s situation is different, there is no “one size fits all” approach to SASE deployment. However, use cases for enabling SASE commonly fall under these five IT priorities:
Applying Zero Trust principles (as a tenet of the broader SASE journey), starting with Zero Trust Network Access, enables use cases such as:
A SASE architecture supports a “work-from-anywhere” approach with consistent visibility and protections against threats both on- and off-network. Example use cases include:
Instead of maintaining legacy corporate networks, organizations can tap into distributed and cloud-native SASE services. This enables use cases such as:
Sensitive data may be exposed through the unsanctioned use of generative AI and shadow IT, leading to compromise or breaches that may be costly to remediate. However, a SASE architecture enables use cases such as:
Apps need to be secure, resilient, and performant for end users — with the scalability to handle growth in data while still meeting data governance requirements. A SASE architecture can help simplify and secure several stages of the app modernization process; for example:
In a traditional network model, data and applications live in a core data center. Users, branch offices, and applications connect to the data center from within a localized private network or a secondary network (which typically connects to the primary one through a secure leased line or VPN). This process can be risky and inefficient if an organization hosts SaaS applications and data in the cloud.
Unlike traditional networking, SASE places network controls on the cloud edge — not the corporate data center. Instead of layering services that require separate configuration and management, SASE converges network and security services using one control plane. By implementing identity-based, Zero Trust security policies on the edge network, SASE allows organizations to expand network access to any remote user, branch office, device, or application.
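To make the contrast between the perimeter model and identity-based Zero Trust access concrete, the following added example (not code from the article or from any SASE vendor) evaluates the same access requests under both models. The corporate IP range, the two private applications, their role allowlists and the device-posture rule are all constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, List, Optional

# Constructed sample data: one corporate range and per-app least-privilege policies.
CORP_NET = ip_network("10.0.0.0/8")
APP_POLICY = {
    "hr-portal": {"groups": {"hr"}, "require_managed_device": True},
    "wiki":      {"groups": {"hr", "engineering"}, "require_managed_device": False},
}


@dataclass(frozen=True)
class Request:
    src_ip: str
    app: str
    identity: Optional[str] = None          # None = user never authenticated
    groups: FrozenSet[str] = frozenset()    # groups asserted by the identity provider
    managed_device: bool = False            # device posture reported by the endpoint agent


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: being inside the corporate network grants access to every app."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust(req: Request) -> bool:
    """Identity-based model: location is ignored, deny by default, least privilege per app."""
    policy = APP_POLICY.get(req.app)
    if policy is None or req.identity is None:
        return False
    if policy["require_managed_device"] and not req.managed_device:
        return False
    return bool(req.groups & policy["groups"])


def reachable_apps(req: Request, model: Callable[[Request], bool]) -> List[str]:
    """Blast radius of one principal: which apps the model would let this request reach."""
    return sorted(
        app for app in APP_POLICY
        if model(Request(req.src_ip, app, req.identity, req.groups, req.managed_device))
    )


if __name__ == "__main__":
    # An engineer on the office LAN asking for the HR portal, and an HR user working remotely.
    insider = Request("10.1.2.3", "hr-portal", "eng1", frozenset({"engineering"}), True)
    remote = Request("203.0.113.7", "hr-portal", "hr1", frozenset({"hr"}), True)
    for name, model in (("castle_and_moat", castle_and_moat), ("zero_trust", zero_trust)):
        print(name, reachable_apps(insider, model), reachable_apps(remote, model))
```

The perimeter model lets the on-network engineer reach every app and the remote HR user none; the Zero Trust model reverses that, granting each identity only the apps its role and device posture permit.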
Multiprotocol label switching (MPLS) sends network packets along predetermined network paths. Ideally, the result with MPLS is that packets take the same path every time. This is one reason MPLS is generally considered reliable, yet inflexible. For example, with MPLS, security controls are enforced via centralized “breakout” locations; all outbound and inbound traffic gets routed through headquarters. This requires backhauling traffic to reach security functions.
SASE instead uses low-cost Internet connectivity, rather than the dedicated network paths of MPLS. This is suitable for organizations looking for networking efficiency at lower costs. A SASE platform provides flexible and application-aware intelligent routing, integrated security, and granular network visibility.
SASE incorporates a user’s secure access as part of the network architecture. But, not all organizations already have a cohesive approach across IT, network security, and networking teams. These organizations may prioritize security service edge (SSE) — a subset of SASE functionality that is focused on securing internal users’ access to the web, cloud services, and private applications.
SSE is a common stepping stone to a full SASE deployment. While it may be an oversimplification, some organizations may think of SASE as “SSE plus SD-WAN.”
In SASE, the dual-vendor approach means having two or more providers for ZTNA, SWG, CASB, SD-WAN/WANaaS, and FWaaS — often one for security, and one for networking. This lets organizations customize their tech stack and leverage the strengths of each vendor. It also means organizations must have the time and internal resources to orchestrate and integrate disparate services.
Organizations may also choose to pursue single-vendor SASE (SV-SASE) instead. This combines disparate security and networking technologies into a single cloud-delivered platform. SV-SASE is ideal for organizations looking to consolidate point products, drive down TCO, and ensure consistent policy enforcement with less effort.
With either approach, a SASE platform should be able to augment or integrate with existing tools for network on-ramps, identity management, endpoint security, log storage, and other network security components.
Whichever SASE approach is chosen, consider the following criteria and sample questions when assessing potential vendors:
Risk reduction
Network resiliency
Future-proof architecture
Cloudflare’s SASE platform, Cloudflare One, protects enterprise applications, users, devices, and networks. It is built on the Cloudflare connectivity cloud, a unified, composable platform of programmable cloud-native services that enable any-to-any connectivity between all networks (enterprise and Internet), cloud environments, applications, and users.
Since all Cloudflare services are designed to run across every network location, all traffic is connected, inspected, and filtered close to the source for the best performance and consistent user experience. There is no backhauling or service chaining to add latency.
Cloudflare One also delivers composable SASE on-ramps and services that enable organizations to adopt security and network modernization use cases in any order. For instance, many Cloudflare customers start with Zero Trust SSE services to reduce their attack surface, stop phishing or ransomware, prevent lateral movement, and secure data. By progressively adopting Cloudflare One, organizations can move away from their patchwork of appliances and other point solutions and consolidate security and networking capabilities on one unified control plane. Learn more about how Cloudflare delivers SASE.
SASE architecture combines network connectivity and security functions into a unified cloud-delivered service. It integrates SD-WAN capabilities with security services like CASB, SWG, and Zero Trust into a single platform.
SASE solutions provide secure access to resources regardless of where users are located, making them ideal for remote and hybrid work environments. They apply consistent security policies to all connections, protecting users and data whether users are in the office or working remotely.
SASE implementation typically includes SD-WAN, FWaaS, CASB, ZTNA, and SWG components. These all work together to provide network connectivity and security as a unified service.
Unlike traditional network security that focuses on keeping threats out of a defined network, SASE shifts security to the cloud and applies it wherever users connect. SASE also eliminates the need for multiple point solutions by consolidating networking and security functions into a single cloud-based service.
Organizations may face challenges integrating existing security infrastructure with new SASE deployment models during implementation. Challenges may include skill gaps (as IT teams shift from managing on-premises to cloud resources), change management, ensuring regulatory compliance as data passes through the cloud, and the need to retrain employees on new workflows. Additionally, selecting the right SASE vendor requires careful evaluation of both networking and security capabilities to ensure all requirements are met.