What is SASE? | Secure access service edge

Secure access service edge, or SASE, is a cloud-based IT model that combines networking and security services.

Learning objectives

After reading this article you will be able to:

  • Define secure access service edge (SASE)
  • Learn the components of a SASE approach
  • Explore the benefits of adopting a SASE framework


What is SASE?

Secure access service edge, or SASE, is a cloud-based IT model that bundles software-defined networking with network security functions and delivers them from a single service provider. Gartner, a global research and advisory firm, coined the term "SASE" in 2019.

A SASE approach offers better control over and visibility into the users, traffic, and data accessing a corporate network — vital capabilities for modern, globally distributed organizations. Networks built with SASE are flexible and scalable, able to connect globally distributed employees and offices across any location and via any device.


What security capabilities does SASE include?

SASE combines software-defined wide area networking (SD-WAN) capabilities with a number of network security functions, all of which are delivered from a single cloud platform. In this way, SASE enables employees to authenticate and securely connect to internal resources from anywhere, and gives organizations better control over the traffic and data that enters and leaves their internal network.

SASE includes four core security components:

  1. Secure web gateways (SWG): An SWG prevents cyber threats and data breaches by filtering unwanted content from web traffic, blocking unauthorized user behavior, and enforcing company security policies. SWGs can be deployed anywhere, making them ideal for securing remote workforces.
  2. Cloud access security broker (CASB): A CASB performs several security functions for cloud-hosted services, including revealing shadow IT (unauthorized corporate systems), securing confidential data through access control and data loss prevention (DLP), and ensuring compliance with data privacy regulations.
  3. Zero trust network access (ZTNA): ZTNA platforms lock down internal resources from public view and help defend against potential data breaches by requiring real-time verification of every user and device to every protected application.
  4. Firewall as a service (FWaaS): FWaaS refers to firewalls delivered from the cloud as a service. FWaaS protects cloud-based platforms, infrastructure, and applications against cyber attacks. Unlike traditional firewalls, FWaaS is not a physical appliance but a set of security capabilities that includes URL filtering, intrusion prevention, and uniform policy management across all network traffic.

Depending on the vendor and the needs of the enterprise, these core components may be bundled with additional security services, including web application and API protection (WAAP), remote browser isolation, or Wi-Fi hotspot protection.

What are the benefits of a SASE framework?

SASE offers several benefits compared to a traditional, data-center-based network security model:

  • Identity-based Zero Trust network access. SASE leans heavily on a Zero Trust security model, which does not grant a user access to applications and data until their identity has been verified — even if they are already inside the perimeter of a private network. When establishing access policies, a SASE approach takes more than an entity's identity into account; it also considers factors like user location, time of day, enterprise security standards, compliance policies, and an ongoing evaluation of risk/trust.
  • Blocking attacks against network infrastructure. The firewall and CASB components of SASE help prevent external attacks (like DDoS attacks and vulnerability exploits) from getting in and compromising internal resources. Both on-premise and cloud-based networks can be protected by a SASE approach.
  • Preventing malicious activity. By filtering URLs, DNS queries, and other outgoing and incoming network traffic, SASE helps prevent malware-based attacks, data exfiltration, and other threats to corporate data.
  • Streamlined implementation and management. SASE merges single-point security solutions into one cloud-based service, freeing enterprises to interact with fewer vendors and to spend less time, money, and internal resources configuring physical infrastructure.
  • Simplified policy management. Instead of juggling multiple policies for separate solutions, SASE allows organizations to set, adjust, and enforce access policies across all locations, users, devices, and applications from a single portal.
  • Latency-optimized routing. SASE helps cut down on latency by routing network traffic across a global edge network in which traffic is processed as close to the user as possible. Routing optimizations can help determine the fastest network path based on network congestion and other factors.
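The identity-based Zero Trust and simplified-policy points above describe what a SASE control plane does on every request: deny by default, verify the identity, and only then weigh device posture, location, time of day and an ongoing risk score against one policy set shared by all applications. The following Python is an added illustration written for this article, not Cloudflare One code or any vendor's policy language; the AccessRequest and Policy types, the group directory, the two protected applications and the sample requests are all constructed for the example.

```python
"""Added example: a minimal Zero Trust access-policy evaluator of the kind a
SASE/ZTNA control plane runs for each request to a protected application.
All identifiers and sample data here are hypothetical, constructed for
illustration; they are not a vendor API.
"""
from dataclasses import dataclass, replace
from datetime import time
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    identity_verified: bool   # MFA-backed identity proof for this session
    device_managed: bool      # device posture check passed
    country: str              # country derived from the client address
    local_time: time          # time of day where the user is
    risk_score: int           # 0 (trusted) .. 100 (hostile), updated continuously
    application: str          # protected application being requested


@dataclass(frozen=True)
class Policy:
    allowed_groups: FrozenSet[str]
    allowed_countries: FrozenSet[str]
    business_hours: Tuple[time, time]
    max_risk: int
    require_managed_device: bool = True


# Constructed directory: which groups each (hypothetical) user belongs to.
GROUP_MEMBERSHIP = {"alice": {"engineering"}, "bob": {"finance"}, "mallory": set()}

# Constructed policy set. One set of rules is enforced regardless of where the
# user sits (office, home, branch) or which device they use.
POLICIES = {
    "git.internal": Policy(frozenset({"engineering"}), frozenset({"US", "DE"}),
                           (time(0, 0), time(23, 59)), max_risk=40),
    "erp.internal": Policy(frozenset({"finance"}), frozenset({"US"}),
                           (time(7, 0), time(19, 0)), max_risk=20),
}


def evaluate(req: AccessRequest) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Every check must pass; anything
    without an explicit policy is unreachable (default deny)."""
    policy = POLICIES.get(req.application)
    if policy is None:
        return "deny", "no policy for application"
    if not req.identity_verified:
        return "deny", "identity not verified"
    if not GROUP_MEMBERSHIP.get(req.user, set()) & policy.allowed_groups:
        return "deny", "user not in an allowed group"
    if policy.require_managed_device and not req.device_managed:
        return "deny", "device posture check failed"
    if req.country not in policy.allowed_countries:
        return "deny", f"country {req.country} not allowed"
    start, end = policy.business_hours
    if not (start <= req.local_time <= end):
        return "deny", "outside permitted hours"
    if req.risk_score > policy.max_risk:
        return "deny", f"risk score {req.risk_score} exceeds {policy.max_risk}"
    return "allow", "all policy checks passed"


def reevaluate(req: AccessRequest, new_risk: int) -> Tuple[str, str]:
    """Continuous evaluation: the same session is re-checked when the risk
    signal changes, so an earlier 'allow' does not persist unconditionally."""
    return evaluate(replace(req, risk_score=new_risk))


# Constructed sample requests covering the allow path and each denial reason.
SAMPLE_REQUESTS = [
    AccessRequest("alice", True, True, "US", time(10, 0), 10, "git.internal"),
    AccessRequest("alice", True, True, "US", time(10, 0), 10, "erp.internal"),
    AccessRequest("bob", True, True, "US", time(22, 0), 5, "erp.internal"),
    AccessRequest("bob", True, False, "US", time(10, 0), 5, "erp.internal"),
    AccessRequest("bob", True, True, "US", time(10, 0), 55, "erp.internal"),
    AccessRequest("mallory", False, True, "US", time(10, 0), 0, "git.internal"),
    AccessRequest("alice", True, True, "DE", time(10, 0), 10, "wiki.internal"),
]


def decision_log(requests: List[AccessRequest]) -> List[str]:
    """Render one audit line per request, as a SASE portal would log it."""
    lines = []
    for r in requests:
        decision, reason = evaluate(r)
        lines.append(f"{r.user} -> {r.application}: {decision} ({reason})")
    return lines


if __name__ == "__main__":
    print("\n".join(decision_log(SAMPLE_REQUESTS)))
    print("alice after risk rises to 90:", reevaluate(SAMPLE_REQUESTS[0], 90))
```

The order of the checks is deliberate: identity is verified before any contextual factor is consulted, and the risk check runs last so that a session already granted can still be revoked by `reevaluate` when the risk signal rises, which is the "ongoing evaluation of risk/trust" the article refers to.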

How does SASE compare to traditional networking?

In a traditional network model, data and applications are hosted in a central data center. To access those resources, users, branch offices, and applications connect to the data center from within a localized private network, or from a secondary network that typically connects to the primary one through a secure leased line or VPN.

This model has proved to be ill-equipped to handle the complexities introduced by cloud-based services like software-as-a-service (SaaS) and the rise of distributed workforces. It is no longer practical to reroute all traffic through a centralized data center if applications and data are hosted in the cloud.

By contrast, SASE places network controls on the cloud edge — not the corporate data center. Instead of layering cloud services that require separate configuration and management, SASE streamlines network and security services to create a secure network edge. Implementing identity-based, Zero Trust access policies on the edge network allows enterprises to expand their network perimeter to any remote user, branch office, device, or application.

How organizations can implement SASE

Many organizations take a piecemeal approach to SASE implementation. In fact, some may have already adopted certain SASE elements without knowing it. Key steps organizations can take towards fully adopting a SASE model include:

  1. Securing remote workforces
  2. Placing branch offices behind a cloud perimeter
  3. Moving DDoS protection to the edge
  4. Migrating self-hosted applications to the cloud
  5. Replacing security appliances with unified, cloud-native policy enforcement

These steps are broken down further in the white paper "Getting started with SASE," available for download here.

How Cloudflare enables SASE

Cloudflare is uniquely architected to deliver a platform of integrated network and security services across data centers in over 250 globally distributed cities, eliminating the need for enterprises to purchase and manage a complex collection of point solutions.

Cloudflare One is a SASE platform that securely connects remote users, offices, and data centers to each other and the resources that they need. To get started with Cloudflare One, see the Cloudflare One product page. Or, learn more about ZTNA, a crucial technology behind SASE.