What is SASE? | Secure access service edge

Secure access service edge, or SASE, refers to an cloud-based IT model that combines networking and security services.

Share facebook icon linkedin icon twitter icon email icon
  • What is IAM?
  • Access Control
  • Zero Trust Security
  • What is SASE?

    What is SASE?

    Secure access service edge, or SASE, is a cloud-based security model which bundles software-defined networking with network security functions and delivers them from a single service provider. The term ‘SASE’ was coined by Gartner, a global research and advisory firm, in 2019.

    sase - secure access service edge

    SASE is a cloud-based alternative to the traditional ‘hub-and-spoke’ network infrastructure used to connect users in multiple locations (spokes) to resources hosted in centralized data centers (hubs). In a traditional network model, data and applications live in a core data center. In order to access those resources, users, branch offices, and applications connect to the data center from within a localized private network or a secondary network that typically connects to the primary one through a secure leased line or VPN.

    While simple in principle, a hub-and-spoke model is ill-equipped to handle the complexities introduced by cloud-based services like Software-as-a-Service (SaaS) and the rise of distributed workforces. With more applications, workloads, and sensitive corporate data moving to the cloud, enterprises are forced to rethink how and where network traffic is inspected and secure user access policies are managed. It is no longer practical to reroute (or ‘trombone’) all traffic through a centralized data center if most applications and data are hosted in the cloud, as that can introduce unnecessary latency. Large groups of remote users, meanwhile, may experience significant latency when connecting to a corporate network via VPN, or else expose themselves to additional security risks when accessing company resources over an unsecured connection.

    By contrast, SASE places network controls on the cloud edge — not the corporate data center. Instead of layering cloud services that require separate configuration and management, SASE streamlines network and security services to create a secure, seamless network edge. Implementing identity-based, zero trust access policies on the edge network allows enterprises to expand their network perimeter to any remote user, branch office, device, or application. In turn, this eliminates the need for legacy VPNs and firewalls and gives enterprises more granular control over their network security policies. To do this, a SASE framework is built on top of a single global network to bring these integrated services closer to end users.

    Why is SASE necessary?

    Imagine a traditional network architecture model as a brick-and-mortar bank. Now imagine that Bob wants to check his account balance before making a rent payment. To do so, he will have to physically travel to the bank and verify his identity with the teller. Every month, he will have to make another trip to the bank to repeat this process, which can cost him significant time and effort, especially if he lives far from the bank.

    This is somewhat similar to hardware-centric network architecture, in which security and access decisions are made and enforced at a fixed, on-premise data center rather than in the cloud. Adding cloud services to a traditional network architecture model is kind of like giving Bob the option to check his account balance by placing a phone call to the bank. It is slightly more convenient than driving to the bank, but will require him to complete an entirely different identity verification process (instead of handing over his ID, for instance, he may be required to give another set of confidential information over the phone to prove his identity). The bank will have to manage these different procedures in order to keep their customers’ account information secure.

    hub and spoke network model

    Traditional hub-and-spoke infrastructure is not designed with cloud services in mind. It relies on a secure network perimeter built around a core data center, which is only effective when the bulk of an enterprise’s applications and data reside within that perimeter. Managing various security services and access policies can quickly become difficult for IT teams to manage and update.

    SASE, on the other hand, is like a banking app on Bob’s mobile device. Instead of driving to the bank to check his account or placing a time-consuming phone call, he can digitally verify his identity and instantly access his account balance from anywhere in the world. And this doesn’t just apply to Bob, but to every customer the bank has, no matter where they’re located.

    hub and spoke network model

    SASE brings network security services and access control closer to the end user by shifting those key processes to the cloud, and operates on a global network in order to minimize latency while doing so.

    What capabilities does SASE include?

    Secure access service edge packages software-defined wide area networking (SD-WAN) capabilities with a number of network security functions, all of which are delivered from and managed on a single cloud platform. A SASE offering includes four core security components:

    1. Secure web gateways (SWG): Also known as a secure Internet gateway, an SWG prevents cyber threats and data breaches by filtering unwanted content from web traffic, blocking unauthorized user behavior, and enforcing company security policies. SWGs can be deployed anywhere, making them ideal for securing remote workforces.
    2. Cloud access security broker (CASB): A CASB performs several security functions for cloud-hosted services: revealing shadow IT (unauthorized corporate systems), securing confidential data through access control and data loss prevention (DLP), ensuring compliance with data privacy regulations, and more.
    3. Zero trust network access (ZTNA): ZTNA platforms lock down internal resources from public view and help defend against potential data breaches by requiring real-time verification of every user to every protected application.
    4. Firewall-as-a-Service (FWaaS): FWaaS refers to firewalls delivered from the cloud as a service. FWaaS protects cloud-based platforms, infrastructure, and applications from cyber attacks. Unlike traditional firewalls, FWaaS is not a physical appliance, but a set of security capabilities that includes URL filtering, intrusion prevention, and uniform policy management across all network traffic.

    Depending on the vendor and the needs of the enterprise, these core components may be bundled with any number of additional security services, from web application and API protection (WAAP) and remote browser isolation to recursive DNS, Wi-Fi hotspot protection, network obfuscation/dispersion, edge computing protection, and so on.

    What are the advantages of a SASE framework?

    SASE offers several benefits compared to a traditional, data center-based network security model:

    • Streamlined implementation and management. SASE merges single-point security solutions into one cloud-based service, freeing enterprises to interact with fewer vendors and to spend less time, money, and internal resources configuring and performing maintenance on physical infrastructure.
    • Simplified policy management. Instead of juggling multiple policies for separate solutions, SASE allows organizations to set, monitor, adjust, and enforce access policies across all locations, users, devices, and applications from a single portal.
    • Identity-based, zero-trust network access. SASE leans heavily on a zero trust security model, which does not grant a user access to applications and data until their identity has been verified — even if they are already inside the perimeter of a private network. When establishing access policies, a SASE approach takes more than an entity’s identity into account; it also considers factors like user location, time of day, enterprise security standards, compliance policies, and an ongoing evaluation of risk/trust.
    • Latency-optimized routing. For enterprises that deliver latency-impacted services (e.g. video conferencing, streaming, online gaming, etc.), any significant increase in latency is an issue. SASE helps cut down on latency by routing network traffic across a global edge network in which traffic is processed as close to the user as possible. Routing optimizations can help determine the fastest network path based on network congestion and other factors.

    It is important to note that not all SASE implementations will look the same. While they may share some core characteristics — identity-based access policies, network security services, and a cloud-centric architecture — there may also be some notable differences based on the organization’s needs. For instance, a SASE implementation may opt for single-tenancy architecture rather than multitenant architecture, incorporate network access control for IoT (Internet of Things) and edge devices, offer additional security capabilities, lean on minimal hardware/virtual appliances to deliver security solutions, etc.

    How does Cloudflare help with SASE adoption?

    Cloudflare’s SASE model applies to both Cloudflare for Infrastructure and Cloudflare for Teams, both of which are backed by a single global network that services over 25 million Internet properties. Cloudflare is uniquely architected to deliver a platform of integrated network and security services across each of its 200+ globally distributed cities, eliminating the need for companies to purchase and manage a complex collection of point solutions in the cloud.

    Cloudflare for Infrastructure encompasses Cloudflare’s suite of integrated security and performance services, which secure, accelerate, and ensure the reliability of any on-premise, hybrid, and cloud environment. An integral part of Cloudflare for Infrastructure is Cloudflare Magic Transit, which shields networking infrastructure from DDoS threats and network layer attacks, and works in tandem with the Cloudflare Web Application Firewall (WAF) to defend against vulnerability exploits. Magic Transit also uses Cloudflare’s global network to accelerate legitimate network traffic for optimal latency and throughput. Learn more about Cloudflare Magic Transit.

    Cloudflare for Teams safeguards company data in two distinct ways: with Cloudflare Access, a zero trust network access solution, and Cloudflare Gateway, a DNS filtering and network security service that protects against threats like malware and phishing. Cloudflare Access eliminates the need for legacy VPNs and enables secure, identity-based access to internal applications and data, no matter where users are located. Cloudflare Gateway protects user and corporate data by filtering and blocking malicious content, identifying compromised devices, and using browser isolation technology to prevent malicious code from executing on user devices. Learn more about Cloudflare for Teams.

  • Secure Web Gateway
  • Remote Access
  • Glossary

SASE

Learning Objectives

After reading this article you will be able to:

  • Define secure access service edge (SASE)
  • Learn what services SASE includes
  • Learn how SASE differs from traditional network architecture
  • Explore the advantages of adopting a SASE framework

What is SASE?

Secure access service edge, or SASE, is a cloud-based security model which bundles software-defined networking with network security functions and delivers them from a single service provider. The term ‘SASE’ was coined by Gartner, a global research and advisory firm, in 2019.

sase - secure access service edge

SASE is a cloud-based alternative to the traditional ‘hub-and-spoke’ network infrastructure used to connect users in multiple locations (spokes) to resources hosted in centralized data centers (hubs). In a traditional network model, data and applications live in a core data center. In order to access those resources, users, branch offices, and applications connect to the data center from within a localized private network or a secondary network that typically connects to the primary one through a secure leased line or VPN.

While simple in principle, a hub-and-spoke model is ill-equipped to handle the complexities introduced by cloud-based services like Software-as-a-Service (SaaS) and the rise of distributed workforces. With more applications, workloads, and sensitive corporate data moving to the cloud, enterprises are forced to rethink how and where network traffic is inspected and secure user access policies are managed. It is no longer practical to reroute (or ‘trombone’) all traffic through a centralized data center if most applications and data are hosted in the cloud, as that can introduce unnecessary latency. Large groups of remote users, meanwhile, may experience significant latency when connecting to a corporate network via VPN, or else expose themselves to additional security risks when accessing company resources over an unsecured connection.

By contrast, SASE places network controls on the cloud edge — not the corporate data center. Instead of layering cloud services that require separate configuration and management, SASE streamlines network and security services to create a secure, seamless network edge. Implementing identity-based, zero trust access policies on the edge network allows enterprises to expand their network perimeter to any remote user, branch office, device, or application. In turn, this eliminates the need for legacy VPNs and firewalls and gives enterprises more granular control over their network security policies. To do this, a SASE framework is built on top of a single global network to bring these integrated services closer to end users.

Why is SASE necessary?

Imagine a traditional network architecture model as a brick-and-mortar bank. Now imagine that Bob wants to check his account balance before making a rent payment. To do so, he will have to physically travel to the bank and verify his identity with the teller. Every month, he will have to make another trip to the bank to repeat this process, which can cost him significant time and effort, especially if he lives far from the bank.

This is somewhat similar to hardware-centric network architecture, in which security and access decisions are made and enforced at a fixed, on-premise data center rather than in the cloud. Adding cloud services to a traditional network architecture model is kind of like giving Bob the option to check his account balance by placing a phone call to the bank. It is slightly more convenient than driving to the bank, but will require him to complete an entirely different identity verification process (instead of handing over his ID, for instance, he may be required to give another set of confidential information over the phone to prove his identity). The bank will have to manage these different procedures in order to keep their customers’ account information secure.

hub and spoke network model

Traditional hub-and-spoke infrastructure is not designed with cloud services in mind. It relies on a secure network perimeter built around a core data center, which is only effective when the bulk of an enterprise’s applications and data reside within that perimeter. Managing various security services and access policies can quickly become difficult for IT teams to manage and update.

SASE, on the other hand, is like a banking app on Bob’s mobile device. Instead of driving to the bank to check his account or placing a time-consuming phone call, he can digitally verify his identity and instantly access his account balance from anywhere in the world. And this doesn’t just apply to Bob, but to every customer the bank has, no matter where they’re located.

hub and spoke network model

SASE brings network security services and access control closer to the end user by shifting those key processes to the cloud, and operates on a global network in order to minimize latency while doing so.

What capabilities does SASE include?

Secure access service edge packages software-defined wide area networking (SD-WAN) capabilities with a number of network security functions, all of which are delivered from and managed on a single cloud platform. A SASE offering includes four core security components:

  1. Secure web gateways (SWG): Also known as a secure Internet gateway, an SWG prevents cyber threats and data breaches by filtering unwanted content from web traffic, blocking unauthorized user behavior, and enforcing company security policies. SWGs can be deployed anywhere, making them ideal for securing remote workforces.
  2. Cloud access security broker (CASB): A CASB performs several security functions for cloud-hosted services: revealing shadow IT (unauthorized corporate systems), securing confidential data through access control and data loss prevention (DLP), ensuring compliance with data privacy regulations, and more.
  3. Zero trust network access (ZTNA): ZTNA platforms lock down internal resources from public view and help defend against potential data breaches by requiring real-time verification of every user to every protected application.
  4. Firewall-as-a-Service (FWaaS): FWaaS refers to firewalls delivered from the cloud as a service. FWaaS protects cloud-based platforms, infrastructure, and applications from cyber attacks. Unlike traditional firewalls, FWaaS is not a physical appliance, but a set of security capabilities that includes URL filtering, intrusion prevention, and uniform policy management across all network traffic.

Depending on the vendor and the needs of the enterprise, these core components may be bundled with any number of additional security services, from web application and API protection (WAAP) and remote browser isolation to recursive DNS, Wi-Fi hotspot protection, network obfuscation/dispersion, edge computing protection, and so on.

What are the advantages of a SASE framework?

SASE offers several benefits compared to a traditional, data center-based network security model:

  • Streamlined implementation and management. SASE merges single-point security solutions into one cloud-based service, freeing enterprises to interact with fewer vendors and to spend less time, money, and internal resources configuring and performing maintenance on physical infrastructure.
  • Simplified policy management. Instead of juggling multiple policies for separate solutions, SASE allows organizations to set, monitor, adjust, and enforce access policies across all locations, users, devices, and applications from a single portal.
  • Identity-based, zero-trust network access. SASE leans heavily on a zero trust security model, which does not grant a user access to applications and data until their identity has been verified — even if they are already inside the perimeter of a private network. When establishing access policies, a SASE approach takes more than an entity’s identity into account; it also considers factors like user location, time of day, enterprise security standards, compliance policies, and an ongoing evaluation of risk/trust.
  • Latency-optimized routing. For enterprises that deliver latency-impacted services (e.g. video conferencing, streaming, online gaming, etc.), any significant increase in latency is an issue. SASE helps cut down on latency by routing network traffic across a global edge network in which traffic is processed as close to the user as possible. Routing optimizations can help determine the fastest network path based on network congestion and other factors.

It is important to note that not all SASE implementations will look the same. While they may share some core characteristics — identity-based access policies, network security services, and a cloud-centric architecture — there may also be some notable differences based on the organization’s needs. For instance, a SASE implementation may opt for single-tenancy architecture rather than multitenant architecture, incorporate network access control for IoT (Internet of Things) and edge devices, offer additional security capabilities, lean on minimal hardware/virtual appliances to deliver security solutions, etc.

How does Cloudflare help with SASE adoption?

Cloudflare’s SASE model applies to both Cloudflare for Infrastructure and Cloudflare for Teams, both of which are backed by a single global network that services over 25 million Internet properties. Cloudflare is uniquely architected to deliver a platform of integrated network and security services across each of its 200+ globally distributed cities, eliminating the need for companies to purchase and manage a complex collection of point solutions in the cloud.

Cloudflare for Infrastructure encompasses Cloudflare’s suite of integrated security and performance services, which secure, accelerate, and ensure the reliability of any on-premise, hybrid, and cloud environment. An integral part of Cloudflare for Infrastructure is Cloudflare Magic Transit, which shields networking infrastructure from DDoS threats and network layer attacks, and works in tandem with the Cloudflare Web Application Firewall (WAF) to defend against vulnerability exploits. Magic Transit also uses Cloudflare’s global network to accelerate legitimate network traffic for optimal latency and throughput. Learn more about Cloudflare Magic Transit.

Cloudflare for Teams safeguards company data in two distinct ways: with Cloudflare Access, a zero trust network access solution, and Cloudflare Gateway, a DNS filtering and network security service that protects against threats like malware and phishing. Cloudflare Access eliminates the need for legacy VPNs and enables secure, identity-based access to internal applications and data, no matter where users are located. Cloudflare Gateway protects user and corporate data by filtering and blocking malicious content, identifying compromised devices, and using browser isolation technology to prevent malicious code from executing on user devices. Learn more about Cloudflare for Teams.