What is SASE architecture? | Secure access service edge

Secure access service edge (SASE) architecture is an IT model that combines security and networking services on one cloud platform.

Learning Objectives

After reading this article you will be able to:

  • Define the secure access service edge (SASE) model
  • Learn why SASE is important and how it benefits organizations
  • Discover the technology components that comprise a SASE platform
  • Understand how SASE compares to other networking approaches, including single-vendor SASE vs. dual-vendor SASE

What is secure access service edge (SASE)?

Secure access service edge (SASE) is an architectural model that unifies network connectivity with network security functions onto a single platform. Unlike traditional enterprise networking, the modern SASE approach places network controls on the cloud edge instead of the corporate data center. This allows enterprises to provide simpler, secure, and consistent access from any user to any application — regardless of location.

In other words, SASE offers organizations a streamlined way to manage previously disjointed infrastructure — networking and access control — together.

SASE platforms converge network connectivity with multiple Zero Trust security services that employ the principle of least privilege. With Zero Trust, users that authenticate successfully only have access to the resources and applications necessary for their role.

SASE creates a unified corporate network based on cloud services run over the Internet. This allows organizations to transition away from managing many architectural layers and disparate point solutions.

SASE architecture combines Zero Trust security and network services

Why is SASE important?

A SASE architecture is important because it is more effective than traditional IT security at connecting and protecting the modern organization’s workforce.

In the ‘old world’ model (i.e., a “castle and moat” security architecture), an organization’s IT infrastructure is fairly homogeneous and protected by a firewall. To access network resources, employees not in the office (or contractors and other third parties) connect to the network via a virtual private network (VPN) and firewall, or use another network route via a public IP address. Then, anyone inside the network “perimeter” also has access to the applications and data within that network.

However, with more applications and data now living in the cloud, it has become riskier and more complex to manage network security with this approach. For example, traditional security struggles to keep pace with the following trends:

  • More mobile workforces: Many organizations have embraced remote and hybrid work, and support the use of unmanaged (not company-controlled) devices. Therefore, more people — and the applications they need for work — are located outside the proverbial moat.
  • Accelerated cloud adoption: Organizations have moved more apps, data, and infrastructure from on-premises data centers to public or private cloud environments. Generative AI and other digital transformation initiatives have also increased cloud deployments.
  • Growing attack surfaces: Digital systems all have areas attackers can use as entry points. More entry points mean more potential attack vectors to exploit — which, in turn, has increased the risk of lateral movement.
  • Operational complexity: With the rise of hybrid work, and applications being deployed primarily through the cloud, the requirements for networks have changed. This has resulted in administrative complexity, as well as inconsistency with how security controls are applied.
  • Higher network-related costs: With traditional networking, more equipment (such as firewalls, routers, and switches) must be provisioned and purchased to support each region. Needing more equipment can also increase subscription and bandwidth costs.
  • Data privacy and compliance regulations: It can be difficult for organizations to adhere to the latest data privacy and compliance standards, certifications, and regulatory requirements. Data protection laws vary widely across countries and even industries, and have continued to evolve with the proliferation of GenAI.

SASE is more suitable for addressing these kinds of challenges. SASE provides secure, fast, and reliable connectivity for a workforce, workplace, and workloads. Instead of solely building out and operating their own modern networks, organizations can rely on distributed cloud-native services to simplify managing security and connectivity.

Top 5 SASE benefits

Consolidating security and networking capabilities as a service via a SASE architecture provides several benefits, including:

  1. Reduced cyber risk: SASE operates heavily on the Zero Trust security model, which does not grant an entity access to applications and data until their identity has been verified — even if they are inside the network perimeter. Zero Trust security takes more than just an entity's identity into account: geolocation, device posture, enterprise security standards, and a continuous evaluation of risk/trust based on additional contextual signals are all considered. Users only access resources that are explicitly allowed. This prevents threats from spreading across an entire network, which reduces the risk of lateral movement.
  2. Reduced costs: Security hardware — like network firewalls and secure web gateway (SWG) boxes — incurs costs beyond the sticker price. Installation, warranties, repairs, and patch management all require additional expenditures and IT resources. Eliminating those costs by moving network security to the cloud helps reduce total cost of ownership.
  3. Reduced complexity: SASE simplifies IT operations by eliminating the need for multiple, siloed networking and security tools. It streamlines management with centralized policy enforcement and monitoring across locations, people, devices, and applications from a single interface. For example, a SASE architecture can help simplify compliance by providing visibility and automation tools to help organizations more efficiently configure the security settings they need to meet various regulations.
  4. Consistent data protection: A SASE platform consolidates data visibility and controls across web, SaaS, and private apps in a unified way that ensures consistent enforcement of data protection policies. For instance, SASE services that safeguard access to sensitive data, prevent data leaks, manage cloud app risks, and secure web browsing all help organizations meet regulatory requirements. SASE further strengthens security and simplifies compliance by supporting centralized logging, encryption, real-time threat mitigation, and more.
  5. Improved employee experience: More reliable Internet connectivity improves productivity. With SASE, network routing optimizations improve performance and reduce latency by processing traffic as close to the user as possible. Additionally, SASE helps IT teams automate more workflows and spend less time responding to access-related tickets.

Typical technology components of SASE

A SASE platform typically contains these core technology components:

  • The main technology that makes the Zero Trust approach to secure access possible is Zero Trust Network Access (ZTNA). ZTNA provides simple, secure access between any user and app, on any device, in any location by continually checking granular context like identity and device posture on a resource-by-resource basis.
  • A secure web gateway (SWG) prevents threats and protects data by filtering unwanted web traffic content and blocking risky or unauthorized behavior online. SWGs can filter web traffic from anywhere, making them ideal for hybrid workforces.
  • Using the cloud and SaaS apps makes it harder to ensure that data stays private and secure. A cloud access security broker (CASB) is one solution to this challenge: a CASB provides data security controls over (and visibility into) an organization’s cloud-hosted services and applications. And, to prevent data from being stolen or destroyed without permission, data loss prevention (DLP) technologies detect the presence of sensitive data in web, SaaS, and private applications. In combination with a SWG, DLP solutions can scan data in transit (e.g. uploaded or downloaded files, chat messages, form fills). In combination with a CASB, DLP solutions can scan data at rest.
  • In a SASE architecture, organizations adopt either software-defined wide area networking (SD-WAN) or WAN-as-a-Service (WANaaS) to connect and scale operations (e.g., offices, retail stores, data centers) across large distances. SD-WAN and WANaaS use different approaches:
    • SD-WAN technology uses software at enterprise sites and a centralized controller to overcome some of the limitations of traditional WAN architectures, simplifying operations and traffic steering decisions.
    • WANaaS builds on the benefits of SD-WAN by taking a “light branch, heavy cloud” approach that deploys the minimum required hardware within physical locations and uses low-cost Internet connectivity to reach the nearest “service edge” location. This can reduce total costs, offer more integrated security, improve middle mile performance, and better serve cloud infrastructure.
  • A next-generation firewall (NGFW) inspects data on a deeper level than a traditional firewall. NGFWs can offer application awareness and control, intrusion prevention, and threat intelligence — which allows them to identify and block threats that may be hidden in normal-seeming traffic. NGFWs that can be deployed in the cloud are called cloud firewalls or firewall-as-a-service (FWaaS).
  • Remote browser isolation (RBI) applies the Zero Trust principle to web browsing by assuming no website code should be trusted to run by default. RBI loads webpages and executes any associated code in the cloud — away from users’ local devices. This separation helps prevent malware downloads, minimizes the risk of zero-day browser vulnerabilities, and defends against other browser-borne threats. RBI can also apply data protection controls to browser-based resources, which is useful for securing unmanaged device access.
  • Centralized management that integrates across all of the services allows admins to define policies, which are then applied across all the connected services.
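The per-resource, context-aware access decision described above (identity, geolocation, device posture, risk score, with continuous re-evaluation) in working form. This is an added illustration, not Cloudflare One's or any vendor's code; the resources, groups, countries and thresholds are constructed for the example.

```python
"""Added example: a minimal ZTNA-style policy engine. Every request is
evaluated per resource, deny by default, using identity plus contextual
signals. All policies and signal names here are constructed, not a real API."""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    groups: set          # identity: group memberships from the IdP
    country: str         # geolocation signal (ISO country code)
    device_managed: bool # device posture: enrolled in management
    disk_encrypted: bool # device posture: disk encryption on
    risk_score: int      # 0 (clean) .. 100 (high risk), from analytics
    resource: str        # the application being requested


@dataclass
class Policy:
    resource: str
    allowed_groups: set
    allowed_countries: set
    require_managed_device: bool = True
    max_risk: int = 50


# Constructed per-application policies: least privilege per resource.
POLICIES = {
    "hr-portal": Policy("hr-portal", {"hr", "finance"}, {"US", "DE"}),
    "git": Policy("git", {"engineering"}, {"US", "DE", "IN"}, max_risk=30),
    "wiki": Policy("wiki", {"all-staff"}, {"US", "DE", "IN", "BR"},
                   require_managed_device=False),
}


def evaluate(req: Request) -> tuple:
    """Return (decision, reason). Unknown resources and any failed check deny."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return ("deny", "no policy for resource")
    if not (req.groups & policy.allowed_groups):
        return ("deny", "identity: user not in an allowed group")
    if req.country not in policy.allowed_countries:
        return ("deny", f"geolocation: {req.country} not allowed")
    if policy.require_managed_device and not (req.device_managed and req.disk_encrypted):
        return ("deny", "device posture: managed, encrypted device required")
    if req.risk_score > policy.max_risk:
        return ("deny", f"risk score {req.risk_score} exceeds {policy.max_risk}")
    return ("allow", "all checks passed")


def reevaluate_session(req: Request, new_risk: int, new_country: str) -> tuple:
    """Continuous evaluation: re-run the policy when context changes mid-session,
    so an already-authenticated user loses access when their risk rises."""
    req.risk_score, req.country = new_risk, new_country
    return evaluate(req)
```

A real platform would source these signals from the identity provider, endpoint agent and analytics rather than from the request itself, but the decision logic is the same.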

Depending on the vendor’s capabilities, SASE platforms may also include:

The diagram below illustrates how a SASE platform can converge all these functions to deliver secure connectivity to all private applications, services, and networks — and also ensure the security of the workforce’s Internet access.

SASE applies secure access to all private applications, services, and networks

SASE use case examples

SASE is commonly implemented progressively (over months or even years). Implementation plans vary widely, and depend on unique factors such as:

  • An organization’s short- and long-term growth strategy
  • Which roles and apps are at greater risk for cyber attacks
  • Individual teams’ flexibility and openness to change
  • Potential speed, complexity, and costs of migration

Because each organization’s situation is different, there is no “one size fits all” approach to SASE deployment. However, use cases for enabling SASE commonly fall under these five IT priorities:

1. Adopting Zero Trust

Applying Zero Trust principles (as a tenet of the broader SASE journey), starting with ZTNA, enables use cases such as:

  • Replacing risky VPNs and other traditional hardware-based security
  • Simplifying third-party and BYOD access
  • Mitigating ransomware attacks
  • Limiting data exposure across SaaS apps and cloud storage

2. Protecting the attack surface

A SASE architecture supports a “work-from-anywhere” approach with consistent visibility and protections against threats both on- and off-network. Example use cases include:

  • Stopping phishing across email, social media, collaboration apps, and other channels
  • Securing connectivity for remote workers
  • Protecting and optimizing traffic to any cloud or Internet destination
  • Securing wide area networks (WANs)

3. Modernizing the network

Instead of maintaining legacy corporate networks, organizations can tap into distributed and cloud-native SASE services. This enables use cases such as:

  • Simplifying branch connectivity compared to MPLS and traditional SD-WAN
  • Shifting DMZ security to the cloud
  • Eliminating elevated trust on the local area network (LAN)
  • Reducing IT risk and accelerating connectivity for mergers and acquisitions (M&A)

4. Protecting data

Sensitive data may be exposed through the unsanctioned use of generative AI and shadow IT, leading to compromise or breaches that may be costly to remediate. However, a SASE architecture enables use cases such as:

  • Simplifying compliance with data security regulations
  • Managing shadow IT
  • Safeguarding GenAI usage
  • Detecting and controlling sensitive data

5. Modernizing applications

Apps need to be secure, resilient, and performant for end users — with the scalability to handle growth in data while still meeting data governance requirements. A SASE architecture can help simplify and secure several stages of the app modernization process; for example:

  • Protecting privileged (developer/IT) access to critical infrastructure
  • Preventing leaks and theft of developer code
  • Securing DevOps workflows
  • Securing apps undergoing cloud migration

SASE vs. other networking approaches

SASE vs. traditional networking

In a traditional network model, data and applications live in a core data center. Users, branch offices, and applications connect to the data center from within a localized private network or a secondary network (which typically connects to the primary one through a secure leased line or VPN). This process can be risky and inefficient if an organization hosts SaaS applications and data in the cloud.

Unlike traditional networking, SASE places network controls on the cloud edge — not the corporate data center. Instead of layering services that require separate configuration and management, SASE converges network and security services using one control plane. By implementing identity-based, Zero Trust security policies on the edge network, SASE allows organizations to expand network access to any remote user, branch office, device, or application.

SASE vs. MPLS

Multiprotocol label switching (MPLS) sends network packets along predetermined network paths. Ideally, the result with MPLS is that packets take the same path every time. This is one reason MPLS is generally considered reliable, yet inflexible. For example, with MPLS, security controls are enforced via centralized “breakout” locations; all outbound and inbound traffic gets routed through headquarters. This requires backhauling traffic to reach security functions.

SASE instead uses low-cost Internet connectivity, rather than the dedicated network paths of MPLS. This is suitable for organizations looking for networking efficiency at lower costs. A SASE platform provides flexible and application-aware intelligent routing, integrated security, and granular network visibility.

How are SASE and SSE (security service edge) different?

SASE incorporates a user’s secure access as part of the network architecture. But, not all organizations already have a cohesive approach across IT, network security, and networking teams. These organizations may prioritize security service edge (SSE) — a subset of SASE functionality that is focused on securing internal users’ access to the web, cloud services, and private applications.

SSE is a common stepping stone to a full SASE deployment. While it may be an oversimplification, some organizations may think of SASE as “SSE plus SD-WAN.”

Single-vendor SASE vs. dual-vendor SASE

In SASE, the dual-vendor approach means having two or more providers for ZTNA, SWG, CASB, SD-WAN/WANaaS, and FWaaS — often one for security, and one for networking. This lets organizations customize their tech stack and leverage the strengths of each vendor. It also means organizations must have the time and internal resources to orchestrate and integrate disparate services.

Organizations may also choose to pursue single-vendor SASE (SV-SASE) instead. This combines disparate security and networking technologies into a single cloud-delivered platform. SV-SASE is ideal for organizations looking to consolidate point products, drive down TCO, and ensure consistent policy enforcement with less effort.

With either approach, a SASE platform should be able to augment or integrate with existing tools for network on-ramps, identity management, endpoint security, log storage, and other network security components.

Questions to ask potential SASE vendors

Whichever SASE approach is chosen, consider the following criteria and sample questions when assessing potential vendors:

Risk reduction

  • Are all data flows and communications through SaaS suites protected across every channel?
  • What user/device risk scoring and analytics are available?
  • Are any security functions bypassed based on any network on-ramps?
  • Is application traffic decrypted and inspected in a single pass? Are there any deployment caveats?
  • Can threat intelligence feeds be integrated into their architecture?

Network resiliency

  • Are the security and networking functions natively integrated by default?
  • Is each connectivity method and SASE service interoperable with each other in any order?
  • Is every function delivered from every data center location?
  • Do they offer uptime and/or end-user latency guarantees?
  • How is the network architected to ensure service continuity in the event of an outage?

Future-proof architecture

  • What happens to SASE services/costs if you switch between clouds?
  • Is the platform developer-friendly? Will future SASE functions work with current apps?
  • What data localization and compliance capabilities are built in?
  • How is the platform accounting for future Internet or security standards, such as post-quantum encryption?

How Cloudflare enables SASE

Cloudflare’s SASE platform, Cloudflare One, protects enterprise applications, users, devices, and networks. It is built on the Cloudflare connectivity cloud, a unified, composable platform of programmable cloud-native services that enable any-to-any connectivity between all networks (enterprise and Internet), cloud environments, applications, and users.

Since all Cloudflare services are designed to run across every network location, all traffic is connected, inspected, and filtered close to the source for the best performance and consistent user experience. There is no backhauling or service chaining to add latency.

Cloudflare One also delivers composable SASE on-ramps and services that enable organizations to adopt security and network modernization use cases in any order. For instance, many Cloudflare customers start with Zero Trust SSE services to reduce their attack surface, stop phishing or ransomware, prevent lateral movement, and secure data. By progressively adopting Cloudflare One, organizations can move away from their patchwork of appliances and other point solutions and consolidate security and networking capabilities on one unified control plane. Learn more about how Cloudflare delivers SASE.