Secure Access Service Edge (SASE) architectures promise to prevent multiple types of cyber-attacks, but deciding whether SASE is right for your organization will require understanding whether SASE is a fit for your use cases in IT. This Advisory Note looks at the definition and promise of SASE, the typical capabilities of solutions, and the perceived benefits, and then provides a way of assessing whether SASE is a good fit for your organization.
1 Executive Summary
The term secure access service edge (SASE) has become popular in recent months and has been adopted by numerous vendors. SASE stands for a concept that integrates a range of cloud-native security services including cloud access security brokers (CASB), firewall as a service (FWaaS), secure web gateways (SWG), and zero-trust network access (ZTNA), with wide-area network (WAN) capabilities for delivering both directly to any edge computing location.
In this context, the "edge" can be anything from a single user or device to branch offices or fleets of internet of things (IoT) devices. This approach addresses the performance bottleneck issues of traditional networks that rely on traffic backhauling. Additionally, by integrating identity, business context and real-time risk assessment into every connection, SASE architectures promise to prevent multiple types of cyber-attacks.
While the idea of delivering SaaS-based security services with ZTNA and networking is not new, suppliers that deliver software-defined wide-area networks (SD-WANs), and other services listed above, are capitalizing on the popularity of SASE. However, for potential buyers there are several things to consider before embarking on an implementation.
First, SASE is not a well-defined architecture in a narrow sense. It is more a collection of technologies, in which vendors are increasingly filling the gaps to move towards an architecture and to enable the various components to work together effectively.
But just grouping various services together is not enough on its own. Consistent policy management and enforcement across everything, security analytics spanning all the elements, and an integrated administration capability are mandatory for making SASE a holistic concept.
Second, a major challenge that comes with this need for integration is the risk of supplier lock-in. If SASE is a one-stop shop, then the risk of being locked into the approach of a single supplier – sometimes with a few selected partners – is huge. SASE needs to evolve to become an open, flexible, standards-based architecture, where different services from different providers can be combined.
Third, even though SASE solutions often include ZTNA as one of their capabilities, it is debatable whether the reliance on SD-WAN as the underlying infrastructure stands in contrast to the basic principles of zero trust. The risk is to assume that SD-WAN is always secure and can be trusted, but trusting a single element in the multi-layered security stack is the exact opposite of what zero trust is about.
Fourth, it is necessary to consider the risk that might arise from having an overlay over the internet that might fail. While the internet was designed to withstand major disruptions, the recent incidents with edge providers such as Akamai or Cloudflare clearly show how the ongoing trend to reverse the internet's decentralized nature can lead to massive outages.
Fifth, buyers should first look at their use cases when considering SASE. Where does this approach add value, and where does it just add complexity? If office workers access SaaS services only, why add an extra layer of complexity?
On the other hand, for connecting factories, for use cases in commerce and logistics, and for areas that still run a lot of legacy IT, such as many banks, SASE might provide value. However, there are always alternatives for creating a secure, reliable infrastructure.
SASE, like most concepts in IT, is neither the one perfect solution for everything nor sheer marketing buzz. Buyers should look carefully beyond labels, analyze their own use cases and requirements, and understand how they can be addressed by the capabilities of a particular SASE offering because capabilities may vary substantially between suppliers. They also have to think about the future – today's requirements will inevitably change tomorrow, and a SASE platform must be flexible enough to adapt quickly.
Only once all these considerations have been taken into account will you be in a position to make an informed decision as to whether SASE is a good fit for your needs or not.