What is SASE (Secure Access Service Edge)?

What is SASE?

Secure access service edge (SASE, pronounced like "sassy") is a framework identified by Gartner as a means to securely connect entities such as users, systems, and endpoint devices to applications and services that may be located anywhere. Crucially, SASE is not one technology. In its 2019 report "The Future of Network Security is in the Cloud," Gartner defined the SASE framework as a cloud-based cybersecurity solution that offers “comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises.”

SASE is distinct from security service edge (SSE), which Gartner defines as a subset of SASE that only focuses on the security services needed from a SASE cloud platform.


How SASE works

A SASE architecture combines a software-defined wide area network (SD-WAN) or other WAN with multiple security capabilities (e.g., cloud access security brokers, anti-malware), securing your network traffic as the sum of those functions.

Legacy approaches to inspection and verification, such as forwarding traffic through a multiprotocol label switching (MPLS) service to firewalls in your data center, are effective if that's where your users are. Today, though, with so many users in remote locations, home offices, and so on, this "hairpinning"—forwarding remote user traffic to your data center, inspecting it, and then sending it back again—tends to reduce productivity and hurt the end user experience.

What makes SASE stand out from point solutions and other secure networking strategies is that it's both secure and direct. Rather than relying on your data center security, traffic from your users' devices is inspected at a nearby point of presence (the enforcement point) and sent to its destination from there. This means more efficient access to applications and data, making it the far better option for protecting distributed workforces and data in the cloud.

Is SASE just a buzzword?

While SASE has garnered a lot of attention from vendors and media focused on networking and security, we believe the main principle behind the SASE framework—the notion that security and network architectures focused on the data center have become ineffective—is what makes it most compelling. This notion isn’t just a trend or marketing catchphrase; the industry has broadly accepted it. So, what does a SASE solution offer that makes it so valuable compared to traditional enterprise network security that connects offices via private networks and routes traffic through secure web gateways and firewalls?

As Gartner points out, traditional models in which connectivity and security center on the data center should instead center on the identity of users and devices. According to the report, “In a modern cloud-centric digital business, users, devices and the applications they require secure access to are everywhere.” In other words, today’s workflows, traffic patterns, and use cases are very different from those for which hub-and-spoke networks were conceived. Here’s why:

  • More user traffic is heading to cloud services than data centers
  • More work is performed off the network than on it
  • More workloads are running in cloud services than data centers
  • More SaaS applications are in use than those hosted locally
  • More sensitive data is housed in cloud services than inside the enterprise network

“Instead of the security perimeter being entombed in a box at the data center edge, the perimeter is now everywhere an enterprise needs it to be — a dynamically created, policy-based secure access service edge.”
Gartner, The Future of Network Security Is in the Cloud; 30 August 2019; Lawrence Orans, Joe Skorupa, Neil MacDonald


Components of the SASE model

You can break down SASE into six essential elements in terms of its capabilities and technologies.


1. Software-defined wide area network (SD-WAN)

SD-WAN is an overlay architecture that reduces complexity and optimizes the user experience by selecting the best route for traffic to the internet, cloud apps, and the data center. It also enables rapid deployment of new apps and services, and helps you manage policies across a large number of locations.


2. Secure web gateway (SWG)

An SWG prevents unsecured internet traffic from entering your internal network. It prevents your employees and users from accessing, and being infected by, malicious web traffic, websites with vulnerabilities, internet-borne viruses, malware, and other cyberthreats.


3. Cloud access security broker (CASB)

CASBs ensure safe use of cloud apps and services to prevent data leaks, malware infection, regulatory noncompliance, and lack of visibility. CASBs secure cloud apps whether they are hosted in public clouds (IaaS), private clouds, or delivered as software-as-a-service (SaaS).


4. Firewall as a service (FWaaS)

FWaaS helps you replace physical firewall appliances with cloud firewalls that deliver advanced Layer 7/next-generation firewall (NGFW) capabilities, including access controls, such as URL filtering, advanced threat prevention, intrusion prevention systems (IPS) and DNS security.


5. Zero trust network access (ZTNA)

ZTNA products and services give remote users secure access to your internal apps. In the zero trust model, trust is never assumed, with least-privileged access granted based on granular policies. ZTNA gives remote users secure connectivity without placing them on your network or exposing your apps to the internet.


6. Centralized management

Managing all of the above from a single console lets you eliminate many of the challenges of change control, patch management, coordinating outage windows, and policy management, while delivering consistent policies across your organization wherever users connect.


3 Benefits of SASE

How can an enterprise enforce access controls and security while facing these common realities? That’s where a SASE platform of WAN capabilities (SD-WAN) and comprehensive security services comes in. Cloud-based SASE offers significant benefits to organizations that put aside traditional on-premises enterprise network infrastructure and security to take advantage of cloud services, mobility, and other aspects of digital transformation.


1. SASE reduces IT cost and complexity

As they work to enable secure access to cloud services, protect remote users and devices, and close other gaps in their security, organizations have been forced to adopt a range of security solutions, adding significant costs and management overhead. Even so, the on-premises network security model is simply not effective in a digital world. Instead of trying to use a legacy concept to solve a modern problem, SASE flips the security model. Rather than focusing on a secure perimeter, SASE focuses on entities, such as users. Based on the concept of edge computing—processing of information close to the people and systems that need it—SASE services push security and access close to users. Using an organization’s security policies, SASE dynamically allows or denies connections to applications and services.


2. The SASE model provides a fast, seamless user experience

When users were on the network, and IT owned and managed the apps and infrastructure, it was easy to control and predict the user experience. Today, even with distributed multi-cloud environments, many enterprises still use VPNs to connect users to their networks for security. However, VPNs deliver a poor user experience, and they broaden an organization's attack surface by exposing IP addresses. Instead of this degradation, SASE provides optimization: it calls for security to be enforced close to what needs securing—instead of sending the user to the security, it sends security to the user. Delivered from the cloud, SASE intelligently manages connections at the internet exchanges in real time and optimizes connections to cloud applications and services to ensure low latency.


3. SASE reduces risk

As a cloud native solution, SASE is designed to address the unique challenges of risk in the new reality of distributed users and applications. By defining security, including threat protection and data loss prevention (DLP), as a core part of the connectivity model and not a separate function, it ensures that all connections are inspected and secured, no matter where users are connecting, what apps they are accessing, or what kind of encryption is in use. A key component of the SASE framework is zero trust network access (ZTNA), which provides mobile users, remote workers, and branch offices with secure application access while eliminating the attack surface and the risk of lateral movement on the network.

Why SASE is key to digital transformation

Digital business transformation has ushered in demand for greater agility and scalability with reduced complexity. Companies are finding that they need to provide consistent, secure, global access to corporate data, applications, and services, regardless of users' locations or devices. The Zscaler SASE solution offers enterprises an entirely new model for connecting users and devices that is fast, flexible, simple, and secure. With the help of a cloud native SASE service provider, organizations that adopt SASE will find themselves with the speed and agility needed to transform to the digital future.

“By 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.”
Gartner, The Future of Network Security Is in the Cloud; 30 August 2019; Lawrence Orans, Joe Skorupa, Neil MacDonald

Zscaler and SASE

We offer a complete SASE solution built for performance and scalability: the Zscaler Zero Trust Exchange™. Easy to deploy and manage as an automated, cloud-delivered service, our globally distributed platform ensures users are always just a short hop from their applications. No user or application is inherently trusted—instead, our policy engine establishes trust before any connection is made, determining appropriate levels of access and restrictions based on user, device, application, location, and content to keep your users and data safe.
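The ZTNA section above and the policy-engine description in this section both describe the same decision: nothing is trusted by default, and a connection is brokered only after policy has evaluated the user, the device, the application and the location. The following is an added illustrative example of such a default-deny policy engine; it is not Zscaler's code and not the Zero Trust Exchange's policy model. The request attributes (group membership, managed/patched device posture, country) and the sample policies and users are constructed for this example.

```python
"""Illustrative zero trust access policy engine (added example, not vendor code).

Models the decision described on the page: no user or application is trusted
by default; a policy engine evaluates user, device posture, application and
location before any connection is brokered, and denies unless an explicit
policy matches. All attributes, policies and users below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset           # identity-provider group memberships (assumed attribute)
    device_managed: bool        # device posture: enrolled in device management?
    device_patched: bool        # device posture: OS patch compliant?
    app: str                    # internal application the user wants to reach
    country: str                # location the request originates from


@dataclass(frozen=True)
class Policy:
    name: str
    app: str
    allowed_groups: frozenset
    require_managed_device: bool = True
    require_patched: bool = True
    allowed_countries: frozenset = frozenset()   # empty means any location


@dataclass
class Decision:
    allow: bool
    policy: Optional[str]   # name of the policy that granted access, if any
    reason: str


def unmet_conditions(policy: Policy, req: AccessRequest) -> List[str]:
    """Return the list of policy conditions the request fails (empty = all met)."""
    unmet = []
    if not (req.groups & policy.allowed_groups):
        unmet.append("user not in an allowed group")
    if policy.require_managed_device and not req.device_managed:
        unmet.append("device not managed")
    if policy.require_patched and not req.device_patched:
        unmet.append("device not patch compliant")
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        unmet.append(f"location {req.country} not allowed")
    return unmet


def evaluate(req: AccessRequest, policies: List[Policy]) -> Decision:
    """Default deny: only a policy for this app whose conditions all hold grants access.

    Denials carry the unmet conditions of every candidate policy so an operator
    can see why access was refused without loosening the default.
    """
    failures = []
    for policy in policies:
        if policy.app != req.app:
            continue
        unmet = unmet_conditions(policy, req)
        if not unmet:
            return Decision(True, policy.name, "all conditions satisfied")
        failures.append(f"{policy.name}: {', '.join(unmet)}")
    return Decision(False, None, "; ".join(failures) or "no policy covers this app")


# Constructed sample policies: finance ERP is tightly scoped, the wiki is open to staff.
POLICIES = [
    Policy("finance-erp", app="erp.internal", allowed_groups=frozenset({"finance"}),
           allowed_countries=frozenset({"US", "DE"})),
    Policy("wiki-all-staff", app="wiki.internal", allowed_groups=frozenset({"staff"}),
           require_patched=False),
]

# Constructed sample requests.
REQUESTS = {
    "alice-erp": AccessRequest("alice", frozenset({"staff", "finance"}), True, True, "erp.internal", "US"),
    "bob-wiki": AccessRequest("bob", frozenset({"staff"}), True, False, "wiki.internal", "BR"),
    "bob-erp": AccessRequest("bob", frozenset({"staff"}), True, False, "erp.internal", "BR"),
    "carol-hr": AccessRequest("carol", frozenset({"staff"}), True, True, "hr.internal", "US"),
}


def run_samples() -> Dict[str, Decision]:
    """Evaluate every sample request against the sample policies."""
    return {label: evaluate(req, POLICIES) for label, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, decision in run_samples().items():
        verdict = "ALLOW" if decision.allow else "DENY"
        print(f"{label:10} {verdict:5} via={decision.policy} ({decision.reason})")
```

The design point worth noting is that the absence of a matching policy is itself a deny: an application nobody has written a policy for (carol-hr above) is unreachable, which is the "trust is never assumed" property the page attributes to ZTNA. Recording which conditions failed keeps the decision auditable without changing it.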

[Diagram: how a cloud-based SASE platform benefits organizations]

What makes our SASE unique

  • A native, multitenant cloud architecture that scales dynamically with demand
  • Proxy-based architecture for full inspection of encrypted traffic at scale
  • Security and policy brought close to users to eliminate unnecessary backhauling
  • Zero trust network access (ZTNA) that restricts access to provide native application segmentation
  • Zero attack surface, preventing targeted attacks because your source networks and identities aren't exposed to the internet

Through peering with hundreds of partners in major internet exchanges around the world, the Zero Trust Exchange offers optimal performance and reliability for your users.