Want to experience it for yourself? Explore our SASE offering to discover how it can help your business.
SASE (pronounced “sassy”) refers to the whole framework, not a specific technology. In its 2019 report "The Future of Network Security is in the Cloud," Gartner defined the SASE framework as a cloud-based cybersecurity solution that offers “comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises.”
SASE is distinct from security service edge (SSE), which Gartner defines as a subset of SASE that only focuses on the security services needed from a SASE cloud platform.
A SASE architecture combines a software-defined wide area network (SD-WAN) or other WAN with multiple security capabilities (e.g., cloud access security brokers, anti-malware), securing your network traffic as the sum of those functions.
Legacy approaches to inspection and verification, such as forwarding traffic through a multiprotocol label switching (MPLS) service to firewalls in your data center, are effective if that's where your users are. Today, though, with so many users in remote locations, home offices, and so on, this "hairpinning"—forwarding remote user traffic to your data center, inspecting it, and then sending it back again—tends to reduce productivity and hurt the end user experience.
What makes SASE stand out from point solutions and other secure networking strategies is that it's both secure and direct. Rather than relying on your data center security, traffic from your users' devices is inspected at a nearby point of presence (the enforcement point) and sent to its destination from there. This means more efficient access to applications and data, making it the far better option for protecting distributed workforces and data in the cloud.
While SASE has garnered a lot of attention from service providers and media focused on networking and security, what’s most compelling is the main principle behind the SASE framework—the notion that data center-focused security and network architectures have become ineffective. This notion isn’t just a marketing catchphrase; the industry has broadly accepted it.
So, what does a SASE solution offer that makes it so valuable compared to traditional enterprise network security that connects offices via private networks and routes traffic through secure web gateways and firewalls?
As Gartner points out, traditional models in which connectivity and security focus on the data center should focus on the identity of users and devices instead. According to the report, “In a modern cloud-centric digital business, users, devices and the applications they require secure access to are everywhere.”
In other words, today’s workflows, traffic patterns, and use cases are much different today than when hub-and-spoke networks were conceived. That’s because:
Gartner, The Future of Network Security Is in the Cloud, 30 August 2019, Lawrence Orans, Joe Skorupa, Neil MacDonald
SASE can be broken down into six essential elements in terms of its capabilities and technologies:
1. Software-Defined Wide Area Network (SD-WAN)
SD-WAN is an overlay architecture that reduces complexity and optimizes the user experience by selecting the best route for traffic to the internet, cloud apps, and the data center. It also enables rapid deployment of new apps and services and helps you manage policies across a large number of locations.
2. Secure Web Gateway (SWG)
SWGs prevent unsecured internet traffic from entering your internal network. It shields your employees and users from accessing and being infected by malicious web traffic, vulnerable websites, internet-borne viruses, malware, and other cyberthreats.
3. Cloud Access Security Broker (CASB)
CASBs prevent data leaks, malware infection, regulatory noncompliance, and lack of visibility by ensuring safe use of cloud apps and services. They secure cloud apps hosted in public clouds (IaaS), private clouds, or delivered as software-as-a-service (SaaS).
4. Firewall as a Service (FWaaS)
FWaaS helps you replace physical firewall appliances with cloud firewalls that deliver advanced Layer 7/next-generation firewall (NGFW) capabilities, including access controls, such as URL filtering, advanced threat prevention, intrusion prevention systems (IPS), and DNS security.
5. Zero Trust Network Access (ZTNA)
ZTNA products and services give remote users secure access to internal apps. With a zero trust model, trust is never assumed, and least privileged access granted based on granular policies. It gives remote users secure connectivity without placing them on your network or exposing your apps to the internet.
6. Centralized Management
Managing all of the above from a single console lets you eliminate many of the challenges of change control, patch management, coordinating outage windows, and policy management while delivering consistent policies across your organization, wherever users connect from.
How can an enterprise enforce access controls and security while facing these common realities? That’s where a SASE platform of WAN capabilities (SD-WAN) and comprehensive security services come in. Cloud-based SASE offers significant benefits to organizations that put aside traditional on-premises enterprise network infrastructure and security to take advantage of cloud services, mobility, and other aspects of digital transformation.
As they work to enable secure access to cloud services, protect remote users and devices, and close other gaps in their security, organizations have been forced to adopt a range of security solutions, adding significant costs and management overhead. Even so, the on-premises network security model is simply not effective in a digital world.
Instead of trying to use a legacy concept to solve a modern problem, SASE flips the security model. Rather than focusing on a secure perimeter, SASE focuses on entities, such as users. Based on the concept of edge computing—processing of information close to the people and systems that need it—SASE services push security and access close to users. Using an organization’s security policies, SASE dynamically allows or denies connections to applications and services.
When users were on the network, and IT owned and managed the apps and infrastructure, it was easy to control and predict the user experience. Today, even with distributed multi-cloud environments, many enterprises still use VPNs to connecting users to their networks for security. However, VPNs deliver a poor user experience, and they broaden an organization's attack surface by exposing IP addresses.
Instead of this degradation, SASE provides optimization: It calls for security to be enforced close to what needs securing—instead of sending the user to the security, it sends security to the user. SASE is cloud secure, intelligently managing connections at internet exchanges in real time as well as optimizing connections to cloud applications and services to ensure low latency.
As a cloud native solution, SASE is designed to address the unique challenges of risk in the new reality of distributed users and applications. By defining security, including threat protection and data loss prevention (DLP), as a core part of the connectivity model, it ensures all connections are inspected and secured, regardless of location, app, or encryption.
A key component of the SASE framework is zero trust network access (ZTNA), which provides mobile users, remote workers, and branch offices with secure application access while eliminating the attack surface and the risk of lateral movement on the network.
Digital business transformation demands greater agility and scalability coupled with reduced complexity and improved security. What’s more, modern enterprises need to ensure their users are getting the best experiences from anywhere.
These circumstances have moved SASE from the category of “nice to have” to “necessity.” Here are four reasons why:
All this has driven networking and security vendors to glue together their own versions of a SASE architecture. Many of these vendors claim to engineer a cloud-delivered product, but the truth is a great number of them are just a “cloud platform” built on legacy hardware.
Only one vendor can provide a truly cloud-delivered SASE model. Why? Because we built our platform in the cloud, for the cloud.
Gartner, The Future of Network Security Is in the Cloud
The Zscaler Zero Trust Exchange™ is our SASE solution, offering you a fast, flexible, simple, and secure model for connecting users and devices. Our platform is easy to deploy and manage as an automated, cloud-delivered service, and because it’s globally distributed, your users are always just a short hop from their applications.
Here's what makes our SASE unique:
Through peering with hundreds of partners in major internet exchanges around the world, the Zero Trust Exchange offers optimal performance and reliability for your users.