What is SASE? Everything you need to know.

Learn all about Secure Access Service Edge (SASE) and why you should consider implementing it in your organization.


Increasing cloud adoption and the rising risk of cyberattacks create new challenges for enterprise IT teams, who must ensure the online accessibility and absolute security of an increasingly distributed, remote workforce.

Discover what SASE is and why enterprises are turning to this new security framework to meet those needs.

SASE explained

Secure Access Service Edge (SASE) is a cloud-native network and security framework that provides users with secure cloud access to applications, data and services and protects an organization’s data and systems from unwanted access.

This architecture integrates “network as a service” with “network security as a service,” resulting in unified, secure connectivity that’s available anytime, anywhere.

Gartner’s SASE definition

According to Gartner, SASE is an emerging offering combining comprehensive networking and security functions—such as software-defined wide-area networking (SD-WAN), Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA)—to support the dynamic secure access needs of organizations. [1]

Why is SASE necessary?

As more organizations pursue digital transformation, they are incorporating the public Internet to support cloud-native applications and services as an alternative to investing in additional, costly on-premises infrastructures. That’s led to an increase in application traffic traveling beyond the corporate perimeter—and beyond the reach of traditional network security measures. SASE offers agile, robust security to secure traffic at any endpoint, anywhere.

3 drivers of SASE adoption

Enterprises are adopting SASE for a number of reasons, including:

1. The rise of remote work: 

The pandemic—and the rapid shift to remote work that followed—has led to remote workers logging on from home or any public WiFi hotspot using a mix of personal and company devices.

2. The decentralization of computing: 

To improve response times and optimize bandwidth, data storage and computing have moved closer to the edge of the network, where the data is generated and consumed.

3. The dramatic rise in cyberattacks: 

As reported in SDxCentral, 86% of organizations surveyed expect to be impacted by a cyberattack within a year.

In a hub-and-spoke network model, security solutions are fragmented among physical locations, cloud resources and mobile users, making it a challenge to monitor and remediate ever-increasing cybersecurity incidents. Additionally, security insurance for ransomware attacks has become prohibitively expensive.

How do you know when it’s time to switch to SASE?

How do you know when it’s time to leave your legacy solutions behind and begin the migration to SASE? Here are four signs to look out for:

Losing agility and flexibility

Your current network is no longer nimble enough to evolve with your organization’s future-proofing initiatives, such as supporting new cloud workloads, addressing a remote workforce and accommodating for rapid expansion.

Increasing security vulnerabilities

Your security solutions are fragmented among physical locations, cloud resources and mobile users, and it’s becoming a challenge to monitor and remediate cybersecurity incidents across all perimeters. You fear your organization will fall victim to the next cyberattack.

Degrading app performance

Your lagging business applications are starting to impact your employees’ productivity. To stay efficient, your workers require secure, reliable, low-latency connectivity to cloud and data center applications.

Lacking visibility and control

You can’t control what you can’t see. Limited visibility into applications and bandwidth makes it hard to control and manage application performance and security.

How does SASE work?

If you want to understand how SASE works, it helps to be familiar with the components that make up its fully integrated framework.

How is SASE delivered?

SASE is delivered by combining network as a service—specifically, SD-WAN—with network security as a service, which includes security technologies that work together to protect an organization’s data and systems from unwanted access.

How a SASE framework compares to traditional network security

A SASE architecture differs greatly from traditional network security in how it manages network traffic.

Traditional hub-and-spoke networks, such as multiprotocol label switching (MPLS), keep all network traffic within the network perimeter. Accordingly, network security models are designed to safeguard employee devices and systems located within that perimeter as well.

As enterprises move to software-as-a-service (SaaS) and cloud-based services, the network has had to evolve—including the way network security is deployed and administered.

The flexibility of the remote workplace offers many advantages for organizations, but it also poses significant security risks, as remote workers use both their personal and company devices to connect to the business over public Internet connections.

With a SASE framework, businesses can now provide robust security services and support enterprise mobility beyond the network perimeter. IT can centrally apply one security policy across all of its locations to protect the network, rather than having to update physical endpoints at each location.

SASE components and the differences between other technologies

As a unified framework, SASE incorporates several technologies working together.

SASE vs SD-WAN: Not one or the other, but together as one

SASE is built on a foundation of SD-WAN, which enables intelligent, centralized WAN management.

SASE leverages SD-WAN’s capabilities to provide optimized application performance, network routing, global connectivity, WAN and Internet security, cloud acceleration and remote access. SD-WAN also provides an ideal platform to secure unified communications applications like voice, video and chat.

Whereas SD-WAN connects branch offices to the data center, SASE also focuses on connecting endpoints and end-user devices. Together, they form a complete solution that spans an organization’s entire network and user base, wherever and whenever they access network applications and resources.

SASE versus SSE

While SASE describes an architecture framework that consolidates networking and security delivered as a unified service from the cloud, Security Service Edge (SSE) focuses on the security capabilities listed below and leaves out networking-as-a-service. For an in-depth look at SASE versus SSE, see Gartner’s descriptions.

SASE versus CASB

Cloud Access Security Broker (CASB) protects cloud-based data. CASB applies security policies as users access cloud-based resources to protect against cloud security risks, comply with data privacy regulations and enforce corporate security policies.

SASE versus ZTNA

Zero Trust Network Access (ZTNA) protects remote users and enforces security policies dynamically. It embraces a zero-trust policy, where application access dynamically adjusts based on user identity, location, device type and more.

SASE versus SWG

Secure Web Gateway (SWG) defends against malicious web traffic and malware. SASE offers SWG protection to all users at all locations, and eliminates the need to maintain policies across multiple point solutions.

SASE versus FWaaS

Firewall as a Service (FWaaS) secures WAN and LAN traffic. It eliminates the need for a physical appliance, making network security capabilities such as URL filtering, intrusion prevention system (IPS), next generation anti-malware (NG-AM) and managed detection and response (MDR) available everywhere.

SASE versus WAN edge security

WAN edge security is typically delivered with on-premises firewall solutions. While these solutions offer security for compute services at the network edge, they don’t cover branch and remote-user security. SASE, on the other hand, covers all three—cloud network, branch site and remote user—in a single, centrally managed ruleset. For an in-depth discussion of SASE and the changing nature of edge security, see Network Edge Security: SASE Changes the Game.

6 key benefits of SASE

SASE provides an easy and scalable way to provide applications with increased security and bandwidth allocation. Organizations that use SASE can see these benefits.

1. Enterprise-level security

Allows users to access apps and data over any connection type with peace of mind that security is in place.

2. Centralized operations

Put policy management in the cloud and distribute enforcement points close to the user, app or device through a “single pane of glass” portal.

3. Device consolidation

Reduce the amount of single-purpose customer premises equipment (CPE) at a branch to a single agent or SD-WAN device to reduce cost and complexity.

4. Zero Trust Network Access

Ensure encrypted connections and base network access on the identity of the user, device or application to enable a secure work-from-anywhere model.

5. Improved performance

Leverage multiple access connections to improve resiliency and performance for critical applications—including latency-sensitive apps.

6. Lower operational overhead

Let SASE providers fully manage, monitor and maintain security software and devices, so IT doesn’t need to constantly update, patch, upgrade and replace appliances.

What does a true SASE architecture look like?

The term “SASE” is used to describe a variety of methods of cloud security, but a true SASE solution integrates and automates all the essential components into a unified framework controlled by a single pane of glass. The key to understanding SASE architecture is that it must cover not only the network edge, but also branch sites and end users.

The following conceptual diagram illustrates how the various components work together to cover these three distinct perimeters. For a deeper understanding of this multi-perimeter approach, see Network Edge Security: SASE changes the game.

Tips for implementing a SASE solution

In comparison to traditional hub-and-spoke networks, SASE represents a fundamental change in network security (and networking). If you’re considering implementing a SASE solution in your organization, here are a few things to keep in mind:

Managed versus DIY

The decision to design, build, deploy and manage a SASE model within your organization involves taking on all capital expenditures (CAPEX) on hardware, as well as finding and hiring specialized security experts. Below is a comparison between doing it yourself and working with a managed service provider.

Design and implementation

Do it yourself:
  • IT staff resources and expertise
  • Access management overhead
  • Internal or third-party installation
  • Complexity of integrating network, security and voice vendors
  • Large upfront investment
Managed service:
  • Engineering design expertise
  • Implementation project management
  • Professional installation
  • Integrated network, voice and security options
  • Access aggregation and management options
  • Flexible purchase options

Management

Do it yourself:
  • Internal expertise required for changes, troubleshooting and repair
  • No automation or integration of systems for alarms and ticketing
  • Off-the-shelf management platform(s)
Managed service:
  • Co-managed or fully managed options
  • Solution visibility and control
  • Alarm and trouble ticket automation
  • Service installation and billing dashboards
  • Single interface for network, access, voice and security

Technology refresh

Do it yourself:
  • Internal teams need to test new patches and code, and perform the upgrades
  • Obsolescence challenges
  • Scalability hurdles
Managed service:
  • Software/hardware upgrades—testing and vetting new code and technologies
  • Future technology options
  • Easy to scale cloud-based SD-WAN and security
  • Security and SASE upgrades

Operational support

Do it yourself:
  • Skilled IT staff to manage and coordinate escalations
  • Access management complexity
  • Hardware warranty only
  • Continuous investment in internal teams to keep pace with advancements
Managed service:
  • Dedicated support team options
  • 24/7 care and repair monitoring
  • Security operations center (SOC) 24/7 monitoring and cyber threats resolution
  • Service level agreements (SLAs) for availability and performance

What to look for in a SASE provider

A SASE provider should be well versed in legacy networking technology as well as have experience deploying software-based security and networking. Depending on your network and security solutions and your provider’s ability to deploy SASE technologies, you may face these barriers to adoption:

Vendor focus

Your provider’s capabilities and offerings may be focused exclusively on networks or on security, but it’s possible they aren’t proficient in both areas.

Vendor approach

Well-integrated features, in-line proxy experience and context awareness are all key to successful SASE implementation. If a vendor lacks them, it can increase costs and decrease performance.

Vendor history

Your provider’s legacy experience may be with on-premises hardware in the “data-center-centric” approach, which can create resistance to a cloud-native mindset.

5 questions to ask a SASE vendor

  1. Do you provide complete visibility and control for all traffic and all edges (users, branches, data centers, cloud)?
    • Your SASE solution should allow full mesh connectivity among users, locations and cloud resources. Some solutions may apply access and security separately, leaving capability gaps that require the purchase, implementation and maintenance of additional products to meet your needs.
  2. Does your solution allow users to seamlessly transition from corporate offices to other locations and back?
    • The SASE approach provides always-on security and access to users at any time and any location. Because of this, effective solutions natively transition between office and other networks, without any interaction from the user. This means that the agent on the user’s endpoint should detect corporate networks and behave appropriately when connected to or disconnected from them. No third-party products or integrations should be required for this.
  3. What is the global presence of your service?
    • You should be able to create policies to optimize traffic across the backbone—not just between your locations, but to SaaS and public clouds as well.
  4. Is your service architected for resiliency and self-healing?
    • Check with your prospective SASE vendors to ensure they have a simple solution for providing a self-healing architecture at your locations.
  5. Can all aspects of your solution be accessed and managed from a single management application? What co-management rights will you have?
    • More consoles not only create more complexity and increase troubleshooting times, but may also indicate a service that isn’t fully converged or cloud-native. Will you be able to change application and security policies on your own or will you have to depend on your service provider to make all the changes?

6 criteria for selecting an SD-WAN service provider

As the network foundation for SASE, SD-WAN enables optimized application performance, network routing, global connectivity, WAN and Internet security, cloud acceleration and remote access. Here are the key questions to ask a potential SD-WAN provider:

  1. What types of access diversity do you have? Can they be set up in active-active mode?
  2. What level of reliability can you offer? What service level agreements (SLAs) come included?
  3. What are the varying degrees of hybrid WAN and SD-WAN management in place?
  4. Does your management portal provide complete visibility and control of all network activities, users and devices? Does it integrate easily with other network services? What types of reports can you generate?
  5. Do you provide multiple or bundled services, such as network, access, voice, LAN, security?
  6. What kind of support do you offer? Is there a person or team available to help assess needs, plan, set business policies, implement systems and optimize performance?
  7. What service guarantees do they offer?
  8. Will your vendor provide design and implementation support?

SASE from Windstream Enterprise: Integrated network and security. Managed your way.

Windstream Enterprise is the first and only North American managed service provider to converge cloud-native network and security into a fully integrated Secure Access Service Edge (SASE) solution. This comprehensive architecture enables businesses to adapt to constantly shifting users, applications and work environments, while keeping all application and security policies synchronized with these changing endpoints—all from a single pane of glass. What’s more, it’s backed by our Cyber Security Operations Center, Technical Service Management experts and first-in-the-industry service guarantees.

Citations

  1. Andrew Lerner. “Say Hello to SASE (Secure Access Service Edge).” Gartner. Dec. 13, 2019.
  2. Nancy Liu. “Palo Alto Networks: Ransomware Payments Hit Record Highs in 2021.” SDxCentral. April 1, 2022.
  3. Neil MacDonald, et al. “2021 Strategic Roadmap for SASE Convergence.” Gartner. March 25, 2021.