
What is SASE?

Secure Access Service Edge (SASE) is a cloud architecture model that combines network and security-as-a-service functions and delivers them as a single cloud service. Conceptually, SASE extends networking and security capabilities beyond where they are typically available. This lets work-from-anywhere and remote workers take advantage of firewall as a service (FWaaS), secure web gateway (SWG), zero-trust network access (ZTNA), and a medley of threat detection functions. SASE is composed of Security Service Edge (SSE) and SD-WAN.

The term SASE (pronounced “sassy”) was first described by Gartner in an August 2019 report called “The Future of Network Security in the Cloud.” In that SASE market trend report, Gartner notes that “Customer demands for simplicity, scalability, flexibility, low latency, and pervasive security force convergence of the WAN edge and network security markets.”

Why is SASE necessary?

Enterprise networks are increasingly reliant on cloud-based applications to run their businesses and on distributed workflows that serve remote and mobile users. This has caused the conventional enterprise network to grow rapidly beyond the conventional network edge, challenging infrastructure leaders to secure and manage an ever-expanding attack surface. While networks have advanced rapidly enough to support the workflows of these remote endpoints, most security tools have not kept pace, rendering VPN-only solutions obsolete. For organizations to remain competitive, all endpoints must be secured and managed with the same security and networking policies as their on-premises infrastructure, regardless of where they are located.

Securing Digital Transformation


Digital acceleration is paving the way to hybrid working models where people have the flexibility to work on or off-premises, virtually from anywhere. While this expands the talent pool available to an organization, it also increases the risk of a costly cyberattack, such as ransomware, gaining access to private networks and resources.

Recognizing the inherent threats in an expanded attack surface, Gartner introduced the concept of secure access service edge, or SASE, a network security architecture that would protect hybrid work at every network edge, location, application, mobile device, and cloud. Since then, many SASE solutions have come to market, but few deliver on Gartner’s vision of a holistic and converged network security architecture.

SASE converges networking and security into one solution that increases network performance and productivity, simplifies management and operations, and improves security posture with consistent policies at scale. In short, SASE follows remote users anywhere with secure access.

A fully converged SASE solution delivers network security for all edges with identity-driven secure access, a cloud-native architecture, and globally distributed network connectivity in the form of hundreds of geographically dispersed network points of presence.

Several cloud-delivered security services comprise SASE. These include Firewall-as-a-Service (FWaaS), secure web gateway (SWG), cloud access security broker (CASB), and zero-trust network access (ZTNA). SASE converges these security services with the advanced networking capabilities of a software-defined WAN (SD-WAN), resulting in one holistic security solution delivered as a service.


Benefits of SASE

When properly implemented, a SASE approach allows organizations to apply secure access no matter where their users, workloads, devices, or applications are located. This is a critically important advantage for ensuring remote workers' security. SaaS applications see rapid adoption, and data moves rapidly among data centers, branch offices, and hybrid- and multi-cloud environments. SASE enables safe browsing, secure access to corporate apps, and secure access to SaaS applications from anywhere.

SASE Offers:

  • Flexible, consistent security: Deliver a comprehensive range of security services, from threat prevention to NGFW policies, to any edge, with zero-trust network access so you know who and what is on your network and can protect assets both on and off the network
  • Reduced total cost of ownership: Conquer point product sprawl once and for all by using a single platform approach and reducing or eliminating capex and opex costs
  • Reduced complexity: Simplify your architecture by consolidating key networking and security functions from disparate point products into single solutions, all easily managed from a single-pane-of-glass management system
  • Optimized performance: Leveraging cloud availability, your team members easily and securely connect to the Internet, applications, and corporate resources wherever they are located.

What is Security Service Edge (SSE)?

SSE is a cloud-delivered security service that, from anywhere, enables safe browsing, authenticated access to private applications, and secure access to SaaS applications.

SSE includes:

  1. Firewall-as-a-Service (FWaaS) - the same features as our high-end FortiGate, provided through the cloud (IPS, anti-malware protection, web security, anti-spam, sandbox).
  2. Secure Web Gateway (SWG) - inspects end-user web activity and applies a consistent set of security policies to enforce safe browsing habits at the endpoint. Includes features such as data loss prevention, deep SSL inspection, URL filtering, and DNS filtering.
  3. Zero-Trust Network Access (ZTNA) - provides secure remote access to an organization’s applications, data, and services based on clearly defined access control policies. ZTNA differs from virtual private networks (VPNs) in that it grants access only to specific services or applications, whereas a VPN grants access to an entire network.
  4. Cloud Access Security Broker (CASB) - a unified platform where administrators can centrally configure policies for cloud service use. Includes in-line CASB for control over the type of application access (e.g., is the employee allowed to access Facebook?), and API-based CASB that connects to the app and checks the content sent (e.g., files uploaded in Office365 email).

Why SASE and Why Now?

SASE delivers true convergence, enabling enterprises to move faster with a zero-trust approach to security that empowers hybrid work, simplifies operations, and lowers costs. It protects organizations from the devastating impacts of cyberattacks with identity-based secure access controls and consistent security policies on premises as well as on public and private clouds.

SASE is critical for distributed enterprises to secure the way hybrid work gets done today in a cloud-native environment. 

Delivered as a service, SASE simplifies onboarding for users and IT. It lowers TCO by allowing organizations to shift to OPEX models and control costs with flexible usage-based licensing or subscription pricing, versus long-term CAPEX investments. With geographically dispersed cloud access to SASE network security services, remote users experience instant connectivity to networks and apps, resulting in higher productivity.

Fully integrated SASE solutions simplify IT operations with centralized management and unified security policies edge-to-edge. Short-staffed security teams can be more proactive with AI-powered threat intelligence. Automation supplements cybersecurity skills and network management tasks.

Hybrid Workforce Meets Hybrid Cloud

SASE protects the enterprise with a holistic approach to securely connect any user to any platform in any location.

SASE extends the same protections and performance to hybrid workers using converged cloud security and network services that they would experience working at their traditional, on-premises offices. When remote users have secure access to corporate networks and applications—no matter the location of users, devices, endpoints, or apps—productivity goes up and risk goes down.

A fully converged SASE solution also increases the operational efficiency of network operations and security teams with simplified management, unified security at every edge, and a zero-trust approach.  

Correcting Your Cloud Security Posture

SASE converges networking and security to enable consistent, enterprise-wide management and visibility of all users, devices, applications, and security policies.

Fully converged SASE solutions are helping organizations correct their cloud security postures by delivering consistent security that follows the user everywhere. The following capabilities are key to achieving a zero-trust security posture for hybrid work:

  • centralized management and full visibility
  • unified security policy everywhere
  • networking combined with WAN capabilities
  • context-based user identity for secure access 
  • cloud-delivered services for security and networking
  • geographically dispersed network points of presence 

Prioritizing End-User Experiences

SASE provides a unified management interface and metrics that enable IT to correlate user experiences with business outcomes.

SASE allows organizations to extend users’ secure access and security policies from the network edge to the cloud edge. By following the user, SASE delivers a consistent user experience for a hybrid workforce across endpoints, WAN, cloud, and data center.

SASE represents a huge gain in efficiency with a single solution versus the complexity of managing multiple VPNs and single-point security solutions. For example, a unified and centralized management interface gives IT the visibility and control of hybrid work needed to proactively manage security and operations while optimizing user experiences.

This includes analytics and pre-generated and on-demand reports with granular logging of events across user, endpoint, and applications. There is also digital experience monitoring (DEM) that provides visibility into endpoint application performance and digital experience to improve end-user experiences no matter where the user resides or their applications are hosted.    

How SASE Works

SASE enables hybrid and remote workers with secure access to corporate applications, data, and services so they can work from anywhere, no matter where the resources are located. SASE secures hybrid work by converging cloud-delivered security services with advanced networking capabilities to improve workers’ productivity with consistently secure access and connectivity edge to edge.

Giving IT comprehensive visibility and control of hybrid work within the converged SASE architecture is critical to enable centralized and unified management with automation-driven network configuration, visibility, and consistent security policy management.

The cloud-delivered security services of SASE include a CASB (cloud access security broker), FWaaS (firewall as a service), SWG (secure web gateway), and ZTNA (zero trust network access). The advanced networking component of SASE is SD-WAN (software-defined wide area network).

Cloud Access Security Broker Secures SaaS Access and Cloud-Based Resources  

In a SASE architecture, the CASB service sits between users and cloud-based SaaS applications. CASB enforces security policies as users access application services. It provides cloud-discovery analysis which enables administrators to assess the risk of cloud services and decide whether to grant users access to applications. 


The four pillars of CASB are:

  1. Visibility into cloud services that enables administrators to track application use such as device and location
  2. Built-in data security with data loss prevention (DLP) to mitigate risks as enterprises shift applications to cloud services
  3. Advanced threat protection to detect and remediate application malware across both managed and unmanaged devices
  4. Compliance with complex industry standards such as HIPAA, FINRA, and PCI-DSS

Cloud-delivered firewall as a service provides intrusion prevention  

A FWaaS enables high-performance inspection and advanced threat detection via the cloud, maintains secure connections, and analyzes inbound and outbound network traffic without impacting the user experience. A cloud-native FWaaS delivers the same performance at scale as processor-enhanced hardware appliances, without the high capital expenditure associated with infrastructure.

Users don’t have to connect to a physical firewall. Instead, their transmissions are protected by cloud-hosted software, ensuring consistent security no matter where they’re located. SASE connects distributed sites and remote users to a single global FWaaS with a unified application-aware security policy to scale security where it is needed. This allows enterprises to expand security coverage without having to purchase and provision new hardware, regardless of the size of the organization.

As a cloud-delivered service, FWaaS provides a full stack of security that spans cloud-based scenarios, enabling IT to move security inspection partially or fully to a cloud infrastructure. Capabilities include web filtering, intrusion prevention systems (IPS), domain name system (DNS) security, file filtering, and advanced threat protection.

Zero Trust Network Access authenticates users and devices to applications 

The ZTNA service is like a keycard that opens the door to your hotel room, versus a VPN keycard that opens the door to every room. Using the same analogy, ZTNA also knows when there has been a break-in and alerts management. In this manner, ZTNA gives organizations identity-based control of access to private services, applications, and data based on clearly defined secure access-control policies.

This requires strong authentication capabilities, powerful network access control tools, and pervasive application access policies. ZTNA uses multi-factor authentication to identify all users and devices when they attempt to access corporate resources and while they are online. By combining network and cloud-based ZTNA services, organizations can ensure secure access to applications by enforcing policy, whether devices and users are on or off-premises.  

Controlling data confidentiality, integrity, and availability is challenging in a distributed environment. Unlike ZTNA, VPN solutions cannot guarantee secure access for hybrid work from anywhere to any edge with instant network access and unified security. Designed for the way work got done 20 years ago, VPN tunnels allow unrestricted access to the entire enterprise network, unlike ZTNA, where access is identity based and contextual.
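As an added example (not Fortinet's or any vendor's code), the following Python models the per-application decision described above, combining identity, MFA and device posture, beside the network-wide grant of a legacy VPN tunnel. Users, groups, application names and device attributes are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# All users, groups, applications and posture attributes below are constructed
# for illustration; this is not Fortinet code or the FortiSASE policy model.


@dataclass(frozen=True)
class Context:
    """What the ZTNA broker knows about one access attempt."""
    user: str
    groups: frozenset
    mfa_passed: bool
    device_managed: bool
    device_compliant: bool   # e.g. disk encrypted, EDR running, OS patched
    location: str            # "office" or "remote": context, never a grant by itself


@dataclass(frozen=True)
class AppPolicy:
    """Per-application rule: who may reach it and under which conditions."""
    allowed_groups: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True


# Constructed per-application policies (hypothetical application names).
POLICIES: dict[str, AppPolicy] = {
    "hr-portal": AppPolicy(frozenset({"hr"})),
    "wiki": AppPolicy(frozenset({"staff", "hr", "eng"}), require_compliant_device=False),
    "prod-db": AppPolicy(frozenset({"dba"})),
}


def ztna_decision(ctx: Context, app: str) -> tuple[bool, str]:
    """Decide one application for one identity/device context (default deny)."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "no policy for application (default deny)"
    if not (ctx.groups & policy.allowed_groups):
        return False, "identity not entitled to application"
    if policy.require_mfa and not ctx.mfa_passed:
        return False, "MFA required"
    if policy.require_compliant_device and not (ctx.device_managed and ctx.device_compliant):
        return False, "device posture check failed"
    return True, "allowed"


def ztna_reachable(ctx: Context) -> set[str]:
    """Applications this context can reach: only those it is entitled to."""
    return {app for app in POLICIES if ztna_decision(ctx, app)[0]}


def vpn_reachable(ctx: Context) -> set[str]:
    """Legacy VPN model from the text: authenticate once, reach the whole network."""
    tunnel_up = ctx.mfa_passed
    return set(POLICIES) if tunnel_up else set()


def sessions_to_revoke(open_sessions: set[str], updated_ctx: Context) -> set[str]:
    """Continuous evaluation: re-check open sessions when posture changes mid-session."""
    return {app for app in open_sessions if not ztna_decision(updated_ctx, app)[0]}
```

Note that even with MFA on the tunnel, the VPN model still exposes every application, while a posture change mid-session only revokes the ZTNA sessions whose policy no longer holds.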


SASE and SD-WAN

Security-Driven Networking, Optimized Connectivity

While SSE delivers the critical security services of SASE, SD-WAN delivers the networking component. SD-WAN solutions increase an organization's efficiency by tracking application performance and using automation to select the best connectivity available. A fully functional SD-WAN solution provides integrated networking and security capabilities that extend connectivity beyond an organization’s internal network for secure network access by its remote users.  

WAN optimization has become crucial as data has increased in volume and complexity. As enterprises migrate to Software-as-a-Service (SaaS), they expect their data to travel securely through the cloud. SD-WANs have the ability to optimize connectivity to cloud services such as Amazon Web Services or Microsoft Azure.

As the connectivity component of SASE, an SD-WAN needs to include such things as dynamic path selection, self-healing wide-area networking (WAN) capabilities, and consistent application and user experience for business applications. User experience is key, especially as users may be accessing their organization's network in different environments via different applications. Software-defined wide-area networks (SD-WANs) remove the manual labor required to optimize a WAN by relying on software to manage network connections, whether they are based on multiprotocol label switching (MPLS), 3G/4G, or broadband.

Intensive, high-bandwidth applications, such as those involving voice or video, are a challenge for traditional WANs, but SD-WANs are adept at supporting them and at offloading such applications to the local internet where possible. Because software does the job of choosing the best connection, teleconferencing may use a dedicated circuit and email the public internet. This is why SD-WAN is ideal for hybrid work and a key component of SASE.
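As an added example (not any vendor's SD-WAN implementation), the following Python shows the SLA-based dynamic path selection and self-healing behaviour described above: each application class has latency, jitter and loss limits, the cheapest compliant link wins, and when no link complies the least-violating one is used so traffic keeps flowing. Link names, probe values and SLA thresholds are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Path measurements and SLA thresholds below are constructed for illustration;
# this is not any vendor's SD-WAN implementation.


@dataclass(frozen=True)
class PathHealth:
    """Latest probe results for one WAN link."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_rank: int   # lower is cheaper; breaks ties among SLA-compliant paths


@dataclass(frozen=True)
class Sla:
    """Maximum acceptable values for an application class."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


# Constructed SLAs per application class.
SLAS: dict[str, Sla] = {
    "voice": Sla(150, 10, 0.5),
    "video": Sla(200, 30, 1.0),
    "saas": Sla(300, 100, 3.0),
    "email": Sla(1000, 500, 10.0),
}


def meets_sla(path: PathHealth, sla: Sla) -> bool:
    return (path.latency_ms <= sla.max_latency_ms
            and path.jitter_ms <= sla.max_jitter_ms
            and path.loss_pct <= sla.max_loss_pct)


def violation_score(path: PathHealth, sla: Sla) -> float:
    """Sum of relative overages across the three metrics; 0.0 means compliant."""
    pairs = ((path.latency_ms, sla.max_latency_ms),
             (path.jitter_ms, sla.max_jitter_ms),
             (path.loss_pct, sla.max_loss_pct))
    return sum(max(0.0, measured / limit - 1.0) for measured, limit in pairs)


def select_path(app: str, paths: list[PathHealth]) -> str:
    """Cheapest SLA-compliant path; if none complies, the least-violating one,
    so the session degrades instead of being blackholed (self-healing)."""
    sla = SLAS[app]
    compliant = [p for p in paths if meets_sla(p, sla)]
    if compliant:
        return min(compliant, key=lambda p: p.cost_rank).name
    return min(paths, key=lambda p: violation_score(p, sla)).name


def steer_all(paths: list[PathHealth]) -> dict[str, str]:
    """One selection pass over every application class."""
    return {app: select_path(app, paths) for app in SLAS}


# Constructed sample: a healthy state, then the MPLS circuit starts dropping packets.
HEALTHY = [
    PathHealth("mpls", 20, 2, 0.0, cost_rank=3),
    PathHealth("broadband", 40, 15, 0.2, cost_rank=1),
    PathHealth("lte", 90, 40, 1.5, cost_rank=2),
]
MPLS_DEGRADED = [PathHealth("mpls", 20, 2, 5.0, cost_rank=3)] + HEALTHY[1:]
```

In the healthy state only the dedicated MPLS circuit meets the voice SLA while email rides the cheaper broadband link; once MPLS starts losing 5% of packets, voice is moved to the least-violating link rather than dropped.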

SASE and Zero Trust  

The ZTNA security service of SASE is an extension of a Zero Trust Architecture (ZTA) which, according to the National Institute of Standards and Technology, not only includes applying zero trust principles to control access to applications but access to the physical network as well.

For example, while ZTNA authenticates users and devices to control secure access to cloud applications, a Zero Trust Architecture also includes the physical side with secure network access control, access policy enforcement, and integration with dynamic network segmentation to limit access to networked resources.

ZTNA controls application access based on user and device identity and predefined policies. This enables secure and granular access per user that improves security and scalability for a better user experience. Applying a zero-trust architecture to SASE includes both physical network security and cloud application secure access controls, or Universal ZTNA.


SASE and the Unified Client Agent

A component of ZTNA, a cloud-delivered unified client agent is critical for SASE because it enables hybrid workers to securely connect to the network using zero-trust principles. The unified client agent supports centralized management and security such as AI-based antivirus, endpoint quarantine, and application firewall, as well as support for a cloud sandbox, USB device control, and ransomware protection.

At a minimum, a SASE unified client agent should provide endpoint visibility and compliance control, advanced endpoint protection, secure remote access via ZTNA, sandbox integration, endpoint hardening, and role-based access control.

Comparing SASE to legacy VPN solutions           

Virtual private networks (VPNs) were designed more than 20 years ago to secure a connection between two entities, the remote user and the client. A lot has changed since then. Today, hybrid work requires SASE to provide secure connections to the services, data, and applications that users need (on premises or in clouds) using their own devices anywhere. Hybrid workers on VPNs are subject to congestion and a poor user experience, which slows productivity down.

There are many reasons to migrate from legacy VPN to SASE including the following:

  • VPNs open an all-access pass to the network versus SASE zero trust network access.
  • Centrally deployed VPNs add latency that degrades remote users’ experiences versus SASE’s geographically dispersed network points of presence.
  • VPNs don’t support BYOD—increasing complexity and costs by requiring the use of corporate devices whereas SASE supports secure access by authenticating users’ devices.
  • VPN policy management is overly complex and constricted by hardware whereas SASE centralizes and simplifies management and unifies security for consistency everywhere.

What to look for in a SASE solution        

For SASE to work well, all of its components (connectivity, networking, and security) need to interoperate as a single integrated system. This convergence of advanced networking and cloud-enabled security services enables a zero-trust approach that boosts performance and productivity without compromising protection.

SASE is a quickly emerging market with only a few vendors offering true convergence. Many more offer partial SASE solutions or a set of partner products that don’t interconnect. Given that the goal of SASE is to help organizations improve their security postures, granular visibility and control are critical to proactively manage users’ secure access from anywhere to everywhere.


A Checklist for SASE evaluation         

A fully featured, single-vendor SASE solution simplifies operations with cloud-based management, simplified onboarding, and AI-powered threat intelligence. It boosts productivity with secure access and instant connectivity to work and collaboration. When it comes to evaluating and selecting the best SASE solution for your hybrid workforce, consider these core requirements:

  1. One solution with full convergence of security services and networking
  2. Unified agent to deliver consistent security policy everywhere
  3. Secure internet access to web and internet
  4. Flexible, secure private access to public clouds
  5. Secure SaaS access to cloud-based apps and services
  6. Cost-effective, flexible consumption and simplified onboarding
  7. Simple and centralized cloud-based services management
  8. Enterprise-class security with AI-powered threat intelligence
  9. Geographically dispersed network locations for scalability and speed
  10. Vendors with strong corporate financial viability and global channels   

What is Single-Vendor SASE?

To ensure consistent connectivity and security for users everywhere, networking and security solutions must converge at the edges and in the cloud. This can be difficult to achieve when trying to integrate solutions from different vendors. In contrast, a platform-centric, single-vendor SASE solution drives operational efficiency by simplifying management and fully integrating and converging networking and security functions.

True convergence means cloud-delivered security services must work seamlessly with advanced networking capabilities for a comprehensive and easy-to-manage SASE deployment. This is best achieved through a single-vendor approach because single-vendor SASE:

  • Decreases risk with integrated security across all your users, applications, and devices
  • Simplifies management by providing a single console for all your security and networking features
  • Enhances productivity by optimizing the flow of traffic between your users, applications, and the cloud
  • Reduces costs by eliminating your need to manage multiple vendors and point products

Expanding SASE to secure all users, access, edges, and devices

Fortinet brings new innovations in its SASE offering. Fortinet SASE is becoming the industry’s most comprehensive SASE offering - securing users, access, edges, and devices anywhere while delivering the highest ROI, consistent security posture and improved user experience. Powered by Fortinet’s unique security and networking convergence approach, it offers organizations a simple secure networking journey towards SASE.

Fortinet SASE’s new innovations enhance the cutting-edge AI-powered solution specifically designed for the hybrid workforce, with the power of cloud delivery, unified management and logging, and comprehensive features such as Universal ZTNA, SD-WAN integration, OT/IoT security, LAN/WLAN/5G security, Digital Experience Monitoring, and a flexible licensing model. The new Fortinet SASE solution ensures the utmost security for all edges, devices, and users, whether they are accessing the web, corporate applications, or SaaS applications.

Introducing FortiSASE - Single-Vendor SASE

FortiSASE is a single-vendor SASE solution that converges networking and security services to secure hybrid workers’ access to the web, cloud, and applications, while simplifying operations. It combines software-defined wide area network (SD-WAN) capabilities with cloud-delivered security services to extend the convergence of networking and security from the network edge to remote users anywhere. 

Delivered as a service, with hundreds of global points of presence for connectivity anywhere, FortiSASE simplifies operations, increases security, and lowers TCO with a unified security policy for consistent protection, centralized management, and flexible usage-based pricing.

FortiSASE deploys AI-powered Security Services to applications, content, devices, network, and web and provides a unified interface to NOC and SOC teams. Instant visibility and analytics cover network points of presence, endpoint-to-app performance, and potential threats, to enhance the user experience and accelerate troubleshooting and response to cyberattacks.


All FortiSASE network and security services components run on one operating system (OS) with one unified client agent, and are centrally managed from a single console. These include Fortinet Secure SD-WAN, FortiProxy secure web gateway, Fortinet Universal Zero Trust Network Access (ZTNA), FortiGuard Cloud Access Security Broker (CASB), Firewall-as-a-Service (FWaaS), and FortiMonitor, a platform for digital experience monitoring (DEM).
