What is Secure Access Service Edge (SASE) ?
Summary
TLDR: This video introduces Secure Access Service Edge (SASE), a term coined by Gartner that combines multiple network and security technologies into one comprehensive solution. SASE addresses the challenges of remote work and complex network infrastructures by integrating security as a service and network as a service. Key components include SD-WAN, Secure Web Gateway, Firewall as a Service, and Zero Trust Network Access, which ensure consistent security policies and optimized performance. The video discusses how SASE reduces latency, enhances security, and centralizes policy management, making it a critical approach for modern, distributed networks.
Takeaways
- 🔒 **Secure Access Service Edge (SASE)** is a term coined by Gartner that integrates network and security services.
- 🌐 **Goal of SASE** is to provide secure network services from anywhere a user connects.
- 🏠 **Work from Home Increase**: The demand for secure cloud access without traditional VPN bottlenecks has grown.
- 🛠️ **SASE Core Levels** include SD-WAN, Secure Web Gateway, Firewall as a Service, and Zero Trust Network Access.
- 🔄 **Recommended Levels** in SASE involve sandboxing, browser isolation, network access control, and next-gen antivirus.
- 📡 **Optional Levels** may include Wireless LAN and VPN services for certain customer needs.
- 👥 **Zero Trust Network Access** is foundational to SASE, ensuring secure access regardless of user location.
- 🌐 **Endpoint Client** acts as a vehicle for data, providing connectivity and zero trust access.
- 🔄 **SD-WAN Integration** in SASE allows for intelligent routing and security offloading.
- 🔒 **CASB (Cloud Access Security Broker)** is crucial for managing and securing access to cloud applications in SASE.
- 🔄 **Service Chaining** is a key concept where SD-WAN directs traffic to secure web gateways for inspection.
Q & A
What is Secure Access Service Edge (SASE)?
-SASE is a term coined by Gartner that combines multiple network and security technologies into a single offering, aiming to provide secure network services regardless of where the user connects from.
Why is SASE important for modern organizations?
-SASE is crucial because it addresses the challenges posed by distributed workloads and users, providing a unified security policy and reducing inefficiencies and costs caused by using multiple separate technologies. It is especially important with the rise of remote work and increased demand for secure, direct access to cloud services.
What are the three levels of SASE as outlined by Gartner?
-Gartner outlines three levels of SASE: Core, Recommended, and Optional. The Core level includes SD-WAN, Secure Web Gateway, Firewall as a Service, CASB, and Zero Trust Network Access. The Recommended level includes Sandboxing, Browser Isolation, WAF, Network Access Control, and Next-Gen Antivirus/EDR. The Optional level includes Wireless LAN and VPN for those who still need them.
How does SASE solve the latency and bottleneck issues caused by traditional VPNs?
-SASE addresses VPN-related latency and bottlenecks by distributing security inspection to regional points of presence (PoPs) instead of routing all traffic through a central location. This allows for secure, efficient access to cloud applications without the delays caused by traditional VPNs.
What is Zero Trust Network Access (ZTNA), and why is it critical to SASE?
-ZTNA is a security model where trust is never assumed based on network location. It verifies both the user’s identity and the device before granting access to specific resources. In SASE, ZTNA ensures secure access regardless of the user's location by enforcing strict access control policies.
How does SD-WAN play a role in the SASE framework?
-SD-WAN plays a critical role in SASE by enabling efficient traffic routing and service chaining security inspections. It allows organizations to optimize traffic routes while still ensuring security through features like packet duplication, forward error correction, and quality of service (QoS) prioritization.
What role does the Secure Web Gateway (SWG) play in SASE?
-In the SASE framework, SWG provides cloud-based security services, such as firewalling, web filtering, antivirus, and intrusion prevention, often acting as an SDP gateway for secure communication between users and resources. SWG ensures secure access without the need for centralized inspection points.
What advantages does SASE offer over traditional hub-and-spoke network architectures?
-SASE offers advantages over traditional hub-and-spoke networks by distributing security inspection across regional PoPs, reducing the need for large, centralized security devices, and enabling more efficient routing, reducing costs and latency for remote and cloud-based users.
What is Cloud Access Security Broker (CASB), and why is it integral to SASE?
-CASB is a security policy enforcement point that sits between cloud service consumers and providers, ensuring that cloud-based applications are accessed securely. In the SASE framework, CASB provides visibility, control, and protection for cloud services, centralizing security policies and ensuring secure access to SaaS applications.
How does SASE ensure consistent security policies across on-premise and remote environments?
-SASE provides consistent security policies by integrating Zero Trust Network Access, SD-WAN, and CASB into a unified management plane. Whether users are on-network or off-network, the same security policies are applied without gaps, ensuring seamless protection regardless of the user’s location.
Outlines
🔐 Understanding SASE (Secure Access Service Edge)
SASE, or Secure Access Service Edge, is a term coined by Gartner that merges various network and security technologies into a single solution. Its goal is to provide secure network services regardless of where the user connects. As organizations and workloads become more distributed, traditional security systems become costly and inefficient, especially with the rise of remote work. SASE addresses this by integrating security as a service with network services to offer direct cloud access without the latency issues of traditional VPNs. Gartner outlines three levels of SASE: core, recommended, and optional, encompassing technologies like SD-WAN, secure web gateways, firewall as a service, and more.
🏠 Challenges of Remote Work and Traditional Security Approaches
With the increasing shift to remote work, traditional security setups are facing challenges. Employees use SaaS applications and require access to internal resources, often through a VPN. This centralized approach causes higher latency and increased costs. Vendors like Zscaler tackle these issues by decentralizing security inspections to regional points of presence (PoPs) and integrating security directly into cloud environments. SASE aims to solve these challenges by providing secure, direct access, enabling seamless connectivity without routing everything through a central location.
🔒 Zero Trust Network Access (ZTNA) and the Role of SDP
A key component of SASE is Zero Trust Network Access (ZTNA), which allows user verification regardless of location. In a true zero-trust network, a user only accesses specific resources they are authorized for, preventing over-permissioned access. Software Defined Perimeter (SDP) is becoming the preferred technology for this model. SDP sets up secure TLS tunnels on a per-application basis and dynamically controls access. This integration ensures secure, direct access, minimizing the need for traditional VPNs and central security inspection.
🌐 How SASE Connects Users to the Cloud and Internal Networks
SASE enables users to connect securely to both cloud applications and internal networks, wherever they are located. The system uses a client to route users to the nearest inspection point for security checks before accessing resources, whether it be a SaaS application or private network. The security services, including firewalling, web filtering, and antivirus, are all performed in the cloud, eliminating the need for large, centralized security appliances. By distributing security inspections regionally, SASE optimizes both cost and performance.
📡 Merging SD-WAN and Secure Web Gateways
SASE combines the benefits of SD-WAN and secure web gateways to create a cohesive solution. When a user connects remotely, SASE authenticates them with Zero Trust Network Access (ZTNA) and uses SD-WAN to optimize traffic flow. This allows for critical features like QoS, traffic prioritization, latency reduction, and packet duplication, which are essential for voice and data applications. The system also supports service chaining, where security inspections can be offloaded to secure web gateways like Zscaler when local inspection is not available.
💻 Service Chaining and Policy Management in SASE
In SASE, service chaining allows security functions to be passed between various solutions, ensuring consistent security policies. For example, users can seamlessly switch between on-premise SD-WAN and off-network secure web gateways without changes in policy. The goal is to apply security policies uniformly, whether users are working from the office or remotely. This consistency ensures that security inspections happen regardless of location, minimizing gaps in security coverage.
☁️ The Importance of Cloud Access Security Brokers (CASB)
Cloud Access Security Brokers (CASB) play a critical role in modern SASE solutions. With most enterprises heavily using SaaS applications, CASB is essential for visibility, access control, and policy enforcement across cloud environments. A CASB integrated into a SASE solution offers centralized security management, allowing for consistent policies for both on-net and off-net users. This ensures that organizations can enforce security measures across all cloud applications and quarantine users in case of suspicious activity.
🔑 Summary: Combining Zero Trust, SD-WAN, and CASB
To summarize, SASE starts with Zero Trust Network Access (ZTNA) to authenticate and authorize users based on their identity and device. Depending on whether the user is on or off the corporate network, the system routes traffic through the nearest PoP for security inspections. SD-WAN steers traffic and provides performance optimizations, while CASB ensures visibility and control over cloud applications. This unified approach offers a seamless, secure experience for users, wherever they may be.
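The ZTNA section and the summary above describe two separate decisions: whether a verified user and device may reach a given application (independent of network location), and where inspection happens (nearest PoP off-net, SD-WAN edge on-net, or a Secure Web Gateway via service chaining when the edge cannot inspect). The following Python model is an added illustration of that flow, not code from the video or any SASE vendor; application names, groups, regions and PoP latencies are constructed sample data.

```python
"""Toy SASE policy engine (added illustration, not vendor code).
ZTNA answers WHETHER a user+device may reach an application, per application,
default deny, never consulting network location. The client then answers WHERE
inspection happens. One policy table serves both on-net and off-net paths,
which is the "change policy once, consistent everywhere" property.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    edr_running: bool

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    device: Device
    on_net: bool
    region: str

# Per-application ZTNA rules (constructed). Unlisted applications are denied.
ZTNA_POLICY = {
    "office365": {"groups": {"staff"}, "require_compliant_device": False},
    "fileshare": {"groups": {"staff"}, "require_compliant_device": True},
    "hr-payroll": {"groups": {"hr"}, "require_compliant_device": True},
}
# Constructed PoP table: user region -> {PoP name: round-trip latency in ms}.
POP_LATENCY_MS = {
    "us-east": {"pop-nyc": 10, "pop-sfo": 65, "pop-lon": 80},
    "eu-west": {"pop-nyc": 85, "pop-sfo": 140, "pop-lon": 12},
}

def device_compliant(d: Device) -> bool:
    return d.managed and d.disk_encrypted and d.edr_running

def ztna_decision(user: User, app: str) -> tuple:
    """Return (allowed, reason). user.on_net is deliberately never consulted."""
    rule = ZTNA_POLICY.get(app)
    if rule is None:
        return False, "no policy for application (default deny)"
    if not user.groups & rule["groups"]:
        return False, "user not in an authorized group"
    if rule["require_compliant_device"] and not device_compliant(user.device):
        return False, "device fails posture check"
    return True, "identity and device verified"

def nearest_pop(region: str) -> str:
    latencies = POP_LATENCY_MS[region]
    return min(latencies, key=latencies.get)

def route(user: User, app: str, edge_has_inspection: bool) -> dict:
    """Apply ZTNA first, then pick the inspection point for an allowed flow."""
    allowed, reason = ztna_decision(user, app)
    if not allowed:
        return {"action": "deny", "reason": reason}
    if not user.on_net:
        return {"action": "allow", "inspect_at": nearest_pop(user.region)}
    if edge_has_inspection:
        return {"action": "allow", "inspect_at": "sd-wan-edge"}
    # On-net but the SD-WAN edge cannot inspect: service-chain to the SWG.
    return {"action": "allow", "inspect_at": "swg-service-chain"}

def policy_is_location_independent(user: User, app: str) -> bool:
    """The 'no gap' check: moving on/off net must not change the ZTNA verdict."""
    flipped = User(user.name, user.groups, user.device, not user.on_net, user.region)
    return ztna_decision(user, app) == ztna_decision(flipped, app)
```

The posture check is what makes the non-compliant device lose access to the file share while still reaching Office 365, the per-application behaviour the video attributes to a true zero trust network.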
Keywords
💡Secure Access Service Edge (SASE)
💡Zero Trust Network Access (ZTNA)
💡Software-Defined Wide Area Network (SD-WAN)
💡Secure Web Gateway (SWG)
💡Firewall as a Service (FWaaS)
💡Cloud Access Security Broker (CASB)
💡Service Chaining
💡Policy Enforcement
💡Inspection Point
💡Work from Home (WFH)
💡Distributed Workloads
Highlights
Secure Access Service Edge (SASE) is a term coined by Gartner that combines multiple network and security technologies into a single offering.
SASE aims to provide secure network services to users wherever they are located, addressing the challenges of distributed workloads and users.
One key problem SASE addresses is the inefficiency and costliness of multiple security policies and technologies that don't integrate well.
With the increase in work-from-home users, SASE enables secure, direct access to cloud services without the bottlenecks and latency of traditional VPNs.
Gartner's SASE framework includes three levels: Core, Recommended, and Optional. Core includes SD-WAN, secure web gateway, firewall as a service, CASB, and Zero Trust Network Access.
Recommended SASE services include sandboxing, browser isolation, WAF, network access control, and next-gen antivirus/EDR.
Optional services within SASE include wireless LAN and VPN for customers that still require these legacy technologies.
Zero Trust Network Access (ZTNA) plays a crucial role in SASE by ensuring users only access specific resources based on their identity and privileges, regardless of their location.
ZTNA is supported by Software Defined Perimeter (SDP), which creates one-to-one tunnels for secure application access on a per-application basis.
SASE provides network security services like firewalling, antivirus, web filtering, and IPS in the cloud, allowing for distributed inspection rather than relying on centralized VPNs.
SASE's integration with SD-WAN allows for intelligent traffic steering, ensuring secure, optimized connectivity to both internal resources and cloud services.
Service chaining within SASE allows SD-WAN appliances to offload security inspection to secure web gateway providers like Zscaler when necessary.
The consolidation of security and network policies into a single solution is a key benefit of SASE, ensuring consistent enforcement whether users are on or off the network.
Cloud Access Security Broker (CASB) is essential within SASE for managing security policies related to SaaS applications, including access control and monitoring for suspicious behavior.
SASE solutions allow organizations to implement zero trust network access while optimizing traffic flow with SD-WAN, ensuring seamless and secure access regardless of user location.
Transcripts
Secure Access Service Edge, or SASE, is a term coined by Gartner that combines multiple network and security technologies into a single offering. The goal is to offer secure network services anywhere the user connects in from. And as we think about how distributed our workloads and users are, we find ourselves having to deal with multiple technologies that don't necessarily work together. This means multiple security policies and inefficient designs that are costly and don't scale. With the increase of work-from-home users, there's a bigger demand than ever for secure direct access to the cloud without having the central bottleneck and latency of the traditional VPN. SASE attempts to solve this problem by combining security as a service with network as a service.

Gartner has laid out three levels to accomplish SASE, including core, recommended and optional. SASE core levels include SD-WAN, Secure Web Gateway, Firewall as a Service, CASB and Zero Trust Network Access. The SASE recommended level includes sandboxing, browser isolation, WAF, network access control, next-gen antivirus or EDR, and SASE optional levels include wireless LAN and VPN for customers that still need those services.

In this video we'll discuss how these technologies come together and how vendors are working with each other to bring you a SASE package. Before we go further, please take a moment to hit like on the video to give me a boost in the YouTube algorithm, and subscribe if you want to see more cyber security videos.

Before we dive into how SASE works, we need to understand the problem it's trying to solve. A recent report by Gartner found that 74 percent of CFOs intend to shift more employees to work from home even after this pandemic has subsided. The average employee in a small organization uses about eight SaaS applications as part of their business workflow, yet they also need access to internal resources like a softphone, file share and other services. The traditional approach was to have users VPN into a central location where policy and inspection can be applied. This creates higher latency for the user, more expensive circuits for the organization, and bigger inspection devices to handle the traffic. Secure Web Gateway and Firewall as a Service vendors like Zscaler tackle this problem by distributing the inspection engines to regional PoP locations and partnering with SaaS vendors to apply security right in the cloud environment itself.

But what about if the user needs to connect back into the corporate network? How can I leverage the advantages of SD-WAN while still having a single security policy when my users go back to their homes?

SASE is designed with the end user in mind, and it starts with the idea of Zero Trust Network Access. Zero Trust Network Access means that we don't care where the user is connecting in from, as long as the user can verify their identification and the device they're using to connect. In a true zero trust network, a trusted user with the appropriate privilege can only connect to the specific resources they're trying to access and nothing else. While there's no specific technology that must be used for zero trust, SDP, or Software Defined Perimeter, is quickly becoming the favorite. With SDP, an application request sets up a TLS tunnel on a per-application basis. An SDP controller sets up and tears down these one-to-one tunnels and uses an SDP gateway to control access as enforcement points. For more information, check out my previous video titled "Accomplishing Zero Trust Security Using SDP".

And since SASE is all about providing network and security services wherever the user is located, the endpoint client is a vehicle to get our data where it needs to go. The client provides Zero Trust Network Access along with the connectivity to the various points. This means when a user needs access to a SaaS application like Office 365 from their home, the client recognizes the user is off-net and routes them to the nearest inspection point for security, which then hands off to the application. The same logic applies when the user needs to access internal resources hosted on a private network: they're routed to the nearest inspection point, which then sends them back to the private network. Security services like firewalling, antivirus, web filtering and IPS are all happening in the cloud by the Secure Web Gateway provider. Depending on the vendor, the Secure Web Gateway provider is also acting like an SDP gateway that allows connections to and from the various resources. In contrast to a traditional VPN network, where users are connecting to one central location with big security devices doing the inspection, with SASE those inspection devices are distributed across various regions, which means savings on the circuit size and security devices that would have been in a traditional hub-and-spoke network.

Most of what we're talking about thus far is not new to you if you're familiar with Zscaler or other cloud web gateways. But what about when the remote user connects back into the office? Does it still make sense for the user to continue to route all their traffic to the cloud, or should I leverage SD-WAN to make the best decision? This is where SASE really starts to make sense conceptually, by merging the advantages of SD-WAN and Secure Web Gateway to provide a single consolidated solution. SD-WAN plays a pivotal role in the SASE framework by service chaining security inspection off to the Secure Web Gateway when inspection is required. Now when a remote user connects into the office, I still authenticate them with Zero Trust Network Access, but I can let my SD-WAN appliance make the best steering decision on how to get to its resources. By still using SD-WAN, that means that my VoIP calls can still be protected with things like forward error correction and packet duplication. I can also do QoS and prioritizing of traffic, latency optimization, caching and all of the other SD-WAN features that we all know and love and have tremendous benefit from.

What we're seeing now in the SASE market is more and more SD-WAN vendors partnering with Secure Web Gateway vendors like Zscaler to do service chaining. In a previous video titled "Secure SD-WAN", we detail why local security inspection is always the better choice if you have the ability. Needless to say, if your SD-WAN vendor doesn't have any local security inspection, service chaining to a Secure Web Gateway is always an option. That being said, your goal should be to leverage a solution where you only have to make a policy change once, and that policy change should be consistent no matter where the user is connecting in from. A good SASE solution should have the ability to have different off-net and on-network policies. When users get behind your corporate network, SD-WAN should be making the steering decisions. When they pack up and go home for the night, the client should connect to the nearest PoP location and still leverage those same policies and security inspections without there being any gap.

The last item in the SASE core framework is Cloud Access Security Broker, or CASB. According to a report by ESG, CISOs reported that SASE is a top security concern in the cloud, and with nearly every modern enterprise using some form of SaaS application for business workflows, CASB is becoming as important to your security posture as the firewall is to your network. In the context of SASE, Cloud Access Security Broker should be integrated into a single solution. That means visibility into your SaaS applications wherever they're being used, centralizing your security policies, enforcing who has access to your cloud applications, and even quarantining users if it's necessary when suspicious behavior is detected. This involves having a SASE solution that integrates CASB into the management plane and having the same policy whether your users are on-net or off-net.

To summarize, it all starts with Zero Trust Network Access. This is the authentication and authorization mechanism that allows a user to a resource no matter where they're connecting in from. If they're off network, their client connects them to the nearest PoP location, where security services inspect and route them accordingly. If they're behind the corporate network, SD-WAN steers them where they need to go and offloads security inspection when necessary.

So that wraps up this video and I hope you found it informative. As always, please comment, hit like, subscribe to stay on top of our latest releases here at The CISO Perspective, and visit us at csoprospective.com.