SASE - "Identity is everything" or "Trust No-one"

Ed Davison

Principal Engineer

We all know how much a techie loves an acronym, almost as much as the technology itself. Well, SASE (Secure Access Service Edge, pronounced "sassy") has a whole bag of them to come to grips with, all wrapped in a new mindset bordering on a philosophy.

If we could all take a moment to think back to the halcyon days of 2019, when life was perhaps a little more straightforward and we occasionally worked from home rather than lived where we work, that is when Gartner introduced us to the SASE concept: the amalgamation of SD-WAN and security functions into a single, cloud-native service, with the aim of addressing the dynamic secure access needs of organisations.

The principal technologies comprising the new integrated vision were SD-WAN, ZTNA, FWaaS, SWG and CASB, all driven by policies applied per user session and tailored by identity, context, security and compliance requirements, and continual risk assessment.

So … what do these actually mean?

SD-WAN – Software Defined Wide Area Network – The use of software to control and secure connectivity, management and services between network endpoints, be they data centres, remote network edges or cloud infrastructures. The endpoints comprising the SD-WAN can be physical or virtual instances, or hybrid (uCPE – universal customer premises equipment), covering connectivity options ranging from LTE to MPLS. The important factors are the separation of the control plane from the data plane, the ability to segment and secure traffic, and routing via the optimal transmission path.

ZTNA – Zero Trust Network Access – Sometimes referred to as a Software Defined Perimeter (SDP), Zero Trust Network Access is a new approach to securing access to applications and services regardless of location. In essence, it is the estate-wide implementation of a "DENY ALL unless explicitly allowed" security policy: all networks are treated as untrusted, malicious actors are assumed to be in play, and administrators must explicitly allow each access to a resource or application. With this approach identity is key, whether that of a user, an application or a resource.
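To make the two ideas above concrete (policy tailored by identity, context and continual risk assessment, and ZTNA's default deny), here is an added illustration that is not part of the original article and does not represent any vendor's engine. The policy, the rule fields (MFA, managed device, risk threshold, location) and the requests are all constructed for the example; a real ZTNA broker would source these signals from an identity provider, endpoint agent and risk engine.

```python
"""Default-deny access decision in the ZTNA spirit (illustrative, constructed)."""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    """One access attempt: who, to which app, from what device and where, and how risky."""
    user: str
    groups: frozenset[str]
    app: str
    mfa: bool
    device_managed: bool
    device_patched: bool
    location: str        # constructed labels: "office", "home" or "unknown"
    risk_score: int      # 0 (clean) .. 100, fed by continual risk assessment


@dataclass(frozen=True)
class Rule:
    """An explicit allow rule; anything no rule allows is denied."""
    name: str
    app: str
    allowed_groups: frozenset[str]
    require_mfa: bool = True
    require_managed_device: bool = True
    max_risk: int = 30
    allowed_locations: frozenset[str] = frozenset()  # empty means any location

    def unmet_conditions(self, req: Request) -> list[str]:
        """Context checks that must all pass once identity has matched."""
        failed = []
        if self.require_mfa and not req.mfa:
            failed.append("MFA required")
        if self.require_managed_device and not (req.device_managed and req.device_patched):
            failed.append("managed and patched device required")
        if req.risk_score > self.max_risk:
            failed.append(f"risk {req.risk_score} exceeds {self.max_risk}")
        if self.allowed_locations and req.location not in self.allowed_locations:
            failed.append(f"location '{req.location}' not permitted")
        return failed


def evaluate(req: Request, rules: list[Rule]) -> tuple[str, str]:
    """Return ('allow', rule name) or ('deny', reason). The fall-through is deny."""
    reasons = []
    for rule in rules:
        # Identity first: the rule must name this app and one of the caller's groups.
        if rule.app != req.app or not (rule.allowed_groups & req.groups):
            continue
        failed = rule.unmet_conditions(req)
        if failed:
            reasons.append(f"{rule.name}: " + ", ".join(failed))
            continue
        return ("allow", rule.name)
    return ("deny", "; ".join(reasons) or "no rule matches (default deny)")


def reassess(req: Request, rules: list[Rule], new_risk: int) -> tuple[str, str]:
    """Re-run the decision mid-session with an updated risk score (continual assessment)."""
    return evaluate(replace(req, risk_score=new_risk), rules)


# Constructed policy and requests for illustration only.
POLICY = [
    Rule("finance-erp", app="erp", allowed_groups=frozenset({"finance"}),
         max_risk=20, allowed_locations=frozenset({"office", "home"})),
    Rule("wiki-all-staff", app="wiki", allowed_groups=frozenset({"staff"}),
         require_managed_device=False, max_risk=60),
]

ALICE_ERP = Request("alice", frozenset({"staff", "finance"}), "erp",
                    mfa=True, device_managed=True, device_patched=True,
                    location="home", risk_score=10)
BOB_WIKI = Request("bob", frozenset({"staff"}), "wiki",
                   mfa=True, device_managed=False, device_patched=False,
                   location="unknown", risk_score=30)
BOB_ERP = replace(BOB_WIKI, app="erp")            # no rule names bob's groups for erp
CAROL_NO_MFA = replace(ALICE_ERP, user="carol", mfa=False)

if __name__ == "__main__":
    for label, req in [("alice->erp", ALICE_ERP), ("bob->wiki", BOB_WIKI),
                       ("bob->erp", BOB_ERP), ("carol->erp, no MFA", CAROL_NO_MFA)]:
        print(label, evaluate(req, POLICY))
    print("alice->erp after risk rises to 45", reassess(ALICE_ERP, POLICY, 45))
```

Two design points worth noting: identity is matched before any context check, so a caller with no explicit rule is denied without the policy engine revealing which conditions it would have tested; and reassess shows why "continual risk assessment" matters, since the same session that was allowed at a risk score of 10 is denied once the score rises above the rule's threshold.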

FWaaS – Firewall as a Service – The delivery of firewalls and other security services as a cloud service. As opposed to the traditional deployment of these services at the network edge, FWaaS delivers them with the characteristics of the cloud: the flexibility to quickly turn features on or off, and to scale dynamically as your requirements change.

SWG - Secure Web Gateway – A security service to detect and block malicious software in users' web and Internet traffic, and to police and enforce corporate or regulatory requirements in line with corporate or industry compliance, through technologies such as application identification, anti-virus and malware detection, URL filtering and others. Ideally, in the SASE context, a Secure Web Gateway, like FWaaS, should scale with demand to operate at line rate.

CASB - Cloud Access Security Broker – A security service to manage and secure an organisation's access to data and services located in the cloud. Sited between an organisation's users and its cloud resources, these solutions can be located on-premises or in the cloud, and extend an organisation's security policy across its SaaS, PaaS and IaaS services.

At the time these individual technologies were not all that new, and they are by no means the only technologies being leveraged now. However, packaging them into a single service, moving them to the cloud, distributing them across multiple points of presence to ensure close proximity to consumers, making them all manageable through a single pane of glass, and driving them by the cloud pay-as-you-grow paradigm, potentially allowed organisations to free themselves of the cost and complexity of building and maintaining their own infrastructures, thus complementing their transition to the cloud. At the time, pre-COVID-19 that is, Gartner predicted that at least 40% of enterprises would have explicit strategies to adopt SASE by 2024.

So … where are we now?

At this point in time, with the vast majority of the workforce working from home (on this note, I would like to draw your attention to some interesting thoughts on home working), it may be safe to say that COVID-19 (or SARS-CoV-2, apologies, another acronym) has accelerated this adoption, or has at least sharpened focus on the possible benefits of SASE, not least for those who need to cater for home workers, for mobile colleagues when travel is permitted again, and for the infrastructure demands of new services.

Whether we go back to the pre-COVID ways of working, evolve into a hybrid of home and office, or remain a largely home-based workforce, who knows? SASE, though, is now likely to feature more prominently on the technology landscape. As connectivity changes, consumed services become dispersed, and more and more elements become "Internet enabled", the ability to secure and police connectivity regardless of the location of the user is exactly what SASE offers.

Having said this, SASE in its current guise may not be the silver bullet for you right now. Its stage in the development cycle, its perceived position on the hype cycle, the associated loss of some control, vendor lock-in and lack of vendor integration are still challenges to overcome. Of course, you can scale remote access solutions, extend corporate security architectures into the home, and leverage all sorts of technological solutions in support of the new operational geography, including today's secure SD-WAN solutions, and this may be entirely suitable for your current cloud journey.

Therefore, while the SASE vendors are defining the art of the possible and pushing the boundaries of technology, this is a space to keep a close eye on.


