Today’s business environments are more sprawled than ever — users are accessing networks from point A to point B and everywhere in between.
This has left many cybersecurity teams scrambling to cover all network points and users and ensure that gaps and silos don’t provide easy pathways for threat actors.
The broadened physical and virtual environment blurs visibility and loosens control, making it difficult to track sensitive data, remain compliant and retain secure profiles between office and VPN users.
To gain back control in this complex landscape, more organizations are turning to secure access service edge (SASE). This model seeks to reduce risk by moving security capabilities from the data center to the cloud and deploying a software-defined wide area network (SD-WAN).
“SASE architecture is designed to solve the problem of network performance and limited security visibility for distributed corporate business systems (infrastructure, platforms and applications),” said Keith Thomas, principal architect for AT&T Cybersecurity.
“This approach provides better network performance, greater security visibility and a better overall user experience.”
Gartner analysts coined the term SASE in 2019 and split it off into its own Magic Quadrant in early 2022.
The firm identifies it as a “converged network” including SD-WAN, secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), firewall-as-a-service (FWaaS) and data loss prevention (DLP).
“SASE supports branch office, remote worker and on-premises secure access use cases,” according to Gartner. It is “primarily delivered as a service and enables zero-trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.”
The global SASE market sat at $665.9 million in 2020, according to one estimate from Grand View Research; the firm anticipates it to continue to expand to 2028 at a compound annual growth rate (CAGR) of 36.4%. Another projection from Markets and Markets says the market will reach $4.1 billion by 2026, representing a CAGR of nearly 27%.
Leading companies in the evolving space include Netskope, Zscaler, Palo Alto Networks, Fortinet, Cisco, Perimeter 81, Cato Networks and Forcepoint.
“Given that many users and applications no longer live and operate on a corporate network, access and security measures can’t depend on conventional hardware appliances in the corporate data center,” said Robert Arandjelovic, director of solution strategy for Netskope.
With SASE, instead of delivering traffic to an appliance for security, users connect to the intermediating service “to safely access and use web services, applications and data with the consistent enforcement of security policy,” he said.
Increased security, decreased complexity
SASE architectures, said Arandjelovic, are typically based on a single-vendor offering that delivers networking and security capabilities together, or a dual-vendor model that integrates a security service edge (SSE) offering with an SD-WAN offering.
And, while each provider varies in how they deliver SASE, they generally adhere to this process:
1. Users looking to access services, applications or data connect to the nearest SASE point of presence (POP) and authenticate.
2. Depending on where the resource resides (on a website, in an app, in a private application hosted in a data center or infrastructure-as-a-service), the SASE architecture uses the appropriate integrated service and enables the user to access entitled resources.
3. While this occurs, SASE applies consistent threat protection and data protection controls. Ideally, these leverage a “single pass” approach to minimize user disruption.
The best SASE tools, said Arandjelovic, ensure “fast, ubiquitous connectivity” while adhering to zero-trust principles and least privileged access that adjust based on risk context.
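To make the process above concrete, here is an added example (not code from the article or from any vendor named in it) that models one SASE point of presence making a single-pass decision: it authenticates the request, classifies the destination to pick the fronting service (SWG, CASB or ZTNA), scores device and session context into a risk number, checks entitlement for private apps, and runs a DLP check on data leaving toward external destinations. The catalog entries, risk weights, threshold and sample requests are all constructed assumptions for illustration.

```python
"""Toy model of a SASE point of presence (PoP) making a single-pass access decision.

Added example for illustration only: the catalog, service names, risk weights,
threshold and sample requests are assumptions, not any vendor's behaviour.
"""
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    WEB = "web"          # arbitrary internet site      -> secure web gateway (SWG)
    SAAS = "saas"        # sanctioned cloud app         -> cloud access security broker (CASB)
    PRIVATE = "private"  # app in a data center or IaaS -> zero-trust network access (ZTNA)


# Constructed resource catalog: destination -> (kind, groups entitled to reach it).
# Destinations not listed are treated as ordinary web traffic.
CATALOG = {
    "mail.example-saas.test": (Kind.SAAS, set()),    # sanctioned SaaS, any user
    "hr.corp.internal": (Kind.PRIVATE, {"hr"}),       # private app, HR group only
    "git.corp.internal": (Kind.PRIVATE, {"eng", "hr"}),
}
SERVICE_FOR = {Kind.WEB: "SWG", Kind.SAAS: "CASB", Kind.PRIVATE: "ZTNA"}
RISK_LIMIT = 50                      # assumed threshold above which access is denied
SENSITIVE_TAGS = {"pii", "secret"}   # DLP labels that must not leave toward external destinations


@dataclass
class Request:
    user: str
    groups: set
    destination: str
    authenticated: bool = False
    mfa: bool = False
    managed_device: bool = False
    patched: bool = False
    unusual_location: bool = False
    upload_tags: set = field(default_factory=set)  # DLP labels on data the user is sending


@dataclass
class Decision:
    allow: bool
    service: str
    risk: int
    reasons: list


def risk_score(req: Request) -> int:
    """Real-time context: each missing posture signal raises the risk score."""
    score = 0
    if not req.mfa:
        score += 30
    if not req.managed_device:
        score += 25
    if not req.patched:
        score += 15
    if req.unusual_location:
        score += 20
    return score


def evaluate(req: Request) -> Decision:
    """Single pass: authenticate, classify, then check risk, entitlement and DLP
    once, returning one decision that lists every reason that contributed."""
    reasons = []
    kind, allowed_groups = CATALOG.get(req.destination, (Kind.WEB, set()))
    service = SERVICE_FOR[kind]
    if not req.authenticated:
        return Decision(False, service, 0, ["not authenticated at PoP"])
    risk = risk_score(req)
    if risk > RISK_LIMIT:
        reasons.append(f"risk {risk} exceeds limit {RISK_LIMIT}")
    if kind is Kind.PRIVATE and not (req.groups & allowed_groups):
        reasons.append("user not entitled to private app")
    if kind is not Kind.PRIVATE and (req.upload_tags & SENSITIVE_TAGS):
        reasons.append("DLP: sensitive data bound for external destination")
    return Decision(not reasons, service, risk, reasons)


if __name__ == "__main__":
    # Constructed sample requests showing each branch of the decision.
    samples = [
        Request("alice", {"eng"}, "git.corp.internal", True, True, True, True),
        Request("bob", {"eng"}, "hr.corp.internal", True, True, True, True),
        Request("carol", {"hr"}, "mail.example-saas.test", True, True, upload_tags={"pii"}),
        Request("dave", {"eng"}, "news.example.test", True, False, False, True),
    ]
    for s in samples:
        print(s.user, s.destination, evaluate(s))
```

The point the model makes is that every control runs in the same pass over the same request object, so the user sees one decision rather than being bounced between a VPN concentrator, a proxy and a separate DLP appliance; adding a new control is a new clause in `evaluate`, not a new hop in the path.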
Ultimately, SASE reduces cost and complexity through consolidation, he said, thus enabling companies to “end the cycle of regularly making major investments in separate security services and appliances.”
Important questions to consider
There are many questions to consider when assessing SASE tools, said Bruce Johnson, senior product marketing manager for Cradlepoint. The key ones are:
Will my current infrastructure support SASE?
Does my current IT staff have the training required to deploy, manage and support a SASE environment?
Does my environment include technologies such as 5G that warrant additional capabilities?
Testing and troubleshooting should then be conducted in a sandbox, he advised, to protect the production environment before hybrid workforce devices are configured.
As he noted, “geography becomes much less important” with SASE because critical services are independent of where employees and resources are located.
For example, “a company that supports a global workforce including hybrid workers can provide protection and network connectivity to a worker anywhere in the world.”
SASE’s modular capabilities
Arandjelovic agreed that, like many comprehensive frameworks, “SASE can appear overwhelming if considered all at once.”
But because it is modular, organizations can adopt it gradually based on their own pace and priorities.
The first step is to collaborate across the “IT divide,” he said, with security and infrastructure teams forming a common set of requirements. Once agreed upon, the next step is to identify and prioritize key projects — whether those be securing access to web and cloud apps, modernizing VPN connectivity or implementing enterprise-wide data protection.
Organizations can then build out controls and policies, and roll out subsequent projects as needed — a process that is simplified due to the unified SASE platform.
A thoughtful, sensible approach
Indeed, many analysts recommend first deploying ZTNA, then extending usage “bit by bit,” said Klaus Gheri, VP of network security at Barracuda.
This is the most “thoughtful and sensible approach” so long as organizations consider such questions as:
Does the solution provide agents for all required platforms?
Does it force the funneling of any and all traffic through the SASE service, or does it allow access to other capabilities such as Microsoft 365?
Does it allow access to applications other than web apps?
Does it allow expansion to adopt additional functions?
Does it allow the rollout of devices or sensors for IoT or industrial use cases?
SASE tools should ultimately be all about consistent security — everywhere — with an underpinning of zero trust, he said.
“This ensures that every employee gets secure, reliable and fast application access without the choke point of a VPN concentrator that we used to see,” he said.
“Changing the networking and security infrastructure of an existing company sounds like a scary thing to do — and it often is,” he acknowledged. “So, the benefits need to outweigh the risks and efforts rather quickly.”
Complex, but an investment that pays off
Ultimately, business leaders must be aware that there are many possible paths to take when deciding how and when to deploy SASE, said Mary Blackowiak, lead product marketing manager for AT&T Cybersecurity.
Some choose to source SD-WAN from their security vendor, while others prefer to stack security on top of their existing network infrastructure, she pointed out.
Another option is acquiring the technology and outsourcing to a managed security service provider (MSSP). This can be particularly attractive in light of the security industry’s ongoing skills shortage, she pointed out.
Also, it is critical to build a roadmap of upcoming network and security transformation initiatives and begin the proof of concept process early.
This “can help position businesses for increased productivity, fewer risks and simplified management,” said Blackowiak.
The bottom line, according to AT&T’s Thomas: “SASE is a complex and resource-intensive strategic initiative to execute but, ultimately, can be a transformative strategy and provide cost savings to an organization.”