Originally defined by Gartner, a SASE (Secure Access Service Edge, pronounced “sassy”) is a security solution designed to enable businesses to fully and safely utilise cloud-based services while maintaining a robust network security posture. By offering a comprehensive cloud-delivered networking and security infrastructure, SASEs provide secure access to SaaS tools and applications while delivering full visibility of traffic across all protocols and ports.
For many, a SASE solution will replace and expand upon traditional VPN (Virtual Private Network) functionality. Where VPNs were originally the standard means of secure remote connectivity to corporate resources and network environments, a SASE provides enhanced capabilities in an increasingly cloud-based digital space.
VPNs operate by securing data's journey across the internet with a tunnelling protocol, encrypting traffic using IPsec (Internet Protocol Security) or TLS (Transport Layer Security, still widely referred to as SSL after its deprecated predecessor). The most common forms of VPN are Site-to-Site, used to connect remote corporate locations to a central hub and to each other, and Remote Access, which facilitates remote working on users' devices outside the office by allowing access to secure environments over a user's own internet connection.
However, while VPNs remain an effective method of granting access to data centres and corporate resources, as cloud services have boomed and users have become more reliant on SaaS and cloud-based tools, a VPN alone is no longer the most effective solution for comprehensive security protection, because much of the traffic it needs to protect no longer terminates inside the corporate network.
A SASE security solution takes the capabilities of a VPN and enhances their application across cloud services and resources, not only protecting businesses during access to physical locations and data centres but extending this coverage to include public cloud services. This includes SaaS (Slack, HubSpot, Salesforce), PaaS (Adobe Commerce, Google App Engine) and IaaS (Amazon Web Services, Microsoft Azure, IBM Cloud) solutions, as well as private cloud apps and services.
The Need for SASE Solutions
Remote Access VPNs have a single primary purpose: to allow users outside an organisation's perimeter firewall to reach resources kept securely within the corporate network. While connected to a VPN, the encrypted tunnel terminates at a concentrator at the central data centre, so all tunnelled traffic takes a round trip through that location. Performance therefore depends on a user's distance from it. Those closest to the data centre can expect peak performance, while those further away (in another country, for example) experience added latency and degraded throughput.
VPNs are also affected by the usage demands placed upon them. Following unprecedented growth in remote working, more and more users are reliant on VPNs to access central data and applications. This spike in demand can strain existing infrastructure, with user experience suffering. For businesses with a rapidly scaling remote workforce, remote access security solutions must be able to handle the increased traffic while maintaining a consistent user experience across the organisation. In a largely remote-first world, with users spanning countries and continents, many organisations are beginning to realise that a traditional Remote Access VPN is not sufficient for consistent productivity and protection.
When a VPN's performance suffers, the user experience is limited. Rather than deal with slower access speeds or workflow interruptions, users may opt to disconnect from their VPN to continue working. While the user's access to the private corporate environment is lost on disconnection, their use of cloud apps and services remains unaffected. Data continues to be shared, stored, and processed in these applications, and a security blind spot is created, preventing consistent enforcement of security policy. The same blind spot exists by design in a split-tunnel configuration, where SaaS traffic bypasses the VPN even while it is connected. A SASE provides continuous visibility across apps to prevent this.
SASE and Devices
A SASE solution offers benefits to both managed and unmanaged user devices, which makes it well suited to organisations with a remote or hybrid workforce.
Those users with managed devices will require a SASE client app on their laptop, phone, or tablet. This app connects to the SASE platform once internet access is available, without the need for interaction or repeated opt-in, ensuring user up-take and consistent security provision.
Once connected, users on managed devices will be granted access to all permitted business applications, whether cloud-based or in the central data centre, regardless of location, enabling increased remote productivity across a wealth of public cloud and SaaS tools. The user’s device will receive SASE’s protection via the security service layer, guarding against both known and unknown malware, cyber threat exploits and credential-based attacks.
Unmanaged devices covered by a business's BYOD policy are also able to securely access web-based and SaaS applications by utilising the SASE's SAML (Security Assertion Markup Language) proxy integration: the identity provider's sign-in flow routes the browser session through the SASE, so traffic to those applications is inspected without a client being installed on the device.
SASE and ZTNA 2.0
Zero Trust is a cyber security framework that operates by eliminating the assumption of trust within an organisation's security environment. Instead, every request is authenticated and authorised before anything (be that a user, device, or application) is granted access, regardless of whether it originates inside or outside the network. While the concept began to gather momentum among security leaders in the mid-2000s, the term Zero Trust was popularised in 2010 by Forrester researcher John Kindervag. ZTNA (Zero Trust Network Access) applies this "never trust, always verify" model specifically to network access.
Unfortunately, existing ZTNA, or ZTNA 1.0, network security solutions were never intended to accommodate the growth experienced by corporate networks since 2020. Such tools typically grant broad access once a connection has been allowed, and offer limited coverage of non-web applications and SaaS platforms, creating issues for both performance and security provision. Newer, more sophisticated attacks, launched by threat actors aware of the modern worker's habits and requirements, are increasingly able to exploit these gaps.
It’s for that reason that ZTNA 2.0 has emerged as the best path forward, considering “work” as an activity performed, rather than a location, with Zero Trust protection provided across all work tools both private and public. Coined by Palo Alto Networks, the ZTNA 2.0 framework is purpose-built for organisations reliant on any number of cloud-based tools, overcoming the limitations of legacy ZTNA 1.0 solutions by providing comprehensive security for businesses with remote or hybrid workforces, and a SASE solution incorporates this security provision.
This protection is delivered through continuous security inspection and verification of trust, even across existing allowed connections, taking into consideration the ever-changing configuration and security risk of the unmanaged SaaS and cloud applications utilised by businesses today. Where ZTNA 1.0 tools decide trust once, at connection time, and then leave the session alone, ZTNA 2.0 tools, including SASEs, recognise that threats and risk factors shift during a session and must be continually reassessed to maintain security.
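The difference between deciding trust once at connection time and re-evaluating it on every request is easiest to see in code. The following is an added illustration, not code from the original page or from any vendor's product: a hypothetical policy evaluator fed a constructed timeline of requests in which the endpoint agent stops mid-session and the application is later re-rated as high risk. The posture fields, risk ratings and the 60-minute MFA threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical posture and request models (not any SASE product's data model).
@dataclass
class DevicePosture:
    disk_encrypted: bool
    edr_running: bool

@dataclass
class AccessRequest:
    user: str
    mfa_age_minutes: int      # minutes since the user last completed MFA
    device: DevicePosture
    app: str
    app_risk: str             # "low" | "medium" | "high", e.g. from a CASB-style app catalogue

def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Policy decision for a single request, using the signals as they are right now."""
    if not req.device.disk_encrypted:
        return False, "device: disk not encrypted"
    if not req.device.edr_running:
        return False, "device: endpoint agent not running"
    if req.app_risk == "high":
        return False, f"app {req.app}: risk too high"
    if req.app_risk == "medium" and req.mfa_age_minutes > 60:
        return False, f"app {req.app}: MFA older than 60 minutes"
    return True, "allow"

class ConnectTimeSession:
    """Decide once when the session opens, then reuse that decision (the ZTNA 1.0 pattern)."""
    def __init__(self, first: AccessRequest):
        self.allowed, self.reason = evaluate(first)

    def handle(self, req: AccessRequest) -> Tuple[bool, str]:
        return self.allowed, self.reason

class ContinuousSession:
    """Re-evaluate every request against the current signals (the ZTNA 2.0 pattern)."""
    def handle(self, req: AccessRequest) -> Tuple[bool, str]:
        return evaluate(req)

def build_timeline() -> List[AccessRequest]:
    """Constructed sequence: the same user keeps using Salesforce, but the endpoint
    agent stops at step 3 and the app is re-rated to high risk at step 5."""
    healthy = DevicePosture(disk_encrypted=True, edr_running=True)
    degraded = DevicePosture(disk_encrypted=True, edr_running=False)
    return [
        AccessRequest("alice", 5, healthy, "salesforce", "low"),
        AccessRequest("alice", 20, healthy, "salesforce", "low"),
        AccessRequest("alice", 35, degraded, "salesforce", "low"),
        AccessRequest("alice", 50, degraded, "salesforce", "low"),
        AccessRequest("alice", 65, healthy, "salesforce", "high"),
    ]

def run(model: str) -> List[bool]:
    """Return the allow/deny decision for each step of the timeline under the given model."""
    timeline = build_timeline()
    session = ConnectTimeSession(timeline[0]) if model == "connect-time" else ContinuousSession()
    return [session.handle(req)[0] for req in timeline]

if __name__ == "__main__":
    for model in ("connect-time", "continuous"):
        print(model, run(model))
```

The connect-time model allows all five steps because it never looks again after the first decision; the continuous model denies from step 3 onward, first for the missing endpoint agent and then for the raised application risk. In a real deployment the posture and risk signals would come from the endpoint client and the CASB component rather than a hard-coded list.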
Five Benefits of a SASE Solution
Complete Visibility and Simplified Monitoring
A crucial flaw of VPNs is the lack of visibility should a user choose to disconnect. Though their access to central environments is lost, their activity on cloud apps remains unaffected and unobserved. With a SASE solution, by contrast, security teams are afforded complete and consistent visibility across remote and hybrid corporate network environments, spanning data centres, branches, public and private cloud services, and individual users.
Rather than monitoring and reporting on a selection of dashboards across your organisation's network and security products, a SASE combines the capabilities of a SWG (Secure Web Gateway), FWaaS (Firewall as a Service), ZTNA 2.0 (Zero Trust Network Access) and CASB (Cloud Access Security Broker) to provide security teams with a single source of truth for all network activity, including apps, users, and data. This consolidated insight assists with the correlation of security events and streamlines troubleshooting and cyber threat incident response.
Alleviated Pressures on IT
Improved visibility and data collection lessen the strain on IT security teams. In an environment with many separate point products for networking and security, specialist expertise is required to train and resource the staff who manage each of them. This can be financially prohibitive for many organisations, which may instead task generalist network and security staff with responsibility for a disparate selection of tools, lessening the effectiveness of existing security solutions through inconsistent management.
A SASE solution can help to keep staff retention and training costs under control by providing a single dashboard for monitoring, alleviating the administrative and technical burden on existing teams without a negative impact on security or resource provision. Its cloud-based infrastructure also frees up teams from maintenance tasks such as hardware replacement and patching.
As users’ app and service usage increases with their need for greater collaboration and communication, it becomes increasingly difficult for organisations to effectively control their access without impinging on productivity.
To simplify the administrative process of access control, businesses can utilise the SASE's ability to classify traffic by application on all ports by default, identifying the application from the content of the flow rather than the port it arrives on. This removes the need to research which applications use which ports when configuring policies, and means an application cannot evade a policy simply by running on a non-standard port.
Threat Prevention and Reduction in Risk
Security is at the core of a SASE, with comprehensive provision along the entire user access path, incorporating user, device, and location-based profiling along with support for inline TLS decryption and re-encryption so that encrypted traffic can be inspected.
By continually managing all connections, rather than only those a user actively opts into in order to reach shared documents and central environments, security is applied end-to-end, closing the gaps left by disconnected or split-tunnelled traffic, and providing a seamless experience that evolves with the environment.
Increased Network Reliability
With teams working across locations and in some cases time zones, consistent network coverage is crucial to maintain productivity.
A SASE solution aids network reliability and performance regardless of location by delivering SD-WAN (Software Defined Wide Area Network) capabilities that combine multiple links from a variety of sources, including broadband, satellite and MPLS (Multiprotocol Label Switching), and steer traffic across them by policy and measured link quality. This reduces the congestion typically associated with routing routine internet traffic over a single highly utilised connection.
Threatscape is pleased to offer Palo Alto Networks’ Prisma SASE, providing insight into data, assets and risks in the cloud while consistently securing your environment without compromise.
In 2023, Palo Alto Networks was ranked a Leader in the Gartner Magic Quadrant for SSE (Security Service Edge), the security half of their SASE offering. For more information on Prisma SASE, request a consultation with our expert team.