A Guide to Secure Access Service Edge (SASE)
Making 2023 Your Year of Edge Security and Performance
Last month we wrote about “The Edge.” We defined it not as a location, but as an overall customer and user experience when interacting with your company. Successful edge networking ensures performance and security when your data, users, and customers are widely distributed. Your employees may no longer work at your headquarters, or in an office at all. They may be at home, in a coffee shop, in a remote location, or in transit. They may no longer use only the computer assigned by your company, but also their own laptops, smartphones, and tablets.
On top of that, your customers demand an exceptional experience no matter how they access your goods or services. Your applications, platforms, and data are already hosted in multiple public cloud environments. This is in addition to your own private hosted cloud, and your employees need access to all of it.
What is SASE?
SASE (pronounced “sassy”) is the combination of security and networking elements offered in a single package. SASE combines comprehensive SD-WAN capabilities with complete network security functions such as SWG, CASB, FWaaS, and ZTNA. These elements support the dynamic, growing, distributed security needs of companies everywhere.
The SASE solution leverages the Cloud, so there’s no need to purchase new hardware. Plus, it’s managed by your vendor. This means that there’s no need to hire specialized security or IT staff to manage it. SASE is a networking package that includes connectivity (“SA” or the “secure access”) and security (“SE” or the “service edge”). The diagram below presents our model.
This is complex stuff.
Secure Access Service Edge or SASE hangs on the Cloud and is customized to secure your highly distributed environment.
How does SASE work?
Let’s dive into the specific components of SASE (Secure Access Service Edge) to better understand how it works.
The “SSE” part of SASE is the Security Service Edge. This is the core package of security components that will protect your data, your applications, and your users.
The four key elements of security service edge (SSE) are Firewall as a Service (FWaaS), Zero Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), and Secure Web Gateway (SWG). These elements are presented in greater detail below.
While any of these security services can be purchased separately, they work more efficiently as part of an integrated SASE solution.
Firewall as a Service (FWaaS)
The explosion of applications and users everywhere can mean that you’re managing hundreds or thousands of firewalls to ensure security. If you’re routing all user traffic through a centralized point (such as a data center) because that’s where your firewall is located, user performance and security suffer.
Firewall-as-a-Service, also known as cloud firewall, places the management burden on your vendor. FWaaS delivers firewall functionality as a cloud-based service.
Good FWaaS offerings provide the same features as a next-generation firewall. SASE offers FWaaS as part of a unified, cloud-based security model. This way, you can easily manage deployment from a single platform.
Zero Trust Network Access (ZTNA)
ZTNA, another component of your SASE solution, is an ideal security approach for your distributed environment. When ZTNA is employed outside of the SASE environment, users must first authenticate through a gateway to gain access to an application.
This authentication occurs no matter where the user is located, no matter the device or network access they’re using. ZTNA focuses on policy, identity and content. The policies follow the identity of each user wherever they are, and the control is yours. ZTNA is zero trust – meaning that it adopts a “least privilege” strategy. No access is permitted until you say it is. Security administrators identify users and create policies to restrict or allow access, minimize data loss, and quickly mitigate potential threats. ZTNA inspects and logs all traffic, and strictly enforces access control.
When ZTNA is offered as part of a unified SASE package, SASE applies the security principles across other services within the SASE solution. By accurately identifying users, devices, and applications, no matter where they are connecting from, you have simplified policy creation, policy management, and rules enforcement.
Connecting through a gateway adds complexity to the security solution. ZTNA through SASE removes the complexity of the gateway connection. It does this by incorporating required networking and security services into a single cloud framework.
Cloud Access Security Broker (CASB)
CASB is another essential security component of SASE. It secures traffic between an enterprise and its cloud providers. CASB comprises data security, threat protection, data loss prevention, and application control. And, crucially, it includes pre-configured government compliance for financial and healthcare organizations.
CASB creates a single platform for administrators to manage security controls for all application types. When CASB is integrated into a SASE solution, it works much better than CASB alone. With a unified SASE solution, CASB provides the visibility that helps you understand which software apps are being used and where sensitive data is going, no matter where users are located.
Secure Web Gateway (SWG)
If your organization already runs web filtering to prevent access to certain inappropriate web destinations, you have an incomplete solution. Because web filtering runs on a separate appliance, it results in inconsistent policy enforcement when your employees are working remotely. Further, web filtering only looks at web-based traffic and ignores non-web applications and data traffic. This can leave your company exposed.
SWG with SASE fixes this. SWG includes a comprehensive web security solution. This includes SSL Proxy, URL Filtering, Intrusion Detection and Prevention (IDS/IPS), NextGen Anti-Virus (NG-AV), Data Loss Prevention, and Advanced Threat Protection.
With SWG as part of your SASE security package, you have complete visibility and control over traffic, regardless of employee locations. As you grow, your SWG automatically scales to continue supporting you.
While these four security services form the minimal base package of SASE, your SASE vendor may offer more. This could include DNS security, browser isolation, and others. The key is that this base package is cloud-based and managed by your vendor.
You enjoy overall control of your policies and visibility into their enforcement. Still, you need not hire an army of IT and security experts to start to take advantage of SASE. The service is already tailored to your highly distributed environment.
SD-WAN vs. SASE
The “A” part of SASE is the network access – your WAN connection to the security services presented above. As your corporate perimeter dissolves when applications move to multiple clouds to be accessed from anywhere, you must offer end users seamless connectivity and security. An SD-WAN “overlay” to your public Internet or private WAN network optimizes your WAN, unifies security across users, and saves money.
The network access includes the following elements:
- The SD-WAN overlay, including its self-healing architecture and AI operations
- The global SASE POPs
The many benefits of SD-WAN are widely documented, and summarized again here:
SD-WAN improves digital experiences
SD-WAN provides application-aware routing, no matter the origination or destination of the traffic. This means that the network is always available for your critical applications, as defined by you, even for your most remote users and locations. If the site has connectivity, even just an Internet connection, it can be integrated into your corporate SD-WAN.
SD-WAN saves money
All you need is an inexpensive broadband Internet link. With the SD-WAN overlay, you have well-performing, secure connections from your locations to the Cloud. The equivalent MPLS links would be more expensive.
SD-WAN is easy to adopt and integrate
Deployment is pre-configured, automated, and centrally provisioned. This allows for faster installations and eliminates the need for dedicated project managers at your remote sites.
SD-WAN really performs
SD-WAN includes AIOps data correlation. This automates root cause analysis, leading to faster diagnoses. Further, automated workflows learn the network to deliver proactive remediation, improving uptime.
If your organization already has the SD-WAN network connection, then the “SSE” portion of SASE is all you need. If your organization already has a WAN, consider an SD-WAN overlay. SD-WAN allows you to redirect some traffic to your broadband Internet links without disrupting or modifying your WAN.
This saves your WAN for applications that require private connections for compliance and accelerates the performance of all of your traffic. This improves your observability, visibility, and control.
The global SASE POPs are locations of interconnection between your sites and the SASE service. They are the initial point of security and processing for your end-users’ traffic. You’ll hear SASE providers brag about the number of POPs they offer globally and how widely distributed those POPs are.
And for good reason. The more numerous, widely distributed, and optimally placed the POPs are, the closer users are to the SASE solution and to the cloud services being accessed. This proximity lowers latency and provides better overall performance of the service.
Why do I need SASE?
We’ve discussed the benefits of SASE throughout this blog. However, put simply: SASE provides an unmistakable return on investment (ROI).
SASE architecture boosts the performance of your inexpensive broadband connections and eliminates costly hardware and operational investments. What’s more, it ensures the security of every remote, hybrid, and office worker. It also gives you a full understanding of how your network and applications are performing.
SASE also learns using AI-based operations. This allows it to proactively and preemptively remediate network issues before they become outages. Plus, it’s managed in the Cloud by your vendor, which frees up your IT staff to focus on business-critical objectives.
Usually, cost savings are achieved by cutting corners and compromising on things like network performance. With SASE, the value that results from improved performance turns into an overall lower total cost of ownership (TCO). Summarized, SASE accomplishes long-term ROI by:
- Simplifying and unifying your edge-to-edge security, reducing the operational expense of managing multiple vendors, platforms, and security systems.
- Providing consistent, policy-based security and data protection where you define the policies, and your vendor applies and manages them.
- Easily scaling to grow as you grow. This means faster integration of new people, locations, and applications which translates to faster realization of business results. And time is indeed money.
- Including your SD-WAN overlay on top of your current access – no need for expensive new network connections.
- Improving overall network performance, with less time chasing vendors and repairing impairments or outages.
- Keeping all communication secured regardless of network location. ZTNA follows the person to ensure that the identity of that person, rather than their physical network location, is used to ensure trusted access.
2023 is the time for a truly unified security and WAN solution
Your most critical applications and processing (such as your G-Suite, Microsoft apps, Workday, Salesforce, etc.) are already hosted in the Cloud. Some applications may still be hosted at a local data center, creating a complex hybrid cloud architecture. Your employees work everywhere and access your applications using public network infrastructure and an array of company and personal devices.
SASE allows you to bring it all into a single, unified network and security environment. Here, you define the policies, your vendor manages the solution, and your infrastructure catches up with the evolution of your business.
Why SASE from Zayo?
Zayo has built, owns, and operates a massive North American and European fiber optic infrastructure. We continue to build out our global fiber network with unmatched capacity and reliability. This network – all 16M miles of fiber – serves as the foundational “underlay” of the SASE model.
When you work with Zayo, we provide the SD-WAN, the SASE POPs, the data centers, the Tier 1 Internet connections, and the fiber network underneath it all. A true one-stop-shop for “edge to everywhere” connectivity.
SSE from Zayo offers agility, flexibility, and choice. Zayo works with a number of SSE vendors to tailor-fit the solution to each customer’s current and future requirements.
Already operate an SD-WAN? We can work with your existing network by layering best-in-class security with managed edge equipment. We offer a two-vendor, a single-vendor, or a hosted hardware approach while managing the whole thing.
SD-WAN from Zayo is unmatched in our industry. We can deploy thousands of locations in days. We do this using automation to enable scaled, rapid deployment without human configuration errors, but with a dedicated project manager.
The addition of SD-WAN need not occur all at once though – removing the risk from this change. As you explore SD-WAN and decide you love it, we can easily connect new locations by shipping pre-configured edge hardware in a plug-and-play mode. API integration with your ITSM ensures we stay in sync, providing better two-way ticketing and status visibility.
SASE from Zayo provides you with ultimate visibility and control using our intuitive “single pane of glass” portal. The zInsights portal provides insights on end-to-end application and device performance for all your sites and networks. You’ll see how the network responds to performance issues, assigning bandwidth dynamically to the applications demanding it, in real time. This prevents outages and keeps the company-wide CEO-hosted Zoom call rolling.
Our solutions are designed to meet you where you are today and connect what’s next for your business. Let’s make 2023 the year of your unified network, staff, and data security.