
What Is SASE (Secure Access Service Edge)?

Secure Access Service Edge (SASE) is a cloud architecture model that integrates software-defined wide area network (SD-WAN) with security functions such as secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS), and zero trust network access (ZTNA) into one holistic service. The core principle of SASE is to deliver this service to connection sources such as users, systems, endpoints, and remote networks over an integrated cloud platform, instead of relying on the traditional data center architecture.
The SASE architecture implements seamless network-security integration and provides a more flexible, efficient, and secure network access solution for enterprises. It enables enterprises to manage distributed network resources and security policies more effectively so that users can enjoy secure and efficient network access wherever they are.

Why Is SASE Necessary?

With the widespread adoption of new ICT technologies such as cloud computing, big data, the Internet of Things (IoT), and AI, digital transformation is gaining traction throughout a wide range of industries. At the same time, these technologies also bring many security risks and challenges. Recent years have seen large numbers of malicious security events. These can be caused by both external forces, such as advanced persistent threats (APTs), and internal violations, such as large-scale data leakages. This has driven information security owners of organizations to realize that traditional border protection methods can no longer meet network security requirements.

  • As network edges continue to expand and hybrid network environments spanning cloud and on-premises services are deployed more widely, enterprise network architectures are more complex than ever. Meanwhile, enterprises are still facing a severe challenge: a lack of collaboration between isolated security products and tools.
  • New technologies and applications provide new carriers for network attacks. This makes attacks more flexible, the attack process more covert, and technologies more intelligent. Worse yet, attacks may span networks, applications, content, and devices, making threat detection and source tracing incredibly difficult.
  • Digital transformation has become a major trend across industries, making data sharing and circulation integral to services. The security boundaries between previously isolated service networks will blur, and these services will converge with each other. This makes security control more difficult and presents a greater risk of information breaches.

According to Gartner's survey, 75% of enterprises are actively seeking comprehensive integration solutions from security suppliers; inefficient operations and inability to effectively tackle challenges arising from the integration of heterogeneous security architectures continue to raise concerns among security and risk management leaders. As such, they desire more efficient and fully integrated solutions that can replace the isolated single-point security products.

To address these challenges, in 2019 Gartner proposed the concept of SASE in The Future of Network Security Is in the Cloud to support emerging technologies required by digital enterprises.

In 2020, the Metro Ethernet Forum (MEF) released the MEF SASE Service Framework White Paper, with the aim of formulating a unified standard for the SASE service framework, covering SD-WAN, security, automation, and other standardization work. To further promote the standardization of SASE services, MEF also launched the SASE service definition project, aiming to develop a series of standardization specifications that include SD-WAN service attributes and framework, application security of SD-WAN services, zero-trust security framework and service attributes, common SD-WAN edge devices, performance monitoring and service preparation tests of SD-WAN services, and intent-based orchestration and policy-driven service processes.

Under the guidance of Gartner and MEF, SASE is developing in a more open and standardized direction, and a more open, flexible, and secure network is taking shape.

What Are the Benefits of SASE?

Compared with the traditional cyber security architecture, SASE brings the following benefits:

  • Improved security: SASE combines a medley of security services, such as FWaaS, SWG, and CASB, making it ideal for providing all-round security protection for customers. In addition, SASE supports ZTNA to ensure that only authenticated users, devices, and applications (rather than locations and IP addresses) can access network resources, improving overall security.
  • Simplified network management: SASE provides centralized network and security management to help simplify IT management and reduce management costs. Furthermore, SASE can automatically adjust security policies based on factors such as the user identity, device status, and location so that there is less need for manual configuration.
  • Higher performance and reliability: SASE uses SD-WAN technology to optimize data transmission paths for higher network performance and reliability. SASE services are available through globally distributed edge nodes so that users can quickly and securely access such services regardless of their locations.
  • Support for remote and mobile work: SASE ensures that remote and mobile users can securely access enterprise resources for easier remote work and collaboration. SASE does not depend on specific devices and supports secure access of many different endpoints.
  • Lower costs: SASE's cloud-based service model reduces enterprises' investment in hardware and infrastructure. SASE typically uses the pay-per-use mode. As enterprises only pay for the services they use, operational costs are also lower.
  • More flexible and scalable: SASE services can be quickly deployed to adapt to the fast-changing requirements of enterprises. SASE's cloud infrastructure provides high scalability so that enterprises can easily expand services on demand.
  • Better user experience: SASE enables seamless, secured access to enterprise resources for better user experience. By optimizing data transmission paths, SASE reduces the network delay and speeds up service response.

What Is the SASE Architecture? How Does SASE Work?

SASE's distinctive features shape an architecture built to adapt to ever-evolving network and security requirements.

SASE has the following features:

  • Identity-driven: The networking experience and level of access permissions are determined by user and resource identity, not simply an IP address. The identity associated with each network connection then directly determines the quality of service, route selection, and risk-driven security control. This reduces operational overhead by letting enterprises define one set of networking and security policies per user, without having to consider the device or geographical location.
  • Cloud-native: Gartner notes that the future of network security lies in the use of the cloud, which is considered the core feature of SASE. Key cloud capabilities include elasticity, self-healing, and self-maintenance. SASE can leverage these capabilities to reduce customers' operational costs, improve service deployment convenience, enhance service running resilience, and enable customers to access the network from anywhere.
  • Support for all edges: SASE creates one network for all company resources, covering DCs, branches, cloud resources, and mobile users. For example, SD-WAN devices support physical edges, while mobile clients and clientless browsers connect users on the go.
  • Globally distributed: To ensure that all network and security functions are available anywhere and deliver the best possible experience to all edges, the SASE cloud must be globally distributed. To this end, enterprises need SASE offerings with global POPs and peering connections, and those offerings must expand their footprint to deliver low-latency services to enterprise edges.

Based on these features, the SASE architecture is designed in logical layers, each with its own functions. The logical architecture of SASE consists of the management and control layer, security service edge (SSE) layer, network layer, and endpoint layer. Each layer provides different functions and consists of several core components, as shown in the following figure.

Overall architecture of SASE
  • Management and control layer: provides unified network and security management capabilities for endpoints, users, and applications. This layer is described below from three dimensions: management, control, and analysis.

    Management

    The controller, as the "smart brain" and core component of the SASE solution, provides network management and orchestration functions. The controller manages devices at the network layer, and collects and displays O&M information, such as network topologies, faults, and performance information, for end users from multiple dimensions. Network orchestration provided by SASE includes but is not limited to CPE deployment, WAN creation, VPN topology definition, and definition of various network value-added service policies.

    Control

    The core function of the SASE control layer is to control route-based forwarding and define the SASE network topology. Specifically, the control layer distributes VPN route and tunnel information and defines the overlay network topology. In addition, this layer provides inter-site IPsec key exchange and STUN server services. These functions are implemented by extending traditional BGP route reflectors (RRs). An RR can be deployed independently or combined with an existing edge site, and RRs support multi-tenancy.

    Analysis

    The analyzer provides security analysis and operations capabilities. Based on actual customer scenarios, the analyzer interconnects with border gateways and endpoints to provide basic capabilities such as data governance, log audit, threat detection, attack source tracing, response, and handling. Additionally, the analyzer collects threat intelligence, such as a threat information library, to provide security operations center capabilities, and offers security lab expert enablement to help customers carry out security O&M and improve protection effectiveness.

  • SSE layer

    Leveraging flexible modular combination, this layer provides users with security services, including traffic-type and non-traffic-type security capabilities such as ZTNA, FWaaS, SWG, and CASB.

  • Network layer

    This layer integrates network and security features through SASE gateways (such as firewalls), implementing LAN-WAN-security integration and providing a unified view of networks, security, and assets (endpoints, users, and applications). Also, this layer offers multi-VPN instance access capabilities by extending BGP EVPN, meeting service isolation requirements of different tenants. After BGP is integrated with IKE, tunnels can be automatically created between branches, achieving rapid site deployment within minutes. Furthermore, a standalone EVPN RR can function as a controller to implement horizontal expansion, so as to meet the scalability and reliability requirements of large-scale networking involved in SASE.

  • Endpoint layer

    This layer supports mobile and fixed OSs, is compatible with third-party security components, and provides ZTNA and EDR/EPP endpoint protection capabilities.

SASE generally exposes its services to end users through user interfaces (UIs) in one of two ways. The first is an enterprise-developed portal that integrates the end-to-end SASE service provisioning and enablement process; it is mainly for enterprise tenants' own use and for solution demonstration. The second is for carriers or enterprise customers to use the northbound open application programming interfaces (APIs) of the SASE controller to integrate the SASE solution into their own business support system (BSS) or operations support system (OSS) and customize the UI flexibly.

What Are the 5 Core SASE Components?

Standard SASE components defined by Gartner include SD-WAN, ZTNA, FWaaS, SWG, and CASB.

Five core components of SASE
  • SD-WAN: separates network logic from underlying physical network links (e.g., Internet connections provided by MPLS, broadband, or wireless links) and routes site-to-Internet and site-to-site network traffic to its intended destination in best-effort mode.
  • ZTNA: Based on the principle of "never trust, always verify", strict identity authentication and authorization are required for each access request. To elaborate, fine-grained access control is implemented to ensure that only authorized users and devices can access specific applications and services. ZTNA is typically integrated with identity and access management (IAM) systems to perform dynamic and context-aware access control. Users can access the network only after passing authentication and their access behaviors are monitored in real time, helping to prevent unauthorized access and handle security threats in a timely manner.
  • FWaaS: provides firewall functions as a cloud service. It moves the traditional hardware-based firewall functions to the cloud and provides and manages firewall services through cloud service providers, so as to safeguard enterprise networks and applications.
  • SWG: safeguards users' Internet access. It integrates multiple functions and technologies to control, monitor, and protect web traffic, so as to prevent the spread of malware, malicious websites, and malicious content.
  • CASB: a solution used to protect the security and compliance of enterprises when they are using cloud services. It acts as an intermediate agent between the enterprise intranet and the cloud service provider, providing enterprises with high visibility, control, and protection of data and applications in the cloud environment.

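The identity-driven feature described in the architecture section and the ZTNA component above both come down to the same decision logic: an access request is allowed or denied on the basis of who the user is, what the device's posture is, and what the policy for the requested application says, never on the source IP alone. The following Python block is an added illustration of such a policy decision point; it is not Huawei's or any vendor's code, and the attribute names, policies, and sample requests are constructed for this example.

```python
"""Identity-driven access decision in the ZTNA style (added example).

Not vendor code. The request attributes, policy model and sample values
below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset            # roles asserted by the IAM system after authentication
    mfa_passed: bool            # whether the session completed multi-factor authentication
    device_managed: bool        # enrolled with the enterprise endpoint agent
    device_compliant: bool      # EDR/EPP posture check passed (constructed boolean)
    source_ip: str              # carried for audit logging only, never used to decide
    application: str


@dataclass(frozen=True)
class Policy:
    application: str
    allowed_roles: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True


# Constructed sample policies: a sensitive HR portal and a low-risk wiki.
POLICIES = {
    "hr-portal": Policy("hr-portal", frozenset({"hr", "admin"})),
    "wiki": Policy("wiki", frozenset({"employee", "hr", "admin"}),
                   require_mfa=False, require_managed_device=False),
}


def decide(req: AccessRequest, policies=POLICIES) -> tuple:
    """Evaluate one request; returns (decision, reason) with default deny."""
    policy = policies.get(req.application)
    if policy is None:
        return "deny", "no policy for application"
    if not (req.roles & policy.allowed_roles):
        return "deny", "role not authorized"
    if policy.require_mfa and not req.mfa_passed:
        return "deny", "mfa required"
    if policy.require_managed_device and not (req.device_managed and req.device_compliant):
        return "deny", "device not managed or not compliant"
    return "allow", "identity, mfa and device posture satisfied"


def audit_line(req: AccessRequest, decision: str, reason: str) -> str:
    """Format the decision for the analyzer; the IP is recorded, not trusted."""
    return (f"user={req.user} app={req.application} src={req.source_ip} "
            f"decision={decision} reason=\"{reason}\"")


if __name__ == "__main__":
    # Same user, same application: the decision follows posture, not location.
    on_prem_noncompliant = AccessRequest("alice", frozenset({"hr"}), True, True, False,
                                         "10.0.0.5", "hr-portal")
    remote_compliant = AccessRequest("alice", frozenset({"hr"}), True, True, True,
                                     "203.0.113.7", "hr-portal")
    for req in (on_prem_noncompliant, remote_compliant):
        print(audit_line(req, *decide(req)))
```

Note that the request from the internal address is denied while the one from the public address is allowed, which is the point of "identity, not IP": the decision is driven by role, MFA status, and device compliance, and the source address only appears in the audit record.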
SASE vs. SD-WAN: What's the Difference?

SASE and SD-WAN are two different network technologies. SD-WAN focuses on network connection optimization, while SASE is a more comprehensive solution that not only optimizes network connections, but also provides integrated security functions. They differ in terms of functions and application scenarios. The following figure shows their key differences.

SASE vs. SD-WAN

SASE does not take the place of SD-WAN, but works with it. Indeed, they are not mutually exclusive, but complement and play to each other's strengths. Depending on their service needs and priorities, enterprises can choose to deploy SD-WAN independently or select the SASE solution that combines SD-WAN functions. In actual applications, many enterprises choose the gradual transition approach, deploying SD-WAN first and then introducing SASE if both service requirements and technology maturity permit.
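The SD-WAN component described earlier "separates network logic from underlying physical network links", and the comparison above puts SD-WAN on the connection-optimization side of the SASE picture. The Python block below is an added illustration of what that decoupling means in practice: application classes are mapped to SLA thresholds, and the best transport is chosen from live link measurements rather than being fixed per circuit. It is not Huawei's or any vendor's implementation; the link names, SLA values, and measurements are constructed for this example.

```python
"""Application-aware path selection over abstracted WAN links (added example).

Not vendor code. The transports, SLA thresholds and measurements are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkMetrics:
    name: str           # underlay transport, e.g. "mpls", "broadband", "lte"
    latency_ms: float   # measured one-way latency
    loss_pct: float     # measured packet loss
    jitter_ms: float    # measured jitter
    cost_rank: int      # lower is cheaper; used to prefer economical links


@dataclass(frozen=True)
class AppSla:
    app_class: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


# Constructed SLA table: tighter bounds for real-time traffic, loose for bulk.
SLAS = {
    "voice": AppSla("voice", 150, 1.0, 30),
    "saas": AppSla("saas", 250, 2.0, 50),
    "bulk": AppSla("bulk", 1000, 5.0, 500),
}


def meets_sla(link: LinkMetrics, sla: AppSla) -> bool:
    """True when every measured metric is within the class thresholds."""
    return (link.latency_ms <= sla.max_latency_ms
            and link.loss_pct <= sla.max_loss_pct
            and link.jitter_ms <= sla.max_jitter_ms)


def select_path(app_class: str, links, slas=SLAS) -> str:
    """Return the name of the link to carry this application class.

    Preference order: the cheapest link that meets the SLA (latency as
    tie-breaker). If no link meets the SLA, degrade gracefully to the
    link with the lowest loss, then lowest latency, i.e. best effort.
    """
    sla = slas[app_class]
    compliant = [l for l in links if meets_sla(l, sla)]
    if compliant:
        return min(compliant, key=lambda l: (l.cost_rank, l.latency_ms)).name
    return min(links, key=lambda l: (l.loss_pct, l.latency_ms)).name


# Constructed measurements for three transports at one branch.
LINKS = [
    LinkMetrics("mpls", 40, 0.1, 5, cost_rank=3),
    LinkMetrics("broadband", 60, 0.5, 20, cost_rank=1),
    LinkMetrics("lte", 120, 2.5, 60, cost_rank=2),
]

if __name__ == "__main__":
    for app in SLAS:
        print(f"{app:>6} -> {select_path(app, LINKS)}")
    # Broadband degrades: voice moves to MPLS without any per-circuit change.
    degraded = [LINKS[0], LinkMetrics("broadband", 60, 3.0, 80, cost_rank=1), LINKS[2]]
    print(f" voice (degraded broadband) -> {select_path('voice', degraded)}")
```

The selection is re-evaluated on every measurement cycle, so when the broadband link's loss rises above the voice threshold, voice traffic shifts to MPLS while bulk traffic keeps using the cheaper circuit. This is the "network logic" that SD-WAN carries independently of the physical links; SASE layers the security functions on top of this forwarding decision.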

Relationship between SASE and SD-WAN

SASE Security Solutions

As digital transformation gathers pace, it is crucial to provide users with more agile, secure, and convenient services. Thanks to its all-round strength, SASE has become a focus in the cyber security domain, with a series of vendors launching their SASE solutions to meet the urgent requirements for efficient, flexible, and integrated security services.

Huawei not only provides cloud-network-security-endpoint integrated products and solutions, but also offers full-scenario, 24/7 analysis and control capabilities through its Xinghe Intelligent SASE Solution. This unified network-security convergence solution complies with the MEF SASE model standards and integrates SD-WAN networking, security, and remote management. This makes it ideal for implementing unified monitoring, analysis, and operations. This integrated approach greatly reduces the potential scope of threats and enables quick response to threats, providing network-security convergence SASE solutions and services for enterprises' digital transformation. Additionally, this feature-rich solution ensures that users can enjoy flexible delivery experience in the SASE environment and the entire network, and obtain consistent enterprise-level security protection on any edge network. For more solution details, see Huawei Xinghe Intelligent SASE Solution. For details about solution deployment and maintenance, see Huawei Xinghe Intelligent SASE Solution Documentation.

About This Topic
  • Author: Yu Qi, Yang Xiaofen
  • Updated on: 2024-12-11