CM – Security Think Tank: SASE – more than the sum of its parts?


SASE (Secure Access Service Edge) is provided as a service based on the integration of five technologies: Software-Defined WAN (SD-WAN), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA) and Firewall as a Service (FWaaS).

SASE is currently being strongly promoted by various providers, but has just left the « peak of excessive expectations » in the Gartner hype cycle behind in terms of maturity . In terms of component technologies, FWaaS is currently at the peak of the curve, while the other four – CASB, SWG, SD-WAN and ZTNA – are climbing the “slope of enlightenment”.

So what makes an integration of these component technologies more than the sum of its parts? What are the advantages and pitfalls? And what should we ask the suppliers at the end of their pitch?

Most large companies typically run a hybrid model with some services and data in the cloud and others on-premise. These organizations will already use a CASB to mediate identities between different cloud services and the fixed environment – and most will have users who work either from the office or remotely via a VPN that connects to a central location / p> The traditional approach is for remote workers to connect using a full-tunnel VPN so that all data traffic goes through the company’s fixed infrastructure. With a small number of remote workers and most of the data and services on-site, this works well. However, as a result of the pandemic and the relocation of services and data to the cloud, we’ve seen a dramatic increase in remote access, creating congestion on VPNs as well as bottlenecks in centralized infrastructures when remote users access the cloud.

SASE wants to avoid this by allowing remote users to securely connect directly to cloud services and corporate infrastructure as needed. This is achieved in part by using SD-WAN to dynamically change connectivity and CASB to broker the various services. Nevertheless, SASE also adds zero trust through ZTNA, WSG and FWaaS in order to enable more precise access to data and services and to improve general security.

This is offered as a single service that is directly secure from the user’s point of view Provides connection to all services and data without the bottleneck of the firm infrastructure of the company. From a business perspective, it provides additional security and is provided as a service, reducing initial capital and maintenance costs.

Given that SASE is an integration of existing technologies, why not look for the best in each technology and the Perform integration yourself? In theory this would be possible, but in practice SASE requires very close integration between the various component technologies – especially in the area of ​​identities. CASB, ZTNA, SWG etc. have to be configured more or less with the access rights of the users.

The use of different developer components and the separate configuration of the access rights for each one is impractical and can lead to errors.

The change however, SASE does not solve all security problems. By moving away from the traditional VPN that connects the company and regional offices to head office and then to the Internet, users will be able to connect directly from anywhere. Any firm infrastructure in a company is effectively a set of services accessible through the cloud, and the company remains responsible for the security of that element. In addition, the end-user machines will remain the responsibility of the company.

In the traditional model, a full-tunnel VPN would have been used for users and remote offices, with no direct connection to the Internet. With SASE, user PCs and remote locations must be configured in such a way that they only connect to the cloud access point or, if a VPN is maintained, also to the company’s fixed infrastructure. In addition, the introduction of SASE would mean that the approach to security monitoring and incident response would have to be reviewed and updated.

If users connect via the cloud and mainly use cloud services, monitoring from the cloud must be used . Fixed infrastructure services and data storage would still need to be monitored, but now users are coming through the cloud. Even if the Internet access is via the cloud service and not via a VPN or from the company, the command and control channels of attackers or the data exfiltrated from a compromised endpoint may not be visible.

The SASE service provided must therefore be part of day-to-day security operations and an integral part of all incident response measures.

SASE is also a relatively new service in which the providers are fighting for a foothold. Nonetheless, the key to SASE is tight integration between the technologies. You should therefore beware of systems that are created through the acquisition of promising startups in order to gain access to the component technologies and to loosely integrate their technologies. This approach is unlikely to deliver on SASE’s promise.

Due to the need for tight integration of several different technologies, not all of which are the best, and the rapidly evolving individual technologies, the best are likely now won’t be the best in a few years. A cautious approach with the ability to switch supplier or step back if things don’t work is advisable.

A SASE service effectively extends your security area into the cloud, giving users direct access through that extended area or cloud Edge. It also provides more controlled access to data and services while reducing configuration and maintenance costs. However, this puts more responsibility for security in the hands of the service provider.

Therefore, this can be a step too far for some organizations such as Defense, Critical Infrastructure, and Finance, which traditionally keep all security in-house, at least for now. But for others who don’t have large investments in fixed infrastructure and want to outsource, this could be an attractive option. The others will follow in time.

Yoav Boaz of ServiceNow defines evolutionary vs. revolutionary approaches to business modeling and proposes a gradual digital …

The transition to business and digital transformation depends on a clear understanding of business capabilities and how they …

Strong bipartisan support for cartel reform has led to the introduction of numerous cartel reform bills that may include …

Safety metrics need to be clear, actionable, and well-received by corporate governance. Learn how to create metrics that businesses …

New innovations come with an onslaught of risk and vulnerability. Use these three concepts to fuel innovation while …

Less than a week after Patch Tuesday in November, Microsoft released an unscheduled security update for Windows Server to …

Smart Factories are usually powered by technologies such as AI or IoT systems. Companies like Ford, John Deere and …

Implementing software-defined perimeter and zero-trust security models with an enterprise VPN adds significant user and …

AT&T sets up its latest managed SASE Service to companies using Cisco hardware. The features of the offer range from firewall and …

Learn more about these three big data frameworks and the respective use case. You can also consider options such as.

High performance computing requires specialized hardware to collect data and a software framework to help sort and process that data.

Kyndryl, the spin-off from IBM Services, debuted this week amid mixed analyst views on how it would fare. Kyndryl-CTO Antoine …

The database provider brings its latest database with a focus on providing optimized functionality for large deployments that …

The winter version of the cloud data provider updates its data platform with new features, so that companies query and …

The connection of different data sources for analyzes and machine learning is faster in the provider’s latest platform update, …

All rights reserved,
Copyright 2000-2021, TechTarget
Privacy Policy

Cookie settings

Don’t sell my personal information


Cloud computing,Palo Alto Networks,Cloudflare,Akamai Technologies,Forcepoint,Security,Cloud computing, Palo Alto Networks, Cloudflare, Akamai Technologies, Forcepoint, Security,,,,,

Donnez votre avis et abonnez-vous pour plus d’infos



[supsystic-newsletter-form id=4]

Vidéo du jour: