Organizations that embrace work-from-anywhere and hybrid work models need security that scales with the network. SASE does just that.
It delivers secure, direct connections for users and applications. It does this by distributing cloud-based authentication gateways closer to distributed users rather than relying on centrally located security services.
It consolidates networking and numerous security capabilities into a single service, offering cost savings by eliminating management complexity.
SASE represents a shift from traditional network-centric security models to more user-centric and cloud-based approaches.
Zero Trust Network Access (ZTNA)
Unlike legacy remote access technologies, Zero Trust models require users to authenticate multiple times and continuously verify identity. They use device, user, and network security context to determine whether users can enter a subnet. By reducing the attack surface, this strategy strengthens the basis for other crucial security measures such as least privilege and multi-factor authentication.
With Zero Trust, an organization can limit application access based on business needs. This helps protect cloud environments, prevents data exfiltration, and ensures users only see the data and applications they are authorized to use. As such, choosing a solution that can deliver adaptive and contextual access is essential.
To accomplish this, a Zero Trust solution uses a Software-Defined Perimeter, which hides applications and data from users who are not authorized to view them. It also makes outbound-only connections that render the internal network invisible to unauthorized users and devices. This way, only traffic destined for the corporate internet passes through ZTNA.
To support the Zero Trust model, SASE bundles NGFW, firewall, and other security functions into a single platform that delivers optimal network connectivity and cloud-based security. By putting these security tools as close to users as possible, organizations can eliminate the need for centralized hardware appliances and cut costs. It also puts them in a position to quickly respond to threats that may emerge from the web and other sources.
Context-Aware Access
The ability to make decisions about access based on context is a critical component of SASE security. Context is determined by the characteristics of a user or endpoint: who they are, what they're trying to access, how they're connecting (public WiFi, work from home, etc.), and what device they're using. Context-aware access considers all of this to grant the right level of access or to deny access.
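The following is an added example, not taken from the original article or from any vendor's product, of how a context-aware decision could combine the four signals above (who, what, how they connect, which device). The policy table, role names, network labels and the `decide` function are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical policy: which roles may reach each resource, and whether
# the resource requires an organization-managed device.
POLICY = {
    "payroll-app": {"roles": {"finance"}, "managed_device_only": True},
    "wiki": {"roles": {"finance", "engineering"}, "managed_device_only": False},
}
# Assumed network labels; any other value is treated as untrusted.
LOWER_RISK_NETWORKS = {"corporate", "home"}


@dataclass(frozen=True)
class AccessContext:
    user: str             # who they are
    role: str
    resource: str         # what they are trying to access
    network: str          # how they are connecting
    device_managed: bool  # what device they are using
    device_patched: bool


def decide(ctx: AccessContext) -> str:
    """Return 'allow', 'step_up' (require MFA again) or 'deny'."""
    rule = POLICY.get(ctx.resource)
    # Default deny: unknown resources and unauthorized roles get nothing.
    if rule is None or ctx.role not in rule["roles"]:
        return "deny"
    # Device posture is a hard gate regardless of identity.
    if not ctx.device_patched:
        return "deny"
    if rule["managed_device_only"] and not ctx.device_managed:
        return "deny"
    # Riskier context lowers trust instead of blocking outright.
    if ctx.network not in LOWER_RISK_NETWORKS or not ctx.device_managed:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests: same user, different context.
    for net in ("home", "public_wifi"):
        ctx = AccessContext("alice", "finance", "payroll-app", net, True, True)
        print(net, "->", decide(ctx))
```

The decision depends on identity and context rather than source IP address, and the same user receives a different answer when only the network or device changes.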
Single-Pass Architecture
Organizations must have a unified network and security architecture to maximize the benefits of SASE. Without one, jumping straight to a SASE solution can cause unnecessary redundancies and increase management overhead. In addition, the unified approach of SASE must allow for consistent networking, security, user, application, and analytical policies across all environments. This eliminates the need for redundant third-party services and helps to reduce the number of tools needed to manage networks.
To achieve this, SASE solutions should offer a single-pass architecture. This allows for inspecting network traffic only once, reducing latency and improving performance. This feature is a necessity since the unified design of SASE means that all networking functions, policy lookups, and security inspection engines are combined into a single device. In addition, SASE solutions should support in-line encryption and multitenant segmentation.
A SASE security platform should also provide advanced capabilities like SD-WAN, cloud access security broker (CASB), secure web gateway, and Zero Trust network access. These advanced features help organizations minimize backhauled connections, lower transport costs, improve data center aggregation, and reduce WAN/LAN latency. Finally, a SASE security platform should support seamless, end-to-end resiliency by automatically moving traffic between Cato appliances within a PoP or across multiple PoPs to avoid losing connectivity or performance. This feature is essential given the increasing use of cloud applications by employees.
Web Application and API Protection
While traditional security approaches and technologies lack the visibility and control that digital organizations need, SASE offers a way to solve these problems. It provides granular access control based on identity (not location or IP address), allowing organizations to better support remote and mobile users and to secure dynamic services, software-as-a-service applications, and distributed data.
SASE uses software virtualization to deliver secure networking and security at the edge, whether in a global point of presence (PoP), data center, IaaS, or colocation facility. IT executives set policies through a cloud-based management platform, which SASE enforces at the distributed edge without tunneling traffic back to the data center or "hairpinning" it through a distant PoP. This results in a great user experience with low latency while boosting application availability and minimizing network costs through SASE-based optimization.
SASE also includes a suite of security services, such as secure web gateways, firewalls, anti-malware, and intrusion detection/prevention. These are unified into a single solution that reduces complexity and administrative costs. In addition, by delivering infrastructure and security together in a single SASE suite, IT teams can spend less time managing multiple tools and more time on high-value projects. This can result in significant cost savings for organizations.

