Why SASE Must Support ALL Edges, ALL Traffic, and ALL Applications

Dave Greenfield
October 18, 2020

As SASE becomes more widely adopted in the industry, there are wide discrepancies in the use of the term. In its August 2019 report, The Future of Network Security Is in the Cloud, Gartner saw SASE (secure access service edge) as creating a single network for the complete enterprise, connecting and securing all edges everywhere.

Of late, though, some network providers want to selectively deliver only part of those capabilities, such as only providing secure access to the Internet. It’s really “sleight of marketing” to call implementing select capabilities “SASE,” as this doesn’t meet Gartner’s original definition of the term [bold emphasis added]:

The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.

SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.

In further describing SASE, the Gartner analysts wrote:

What security and risk professionals in a digital enterprise need is a worldwide fabric/mesh of network and network security capabilities that can be applied when and where needed to connect entities to the networked capabilities they need access to.

In short, SASE is meant to be one holistic platform for the complete network, covering all edges, all traffic, and all applications, i.e., the “entities” in the definition above.

The Legacy Network Can’t Be Overlooked

This complete network includes an enterprise’s legacy network. While enterprises are moving many applications and workloads to the cloud, as well as embracing mobility, there continues to be legacy infrastructure that still performs important functions. Workers in branch offices still need to access files in private datacenters. People in sales offices still need to use legacy applications left in private datacenters that are too sensitive or simply unsuitable to be moved to the cloud. Both scenarios, and many others, continue to require predictable, low-latency network performance between locations.

To deliver on those expectations, you’re going to need the right networking features. These include the route optimization to calculate the best path for each packet, the QoS in the last mile, and the dynamic path selection to move traffic to the optimum path. The global Internet is too unpredictable with too much latency to deliver high performance connections day in and day out. You’ll need the lower latency of a global private backbone and a fix for packet loss. Basically, it’s all the “networking stuff” that we take for granted today when building an enterprise WAN.

Site-to-Site Security a Must

And when traffic is sent between sites, it must be secured. It means ensuring that NGFW is in place to restrict access to resources, that anti-malware is used to prevent the lateral movement of malware across the organization, that DLP ensures that data isn’t being syphoned off in a breach.

Relying on separate products to address site-to-site traffic means that enterprises have to face the challenges of a multiplicity of systems (and maybe even vendors). IT ends up juggling multiple management consoles, each populated with siloed information, which makes operations more much more challenging. Visibility into the network is fragmented as data collection is spread across two (or more) solutions.

And because visibility is obscured, so is the ability to detect trends spanning site-to-site and Internet communications. For example, malicious content may bypass detection and be downloaded from the Internet. The malware might exfiltrate data to its C&C server or infect other WAN-based resources, such a file server. Such an approach might be missed if you weren’t looking at the networking and security domains for both Internet-based communications and site-to-site traffic.

SASE Sees It All

SASE spans all edges, applications, and traffic flows. Only a true SASE architecture has complete visibility and control over both network and security because they are converged into a single software stack. As noted in the recent Hype Cycle report, “True SASE services are cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.” Thus, data flows are inspected one time (called a single-pass architecture) to determine networking and security needs. For example, which way to steer the packets, how to prioritize data flows, how to impose security policies, whether there is malware present, etc.

Because all such evaluations are done in a single pass of the traffic – where the data flow is decrypted once, inspected, then re-encrypted – performance is truly enhanced. Contrast this to networks with separate security appliances or web services, which require the traffic to be decrypted, inspected and re-encrypted multiple times. This adds unnecessary latency to the network. It’s called “stitching together” a SASE-like solution, but hardly True SASE.

Dave Greenfield

Dave Greenfield

Dave Greenfield is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.