November 10, 2022

SASE—How to separate the good, the bad, and the ugly

Corey Kiesewetter

The idea of Secure Access Service Edge (SASE) has been around for a few years now and has seen more popularity than almost any other modern security architectural model.

Yet because of this popularity, so many tools and services have applied the SASE moniker to themselves that everything seems to be SASE at first glance. It can be hard to separate true SASE solutions from those simply labeled as such. This blog post is meant to help clarify some of the value that organizations can derive from true SASE platforms, some key points of what a SASE platform requires, and some important differences between some leading platforms.

 

SASE provides a key path to Zero Trust

One highly recognized value that SASE can deliver is easing the path to a Zero Trust security posture.  The details of a Zero Trust security posture are outside the scope of this writing, but it’s a mature security posture that most organizations would like to implement and those in the government and defense sectors are mandated to implement. 

SASE, above anything else, calls for a unified security platform that can provide identity-based access controls around resources like cloud applications, private applications, web access, and site-to-site connectivity.  We see the convergence of security around the first three channels:

  • Cloud apps
  • Web
  • Private apps

These three elements represent the security half of SASE, known as Security Service Edge (SSE).  These three channels should be handled uniformly, with the same identity constructs for users and the same sensitive data and malware protection capabilities.  This is one of the ways that SSE and SASE can simplify security—policies can be set up once with uniform consistency across different channels. This also provides value by covering the gaps left by a patchwork of loosely integrated point-products. 

Another important aspect of a SASE architecture is the cloud-native management plane and cloud enforcement capabilities.  By leveraging the cloud, organizations can have several instances of their security platform distributed throughout the world to give users everywhere a better experience. 

 

Not all cloud architectures are equal

It’s important to recognize the difference between SASE platforms built in privately-run cloud data centers and those built on global hyperscaler clouds like AWS and GCP. Many vendors in the SASE space have pursued the path of building out their own data centers. This strategy limits the overall compute and networking available to customers. Consider the raw amount of compute and networking capabilities at the disposal of security platforms that automatically scale on AWS, GCP or Azure versus that available to platforms run by SASE vendors that provision their own physical servers and networking equipment in their own data centers.

SASE solutions running on cloud platforms like AWS, GCP, or Azure are better able to support your organization’s growth and security needs, and in more places. This extends to your organization’s often unpredictable traffic demands, especially when they peak. You won’t have to worry about the scalability and reliability of SASE solutions running on the major cloud service providers.

 

Cloud-first does not mean cloud only

Even though SASE platforms are cloud-first, that doesn’t mean they should be cloud only. The networking half of SASE, SD-WAN, is a case in point. A full SASE solution requires both SSE and SD-WAN, and the SD-WAN portion allows enforcement of certain controls at the local network edge. Unified capabilities between SD-WAN and SSE can prioritize traffic routing for both performance and security with consistency and thus provide even more value. Platforms that can provide the same security capabilities in the cloud, at the branch/office, and on the endpoint can also provide resilience and optimum performance, because policies can be set up to enforce control wherever makes the most sense for any given scenario.

Beyond the networking piece, data security controls are also a key component of SASE solutions. SASE is designed to facilitate controlled access to many different types of resources for many different types of users, and it is the sensitive data used in these resources that represents the real value organizations need to protect.

Organizations that get breached have to pay fines, not because an application was down, but because the data in that application was compromised.  However, worse for an organization than a multi-million dollar fine for a compliance violation is getting critical information stolen, such as the schematics to a leading new innovation or the chemical formula for a new medicine.  These are all very different types of data which all have immense value for organizations and can be spread across a myriad of applications. Many times, organizations can’t tell exactly what sensitive data is located where, and who has access.  This can all be solved with a unified SASE platform that includes mature data security capabilities. 


Corey Kiesewetter is Forcepoint’s Product Marketing Manager for cloud security products, with a focus on SASE and Zero Trust applications.  Corey has been directly helping IT practitioners realize best practices in datacenter operations the past decade and holds a degree in...
