The term “SASE” started off as an elusive acronym that was hard to define and even harder to understand. SASE isn’t necessarily a product or a one-size-fits-all solution. SASE is a framework, and while it’s composed of different network access and security features, those features may vary from provider to provider.
It has always been my stance that there isn’t a perfect SASE solution for every company. It’s important to take a step back and analyze the environment (e.g., Where are the applications hosted? Where are the employees sitting? What does the workflow look like for these employees?) before making a decision. From there, we can get a good sense of which SASE features are going to be beneficial and we can make sure the providers we look at will fulfill those requirements.
Hopefully, this post will give you a place to start in that process. You’ll find a list of common SASE features and when it makes sense to use them below.
SASE Network Access Features
Software-Defined Wide Area Network (SD-WAN)
- SD-WAN is a solution that provides the most efficient connection to on-prem, cloud, or SaaS applications. With features like dynamic path selection and load balancing, companies can utilize bandwidth on two (or more) circuits to optimize their network and improve user experience.
- SD-WAN takes measurements of latency, packet loss, jitter, and congestion, and uses them to “choose the best path” for network traffic. It also allows for application prioritization and increased network visibility.
- Within the world of SASE, we are typically talking about an SD-WAN solution using gateways or POPs (points of presence).
- Who can benefit: Companies with at least two circuits at each site and/or distributed locations. Companies who are experiencing issues connecting to certain applications.
Not sure what I mean by gateway or POP-based SD-WAN? I’ve got you covered with this post on SD-WAN architecture types!
WAN Optimization
- WAN Optimization is meant to increase the speed with which a user can access applications. This is achieved using features such as data caching, deduplication, and compression.
- With the rise of SD-WAN, we are seeing less demand for WAN Optimization, but we do see some SD-WAN providers using it within their network.
- Who can benefit: Companies facing issues with performance of mission-critical applications using TCP traffic (i.e., not UDP, like voice and video).
Content Delivery Network (CDN)
- A CDN is a geographically distributed group of servers that work together to improve website load times, reduce bandwidth costs, increase availability/redundancy, and improve website security.
- The main benefit from a CDN is that website resources are pushed to globally distributed servers, getting content closer to end users, which ultimately decreases the amount of time they must wait for a webpage to load.
- Who can benefit: Anyone with a website or online presence.
Bandwidth Aggregation
- Bandwidth aggregation refers to the service of procuring circuits from global, national, and local carriers, and providing one bill to the end customer. These circuits can be any kind of transport, including broadband, DIA (Dedicated Internet Access, often fiber), 5G/LTE, fixed wireless, etc.
- Who can benefit: Companies who want a single bill for SASE, circuits, and management.
Network as a Service
- A managed service for a company’s network, including proactively monitoring circuits, opening trouble tickets with carriers, and fixing network issues on the customer’s behalf.
- This service can be for a network that the provider sourced for the customer (via bandwidth aggregation), or a network that the customer has already deployed.
- Who can benefit: Companies with short-staffed IT teams that no longer have the time or willingness to manage the network.
SASE Security Features
Cloud Access Security Broker (CASB)
- CASB encompasses several features that all work together to secure users’ connections to cloud-based applications and resources. These features can include authentication, single sign-on, credential mapping, device profiling, encryption, tokenization, and more.
- CASB can sit at a customer’s site or be hosted in the cloud. With SASE, it’s usually hosted.
- Instead of blocking or allowing all access to certain cloud-based resources, CASB makes an intelligent decision to block/allow based on identity, activity, application, and data.
- Who can benefit: Companies with users accessing cloud- or SaaS-based applications.
Secure Web Gateway (SWG)
- SWG is a set of features that protect end user devices from web-based threats. These features include URL filtering, malicious-code detection/filtering, and application controls for popular applications.
- SWG also serves as a way for companies to enforce web policies, such as blocking access to certain websites.
- Who can benefit: Companies with users who are accessing the internet outside of a VPN.
Zero Trust Network Access (ZTNA)
- ZTNA is a solution that provides secure remote access to a company’s applications and resources. The “zero trust” portion refers to a framework that is meant to only allow access to applications by users who need them. Their identity and context must be verified before access will be granted.
- ZTNA differs from remote user VPN because VPNs are designed to give company-wide access to remote users, whereas ZTNA is intended to limit access to only those that need it. Think of ZTNA as the evolution of remote VPN.
- Who can benefit: Companies with remote users accessing applications hosted on-prem or in a data center.
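The VPN-versus-ZTNA difference described above, as an added example that is not from the original post or any vendor's product: the same remote user is evaluated under both models. The application names, groups, and policy fields are hypothetical.

```python
from dataclasses import dataclass, replace

# Hypothetical per-application policy: who needs the app, and required context.
POLICIES = {
    "payroll": {"groups": {"finance"}, "managed_device": True},
    "wiki": {"groups": {"finance", "engineering"}, "managed_device": False},
    "git": {"groups": {"engineering"}, "managed_device": True},
}


@dataclass
class Request:
    user: str
    groups: set
    mfa_passed: bool
    managed_device: bool
    app: str


def vpn_reachable(req):
    """Remote-access VPN model: authenticate once, then every app is reachable."""
    return sorted(POLICIES) if req.mfa_passed else []


def ztna_decide(req):
    """ZTNA model: default deny, then check identity and context per application."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return (False, "no policy for application")
    if not req.mfa_passed:
        return (False, "identity not verified")
    if not (req.groups & policy["groups"]):
        return (False, "user has no need for this application")
    if policy["managed_device"] and not req.managed_device:
        return (False, "device context not acceptable")
    return (True, "allowed")


def ztna_reachable(req):
    """Applications this user and device would be granted, one decision per app."""
    apps = sorted(POLICIES)
    return [a for a in apps if ztna_decide(replace(req, app=a))[0]]


# Constructed request: an engineer on an unmanaged personal laptop.
ENGINEER = Request("alice", {"engineering"}, True, False, "git")

if __name__ == "__main__":
    print("VPN :", vpn_reachable(ENGINEER))
    print("ZTNA:", ztna_reachable(ENGINEER), ztna_decide(ENGINEER))
```
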
Firewall as a Service (FWaaS)
- FWaaS is a cloud-based service that includes next-generation firewall features such as URL filtering, advanced threat protection, intrusion prevention systems (IPS), and DNS security.
- FWaaS often overlaps with SWG, but there are a few differences. Most notably, SWG only inspects web traffic from remote endpoints, whereas FWaaS inspects all traffic from remote endpoints.
- Who can benefit: I think we can all agree that every company needs a firewall at the very least. FWaaS, specifically, is useful for companies with remote users, increasing cloud/SaaS usage, or several locations that need this functionality (i.e., to avoid buying firewall devices for every site).
Remote Browser Isolation (RBI)
- RBI is a service that protects against malicious websites by processing a web page within a browser hosted in the cloud. After the web page has been processed, it is delivered to the user to interact with it normally. It’s as if a picture or a copy of the website is delivered to the end device, but not the website itself.
- Any malware that might come from a website will be downloaded to the cloud-hosted isolated environment instead of the user’s local device.
- Who can benefit: Companies that are using an internet browser on a local device (i.e., they are not using VDI (Virtual Desktop Infrastructure) or DaaS (Desktop as a Service) for internet traffic).
Data Loss Prevention (DLP)
- DLP is a broad strategy to detect and prevent the loss or misuse of a company’s data through breaches, exfiltration transmissions, and unauthorized use.
- DLP provides the security team with complete visibility into data in use, in motion, and at rest. It performs content inspection and contextual analysis on messages sent to make sure sensitive data (e.g., SSNs, confidential information, etc.) isn’t being leaked. Alerts can be set up to notify the security team if this happens.
- Who can benefit: Virtually anyone.
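Content inspection plus contextual analysis for the SSN case mentioned above, as an added example that is not from the original post or any DLP product. The keyword list, the internal domain `example.com`, the action names, and the sample messages are assumptions constructed for illustration.

```python
import re

# Candidate SSNs: 3-2-4 digits separated by dashes or spaces.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")
# Words near a match that suggest the number really is an SSN (assumed list).
CONTEXT_RE = re.compile(r"\b(ssn|social security|tax id|payroll)\b", re.I)
INTERNAL_DOMAINS = {"example.com"}  # assumption: the company's own mail domain


def plausible_ssn(area, group, serial):
    """Content inspection: drop number ranges that are never issued as SSNs."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def inspect_message(sender, recipients, body):
    """Return a verdict for one outbound message; SSNs are masked in the result."""
    hits = []
    for m in SSN_RE.finditer(body):
        if not plausible_ssn(*m.groups()):
            continue
        # Contextual analysis: look for SSN-related words around the match.
        window = body[max(0, m.start() - 40): m.end() + 40]
        hits.append({"masked": "***-**-" + m.group(3),
                     "context": bool(CONTEXT_RE.search(window))})
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if not hits:
        action = "allow"
    elif external and any(h["context"] for h in hits):
        action = "block"   # likely SSN leaving the company
    elif external:
        action = "alert"   # SSN-shaped number, weak context: notify the team
    else:
        action = "log"     # stays internal, record for visibility
    return {"action": action, "hits": hits, "external": external, "sender": sender}


# Constructed sample messages (sender, recipients, body).
SAMPLES = [
    ("hr@example.com", ["hr@vendor.test"], "Employee SSN: 123-45-6789 attached."),
    ("dev@example.com", ["ops@vendor.test"], "Order ref 219-09-9999 shipped."),
    ("ops@example.com", ["it@example.com"], "Ticket 000-12-3456 closed."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_message(*sample)["action"])
```
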
Web Application and API Protection as a Service (WAAPaaS)
- WAAPaaS is a highly specialized solution meant to protect web applications and APIs by sitting in front of a public web application and analyzing incoming traffic. The features of WAAPaaS include bot management, Web Application Firewall (WAF), API protection, and DDoS protection.
- As an example, bot management has the ability to differentiate between bots and real users, and then block the illegitimate traffic.
- Gartner coined this term as an evolution of cloud web application firewall services.
- Who can benefit: Companies who are hosting web applications and/or web APIs.
What Comes Next?
Do any of these features sound like something you’d be interested in? We are always happy to chat! Feel free to fill out our short questionnaire and we will be in touch soon.