When a famous global research firm, such as Gartner, describes an emerging technology in a report with a phrase like “the future” in its title, the industry tends to stop and listen.
In a piece of research released 2019, the analyst firm Gartner coined the term “Secure Access Service Edge” and also confirmed the correct pronunciation of the acronym SASE. Which is, of course, “sassy”.
Gartner’s report was titled ‘The Future of Network Security Is in the Cloud’.
Its authors said that network security architectures that “place the enterprise data centre at the centre of connectivity” were fast becoming an “inhibitor to the dynamic access requirements of digital business”.
Writing before the coronavirus pandemic forced businesses to rapidly shift to a remote working model, Gartner called on security and risk management leaders to “position the adoption of SASE as a digital business enabler in the name of speed and agility”.
“Digital business and edge computing have inverted access requirements, with more users, devices, applications, services and data located outside of an enterprise than inside,” it wrote.
Today, the need for secure home-working solutions has made the case for Secure Access Service Edge even more pronounced. After all, we have already lived through a move away from enterprise-based locations which is unprecedented in human history.
So, what is SASE, why is it the future of network security, and, whilst we’re on the topic, can we learn to live with a striking acronym that Gartner VP Analyst Andrew Lerner admitted was one that “I actually don’t love saying”?
What is Secure Access Service Edge (SASE)?
SASE represents the convergence of network as a service, such as software-defined WAN (SD-WAN) with security as a service including SWG, CASB and firewall as a service (FWaaS), delivered wherever users or devices are located.
Secure Access Service Edge serves the needs of digital transformation and a world where the perimeter is no longer “entombed in a box at the data centre edge” but anywhere the enterprise needs it to be.
Gartner wrote: “The legacy ‘data centre as the centre of the universe’ network and network security architecture is obsolete and has become an inhibitor to the needs of digital business.
“Digital business transformation inverts network and security service design patterns, shifting the focal point to the identity of the user and/or device — not the data centre. Security and risk management leaders need a converged cloud-delivered secure access service edge to address this shift.”
SASE in an early stage of development right now, with Gartner suggesting adoption will trickle into the mainstream over the next 5 to 10 years.
SASE is not a single product or something you can go and buy off the shelf. It is a model or framework to guide the bringing together of component parts to create a Secure Access Service Edge.
This means that a healthy scepticism towards vendor marketing claims is strongly advised. Many product teams and marketers would like you to believe they have a SASE product offering on sale today, but this is just not the case.
However, Gartner predicts that by 2024, 40% of businesses will have a plan to adopt SASE architectures. The best way to be prepared for the change that’s coming is to get started and lay the groundwork for a SASE.
It’s important to start planning as soon as possible to ensure short term tech decisions don’t make the journey longer or harder.
What is Zero Trust and why is it linked to SASE?
Components to develop a SASE are already hitting the market. For many organisations, the first stop on their journey, will be Zero Trust Network Access (ZTNA).
It may sound like an extreme security stance, but the truth about Zero Trust is rather gentler. It hinges around the premise that trust is never granted implicitly but must be continually evaluated, with the security ecosystem adapting to changes in risk accordingly.
The whole concept of Zero Trust becomes even more relevant now that people are working out of bedrooms and kitchens. Up to now, network security has been built on TCP/IP, which was designed at a time when trust could be assumed under much easier and controlled conditions.
Unfortunately, this unwarranted implicit trust has led to excessive latent risk, particularly as IP addresses are weak identifiers and can leave organisations vulnerable. This vastly increases the risk of Account Takeover (ATO) attacks, which are already a major concern in the remote working era and can have a huge financial and reputational impact on organisations.
Implementing Zero Trust Network Access (ZTNA) allows IT teams to verify and assess risk continuously. Whereas the old model was based on ‘connect then authenticate’ with ZTNA this is turned on its head and becomes ‘authenticate then connect’.
The adoption of ZTNA will drive the death of the VPN, which businesses currently use to protect remote devices. By implementing ZTNA, businesses can enable access whilst authenticating first to an intermediary layer (the ZTNA controller) before connecting to applications and associated data.
If your organisation is heading for SASE, you should make sure ZTNA is part of its roadmap.