March 21, 2022
How SASE Combines Security and Access
Organizations can secure remote access to applications while reaping the benefits of scale and performance.
Secure access service edge is still somewhat new, but it is emerging as a strategy that brings together approaches to improve security (via security service edge, or SSE) and access (via software-defined wide area networking, or SD-WAN). If organizations are starting from scratch to improve or secure remote access to applications, they may need to implement a full SASE architecture. In many cases, however, they may already have one component or another in place, and they can deploy SSE or SD-WAN to fill the gaps.
In a nutshell, SASE combines security and networking: getting users to an application wherever they are, securely and efficiently, while addressing performance, user experience, risk management and compliance. For example, if an organization has a solid security stack on-premises but needs better access for remote employees, it can deploy SSE to cover its remote users, including remote zero-trust network access (ZTNA). On the flip side, if an organization has SSE deployed to support a remote workforce but wants to optimize branch connectivity, it can use SD-WAN for optimized access and link it to the SSE so that branch and remote traffic are governed by one security policy.
Currently, few vendors deliver a full SASE architecture, which means organizations must assemble the best solution for their specific environments. The good news is that most of these solutions generally play well together. At the same time, all sorts of interdependencies come into play during these architecture discussions. So, it helps to seek guidance from experts who understand the landscape and can provide the right advice for each environment.
Understanding the Security Components of SASE Architecture
Much of the ambiguity around SASE architecture has to do with security. To start with, SSE comprises the nuts and bolts: secure web gateway, cloud access security broker, data loss prevention, cloud-delivered firewalls and remote ZTNA.
The main benefits of SSE are speed to deployment, scale and performance. The “as a service” model allows an administrator to quickly roll out the solution and make changes to the deployment without the time and effort it takes to deploy a hardware stack. This also provides the flexibility to avoid overprovisioning and underprovisioning, as SSE is right-sized based on user counts or bandwidth. Performance improves because security components are no longer hosted on-premises but run at multiple points of presence in the service provider’s facilities, so users connect to the nearest one and generally get more direct access to applications, many of which are cloud-based. The caveat is that the gain depends on where those points of presence sit relative to the users and the applications: traffic bound for an application that still lives in the data center is inspected in the cloud and then carried back on-premises, so that path should be measured rather than assumed.
Many organizations get started on SSE when they adopt remote ZTNA. In a remote access sense, ZTNA is essentially a VPN replacement deployed on-premises or off-premises, generally in a role-based format with some form of identity integration. The security-relevant difference is that a VPN places an authenticated user on the network, where everything reachable is implicitly in scope, whereas ZTNA brokers access to specific applications and evaluates each connection against the user’s identity, role and typically device posture. The whole point of ZTNA is that no user is presumed to have access to any specific data set or workload simply by being connected; access is denied unless a policy grants it. That default-deny stance is what makes ZTNA valuable for both remote and onsite locations.
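The decision logic described above, reduced to a runnable sketch. This is an added illustration, not code from CDW or from any SSE or ZTNA vendor; the applications, roles, policy rules and request attributes are all assumed for the example. It contrasts a VPN-style check, which asks only “is the user authenticated?”, with a ZTNA-style policy decision that denies by default and grants per application based on role, device compliance and MFA.

```python
"""Default-deny, per-application access decision in the ZTNA style.

Added example only. The apps, roles and rules below are constructed for
illustration and do not describe any real environment or product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access attempt, as the policy engine would see it."""
    user: str
    roles: frozenset          # roles asserted by the identity provider
    authenticated: bool       # primary authentication succeeded
    mfa: bool                 # a second factor was satisfied
    device_compliant: bool    # posture check passed (assumed attribute)
    app: str                  # target application, not a network segment


@dataclass(frozen=True)
class Rule:
    """Who may reach one application, and under which conditions."""
    app: str
    allowed_roles: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True


# Constructed policy: anything not listed here is unreachable.
POLICY = (
    Rule("payroll", frozenset({"hr"})),
    Rule("wiki", frozenset({"employee", "hr", "engineering"}),
         require_mfa=False, require_compliant_device=False),
    Rule("prod-db-admin", frozenset({"engineering"})),
)


def vpn_decide(req: Request) -> tuple[str, str]:
    """VPN-style check: once authenticated, the user is on the network and
    the application is reachable regardless of role or posture."""
    if req.authenticated:
        return ("allow", "authenticated; network-level access granted")
    return ("deny", "not authenticated")


def ztna_decide(req: Request, policy=POLICY) -> tuple[str, str]:
    """ZTNA-style check: evaluate this request against the rule for this
    application. No matching rule, or any failed condition, means deny."""
    if not req.authenticated:
        return ("deny", "not authenticated")
    for rule in policy:
        if rule.app != req.app:
            continue
        if not (req.roles & rule.allowed_roles):
            return ("deny", f"role not permitted for {req.app}")
        if rule.require_mfa and not req.mfa:
            return ("deny", f"MFA required for {req.app}")
        if rule.require_compliant_device and not req.device_compliant:
            return ("deny", f"device posture not compliant for {req.app}")
        return ("allow", f"policy rule matched for {req.app}")
    # Default deny: being on the network is not a grant.
    return ("deny", f"no policy for {req.app} (default deny)")


if __name__ == "__main__":
    # Constructed requests: same engineer, two different applications.
    eng_to_payroll = Request("dana", frozenset({"engineering", "employee"}),
                             authenticated=True, mfa=True,
                             device_compliant=True, app="payroll")
    eng_to_wiki = Request("dana", frozenset({"engineering", "employee"}),
                          authenticated=True, mfa=False,
                          device_compliant=False, app="wiki")
    for req in (eng_to_payroll, eng_to_wiki):
        print(req.user, "->", req.app,
              "| VPN:", vpn_decide(req)[0],
              "| ZTNA:", ztna_decide(req)[0])
```

Run it and the engineer reaches payroll under the VPN model but is refused under ZTNA, while the wiki, which the policy treats as low-sensitivity, is reachable either way. Swapping the policy tuple for rules pulled from the identity provider is the integration step the article refers to; the engine itself stays this small.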
Defining Needs Within the SASE Architecture
The access side of SASE also involves SD-WAN, which optimizes communication between branches and from branches to applications. ZTNA handles the remote-user side of access, and SSE provides user security for those remote connections; the same SSE can also secure branch traffic where a branch has no on-premises security stack of its own, so the branch is protected by the cloud-delivered policy rather than by local hardware.
If an organization is starting from scratch, with a traditional network and network security approach in which all components are hosted on-premises and branches are connected via legacy service providers, it probably should consider a SASE deployment. That’s especially true if the organization expects its employees to continue with a hybrid mix of office and remote work.
If the organization has already deployed a VPN, for example, but has scale and performance issues, it may need SSE to improve the user components. Most likely, it already has some elements of this architecture in its environment. Addressing the gaps is a matter of seeing what the organization has in place, what it can reuse and what it can integrate as it shifts to this new model.
Story by Robert Herriage, who leads CDW’s presales secure access service edge and multicloud networking practices.