Secure Access Service Edge (SASE): The Security-Driven SD-WAN

Learn how SD-WAN and SASE can complement one another to design a network with more contextual intelligence and central policy management.
Male in blue shirt working in front of the window during the day with three computers

What good is transport without security? No one wants to take an unbelievably cheap flight to Hawaii if the airline has a terrible reputation for safety. The same principle applies to network transport and data delivery. What good is a software-defined wide area networking (SD-WAN) application-driven network if it’s not highly secure?

In our SD-WAN series thus far, we have looked at the technology itself and its use cases within a given IT shop, in addition to discussing some of the underlying protocols and methodologies that make SD-WAN possible from a carrier services delivery perspective. Today we will discuss the crux of any network services refresh initiative: Cybersecurity.

How Does SD-WAN Make the Network More Secure?

In short, it doesn’t. SD-WAN might have some features that seem to make an impact on cybersecurity, but in reality, these tools are not incredibly robust. The firewall included in an economical SD-WAN appliance is no different than the consumer-grade firewalls that accompany a router at your local big box electronics retailer. In fact, some SD-WAN providers simply recommend you turn it off and use something more intelligent that is cloud-based.

If SD-WAN is solving for my application delivery, what is solving for the integrity of that data as it traverses the internet, end to end? The answer lies in a newer technology trend that complements SD-WAN and security technologies called SASE (pronounced “sassy”).

What Is SASE?

Defined by Gartner, SASE stands for secure access service edge. This framework of solutions and methodology attempts to converge wide area network (WAN) capabilities with network security functions. This is still a loose framework as it formulates itself into something more long-standing and established, but there are five main cogs of SASE:

  • Software-defined wide area networking (SD-WAN): SD-WAN creates an overlay network that is used in tandem with any existing network infrastructure to create an application-centric experience for users accessing the cloud.
  • Secure web gateways (SWG): A cloud-based proxy that enforces standards on URL filtering, malicious code detection and application controls for communication apps like MS Teams, Slack, etc. This tool protects users from making bad decisions online but is not a substitute for cybersecurity awareness training.
  • Firewall as a service (FWaaS): A cloud-based firewall hosted in a data center that is patch managed by a third party responsible for creating a standard security experience. In some cases, the third party will manage alerts and log reporting. All components of SASE are cloud-based and there is no way to manage a secure network with a premises-based firewall.
  • Cloud access security broker (CASB): CASB is critical for extending a set of rules and regulations over software and infrastructure that are not corporate-owned, allowing end users to work in the most convenient way possible while staying secure. It enforces corporate network policy on top of SaaS-based applications that the end user does not have control over. This can also extend to development of heavy environment platforms and virtualized infrastructure, whether it is shared or private.
  • Zero trust network access: Zero trust network access is a contextual framework for user access and permissions. Think of this as a highly situational identity access management tool that permits and denies based on location, user, department, connection, time of day and typical behavior. Should someone in operations be accessing a payroll database from a coffee shop in Western Europe at 4 a.m.? If it’s out of character or protocol, zero trust network access will deny it and report it.

SASE is cloud-based, cloud managed and delivered as a service. It’s a global framework that includes identity access management tools that can be wrapped into users, devices, IoT initiatives or edge compute.

While SD-WAN was more limited to traditional network sites, SASE encapsulates more of the network refresh design models that IT shops are expected to adopt – and are adopting as edge compute becomes a more prevalent trend.

The key is that SASE enables a framework that lies over more than traditional physical sites. SASE can lay over any internet-enabled endpoint. SASE also shares the similarity of SD-WAN in that it is flexible at the edge: SASE allows any endpoint to access any application over any network in a protected manner.

Why Should I Use SD-WAN and SASE Together?

Users are moving toward a marriage of SD-WAN with SASE for a few reasons. Flexibility and scalability are two of the most important reasons as the cloud-based nature of these tools allows for rapid response and triage. The consolidation of all these tools underneath one banner helps customers save budgets on overall spend, and the federation of the tools also means there’s a single pane of glass to monitor all applications. This also means there’s less development work to get APIs up and running correctly.

The centralized policy management of SASE, including global access control, is the main value of these technologies, as IT organizations can push their own standards of operability and trust across outside WANs and applications.

In that sense, SASE truly is the only next gen-focused security methodology that considers the reality of the information worker and the decisions they make each day accessing information across disparate tools. And while the needs of tomorrow’s worker may remain undefined, this type of approach will be accommodating to all new applications that may find themselves more ubiquitous than others.

SASE Is Not a Comprehensive Approach to Cybersecurity

SASE can’t do everything for an organization to remain secure. As mentioned earlier, end-user training around cybersecurity is paramount. Additionally, SASE does not offer endpoint detection and response/managed detection and response (EDR/MDR) services, which are a critical component of securing a “work from anywhere” environment.

Essentially, there aren’t any security operations center (SOC) type services in SASE, meaning there aren’t any humans triaging and responding to an incident as it takes place in real time. SASE is not meant to be a holistic approach to security overall; it is simply meant to be the extension of network security policy over other applications hosted outside of internal systems.

Using SASE for Management Support

But that’s not to say that SASE doesn’t offer any type of management support. In fact, most shops adopting SASE opt in to some type of management, whether it’s fully managed or some sort of hybrid model. Hybrid models are usually adopted when the end user has some on-premises firewalls or legacy homebrew applications that require some internal expertise around auditing, at the very least.

One of the major trends to watch for in the SASE space is related to service chaining and vendor integrity. Customers caught in the middle of multi-tier partnerships and mergers and acquisitions may be forced into a higher learning curve as applications are tethered together for the vendor’s benefit. This ends up leaving the customer to make sense of managing the environment as these organizations and their support models change during consolidation.

Finger pointing between vendors could be the least of a customer’s problems if operability issues start to take root as the vendors consolidate toward the top. Also, SASE is not truly built for an AI-focused environment. It will be an interesting trend to follow as edge compute becomes more omnipresent in network refreshes.

Should You Launch SD-WAN and SASE?

IT users looking to integrate SD-WAN technologies should exercise due diligence and audit SASE methodologies. Depending on the customer, there may not be a need to launch SD-WAN in tandem with SASE simultaneously. But having some visibility down the road on how those tools and technologies can complement one another will give IT professionals a stronger roadmap of how their networks can be designed with more contextual intelligence and central policy management.

In other words, it’s best to know how to make yourself as safe as possible, even if you don’t have the means to make it happen overnight. Reviewing security posture and protocol, as SD-WAN is considered a new network architecture, is a best practice to be followed by all, regardless of needs or capabilities.

Get more tech insights like this right in your inbox with CompTIA’s IT Career Newsletter. Subscribe today. 

Email us at blogeditor@comptia.org for inquiries related to contributed articles, link building and other web content needs.

Read More from the CompTIA Blog

Leave a Comment