WP What is SASE? | Framework & Security Explained | Imperva

Secure Access Service Edge

1.2k views
App SecurityEssentials

What is Secure Access Service Edge (SASE)?

Secure Access Service Edge (SASE) is a framework that handles the security and network demands of external traffic, without going through the data center. Introduced by Gartner in 2019, SASE helps avoid the common problem of cloud congestion and data center network latency, speeding response times.

SASE works by distributing critical functions closer to the user and application, reducing the burden on the data center. Its characteristics include:

  • Built on software-defined WAN (SD-WAN)
  • Cloud-based architecture
  • Supports identity-based access
  • Distributed packet inspection and policy enforcement

SASE provides for unified policy management, allowing you to secure traffic quickly and efficiently whatever its origins and wherever your resources are located. This makes it particularly attractive for organizations with complex cloud operations.

Why is SASE Security Important?

As organizations increasingly adopt cloud services, network security is becoming more complex. Traditional network security models were based on the idea of directing traffic to a corporate network perimeter, protected by security tools and services. This was appropriate when most employee devices and corporate systems were located within the network perimeter.

Today these assumptions no longer hold true. A large part of the workforce is now working outside the office, and organizations increasingly use cloud systems operated by third-party organizations. As a result, standard hardware-based security equipment used by network administrators is no longer sufficient to protect remote network access.

SASE provides unified policy management based on user identity, allowing businesses to deploy security services no matter where their users or corporate resources are located.

SASE can offer the following benefits to an organization:

  • Easy, inexpensive deployment—SASE does not require deploying expensive Multi-Protocol Label Switching (MPLS) circuitry, or specialized network infrastructure. It can leverage commodity broadband networks, while leveraging existing investments in private network links.
  • Improved security—SASE can protect sensitive data and mitigate threats like man-in-the-middle (MitM), spoofing, and malicious traffic. It encrypts traffic with remote devices, and implements inspection policies on public networks, such as unsecured WiFi.
  • Integrates with backbone and edge—SASE combines backbone networks with edge services such as Content Delivery Network (CDN), Cloud Access Security Broker (CASB), VPN, and edge networks.
  • Central management—SASE provides one management platform that controls and implements security policies for the entire organization and simplifies operations, compared to traditional site-centric security solutions.

What Capabilities are Included in the Gartner SASE Framework?

According to Gartner’s definition, Secure Access Services Edge solutions include software-defined wide area network (SD-WAN) capabilities, and additional network security features. All of these features are typically provided on a single cloud platform.

SASE products commonly include four core components:

  • Secure Web Gateway (SWG)—filters unwanted content from web traffic, blocks unauthorized users, and implements corporate security policies to prevent network threats and data leakage, for both on-premise and remote employees.
  • Cloud Access Security Broker (CASB)—performs several security functions for services hosted in the cloud. CASB can expose Shadow IT, protect sensitive data through access control, and implement data loss prevention (DLP).
  • Zero Trust Network Access (ZTNA)—performs real-time verification for users of all protected applications, locks down internal resources, and blocks public access by default.
  • Firewall as a Service (FWaaS)—protects cloud-based platforms, infrastructure and applications from cyber attacks. Unlike traditional firewalls, it is not a physical device, but rather a set of security features including URL filtering and intrusion prevention, enabling unified policy management across all network traffic.
SASE components

SASE components

In addition to these core components, solutions may provide other capabilities like web application and API protection, remote browser isolation, recursive DNS services, Wi-Fi hotspot protection, network obfuscation, protection of edge networks, and more.

How to Evaluate SASE Solutions

When evaluating SASE products, consider them along five dimensions: architecture, tenancy model, privacy, visibility, and licensing model.

Architecture

Ideally, SASE products should have a cloud-native architecture based on microservices, making it easy to scale as needed. To minimize latency, the solution should immediately act on data packets, processing and forwarding or blocking them as necessary, and not passing them between virtual machines (VM) to clouds.

In addition, the software stack should not have specific hardware dependencies, to enable more flexible deployment, and it should be possible to deploy relevant security components to any device or endpoint.

Tenancy Model

Cloud-native SASE architectures are typically multi-tenant, with multiple customers sharing the underlying data plane. Some providers use dedicated instances for each customer, while others may share the same infrastructure across customers.

The tenancy model is significant because it affects the scalability and cost of the SASE provider. The density of a single tenant is usually low, and will result in a higher cost to the organization, and may have scalability limitations. However, some companies prefer the single tenant model because of the improved security and isolation it provides.

Privacy

SASE providers must offer the option of avoiding inspection of traffic containing sensitive data, as required by standards like GDPR in the EU and HIPAA in the USA. If there is a compliance requirement not to inspect traffic, the SASE solution can leverage browser isolation to protect user sessions from threats and prevent damage to enterprise systems.

Visibility

SASE products should provide detailed activity monitoring, logging user access of applications and services, including all activities in the session. SASE products need to distribute and manage logs on a large scale, and provide the ability to maintain user and device logs in specific geographical regions, as required by the organization’s compliance policies.

Licensing Model

Some components of SASE solutions, such as WAN Edge and SD-WAN products, are usually licensed based on bandwidth. However, products such as CASB, SWG and remote browser isolation are typically licensed annually per user.

Because SASE integrates these two types of offerings, it is expected that bandwidth-based pricing will be phased out. Most pricing models will be subscription-based, tied to the number of protected entities (device, user, application, system) or collection of entities such as a branch or edge location.

Application Security with Imperva

SASE creates a secure gateway for applications, it must be complemented by solutions that can identify and block malicious traffic. Imperva provides comprehensive protection for applications, APIs, and microservices:

Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your applications.

Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.

API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.

Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.

DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.

Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, prevent data breaches, and client-side attacks.