Sayers Blog

Secure Access Service Edge: How To Choose the Right SASE Solution For Your Business

Among the latest networking and security technologies, one stands out not only for its capabilities but also for its abbreviated name with an attitude. Secure Access Service Edge (SASE, pronounced “sassy”) brings networking and security technologies into an integrated, scalable service delivered from the cloud.

As the number of vendors claiming to offer a SASE technology grows, be sure the vendor and solution are the right fit for your security strategy and use cases.

To help you evaluate SASE and select the right solution for your organization, we’ll cover what SASE is, what it’s not, tips for a successful implementation, and pitfalls to watch for.

Thanks to Ken Wisniewski, Sayers senior cybersecurity solutions architect, for his “SASE Explained” presentation from the Sayers #Curio Virtual Tech Summit. We’ve pulled these highlights from his 23-minute presentation, which is now available free on-demand.

 

What Is SASE: 5 Core Technologies, 4 Key Benefits 

According to Gartner, whose research coined the term in 2019, SASE supports the dynamic secure access needs of organizations by combining five core technologies: 
 
Software-defined wide area network (SD-WAN)
Firewall as a service (FWaaS)
Secure web gateway (SWG)
Cloud access security broker (CASB) 
Zero trust network access (ZTNA)
 
Many organizations have already deployed one or more of these technologies, though typically independently. SASE consolidates some of these, as well as other capabilities beyond the five core technologies, under the overall umbrella of the Secure Access Service Edge.
 
 
A one-line definition of SASE: The consolidation of networking and security technologies delivered as a scalable service from the cloud.
 
 
SASE brings these technologies together not only to provide multiple features and functionality but to do so in a way that simplifies their management and ease of use. 
 
 
The resulting benefits of this technology approach include four main areas:
 
1. Delivered as software as a service (SaaS). This type of delivery improves service resiliency, simplifies deployment, and enables automatic scaling for performance. Instead of deploying multiple security appliances or a single heavy appliance at the edge, SASE uses an agent-based, cloud-based, or light implementation for branch/edge deployments that secures traffic as a service and scales on demand.
 
2. Globally distributed infrastructure. SASE platforms are generally globally distributed – or at least regionally distributed – depending on your needs. Globally distributed technology that’s present near your users, whether in a branch office or a particular region of the world, improves performance, reduces latency, and enhances the user experience. 
 
3. Consolidated capabilities. SASE brings together network interconnectivity along with core capabilities for internet egress security, including application control, URL filtering, threat detection and prevention, data leakage prevention, SaaS application control, SSL and TLS decryption, and more. SASE also secures access to internal applications, using remote access VPN-type capabilities that provide authentication and connection brokering. 
 
4. Flexibility from a policy perspective. One of the most important elements of a SASE solution is the ability to be flexible based on identity and context. SASE not only enables a broad feature set but also allows you to be prescriptive in how those features are deployed by dynamically applying different controls to specific devices, sources, destinations, or user groups.

 

What SASE Is Not

Beyond the core technologies and benefits of a SASE solution, it’s also important to understand what SASE shouldn’t claim to be.

SASE isn’t a security appliance. “If a vendor tells you, ‘Here’s my box, it’s SASE,’ they have missed the mark dramatically,” says Wisniewski. SASE should be deployed as a service, be a scalable solution, and in most cases be in the cloud as opposed to on-premises equipment.

SASE isn’t zero-trust. While zero-trust network access can be a component of SASE – and SASE can be part of a zero-trust strategy – no vendor, technology, or specific capability can claim to be zero-trust by itself.

Additionally, SASE isn’t an infrastructure as a service solution, a security stack of several appliances deployed in a colocation data center, or a point product to specifically handle one use case.

“The whole benefit here is the scalability and the consolidation of capabilities for your network security needs, deployed in a cloud-type environment,” Wisniewski says.

 

Tips For Success

If you’re considering a SASE solution or receive a SASE sales pitch from a vendor, be sure to include these steps in your evaluation:
 
1. Gap analysis. Among your current vendors, what SASE capabilities do they have now and plan to have in the future? Weigh this against your use cases and immediate needs. 
 
2. Identify opportunities. Maybe it’s time for a hardware refresh. Or, if you have a specific remote user use case, SASE could offer a broader suite of capabilities specifically for remote user workforce demand. You might want to deploy SD-WAN alongside a security-focused SASE solution, or at the same time across your branch deployment.
 
3. Recognize different vendor approaches. SASE vendors almost exclusively started in one of the five core technology areas mentioned earlier, and then expanded their feature set via in-house development, external acquisitions, or partnerships with other third parties.
 
For example, the SD-WAN-focused vendors are strong on the networking side but may be further behind with security capabilities. They tend to be open to integrating with other vendor categories to add on security firewall capabilities or secure web gateway functionality.
 
4. Identify and test vendors. Not all vendors will cover all use cases, and this could be the right time to consolidate your vendor management. “Don’t be afraid to declutter or simplify your environment and perhaps lose a little bit of capability in the short term for a broader simplification, ease of use, and ease of management gain,” says Wisniewski. 
 
Ask for a proof of concept to test their SASE solutions and verify performance. “These vendors are all claiming performance and user experience gains over what you have today,” adds Wisniewski. “Make sure what they’re claiming fits your specific use cases and applications, because that’s not always the case.” 
 
5. Phase in your implementation. Don’t try to deploy every component of SASE all at once. Pick an area, adopt it, and then expand as you need to.

 

Pitfalls To Watch For When Adopting SASE

You likely won’t find a vendor specializing exclusively in SASE – yet. If the vendor you’re considering covers only one of those five core technology areas, make sure they have an aggressive roadmap to adopt or to expand their capabilities.

In terms of performance, review the number of points of presence (POPs) the vendor has deployed as well as any available latency information. The more POPs they’ve deployed, the better your performance is likely to be.

Also consider decryption limitations, one of the most important aspects from a scalability perspective. Wisniewski advises:


“Be sure the solution you’re adopting supports all of the cipher suites, TLS 1.3 protocol, and all the new changes related to TLS and SSL.”


Keep in mind the vendor’s licensing models. A true-up model instead of a hard limit will save you from deploying a solution that cuts you off when you hit one more user than you’re licensed for.

Lastly, ensure the vendor’s capabilities support all the use cases you want to deploy. They may have a use case capability, but it might be limited to a specific mode of implementation or integration or only supported on a certain SaaS application. These are all worth vetting through a proof of concept.

Questions? Contact Sayers today to help you choose the right SASE vendor, set up a proof of concept, and implement the ideal solution for your business.

 

Ken Wisniewski, Sayers Senior Cybersecurity Solutions Architect

Ken Wisniewski is a senior cybersecurity solutions architect at Sayers. He works with clients to understand and solve some of their most complex cybersecurity challenges. His areas of expertise include cloud security, network and gateway security, endpoint and mobile security, and security monitoring and operations. Prior to joining Sayers, Wisniewski led the network security team at a Fortune 100 financial institution where he managed an array of network security technologies.