Secure access service edge: Difference between revisions

From Wikipedia, the free encyclopedia
Undid revision 945028223 by 37.142.39.122 (talk) Remove inline external link
Momarfish
Attempting to fix the citations + minor update
Line 7: Line 7:
{{Citation style|date=December 2019}}
{{Citation style|date=December 2019}}
}}
}}
SASE is an acronym for '''Secure Access Service Edge'''. Coined by analyst firm [[Gartner]], SASE simplifies [[Wide area network|wide-area networking (WAN)]] and [[Computer security|security]] by delivering both as a [[Cloud computing|cloud]] service directly to the source of connection ([[User (computing)|user]], device, [[branch office]], [[Internet of things|IoT device]], [[edge computing]] location) rather than the [https://www.gartner.com/en/documents/3957375/invest-implications-the-future-of-network-security-is-in enterprise data center]. [[Computer security|Security]] is based around [[Digital identity|identity]], real-time context and enterprise [[Computer security|security]] and [[Regulatory compliance|compliance]] policies. An [[Digital identity|identity]] may be attached to anything from a person/[[User (computing)|user]] to a device, [[branch office]], [[Cloud computing|cloud]] service, [[Application software|application]], [[Internet of things|IoT]] system, or an [[edge computing]] location [1].
SASE is an acronym for '''Secure Access Service Edge'''. Coined by analyst firm [[Gartner]], SASE simplifies [[Wide area network|wide-area networking (WAN)]] and [[Computer security|security]] by delivering both as a [[Cloud computing|cloud]] service directly to the source of connection ([[User (computing)|user]], device, [[branch office]], [[Internet of things|IoT device]], [[edge computing]] location) rather than the [https://www.gartner.com/en/documents/3957375/invest-implications-the-future-of-network-security-is-in enterprise data center]. [[Computer security|Security]] is based around [[Digital identity|identity]], real-time context and enterprise [[Computer security|security]] and [[Regulatory compliance|compliance]] policies. An [[Digital identity|identity]] may be attached to anything from a person/[[User (computing)|user]] to a device, [[branch office]], [[Cloud computing|cloud]] service, [[Application software|application]], [[Internet of things|IoT]] system, or an [[edge computing]] location.<ref name=":0">{{Cite journal|last=MacDonald|first=Neil|last2=Orans|first2=Lawrence|last3=Skorupa|first3=Joe|date=August 30, 2019|title=The Future of Network Security Is in the Cloud|url=https://www.gartner.com/doc/reprints?id=1-1OG9EZYB&ct=190903&st=sb|journal=Gartner|volume=|issue=|pages=|via=}}</ref>


SASE is meant to be a simplified [[Wide area network|WAN]] and [[Network security|security]] solution for a [[Mobile computing|mobile]], global workplace that relies on [[cloud application]]s and data. The common solution of [[Backhaul (telecommunications)|backhauling]] all [[Wide area network|WAN]] traffic over long distances to one or a few corporate [[data centers]] for [[Computer security|security]] functions adds network [[Latency (engineering)|latency]] when [[User (computing)|users]] and their [[Cloud computing|cloud]] [[Application software|application]] are globally dispersed, rather than on-premises [1]. By targeting services to the [[Edge computing|edge]] at the connection source, SASE eliminates the [[Latency (engineering)|latency]] caused by [[Backhaul (telecommunications)|backhauling]].
SASE is meant to be a simplified [[Wide area network|WAN]] and [[Network security|security]] solution for a [[Mobile computing|mobile]], global workplace that relies on [[cloud application]]s and data. The common solution of [[Backhaul (telecommunications)|backhauling]] all [[Wide area network|WAN]] traffic over long distances to one or a few corporate [[data centers]] for [[Computer security|security]] functions adds network [[Latency (engineering)|latency]] when [[User (computing)|users]] and their [[Cloud computing|cloud]] [[Application software|application]] are globally dispersed, rather than on-premises.<ref name=":0" /> By targeting services to the [[Edge computing|edge]] at the connection source, SASE eliminates the [[Latency (engineering)|latency]] caused by [[Backhaul (telecommunications)|backhauling]].


== Overview ==
== Overview ==
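Review bot: the new `<ref name=":0">` definition in the lead paragraph carries empty `volume=|issue=|pages=|via=` parameters and a reprint URL with tracking query parameters (`?id=1-1OG9EZYB&ct=190903&st=sb`); drop the empty parameters and prefer the stable document URL so the citation does not break when the reprint expires. The bare inline external link `[https://www.gartner.com/en/documents/3957375/... enterprise data center]` in the first sentence survives in both versions even though the older revision's summary says "Remove inline external link"; now that a proper ref exists, that link can be folded into the citation instead of sitting in body text.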
Line 16: Line 16:
SASE [[SD-WAN]] service enhancements may include [[Quality of service|traffic prioritization]], [[WAN optimization]] and converged [[Internet backbone|backbones]] to enhance reliability and maximize performance [3].
SASE [[SD-WAN]] service enhancements may include [[Quality of service|traffic prioritization]], [[WAN optimization]] and converged [[Internet backbone|backbones]] to enhance reliability and maximize performance [3].


[[Wide area network|WAN]] and [[Computer security|security]] functions are typically delivered as a single service at globally dispersed SASE [[Point of presence|points of presence (PoPs)]] located as close as possible to dispersed [[User (computing)|users]], [[Branch office|branch offices]] and [[Cloud computing|cloud]] services [1]. To access SASE services, [[Edge computing|edge]] locations or [[User (computing)|users]] connect to the closest available [[Point of presence|PoP]]. SASE vendors may contract with several [[Internet backbone|backbone]] providers and [[peering]] partners to offer customers fast, low-[[Latency (engineering)|latency]] [[Wide area network|WAN]] performance for long-distance [[Point of presence|PoP]]-to-PoP connections [1].
[[Wide area network|WAN]] and [[Computer security|security]] functions are typically delivered as a single service at globally dispersed SASE [[Point of presence|points of presence (PoPs)]] located as close as possible to dispersed [[User (computing)|users]], [[Branch office|branch offices]] and [[Cloud computing|cloud]] services.<ref name=":0" /> To access SASE services, [[Edge computing|edge]] locations or [[User (computing)|users]] connect to the closest available [[Point of presence|PoP]]. SASE vendors may contract with several [[Internet backbone|backbone]] providers and [[peering]] partners to offer customers fast, low-[[Latency (engineering)|latency]] [[Wide area network|WAN]] performance for long-distance [[Point of presence|PoP]]-to-PoP connections.<ref name=":0" />


== History and Drivers ==
== History and Drivers ==


The term SASE was coined by [[Gartner]] analysts Neil McDonald and Joe Skorupa and described in a [https://www.gartner.com/en/documents/3947237 July 29, 2019 Networking Hype Cycle] [4] and [https://www.gartner.com/en/documents/3953690/market-trends-how-to-win-as-wan-edge-and-security-conver Market Trends Report, How to Win as WAN Edge and Security Converge into the Secure Access Service Edge] [5] and an August 30, 2019 [[Gartner]] report, The Future of Network Security is in the Cloud [1].
The term SASE was coined by [[Gartner]] analysts Neil McDonald and Joe Skorupa and described in a [https://www.gartner.com/en/documents/3947237 July 29, 2019 Networking Hype Cycle] [4] and [https://www.gartner.com/en/documents/3953690/market-trends-how-to-win-as-wan-edge-and-security-conver Market Trends Report, How to Win as WAN Edge and Security Converge into the Secure Access Service Edge] [5] and an August 30, 2019 [[Gartner]] report, The Future of Network Security is in the Cloud.<ref name=":0" />


SASE is driven by the rise of [[Mobile computing|mobile]], [[Edge computing|edge]] and [[Cloud computing|cloud]] computing in the enterprise at the expense of the LAN and corporate [[data center]]. As [[User (computing)|users]], [[Application software|applications]] and [[data]] move out of the enterprise [[data center]] to the [[Cloud computing|cloud]] and network [[Edge computing|edge]], moving [[Computer security|security]] and [[Wide area network|WAN]] to the [[Edge computing|edge]] as well is necessary to minimize [[Latency (engineering)|latency]] and performance issues. [6].
SASE is driven by the rise of [[Mobile computing|mobile]], [[Edge computing|edge]] and [[Cloud computing|cloud]] computing in the enterprise at the expense of the LAN and corporate [[data center]]. As [[User (computing)|users]], [[Application software|applications]] and [[data]] move out of the enterprise [[data center]] to the [[Cloud computing|cloud]] and network [[Edge computing|edge]], moving [[Computer security|security]] and [[Wide area network|WAN]] to the [[Edge computing|edge]] as well is necessary to minimize [[Latency (engineering)|latency]] and performance issues. [6].


The [[Cloud computing|cloud]] model is meant to delegate and simplify delivery of [[SD-WAN]] and [[Computer security|security]] functions to multiple [[Edge computing|edge]] computing devices and locations. Based on policy, different [[Computer security|security]] functions may also be applied to different connections and sessions from the same entity, whether [[Software as a service|SaaS]] [[Application software|applications]], [[social media]], [[data center]] [[Application software|applications]] or personal banking, according to [[Gartner]] [1].
The [[Cloud computing|cloud]] model is meant to delegate and simplify delivery of [[SD-WAN]] and [[Computer security|security]] functions to multiple [[Edge computing|edge]] computing devices and locations. Based on policy, different [[Computer security|security]] functions may also be applied to different connections and sessions from the same entity, whether [[Software as a service|SaaS]] [[Application software|applications]], [[social media]], [[data center]] [[Application software|applications]] or personal banking, according to [[Gartner]].<ref name=":0" />


The [[Cloud computing|cloud]] architecture boasts typical [[Cloud computing|cloud]] enhancements such as [[Elasticity (cloud computing)|elasticity]], flexibility, agility, global reach and delegated management.
The [[Cloud computing|cloud]] architecture boasts typical [[Cloud computing|cloud]] enhancements such as [[Elasticity (cloud computing)|elasticity]], flexibility, agility, global reach and delegated management.
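Review bot: the citation conversion in this hunk is partial: only the `[1]` bracket citations become `<ref name=":0" />`, while `[3]` (SD-WAN enhancements), `[4]` and `[5]` (History and Drivers) and `[6]` (drivers paragraph, which also keeps the stray double period in "performance issues. [6].") remain plain-text brackets that {{reflist}} cannot resolve. Either convert those in the same pass or keep the numbered list intact until they are converted. In the History and Drivers line, "Neil McDonald" should match the "MacDonald" spelling used in the `:0` ref itself.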
Line 64: Line 64:
===Consistent Security===
===Consistent Security===


'''Consistent''' [[Computer security|Security]] via a single [[Cloud computing|cloud]] service for all [[Wide area network|WAN]] [[Computer security|security]] functions and [[Wide area network|WAN]] connections. [[Computer security|Security]] is based on the same set of policies, with the same security functions delivered by the same [[Cloud computing|cloud]] service to any access [[Session (computer science)|session]], regardless of [[Application software|application]], [[User (computing)|user]] or device location and destination ([[Cloud computing|cloud]], [[data center]] [[Application software|application]]). Once the SASE provider adapts to a new threat, the adaption can be available to all the [[Edge computing|edges]]. [1]
'''Consistent''' [[Computer security|Security]] via a single [[Cloud computing|cloud]] service for all [[Wide area network|WAN]] [[Computer security|security]] functions and [[Wide area network|WAN]] connections. [[Computer security|Security]] is based on the same set of policies, with the same security functions delivered by the same [[Cloud computing|cloud]] service to any access [[Session (computer science)|session]], regardless of [[Application software|application]], [[User (computing)|user]] or device location and destination ([[Cloud computing|cloud]], [[data center]] [[Application software|application]]). Once the SASE provider adapts to a new threat, the adaption can be available to all the [[Edge computing|edges]].<ref name=":0" />


== Criticism of SASE ==
== Criticism of SASE ==
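Review bot: the only change here is the citation, but the sentence it is attached to still reads "the adaption can be available to all the edges"; "adaptation" is the intended word, and the bolded '''Consistent''' at the start of the paragraph duplicates the ===Consistent Security=== heading directly above it.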
Line 96: Line 96:
===Firewall as a Service (FWaaS)===
===Firewall as a Service (FWaaS)===


FWaaS is a [[Firewall (computing)|firewall]] offered as a [[Cloud computing|cloud]] service, rather than on premises as software or hardware. Most FWaaS providers offer [[Next-generation firewall|NGFW]] capabilities. [11] Typically, an entire organization is connected to a single FWaaS [[Cloud computing|cloud]] with no requirement for maintaining its own [[Firewall (computing)|firewall]] infrastructure. SASE combines [[Edge computing|edge]] FWaaS with other [[Computer security|security]] functions and [[SD-WAN]] [1].
FWaaS is a [[Firewall (computing)|firewall]] offered as a [[Cloud computing|cloud]] service, rather than on premises as software or hardware. Most FWaaS providers offer [[Next-generation firewall|NGFW]] capabilities. [11] Typically, an entire organization is connected to a single FWaaS [[Cloud computing|cloud]] with no requirement for maintaining its own [[Firewall (computing)|firewall]] infrastructure. SASE combines [[Edge computing|edge]] FWaaS with other [[Computer security|security]] functions and [[SD-WAN]].<ref name=":0" />


==Marketplace==
==Marketplace==


[[Gartner]] classifies SaaS as an emerging market with several vendors offering a large number of SASE capabilities, but no single provider offering the entire SASE portfolio. It lists 14 companies in several market categories as SASE players, including [[Cisco]], [[Akamai Technologies|Akamai]], [[Palo Alto Networks]], [[Broadcom Inc.|Symantec]], [[VMware]], and [[Cato Networks]], and expects some of the major [[Cloud computing|cloud]] providers to move into this category. [[Gartner]] doesn't expect a complete SASE offering to be available until sometime in 2020. [1]
[[Gartner]] classifies SaaS as an emerging market with several vendors offering a large number of SASE capabilities, but no single provider offering the entire SASE portfolio. It lists 14 companies in several market categories as SASE players, including [[Cisco]], [[Akamai Technologies|Akamai]], [[Palo Alto Networks]], [[Broadcom Inc.|Symantec]], [[VMware]], [[Cato Networks]] and [[Netskope]], and expects some of the major [[Cloud computing|cloud]] providers to move into this category.<ref>{{Cite journal|last=Riley|first=Steve|last2=Lawson|first2=Craig|date=October 22, 2019|title=Magic Quadrant for Cloud Access Security Brokers|url=https://www.gartner.com/doc/reprints?id=1-1XOFCANJ&ct=191024&st=sb|journal=Gartner|volume=|pages=|via=}}</ref> [[Gartner]] doesn't expect a complete SASE offering to be available until sometime in 2020.<ref name=":0" />


==References==
==References==
{{reflist}}
{{reflist}}
[1] L. O. J. S. Neil MacDonald, &quot;The Future of Network Security is in the Cloud,&quot; Gartner, 2019.

[2] &quot;The Network for Digital Business Starts with the Secure Access Service Edge (SASE),&quot; Cato
[2] &quot;The Network for Digital Business Starts with the Secure Access Service Edge (SASE),&quot; Cato
Networks, 2019.
Networks, 2019.
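Review bot: "[[Gartner]] classifies SaaS as an emerging market" in the Marketplace paragraph should read "SASE" (the rest of the sentence is about SASE capabilities and the SASE portfolio), and the new ref added for the vendor list cites the "Magic Quadrant for Cloud Access Security Brokers" while the sentence presents the 14-company list as Gartner's SASE classification; please confirm that document is the source of that list. In the References hunk, deleting only the `[1]` entry leaves `[2]` onward under {{reflist}}, so the footnote numbered [2] that {{reflist}} generates will collide with the manual "[2]" entry; the surviving entries also still use `&quot;` entities and a line break mid-entry ("Cato" / "Networks, 2019.").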

Revision as of 05:07, 18 March 2020

SASE is an acronym for Secure Access Service Edge. Coined by analyst firm Gartner, SASE simplifies wide-area networking (WAN) and security by delivering both as a cloud service directly to the source of connection (user, device, branch office, IoT device, edge computing location) rather than the enterprise data center. Security is based around identity, real-time context and enterprise security and compliance policies. An identity may be attached to anything from a person/user to a device, branch office, cloud service, application, IoT system, or an edge computing location.[1]

SASE is meant to be a simplified WAN and security solution for a mobile, global workplace that relies on cloud applications and data. The common solution of backhauling all WAN traffic over long distances to one or a few corporate data centers for security functions adds network latency when users and their cloud applications are globally dispersed, rather than on-premises.[1] By targeting services to the edge at the connection source, SASE eliminates the latency caused by backhauling.

Overview

SASE combines SD-WAN with a stack of security functions, including Cloud Access Security Brokers (CASB), Secure Web Gateways (SWG), antivirus/malware inspection, virtual private networking (VPN), firewall as a service (FWaaS), and data loss prevention (DLP), all delivered by a single cloud service at the network edge.[2]

SASE SD-WAN service enhancements may include traffic prioritization, WAN optimization and converged backbones to enhance reliability and maximize performance.[3]

WAN and security functions are typically delivered as a single service at globally dispersed SASE points of presence (PoPs) located as close as possible to dispersed users, branch offices and cloud services.[1] To access SASE services, edge locations or users connect to the closest available PoP. SASE vendors may contract with several backbone providers and peering partners to offer customers fast, low-latency WAN performance for long-distance PoP-to-PoP connections.[1]

History and Drivers

The term SASE was coined by Gartner analysts Neil MacDonald and Joe Skorupa and described in a July 29, 2019 Networking Hype Cycle,[4] a Market Trends Report, How to Win as WAN Edge and Security Converge into the Secure Access Service Edge,[5] and an August 30, 2019 Gartner report, The Future of Network Security is in the Cloud.[1]

SASE is driven by the rise of mobile, edge and cloud computing in the enterprise at the expense of the LAN and corporate data center. As users, applications and data move out of the enterprise data center to the cloud and network edge, moving security and WAN functions to the edge as well is necessary to minimize latency and performance issues.[6]

The cloud model is meant to delegate and simplify delivery of SD-WAN and security functions to multiple edge computing devices and locations. Based on policy, different security functions may also be applied to different connections and sessions from the same entity, whether SaaS applications, social media, data center applications or personal banking, according to Gartner.[1]

The cloud architecture boasts typical cloud enhancements such as elasticity, flexibility, agility, global reach and delegated management.

Required Characteristics

SASE has many characteristics and components, but the principal elements are:

  • Convergence of WAN and network security functions.
  • A cloud-native architecture delivering converged WAN and security as a service that offers the scalability, elasticity, adaptability and self-healing typical of all cloud services.
  • A globally distributed fabric of PoPs guaranteeing a full range of WAN and security capabilities with low latency, wherever business offices, cloud applications and mobile users are located. To deliver low latency at any location, SASE PoPs have to be more numerous and extensive than those offered by typical public cloud providers, and SASE providers must have extensive peering relationships.
  • Identity-driven services. An identity can be attached to anything from a person or branch office to a device, application, service, IoT device or edge computing location at the source of connection. Identity is the most significant context affecting SASE security policy. However, location, time of day, the risk/trust posture of the connecting device, and application and data sensitivity provide other real-time context that determines the security services and policies applied to and throughout each WAN session.
  • Support for all edges equally, including physical locations, cloud data centers, users' mobile devices and edge computing, with placement of all capabilities at the local PoP rather than the edge location. Edge connections to the local PoP may vary from an SD-WAN for a branch office, to a VPN client or clientless Web access for a mobile user, to multiple tunnels from the cloud or direct cloud connections inside a global data center.[6]
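As an added illustration of the identity-driven, context-aware policy model listed above, and of the per-session selection of security functions described under History and Drivers, the following is example code written for this page, not code from the article or from any SASE vendor. It is a hypothetical policy engine in which destination category, device trust posture, data sensitivity, location and time of day select which security functions a PoP applies to a session; all category names, thresholds and the step-up authentication verdict are constructed assumptions.

```python
"""Hypothetical SASE session policy engine (added example, not from the article)."""
from dataclasses import dataclass, field
from datetime import time

# Constructed policy values for the example; a real deployment would load
# these from the provider's policy store.
ALLOWED_IOT_DESTINATIONS = {"datacenter"}
BUSINESS_HOURS = (time(6, 0), time(22, 0))
HIGH_RISK_COUNTRIES = {"XX"}  # placeholder country code

@dataclass(frozen=True)
class Session:
    identity: str          # who or what connects: user, branch, IoT system, ...
    identity_kind: str     # "user" | "branch" | "iot"
    device_trust: str      # "managed" | "unmanaged" | "compromised"
    country: str           # location of the connection source
    local_time: time       # time of day at the connection source
    destination: str       # "saas" | "social" | "datacenter" | "personal_banking"
    data_sensitivity: str  # "public" | "internal" | "confidential"

@dataclass
class Decision:
    verdict: str  # "allow" | "allow_isolated" | "allow_with_mfa" | "deny"
    functions: list[str] = field(default_factory=list)  # applied at the PoP
    reasons: list[str] = field(default_factory=list)

def evaluate(s: Session) -> Decision:
    """One policy function for every session, whichever PoP it enters through."""
    d = Decision("allow", ["FWaaS"])  # every session traverses the cloud firewall
    # 1. Device trust posture is a hard-fail context.
    if s.device_trust == "compromised":
        return Decision("deny", d.functions, ["device posture: compromised"])
    # 2. Identity kind: an IoT identity gets a narrow, fixed profile.
    if s.identity_kind == "iot":
        if s.destination not in ALLOWED_IOT_DESTINATIONS:
            return Decision("deny", d.functions, [f"iot identity may not reach {s.destination}"])
        d.reasons.append("iot identity: firewall-only profile")
        return d
    # 3. Destination category selects the inspection stack for this session.
    if s.destination == "saas":
        d.functions += ["CASB", "anti-malware"]
    elif s.destination == "social":
        d.functions += ["SWG", "anti-malware"]
    elif s.destination == "datacenter":
        d.functions += ["VPN", "anti-malware"]
        if s.device_trust == "unmanaged":
            d.verdict = "allow_isolated"  # clientless web access, not a full tunnel
            d.reasons.append("unmanaged device: clientless access to data center apps")
    elif s.destination == "personal_banking":
        d.reasons.append("personal banking: not decrypted, firewall policy only")
        return d
    else:
        return Decision("deny", d.functions, [f"unknown destination: {s.destination}"])
    # 4. Data sensitivity adds DLP and tightens the remaining context checks.
    if s.data_sensitivity == "confidential":
        d.functions.append("DLP")
        if s.device_trust == "unmanaged":
            return Decision("deny", d.functions, ["confidential data from unmanaged device"])
        if s.country in HIGH_RISK_COUNTRIES:
            return Decision("deny", d.functions, [f"confidential data from {s.country}"])
        if not BUSINESS_HOURS[0] <= s.local_time <= BUSINESS_HOURS[1]:
            d.verdict = "allow_with_mfa"
            d.reasons.append("confidential data outside business hours: step-up authentication")
    return d

def make_session(hour: int = 10, **overrides) -> Session:
    """Constructed default session: a managed user in the US at the given hour."""
    base = dict(identity="alice", identity_kind="user", device_trust="managed",
                country="US", local_time=time(hour, 0), destination="saas",
                data_sensitivity="internal")
    base.update(overrides)
    return Session(**base)

if __name__ == "__main__":
    # Same identity, two sessions, two different inspection stacks.
    for dest, sens in (("saas", "confidential"), ("personal_banking", "public")):
        print(dest, evaluate(make_session(destination=dest, data_sensitivity=sens)))
```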

Features

Gartner and others have cited numerous features and benefits of a SASE architecture for the mobile, cloud-enabled enterprise. These include:

Reduced Complexity

Reduced complexity comes with the cloud model and a single vendor for all WAN and security functions, versus multiple security appliances from multiple vendors at each location. It also comes from a single-pass architecture that decrypts the traffic stream and inspects it once with multiple policy engines, rather than chaining multiple inspection services together.

Universal Access

A SASE architecture is designed to provide consistently fast, secure access to any resource from any entity at any location, as opposed to access built primarily around the corporate data center.

Cost Efficiency

Cost efficiency comes from the cloud model, which shifts up-front capital costs to monthly subscription fees, consolidates providers and vendors, and reduces the number of physical and virtual branch appliances and software agents that IT has to purchase, manage and maintain in-house. Cost reduction also comes from delegating maintenance, upgrades and hardware refreshes to the SASE provider.

Performance

Performance of applications and services is enhanced by latency-optimized routing, which is particularly beneficial for latency-sensitive video, VoIP and collaboration applications. SASE providers can optimize and route traffic through high-performance backbones contracted from carrier and peering partners.

Ease of Use

Depending on the implementation, SASE is likely to reduce the number of apps and agents required on a device to a single app, and it provides a consistent experience to users regardless of where they are or what they are accessing.

Consistent Security

Consistent security is provided via a single cloud service for all WAN security functions and WAN connections. Security is based on the same set of policies, with the same security functions delivered by the same cloud service to any access session, regardless of application, user or device location and destination (cloud or data center application). Once the SASE provider adapts to a new threat, the adaptation can be made available to all the edges.[1]

Criticism of SASE

Criticism of SASE has come from several sources, including IDC and IHS Markit, as cited in a November 9, 2019 SDxCentral post written by Tobias Mann.[2] Both analyst firms criticize SASE as a Gartner term that denotes neither a new market, technology nor product, but rather an integration of existing technologies under a single source of management.

Clifford Grossner of IHS Markit criticizes the lack of analytics, artificial intelligence and machine learning in the SASE concept, and the likelihood that enterprises won't want to get all SD-WAN and security functions from a single vendor. Gartner counters that service chaining of security and SD-WAN functions from multiple vendors yields "inconsistent services, poor manageability and high latency."[7]

IDC analyst Brandon Butler cites IDC's position that SD-WAN will evolve to SD-Branch, defined as centralized deployment and management of virtualized SD-WAN and security functions at multiple branch office locations.

Nevertheless, Cato Networks, Infoblox and Palo Alto Networks[8] have introduced offerings in the SASE market.

Complementary Technology

SD-WAN

SD-WAN is a maturing technology that simplifies wide area networking through centralized control of the networking hardware or software that directs traffic across the WAN. It also allows organizations to combine or replace private WAN connections with Internet broadband, LTE and/or 5G connections. The central controller sets policies and prioritizes, optimizes and routes WAN traffic, dynamically selecting the best link and path for optimum performance. SD-WAN vendors may offer some security functions with their SD-WAN virtual or physical appliances, which are typically deployed at the data center or branch office.

Typically, SASE incorporates SD-WAN as part of a cloud service that also delivers mobile access and a full security stack from a local PoP.

Network as a Service (NaaS)

SASE and NaaS overlap in concept. NaaS delivers virtualized network infrastructure and services using a cloud subscription business model. Like SASE, it offers reduced complexity and management costs. Typically, different NaaS providers offer different service packages, such as a package of WAN and secure VPNs as a service, bandwidth on demand, or hosted networks as a service. By contrast, SASE is meant to be a single comprehensive secure SD-WAN solution for branch offices, mobile users, data centers and any other secure enterprise WAN requirement.[9]

Next-Generation Firewall (NGFW)

NGFW combines a traditional firewall with other security and networking functions geared to the virtualized data center. Security functions include application control, deep and encrypted packet inspection, intrusion prevention, Web site filtering, anti-malware, identity management, threat intelligence and even WAN quality of service and bandwidth management.[10]

NGFW offers a subset of the security stack offered by SASE, and typically doesn't include SD-WAN services. NGFW may be deployed on premises or as a cloud service, while SASE is a cloud architecture by definition. While SASE focuses security on WAN connections, an NGFW can be deployed anywhere, including internally in the data center.

Firewall as a Service (FWaaS)

FWaaS is a firewall offered as a cloud service, rather than on premises as software or hardware. Most FWaaS providers offer NGFW capabilities.[11] Typically, an entire organization is connected to a single FWaaS cloud with no requirement to maintain its own firewall infrastructure. SASE combines edge FWaaS with other security functions and SD-WAN.[1]

Marketplace

Gartner classifies SASE as an emerging market with several vendors offering a large number of SASE capabilities, but no single provider offering the entire SASE portfolio. It lists 14 companies in several market categories as SASE players, including Cisco, Akamai, Palo Alto Networks, Symantec, VMware, Cato Networks and Netskope, and expects some of the major cloud providers to move into this category.[3] Gartner doesn't expect a complete SASE offering to be available until sometime in 2020.[1]

References

  1. MacDonald, Neil; Orans, Lawrence; Skorupa, Joe (August 30, 2019). "The Future of Network Security Is in the Cloud". Gartner.
  2. "Analysts Debate SASE's Merits as Vendors Board Hype Train". SDxCentral. Retrieved 2019-11-18.
  3. Riley, Steve; Lawson, Craig (October 22, 2019). "Magic Quadrant for Cloud Access Security Brokers". Gartner.

[2] "The Network for Digital Business Starts with the Secure Access Service Edge (SASE)," Cato Networks, 2019.

[3] M. Conran, "The Evolution to Secure Access Service Edge (SASE) is Being Driven by Necessity," Network World, 24 October 2019.

[4] D. Y. Andrew Lerner, "Hype Cycle for Enterprise Networking 2019," Gartner, 2019.

[5] N. MacDonald and J. Skorupa, "Market Trends: How to Win as WAN Edge and Security Converge into the Secure Access Service Edge," Gartner, 2019.

[6] M. Conran, "Secure Access Service Edge (SASE): A Reflection of our Times," Network World, October 2019.

[7] T. Mann, "Analysts Debate SASE's Merits as Vendors Board Hype Train," SDXCentral, 9 November 2019.

[8] T. Mann, "Palo Alto Networks Leaps Into SASE Market," SDXCentral, 16 November 2019.

[9] D. Greenfield, "NaaS Meets SD-WAN: What is NaaS Anyway and How Will it Impact Your SaaS, PaaS, and Cloud Strategy," Cato Networks, 2019.

[10] C. Brook, "What is a Next Generation Firewall? Learn About the Differences NGFW and Traditional Firewalls," Digital Guardian, 24 October 2019.

[11] "What is Firewall as a Service (FWaaS) and Why You Need It," Cato Networks, 2018.

[12] J. Hardcastle, "Perimeter 81 Vows to Win SASE Space Race," SDXCentral, 12 February 2020.