Secure access service edge (SASE) is one of the more recent security concepts to gain traction. At its broadest level, it aims to secure everything outside enterprise firewalls, a concept known as the ever-expanding network edge.
What is Secure Access Service Edge?
Just what is SASE technology? Gartner also calls SASE the “security service edge” (SSE) and notes: “SASE allows any endpoint to access any application over any network in a protected manner.”
The analyst firm regards SASE as a transformational innovation for endpoint security. Based on Gartner’s forecast, 70% of organizations that implement zero trust network access (ZTNA) between now and 2025 will choose a SASE provider for ZTNA rather than a standalone offering.
That’s because, according to Gartner, a SASE offering combines services for networking and network security, which allows organizations to benefit from more integrated services end-to-end rather than a standalone product for a single use case. As a result, Gartner predicts that SASE offerings will become more commonplace as a way to maximize revenue and account control.
SASE, then, is a way to secure access to the web, cloud services, and private applications. While there are some on-premises SASE tools, most providers are based in the cloud, with capabilities that vary depending on the vendor. But they tend to include features such as access control, threat protection, security monitoring, security of data, and control of acceptable use, all enforced by network-based and API-based integration.
An interesting example of the difference between SASE and traditional enterprise security would be the merger of McAfee Enterprise and FireEye. When it settled, the merged companies were split between Trellix – traditional enterprise products brought together under the umbrella of extended detection and response (XDR) – and Skyhigh, a SASE play that includes everything outside the firewall.
See the Top XDR Solutions
Is the SASE Market Growing?
Dell’Oro Group research shows that a coming together of WAN enterprise networking and security is largely behind the growing popularity of SASE.
“The pandemic made remote work and cloud-based applications necessary, and by doing so, accelerated the obsolescence of the classic hub-and-spoke networking model,” said Mauricio Sanchez, research director of network security and SASE & SD-WAN at Dell’Oro Group. “Rather than thinking of networking and security as separate problems to solve, they are now being thought of as a continuum and driving together cloud-friendly networking and security technologies into SASE.”
ResearchAndMarkets sees the SASE market growing at a 36.4% compound rate over the next several years, reaching $11.3 billion by 2028.
Michael Wood, CMO at Versa Networks, added that there is a marked shift of workloads, applications, services, and storage from on-premises to the cloud, which has increased the risk factor in terms of the ability to secure and control information.
“IT will deploy SASE more pervasively as it enables this converged model, while delivering improved security policy administration, end-user protection, and cloud application security,” stated Wood.
Major Trends in SASE
SASE will continue to merge several aspects of networking and security. Experts predict that this will occur across three distinct areas:
5G integration with SASE
Support and automation for 5G services is incorporating SASE at the mobile network edge. The economics of 5G require a new software-based architecture such as SASE to automate the deployment, provisioning, and operations at scale.
Cloud security posture management (CSPM) converges with SASE
As applications and data continue to shift to the cloud at accelerating rates, securing cloud infrastructure against attacks to exploit vulnerabilities or misconfigurations has been gaining significant importance. With infrastructure as code (IaC) and with ever-changing cloud IaC, it is difficult to build secure, well-configured, and well-protected cloud deployments. CSPM and other cloud security technologies play an important role to ensure protection of cloud infrastructure.
Endpoint protection with built-in AI/ML in SASE services
Expansion of security services such as malware sandboxing, data loss prevention (DLP), and user and entity behavior analytics (UEBA) will become an integral part of SASE. All these technologies are ripe for disruption (and are already being disrupted) by inclusion of artificial intelligence and machine learning (AI/ML) technology. SASE services will be augmented with AI/ML in endpoint devices used.
Top SASE Vendors
eSecurity Planet evaluated a number of vendors that have introduced SASE products and services. Here are our picks for the top SASE vendors.
Versa SASE delivers secure networking and security while increasing multicloud application performance and lowering costs. It takes a best-of-breed security approach, bringing together a variety of tools and integrating them with networking, SD-WAN, multi-tenancy, and analytics within the carrier-grade Versa Operating System (VOS).
- Versa offers cloud, on-premises, or blended deployment options.
- Single-pass parallel processing architecture is available.
- Contextual security can be based on user, role, device, application, location, security posture of the device, and content.
- Gartner identified Versa SASE as having the most SASE components out of 56 vendors evaluated.
- Enterprise Management Associates (EMA) found that Versa SASE has the most SASE supported functions.
- Dell’Oro Group listed Versa as the 2021 SASE market share leader.
- Versa SASE is available as a private cloud service, wherein enterprises can operate, manage, and host their own private Versa Cloud Gateways wherever they choose.
Founded in 2018 by two IDF elite intelligence unit alumni, CEO Amit Bareket and CPO Sagi Gidali, Perimeter 81 provides an integrated cloud-based secure access service edge platform. Its multi-regional SASE network provides a set of converged secure network capabilities, delivered and managed over a multi-tenant cloud. With a least-privileged strategy and access control, interactions can be controlled with resources based on relevant attributes, including application access, user and group identity, and the sensitivity of the data being accessed.
- A firewall as a service protects against potential threats, while implementing next-gen firewall features.
- Perimeter 81 includes cloud access security broker (CASB) functionality to extend security policy to any cloud service provider’s architecture.
- A secure web gateway (SWG) utility is incorporated for those that want to protect employees from accidental malware infection by enforcing policies for browser traffic.
- Least-privilege access is enforced to network segments based on identity, role, and device.
- Encrypted tunneling is available via private or public gateways, placed locally for low-latency secure connections.
The Zscaler Zero Trust Exchange is a cloud-native SASE platform that incorporates SWG, CASB, and ZTNA. As a result, all connections are inspected regardless of user, endpoint, app, or encryption.
- As a globally distributed platform, users are a short hop to applications.
- Zscaler brings security policy enforcement close to users across 150+ points of presence worldwide.
- Unnecessary backhauling is eliminated.
- A multi-tenant cloud is available.
- Proxy-based architecture offers full inspection of encrypted traffic across SWG, CASB, and security services at scale.
- Access is restricted to provide native app segmentation, not network segmentation.
- Zscaler processes up to 200 billion transactions at peak periods.
- Zscaler was named a Leader in the latest Gartner Magic Quadrant for SASE.
Netskope Security Service Edge (SSE) is a data-centric, cloud-native SASE solution that offers adaptive access and data and threat protection for users anywhere, on any device. It provides visibility, with real-time granular controls across cloud infrastructure.
- Secure web and cloud access is available for infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
- Netskope detects and mitigates threats across web, SaaS applications, cloud services, and private applications.
- Instance awareness and profiles for over 41,000 cloud applications provide granular control of activities.
- Users can implement Netskope either in forward proxy or reverse proxy for web, private applications, and SaaS applications (both approved and unapproved).
- Netskope CloudXD includes AI/ML-enabled web and cloud app categorization and private app discovery.
- Support is available for 250+ services in AWS including by instance.
- ML-enabled trust scores for cloud applications via Netskope CCI—Cloud Confidence Index and users via Netskope UCI—User Confidence Index are ways to capture anomalies and shifts that can trigger adaptive policy controls and automated workflows for investigations.
- Netskope was named a Leader in the latest Gartner Magic Quadrant for SASE.
McAfee Enterprise and FireEye have rebranded to form a couple of entities in Trellix and Skyhigh Security. Trellix focuses on traditional enterprise security while Skyhigh’s focus is on SASE, although the two combine efforts on DLP use cases. Skyhigh Secure Service Edge secures data across the web, cloud (SaaS, PaaS, and IaaS), and private apps—from anywhere, any application, and any device.
- Guided investigation automatically asks and answers questions while gathering, summarizing, and visualizing evidence from multiple sources as a way to lower the need for more security operations center (SOC) resources.
- Users can tap into the Trellix ePolicy Orchestrator (Trellix ePO) for on-premises management or SaaS-based Trellix ePO to reduce infrastructure maintenance.
- Machine-generated insights into attacks are available.
- Manual tasks are automated to gather and analyze evidence.
- McAfee was named a Leader in the latest Gartner Magic Quadrant for SASE.
Prisma SASE from Palo Alto Networks is designed to secure all apps used by a hybrid workforce regardless of location. It brings together ZTNA, cloud SWG, CASB, FWaaS, and SD-WAN into a single integrated cloud service as a means of reducing network and security complexity.
- ML-powered threat prevention stops 95% of web-based threats inline.
- Guaranteed by performance service-level agreements (SLAs).
- Prisma SASE brings protection closer to users, so traffic doesn’t have to backhaul to headquarters to reach the cloud.
- The Autonomous Digital Experience Management (ADEM) add-on for Prisma SASE helps IT teams see, understand, and improve digital experiences for all users and branch locations.
- Intelligence is gathered from endpoint devices, synthetic tests, and user traffic.
- CloudBlades avoid the need to update branch appliances or controllers.
- Data loss prevention categorizes and protects data while in motion across remote users and remote locations.
- Palo Alto Networks was named a Challenger by Gartner in its latest Magic Quadrant for SASE.
Cisco has solutions in the core SASE areas of networking, security, and zero trust. The Cisco SASE approach lets organizations secure the user’s connection experience and safely move access control closer to where it’s needed.
- Organizations can scale up or down as worker distribution shifts with a flexible licensing and consumption model.
- Cisco SD-WAN is a cloud-delivered overlay WAN architecture, connecting branches to headquarters, data centers, and multicloud environments through a single fabric.
- Applications can be deployed in minutes on any platform.
- Integrated security is available either on-premises or in the cloud.
- Multicloud access is accelerated with cloud onramp tools for SaaS and public cloud IaaS applications.
- Cisco Umbrella unifies firewall, SWG, DNS-layer security, CASB, and threat intelligence functions into a single cloud service.
- Cisco Secure Access by Duo offers a ZTNA solution to secure access across applications from any user, device, and location.
- Cisco was named a Challenger by Gartner in its latest Magic Quadrant for SASE.
Lookout delivers a single security platform that protects data from the endpoint to the cloud while respecting personal privacy. It can detect insider threats and file-less cyberattacks by analyzing behaviors rather than performing deep inspection of devices, apps and data.
- By understanding anomalous user behavior within infrastructure, such as sharing, downloading, and deleting data, it spots suspicious activity of a malicious insider.
- Lookout continuously monitors the risk level of endpoints.
- It provides a single place to implement policies, hunt for threats, and conduct investigations.
- Encryption is available for data at rest, in-flight, and in-use.
- Lookout was named a Visionary in the latest Gartner Magic Quadrant on SASE.
Read next: Top SD-WAN Solutions for Enterprise Security