Secure Access Service Edge (SASE) is a network architecture that combines software-defined wide area networking (SD-WAN) and security functionality into a unified cloud service that promises simplified WAN deployments, improved efficiency and security, and application-specific bandwidth policies.

First outlined by Gartner in 2019, SASE (pronounced “sassy”) has quickly evolved from a niche, security-first SD-WAN alternative into a popular WAN sector that analysts project will grow to become a $10-billion-plus market within the next couple of years.

Market research firm Dell’Oro Group forecasts that the SASE market will triple by 2026, topping $13 billion. Gartner is more bullish, predicting that the SASE market will grow at a 36% CAGR between 2020 and 2025 to reach $14.7 billion by 2025.

What is SASE?

SASE consolidates SD-WAN with a suite of security services to help organizations safely accommodate an expanding edge that includes branch offices, public clouds, remote workers and IoT networks.

While some SASE vendors offer hardware appliances to connect edge users and devices to nearby points of presence (PoPs), most vendors handle the connections through software clients or virtual appliances. SASE is typically consumed as a single service, but there are a number of moving parts, so some SASE offerings piece together services from various partners.

On the networking side, the key features of SASE are WAN optimization, content delivery network (CDN), caching, SD-WAN, SaaS acceleration, and bandwidth aggregation.
The vendors that make the WAN side of SASE work include SD-WAN providers, carriers, content-delivery networks, network-as-a-service (NaaS) providers, bandwidth aggregators and networking equipment vendors.

The security features of SASE can include encryption, multifactor authentication, threat protection, data leak prevention (DLP), DNS, Firewall-as-a-Service (FWaaS), Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA). The security side of SASE relies on a range of providers, including cloud-access security brokers, cloud secure web gateway providers, zero-trust network access providers, and more.

The feature set will vary from vendor to vendor, and the top SASE vendors are investing in advanced capabilities, such as support for 5G for WAN links, advanced behavior- and context-based security capabilities, and integrated AIOps for troubleshooting and automatic remediation.

Ideally, all these capabilities are offered as a unified SASE service by a single service provider, even if certain components are white labeled from other providers.

What are the benefits of SASE?

Because it is billed as a unified service, SASE promises to cut complexity and cost. Enterprises deal with fewer vendors, the amount of hardware required in branch offices and other remote locations declines, and the number of agents on end-user devices also decreases.

SASE removes management burdens from IT’s plate, while also offering centralized control for things that must remain in-house, such as setting user policies. IT executives can set policies centrally via cloud-based management platforms, and the policies are enforced at distributed PoPs close to end users. Thus, end users receive the same access experience regardless of what resources they need, and where they and the resources are located.

SASE also simplifies the authentication process by applying appropriate policies for whatever resources the user seeks, based on the initial sign-in.
SASE also supports zero-trust networking, which controls access based on user, device and application, not location and IP address.

Security is increased because policies are enforced equally regardless of where users are located. As new threats arise, the service provider addresses how to protect against them, with no new hardware requirements for the enterprise.

More types of end users – employees, partners, contractors, customers – can gain access without the risk that traditional security – such as VPNs and DMZs – might be compromised and become a beachhead for potential attacks on the enterprise.

SASE providers can supply varying qualities of service, so each application gets the bandwidth and network responsiveness it needs. With SASE, enterprise IT staff have fewer chores related to deployment, monitoring and maintenance, and can be assigned higher-level tasks.

What are the SASE challenges?

Organizations thinking about deploying SASE need to address several potential challenges. For starters, some features could come up short initially because they are implemented by providers with backgrounds in either networking or security, but might lack expertise in the area that is not their strength.

Another issue to consider is whether the convenience of an all-in-one service meets the organization’s needs better than a collection of best-in-breed tools.

SASE offerings from a vendor with a history of selling on-premises hardware may not be designed with a cloud-native mindset. Similarly, legacy hardware vendors may lack experience with the in-line proxies needed by SASE, so customers may run into unexpected cost and performance problems.

Some traditional vendors may also lack experience in evaluating user contexts, which could limit their ability to enforce context-dependent policies.
Due to SASE’s complexity, providers may have a feature list that they say is well integrated, but which is really a number of disparate services that are poorly stitched together.

Because SASE promises to deliver secure access to the edge, the global footprint of the service provider is important. Building out a global network could prove too costly for some SASE providers. This could lead to uneven performance across locations because some sites may be located far from the nearest PoP, introducing latency.

SASE transitions can also put a strain on personnel. Turf wars could flare up as SASE cuts across networking and security teams. Changing vendors to adopt SASE could also require retraining IT staff to handle the new technology.

What is driving the adoption of SASE?

The key drivers for SASE include supporting hybrid clouds, remote and mobile workers, and IoT devices, as well as finding affordable replacements for expensive technologies like MPLS and IPsec VPNs.

As part of digital transformation efforts, many organizations are seeking to break down tech siloes, eliminate outdated technologies like VPNs, and automate mundane networking and security chores. SASE can help with all of those goals, but you’ll need to make sure vendors share a vision for the future of SASE that aligns with your own.

According to Gartner, there are currently more traditional data-center functions hosted outside the enterprise data center than in it – in IaaS providers’ clouds, in SaaS applications and cloud storage. The needs of IoT and edge computing will only increase this dependence on cloud-based resources, yet typical WAN security architectures remain tailored to on-premises enterprise data centers.

In a post-COVID, hybrid work economy, this poses a major problem. The traditional WAN model requires that remote users connect via VPNs, with firewalls at each location or on individual devices.
Traditional models also force users to authenticate to centralized security that grants access but may also route traffic through that central location.

This model does not scale. Moreover, this legacy architecture was already showing its age before COVID hit, but today its complexity and delay undermine competitiveness.

With SASE, end users and devices can authenticate and gain secure access to all the resources they are authorized to reach, and users are protected by security services located in clouds close to them. Once authenticated, they have direct access to the resources, addressing latency issues.

What is the SASE architecture?

Traditionally, the WAN was comprised of stand-alone infrastructure, often requiring a heavy investment in hardware. SD-WAN didn’t replace this, but rather augmented it, removing non-mission-critical and/or non-time-sensitive traffic from expensive links.

In the short term, SASE might not replace traditional services like MPLS, which will endure for certain types of mission-critical traffic, but on the security side, tools such as IPsec VPNs will likely give way to cloud-delivered alternatives.

Other networking and security functions will be decoupled from underlying infrastructure, creating a WAN that is cloud-first, defined and managed by software, and run over a global network that, ideally, is located near enterprise data centers, branches, devices, and employees.

With SASE, customers can monitor the health of the network and set policies for their specific traffic requirements. Because traffic from the internet first goes through the provider’s network, SASE can detect dangerous traffic and intervene before it reaches the enterprise network.
For example, DDoS attacks can be mitigated within the SASE network, saving customers from floods of malicious traffic.

What are the core security features of SASE?

The key security features that SASE provides include:

- Firewall as a Service (FWaaS)

In today’s distributed environment, both users and computing resources are located at the edge of the network. A flexible, cloud-based firewall delivered as a service can protect these edges. This functionality will become increasingly important as edge computing grows and IoT devices get smarter and more powerful.

Delivering FWaaS as part of the SASE platform makes it easier for enterprises to manage the security of their network, set uniform policies, spot anomalies, and quickly make changes.

- Cloud Access Security Broker (CASB)

As corporate systems move away from on-premises to SaaS applications, authentication and access become increasingly important. CASBs are used by enterprises to make sure their security policies are applied consistently even when the services themselves are outside their sphere of control.

With SASE, the same portal employees use to get to their corporate systems is also a portal to all the cloud applications they are allowed to access, including CASB. Traffic doesn't have to be routed outside the system to a separate CASB service.

- Secure Web Gateway (SWG)

Today, network traffic is rarely limited to a pre-defined perimeter. Modern workloads typically require access to outside resources, but there may be compliance reasons to deny employees access to certain sites. In addition, companies want to block access to phishing sites and botnet command-and-control servers. Even innocuous web sites may be used maliciously by, say, employees trying to exfiltrate sensitive corporate data.

SWGs protect companies from these threats. SASE vendors that offer this capability should be able to inspect encrypted traffic at cloud scale.
Bundling SWG in with other network security services improves manageability and allows for a more uniform set of security policies.

- Zero Trust Network Access (ZTNA)

Zero Trust Network Access provides enterprises with granular visibility and control of users and systems accessing corporate applications and services.

A core element of ZTNA is that security is based on identity, rather than, say, IP address. This makes it more adaptable for a mobile workforce, but requires additional levels of authentication, such as multi-factor authentication and behavioral analytics.

What other technologies may be part of SASE?

In addition to those four core security capabilities, various vendors offer a range of additional features.

These include web application and API protection, remote browser isolation, DLP, DNS, unified threat protection, and network sandboxes. Two features many enterprises will find attractive are network privacy protection and traffic dispersion, which make it difficult for threat actors to find enterprise assets by tracking their IP addresses or eavesdrop on traffic streams.

Other optional capabilities include Wi-Fi-hotspot protection, support for legacy VPNs, and protection for offline edge-computing devices or systems.

Centralized access to network and security data can allow companies to run holistic behavior analytics and spot threats and anomalies that otherwise wouldn't be apparent in siloed systems.
When these analytics are delivered as a cloud-based service, it will be easier to include updated threat data and other external intelligence.

The ultimate goal of bringing all these technologies together under the SASE umbrella is to give enterprises flexible and consistent security, better performance, and less complexity – all at a lower total cost of ownership.

Enterprises should be able to get the scale they need without having to hire a correspondingly large number of network and security administrators.

Who are the top SASE providers?

The leading SASE vendors include both established networking incumbents and well-funded startups. Many telcos and carriers also either offer their own SASE solutions (which they have typically gained through acquisitions) or resell and/or white-label services from pure-play SASE providers. Top vendors, in alphabetical order, include:

- Akamai
- Broadcom
- Cato Networks
- Cisco
- Cloudflare
- Forcepoint
- Fortinet
- HPE
- Netskope
- Palo Alto Networks
- Perimeter 81
- Proofpoint
- Skyhigh Security
- Versa
- VMware
- Zscaler

How to adopt SASE

Enterprises that must support a large, distributed workforce, a complicated edge with far-flung devices, and hybrid/multi-cloud applications should have SASE on their radar. For those with existing WAN investments, the logical first step is to investigate your WAN provider’s SASE services or preferred partners.

On the other hand, if your existing WAN investments are sunk costs that you’d prefer to walk away from, SASE offers a way to outsource and consolidate both WAN and security functions.

Over time, the line between SASE and SD-WAN will blur, so choosing one over the other won’t necessarily lock you into a particular path, aside from the constraints that vendors might erect.

For most enterprises, however, SASE will be part of a hybrid WAN/security approach.
Traditional networking and security systems will handle pre-existing connections between data centers and branch offices, while SASE will be used to handle new connections, devices, users, and locations.

SASE isn't a cure-all for network and security issues, nor is it guaranteed to prevent future disruptions, but it will allow companies to respond faster to disruptions or crises and to minimize their impact on the enterprise. In addition, SASE will allow companies to be better positioned to take advantage of new technologies, such as edge computing, 5G and mobile AI.
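
The ZTNA section above says access is decided by user, device and application rather than by location or IP address, with multi-factor authentication as an added requirement. The Python example below is an added illustration, not part of the original article or any vendor's product; the groups, applications, policy fields and address ranges are hypothetical. It contrasts a perimeter-style IP check with a default-deny identity decision over the same constructed requests.

```python
# Added illustration: names, groups and policy fields are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Request:
    user_group: str         # asserted by the identity provider at sign-in
    device_compliant: bool  # posture reported by the endpoint
    mfa_passed: bool
    app: str
    source_ip: str          # kept for logging; ignored by ztna_decision

# Central policy: app -> (allowed groups, needs compliant device, needs MFA)
POLICY = {
    "payroll": ({"finance"}, True, True),
    "wiki": ({"finance", "engineering", "contractor"}, False, True),
}

CORPORATE_NET = ip_network("10.0.0.0/8")  # constructed legacy "trusted" range

def legacy_decision(req):
    """Perimeter model: anything from the corporate range is trusted."""
    return ip_address(req.source_ip) in CORPORATE_NET

def ztna_decision(req):
    """Identity model: default deny, then check user, device and MFA per app."""
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "no policy for application"
    groups, need_device, need_mfa = rule
    if req.user_group not in groups:
        return False, "group not authorized"
    if need_device and not req.device_compliant:
        return False, "device posture failed"
    if need_mfa and not req.mfa_passed:
        return False, "MFA required"
    return True, "allowed"

# Constructed sample requests.
REMOTE_FINANCE = Request("finance", True, True, "payroll", "203.0.113.7")
OFFICE_UNMANAGED = Request("contractor", False, False, "payroll", "10.1.2.3")

if __name__ == "__main__":
    for r in (REMOTE_FINANCE, OFFICE_UNMANAGED):
        print(r.app, r.source_ip,
              "legacy:", legacy_decision(r), "ztna:", ztna_decision(r))
```

The perimeter check admits the unmanaged device on the office network and rejects the compliant remote finance user; the identity check reverses both outcomes and returns the same answer when only `source_ip` changes.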