NordLayer - Network Security

What is Secure Access Service Edge (SASE)?

By NordLayer
27 Oct 2021
8 min read
What is SASE

The digital transformation of businesses globally has been accelerated significantly over the past two years. Vast cloud adoption now means that 50% of enterprise data is stored in the cloud and external network data security controls. 

There’s roughly a 6-fold increase in the number of cloud-native threats that evade traditional network security technology, which means more sophisticated counter-measures are required for data security and protection. 

As if that wasn’t challenging enough, work from anywhere (WFA) policies have dramatically risen due to the impact of the global pandemic — meaning that the network perimeter has dissolved, and a small number of offices can now be multiplied by how many employees a company has.  

Organizations have had to quickly adapt to large numbers of employees working off-site, which opens up challenges around insider threats and being able to access corporate resources safely and securely.

Outdated legacy networks are struggling to support distributed workforces using cloud resources with expensive fixed architecture and centralized data centers. Secure Access Service Edge, a.k.a. SASE — is a framework for cloud-based network security that was first presented by Gartner, towards the beginning of 2020. 

SASE is an approach that provides distributed workforces with secure remote access to cloud resources, offering speed, mobility, reduced complexity, and a reduction in costs. The combination of SD-WAN  capabilities, and cloud network security functions are the future for organizations that need to address numerous performance, scaling, and maintenance challenges. According to Gartner’s estimations  35% of SASE-enriched companies in 2020, will be increased to 60% by 2024. 

How does SASE work, and why is it so “sassy”?

Firstly, because it is pronounced that way. SASE is a fully cloud-based architecture with a combination of well-known wide-area networking SD-WAN features and a number of network security functions. They combine to provide ongoing monitoring of risk and trust levels, recognize sensitive data or malware, and possess the ability to decrypt data in a speedy manner. Such features allow data centers to be replaced with cloud services and provide remote network access to distributed workforces with a high level of security. 

Generally speaking, the SASE framework uses cloud and edge computing measures that integrate comprehensive coverage, easy connectivity, and remote user satisfaction as it brings mobility and globalization. Instead of connecting to the enterprise data center, it delivers SD-WAN technology and security as a cloud service right to the source of a connection. Moreover, secure access service edge complies with security policies and ensures real-time identity-proven connections — no matter if it’s a device, application, IoT system, or person —despite the location of an application or data source. SASE challenges a static and complex approach to network security as it can be managed from a single source. 

Core capabilities of SASE

Let’s deconstruct SASE in order to get a more detailed view on understanding the main components of secure access service edge that make it such a hot topic in the network security industry today. SASE capabilities are defined by five core components that can be  implemented in unison to establish a cloud-based framework, including : 

  • SD-WAN Service (SD-WAN)

  • Secure Web Gateway (SWG)

  • Firewall as a Service (FWaaS)

  • Cloud Access Security Broker (CASB)

  • Zero Trust Network Access  (ZTNA)

So now we know the key members of the SASE family by name (and acronym), let’s explore how the sum of its parts contributes to a fully integrated SASE approach. 

Components of SASE

Software-defined wide area network (SD-WAN) 

SD-WAN is a virtual high road that securely connects users to applications via any combination of transport services such as broadband internet services, LTE, or MPLS. This network service distributes the traffic across the now cloud-compatible WAN to ensure the best application performance by enhancing network quality, and security — altogether defusing complexity and costs of previously used primary wide-area networking technology.

Secure Web Gateway (SWG) 

A Secure Web Gateway is a security service that’s responsible for filtering unwanted traffic generated by user-initiated web-surfing via separate networks. Free-flow traffic increases the exposure to undesired software and malware. In order to prevent exposure to any cyber threat, SWGs enforce corporate or regulatory policies to keep organizations’ security compliant. Secure web gateways are also based on URL filtering, malicious software detection, and blocking technologies, including application control and data loss prevention.

Firewall as a Service (FWaaS) 

A security layer on a cloud-based network perimeter, FWaaS is unlimited by the geographic dispersion of the organization endpoints. Its aim is to detect and target any attempts of unauthorized access to a network. Firewall as a Service is dedicated to reinforcing network security, applies advanced threat prevention, and is focused on monitoring and filtering all incoming and outgoing traffic created by remote users.

Cloud Access Security Broker (CASB) 

This capability is deployed for security governance as a third-party security software tool that works as a middleman between cloud applications and cloud service users. CASBs monitor the ongoing transaction of services and enforce any action, including security policies to maintain healthy security functions.

Zero Trust Network Access (ZTNA)

The networking world is shifting its mindset to Zero Trust — from assuming that anyone once allowed to organization perimeter is always trustworthy, now has to be verified every time they try to access any internal IT resources. Zero Trust is a theoretical approach with many practical forms, and one of them is ZTNA. The purpose of ZTNA is to have ownership over access control via user verification. Such tools allow segmentation by setting personalized user permissions in an organizational network and this way improves a more secure environment against insider threats.

It’s clear that all components of secure access service edge are security-oriented and cloud-based to minimize unnecessary expenses that come with a centralized data center, maintenance, and other unwanted baggage that comes with scaling to a secure environment. 

A consolidated and uncomplicated user approach simplifies in-practice utilization and enables better and more efficient compliance to organizational security and data protection policies.

Alternative technologies SASE may utilize

Its main capabilities define a SASE service, however, the core is not strictly limited to only five components — a combination of additional features can help improve security levels of the approach. The aforementioned components including SD-WAN, SWG, FWaaS, CASB, and ZTNA can be complemented by additional network and security features. 

In the network department, SD-WAN can be supplemented by SD-WANaaS (same SD-WAN only provided as a service for business convenience); Cross Domain Solutions (CDS) for high-level security to ensure safe data traffic; and multi-cloud connectivity, which helps to integrate different cloud services (including those from different vendors) into an integrated network used by an organization. 

Meanwhile, the security department also has a couple of tricks up its sleeve — think Domain Name System (DNS) for an extra layer of blockers to misdirect incoming malware or spam; Remote Browser Isolation (RBI) which secludes each user’s browsing activity on the network; WAAP literally protects web applications and application programming interfaces from cyber threats and WiFi hotspots to prevent any unwanted connections to the network. 

Each of the aforementioned technologies works as a collection of tools, customizable into a framework to cover individual needs and capabilities of organizations giving space for freedom and flexibility to adapt what suits them best.

How can organizations implement SASE?

Given the times we live in, organizations are forced to rethink accustomed enterprise networking and detach from stationary data centers, pinning it on the most mobile units of any company – its users and devices. With daily actions and processes going remote, the ability to supervise and mitigate possible threats becomes limited, and the importance of manageable network infrastructure security grows expansionary.

However, as easy as it sounds, digital transformation to the Gartner describedmethod is highly unlikely to happen overnight. To succeed, a critical component of the transition is a good action plan: research → roadmap the strategy → implement & adopt best-acknowledged solutions in the market tailored to your organization.

What are the advantages of a SASE framework for organizations?

It wouldn’t be such a cutting-edge framework if SASE didn’t have significant benefits for businesses worldwide. In contrast to traditional networking, SASE delivers advantages that make it attractive for enterprises transitioning towards cloud architecture: 

Security first

The SASE framework, as contained in its catchy acronym, was built to ensure secure access — starting with end-points (users, devices) and by using zero-trust-based verification. Moreover, with the help of SWGs, the approach enables data encryption, maximizes privacy, and mitigates the possibility of data leaks. Nonetheless, FWaaS and CASB heavily focus on security to filter any incoming and outgoing traffic – this helps prevent malicious malware, cyber-attacks, and whatever else might come with it. 

Overall optimization 

A simplified approach to the cloud network infrastructure reduces excessive hardware that can consume both physical space and your IT budget. It not only adapts unified policy solutions for an organization’s entire network and its remote users, but the SASE framework is also easy to scale (up or down) on-demand in no time, considering ad-hoc organizational needs.

What are the challenges to realizing SASE?

With every pro, there must be cons, right? If it sounds too good to be true, it probably is – as the old saying goes. There are several considerations to ponder before transitioning to a cloud-defined environment.


First of all, like any innovation, SASE implementation requires resources. Change begets change, and a new set of skills will be necessary for employees to work efficiently. Similarly, with infrastructure upgrades in general – migration to full functionality doesn’t happen quickly. It might be expensive and time-draining, thus good management is required for successful implementation.


The SASE concept unionizes network security to a service level that depends on third parties instead of an organization itself. Therefore capacity and experience are in the control of the vendors. 

A potential gray area for discussion could be cutbacks on specialists for the organization – as SASE prioritizes the convenience of service and overall consolidation of human resources for healthy network operation in general. Overall, SASE reduces network complexity, yet it is complex to understand and deliver.

The future of cloud-edge computing

Understanding the security capabilities of SASE architecture allows for the safeguarding of a swift business transition to a more convenient and re-connected way of working. 

Analyzing your business and network requirements is key ahead of a potential migration. Key considerations should be focussed on the status of your current remote access security solution and the impact it has on threat prevention mitigation, network performance, scalability, cost structure, as well as the perceived levels of employee productivity it allows your workforce to produce.  

Share article
NordLayer logo
Should your business implement SASE?
NordLayer is here to help. Get a free personal consultation on what’s best for your business.

Related Articles

Protect your business with cybersecurity news that matters

Join our expert community and get tips, news, and special offers delivered to you monthly.

Free advice. No spam. No commitment.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.