SASE Architecture

Cloud-hosted security frees devices from the need to rely on protections hosted at a corporation’s physical data center.

FWaaS provides the same security features as a standard hardware firewall appliance but using software in the cloud. This is particularly helpful when trying to secure flexible, constantly changing software-defined network (SD-WAN) solutions. Users do not have to connect to a physical firewall. Instead, their transmissions are protected through the cloud-hosted software, giving them security no matter where they are.

Secure Web Gateway (SWG), also referred to as Secure Internet Gateway (SIG), blocks unauthorized traffic from getting into your organization’s network. In many ways, SWG does for your network what border patrol does for a country. It keeps unwanted people and data from getting in. 

In Secure Access Service Edge architecture, an SWG is implemented for every single device connected to your network. Among other technologies, SWG makes use of Domain Name System (DNS) information to identify the sources of unwanted traffic.

CASB is positioned between the user accessing the cloud and the cloud-based application they are trying to access. It is used to monitor activity and enforce an organization’s security policies.

ZTNA is built on the premise of "never trust, always verify." All users, devices, and applications are assumed to be threats, and until they prove otherwise, they are not allowed to connect.

Authentication involves checking to see if the user and device are what they claim to be. Verifying this is often the job of multi-factor authentication (MFA) technologies, which require at least two different methods of proof of identity from an entity trying to connect.

Authorization involves choosing where a user is authorized to go within a network, and control includes restricting their movement within the network’s environment. For example, a user may be allowed to access a cloud messaging app and word processor, but they may not be authorized to upload files to a central repository.

Monitoring in a SASE setup is a key component of security. It involves checking which devices are connected, what they are doing, and the kinds and volumes of data they are exchanging. Monitoring ensures users are not engaged in potentially dangerous activity, and a monitoring log can be examined after an incident to track down the source and cause of the breach.

Network services components have multiple connotations, but in the context of enabling efficient SASE architecture, they primarily refer to optimized path selection and application-based routing.

Optimized path selection involves ensuring the paths of different kinds of traffic are directed to the right resources at the appropriate times. An SD-WAN solution can decide where network traffic goes and how it is managed to ensure a high-quality experience for all users.

Instead of deciding what a user is allowed to access based on their location, such as in the office, application-based routing gives them access to the applications they need to do their jobs. This allows a SASE architecture to provide seamless, safe remote access to workers regardless of where they are.

The Fortinet FortiSASE solution enables distributed, remote workforces to connect to cloud-based applications securely, circumventing the delays created by routing traffic back to a central data center. FortiSASE provides:

1. FWaaS
2. DNS protections
3. Data loss prevention (DLP)
4. Intrusion prevention system (IPS)
5. SWG
6. ZTNA and virtual private network (VPN) capability
7. Sandboxing

With FortiSASE, remote workers get the same advanced protection they would experience with a hardware security appliance attached directly to their device, regardless of where they are.

Secure Access Service Edge (SASE) architecture refers to a cybersecurity environment that brings advanced protection right out to the farthest edge of the network: the endpoints of users.

The components of SASE architecture include cloud-hosted security, zero-trust network access (ZTNA) components, and network services components.

SASE architecture is important for the enterprise because it prevents the kind of latency that results from the backlogging of employee traffic all the way back to the central data center.

SASE security architecture enables users to take advantage of secure connections without having to worry about the latency that results from backhauling to the data center’s firewall.