
What Is a Secure Access Service Edge (SASE) Architecture?

Secure Access Service Edge (SASE) architecture refers to a cybersecurity environment that brings advanced protection right out to the farthest edge of the network: the endpoints of users. In this SASE architecture definition, users are provided robust security features directly to their devices from the cloud, enabling them to connect securely from anywhere.

A SASE architecture diagram would look nothing like a traditional hub-and-spoke structure with the central corporate data center in the middle. The hub-and-spoke structure necessitates the backhauling of data from remote endpoints all the way back to the data center before sending it on to the desired destination: the cloud.

SASE network architecture, on the other hand, provides you with cloud security and allows users with laptops and other mobile devices to connect directly to the cloud while enjoying protective security running directly on their devices. In this way, SASE security architecture enables users to take advantage of secure connections without having to worry about the latency that results from backhauling to the data center’s firewall.

Components of SASE Architecture

Regardless of the structure, data flow map, or SASE reference architecture used, all SASE services have the same basic structure. They involve cloud-hosted security, zero-trust network access (ZTNA) components, and network services components.

Cloud-hosted Security

Cloud-hosted security frees devices from the need to rely on protections hosted at a corporation’s physical data center.

Firewall-as-a-Service (FWaaS)

FWaaS provides the same security features as a standard hardware firewall appliance, but using software in the cloud. This is particularly helpful when trying to secure flexible, constantly changing software-defined wide-area network (SD-WAN) deployments. Users do not have to connect to a physical firewall. Instead, their transmissions are protected through the cloud-hosted software, giving them security no matter where they are.

Secure Web Gateway (SWG)

Secure Web Gateway (SWG), also referred to as Secure Internet Gateway (SIG), blocks unauthorized traffic from getting into your organization’s network. In many ways, SWG does for your network what border patrol does for a country. It keeps unwanted people and data from getting in.

In Secure Access Service Edge architecture, an SWG is implemented for every single device connected to your network. Among other technologies, SWG makes use of Domain Name System (DNS) information to identify the sources of unwanted traffic.

Cloud Access Security Broker (CASB)

CASB is positioned between the user accessing the cloud and the cloud-based application they are trying to access. It is used to monitor activity and enforce an organization’s security policies.

Zero-trust Network Access (ZTNA) Components

ZTNA is built on the premise of "never trust, always verify." All users, devices, and applications are assumed to be threats, and until they prove otherwise, they are not allowed to connect.

Authentication

Authentication involves checking to see if the user and device are what they claim to be. Verifying this is often the job of multi-factor authentication (MFA) technologies, which require at least two different methods of proof of identity from an entity trying to connect.

Authorization and Control

Authorization involves choosing where a user is authorized to go within a network, and control includes restricting their movement within the network’s environment. For example, a user may be allowed to access a cloud messaging app and word processor, but they may not be authorized to upload files to a central repository.

Monitoring

Monitoring in a SASE setup is a key component of security. It involves checking which devices are connected, what they are doing, and the kinds and volumes of data they are exchanging. Monitoring ensures users are not engaged in potentially dangerous activity, and a monitoring log can be examined after an incident to track down the source and cause of the breach.
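The ZTNA flow described above (MFA-based authentication, per-application authorization, action-level control, and a monitoring log) as an added example; this is illustrative code, not FortiSASE or any vendor implementation, and the policy table, role names, and application names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample policy (hypothetical, not a product configuration):
# for each application, the actions each role may perform on it.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "messaging":      {"staff": {"read", "write"}},
    "word_processor": {"staff": {"read", "write"}},
    "repository":     {"staff": {"read"}, "maintainer": {"read", "upload"}},
}

@dataclass
class Request:
    user: str
    role: str
    factors: List[str]      # identity proofs presented, e.g. ["password", "totp"]
    device_compliant: bool  # result of the device posture check
    app: str
    action: str

@dataclass
class Decision:
    allowed: bool
    reason: str

# Monitoring log: one entry per decision, kept for post-incident review.
AUDIT_LOG: List[str] = []

def authenticate(req: Request) -> bool:
    """MFA: at least two distinct proof types, and the device must be compliant."""
    return len(set(req.factors)) >= 2 and req.device_compliant

def decide(req: Request) -> Decision:
    """Zero trust: deny by default; only an explicit policy match allows access."""
    if not authenticate(req):
        d = Decision(False, "authentication failed")
    elif req.app not in POLICY or req.role not in POLICY[req.app]:
        d = Decision(False, f"not authorized for {req.app}")          # authorization
    elif req.action not in POLICY[req.app][req.role]:
        d = Decision(False, f"{req.action} not permitted on {req.app}")  # control
    else:
        d = Decision(True, "allowed")
    verdict = "ALLOW" if d.allowed else "DENY"
    AUDIT_LOG.append(f"{req.user} {req.app}:{req.action} -> {verdict} ({d.reason})")
    return d
```

With this policy a staff user who passes MFA can write in the messaging app but is denied an upload to the repository, and both outcomes are recorded in the log.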

Network Services Components

Network services components have multiple connotations, but in the context of enabling efficient SASE architecture, they primarily refer to optimized path selection and application-based routing.

Optimized Path Selection

Optimized path selection involves ensuring the paths of different kinds of traffic are directed to the right resources at the appropriate times. An SD-WAN solution can decide where network traffic goes and how it is managed to ensure a high-quality experience for all users.

Application-based Routing

Instead of deciding what a user is allowed to access based on their location, such as in the office, application-based routing gives them access to the applications they need to do their jobs. This allows a SASE architecture to provide seamless, safe remote access to workers regardless of where they are.

Why SASE Architecture Is Important for the Enterprise

SASE architecture is important for the enterprise because it prevents the kind of latency that results from backhauling employee traffic all the way back to the central data center. While you can house equally effective security features in the data center, the time it takes for transmissions to make that extra hop can preclude the effective use of some applications. Therefore, SASE architecture can be an essential component of many companies’ productivity strategies.

Challenges in Realizing SASE Architecture

One of the biggest challenges in the implementation of SASE architecture is that it does not protect devices when they are not connected to the cloud network. For example, someone could plug a Universal Serial Bus (USB) drive carrying malware into a device, and while the SASE architecture could protect the cloud-based resources, it could not protect the device itself.

Another challenge is employees still need a reliable internet connection with enough bandwidth. If they connect to a weak network, the latency they experience may significantly impact their ability to do their jobs while connected to the SASE system.

How Fortinet Can Help

The Fortinet FortiSASE solution enables distributed, remote workforces to connect to cloud-based applications securely, circumventing the delays created by routing traffic back to a central data center. FortiSASE provides:

  1. FWaaS
  2. DNS protections
  3. Data loss prevention (DLP)
  4. Intrusion prevention system (IPS)
  5. SWG
  6. ZTNA and virtual private network (VPN) capability
  7. Sandboxing

With FortiSASE, remote workers get the same advanced protection they would experience with a hardware security appliance attached directly to their device, regardless of where they are.

FAQs

What is SASE architecture?

Secure Access Service Edge (SASE) architecture refers to a cybersecurity environment that brings advanced protection right out to the farthest edge of the network: the endpoints of users.

What are the components of SASE architecture?

The components of SASE architecture include cloud-hosted security, zero-trust network access (ZTNA) components, and network services components.

Why is SASE architecture essential for enterprises?

SASE architecture is important for the enterprise because it prevents the kind of latency that results from backhauling employee traffic all the way back to the central data center.