Secure Access Service Edge (SASE) Key Requirements

3min. read

A secure access service edge (SASE) brings together networking and network security services in a single cloud-based platform. This way, organizations can embrace cloud and mobility while reducing the complexity of multiple point products as well as saving IT resources, manpower and budget. As you look for vendors to help you on your cloud journey, it is important to understand what a SASE solution encompasses.

The first part of a SASE solution includes networking capabilities an organization already uses. A SASE integrates the following networking features into a cloud-based infrastructure:

  • Software-defined wide area network (SD-WAN) edge devices provide easier connectivity for branch offices. With SASE, these devices are connected to a cloud-based infrastructure, rather than to physical SD-WAN hubs located in other locations. By moving to the cloud, organizations can eliminate the complexity of managing physical SD-WAN hubs and promote interconnectivity between branch offices.

  • Virtual private network (VPN) services incorporated by a SASE solution enable organizations to route traffic through a VPN to the SASE and then to any application in the public or private cloud, delivered via SaaS, or on the internet. Traditional VPN was used for remote access to the internal data center, but not optimized for the cloud.

  • Zero Trust Network Access (ZTNA) applies the Zero Trust philosophy—never trust, always verify—to the cloud by requiring every user to authenticate to access the cloud, restricting access and minimizing the risk of data loss. However, ZTNA products based on a software-defined perimeter (SDP) can lack content inspection capabilities needed for consistent protection. Moving to a cloud-based SASE infrastructure eliminates the complexity of connecting to a gateway. Users, devices and apps are identified no matter where they are connecting from, and the ZTNA concept of protecting applications can be applied across all services, including data loss prevention (DLP) and threat prevention. 

  • Quality of service (QoS) is an important tool for organizations to prioritize critical apps and services over others. A SASE solution incorporates QoS in the cloud, allowing you to easily mark latency-sensitive applications, such as voice over IP programs, as priorities over general internet browsing and entertainment apps.

The second part of SASE incorporates the network security service tools organizations rely on. In a comprehensive SASE solution, the following security services are delivered through cloud-based infrastructure:

  • Domain Name System (DNS) security protects an organization’s users by predicting and blocking malicious domains. Within a SASE solution, DNS security features provide consistent security across the network and users no matter their location.

  • Firewall as a service (FWaaS) provides next-generation firewall features in the cloud, removing the need for physical hardware at branch and retail locations. SASE integrates FWaaS into its cloud-based platform, allowing simplified management and deployment.

  • Threat prevention is crucial for protecting organization data and employees. With so many different technologies needed to protect different parts of your organization, it is difficult to manage and get a holistic view of your organization’s threat risk. SASE integrates all these point products and services into its cloud-based platform, providing simplified management and complete visibility into all the threats and vulnerabilities throughout your network and cloud environments.

  • Secure web gateways (SWG) prevent employees and devices from accessing malicious websites, enforce acceptable use policies before users can access the internet, and block inappropriate content. A SASE solution includes SWG to protect users no matter their location. 

  • Data loss prevention (DLP) protects sensitive data from being shared or misused by authorized users and alerts key stakeholders when policies are violated. DLP is useful for organizations that need to maintain compliance with regulations, such as HIPAA, PCI and GDPR. With a SASE, DLP tools are integrated into the cloud platform, eliminating the need for a separate DLP gateway. In a SASE solution, DLP should be applied in-line as well as search data at rest, whether in cloud- or SaaS-based data storage.

  • Cloud access security broker (CASB) technology gives organizations visibility into where their data resides (SaaS apps), enforces company policies for user access and protects data against unauthorized access. CASBs provide a gateway for your SaaS provider to your employees through cloud-based security policies. SASE integrates CASB services into a single cloud-based platform so stakeholders can easily manage access to apps and data.

A SASE solution combines networking solutions and security services into a unified, cloud-based platform. As your organization grows and adds more security products in the mix, consider consolidating to a comprehensive SASE solution to benefit from:

  • Greater business agility and speed

  • Reduced complexity 

  • Consistent security designed to stop cyberattacks

Learn more about these SASE requirements in our e-book, The 10 Tenets of an Effective SASE Solution.


Palo Alto Networks Blog: Next-Generation Network Security Is Cloud-Delivered

Gartner report: The Future of Network Security Is in the Cloud