Secure Access Service Edge (SASE) Key Requirements

3 min. read

A secure access service edge (SASE) brings together networking and network security services in a single cloud-based platform. This way, organizations can embrace cloud and mobility while reducing the complexity of dealing with multiple point products as well as saving IT, financial and human resources. As you look for vendors to help you on your cloud journey, it is important to understand what a SASE solution encompasses.

The first part of a SASE solution includes networking capabilities an organization already uses. SASE integrates the following networking features into a cloud-based infrastructure:

  • Software-defined wide area network (SD-WAN) edge devices provide easier connectivity for branch offices. With SASE, these devices are connected to a cloud-based infrastructure rather than to physical SD-WAN hubs located in other locations. By moving to the cloud, you can eliminate the complexity of managing physical SD-WAN hubs and promote interconnectivity between branch offices.

  • Virtual private network (VPN) services incorporated by a SASE solution enable you to route traffic through a VPN to the SASE solution, and then to any application in the public or private cloud, delivered via Software as a Service (SaaS), or on the internet. Traditional VPN was used for remote access to the internal data center, but it is not optimized for the cloud.

  • Web proxying provides an alternate means of securely connecting users to applications by inspecting web-based protocols and traffic. Proxies were historically used for web security enforcement, but due to their inherent security limitations, they are now seen as an architectural alternative for device traffic that cannot be fully inspected (e.g., personal devices that cannot accept an endpoint agent to force all web and non-web traffic through security inspection). When implemented as part of a SASE solution, proxies can offer organizations with legacy architectures an easier way of adopting the more robust security capabilities SASE has to offer. 

  • Digital Experience Monitoring (DEM) provides insight into the entire service delivery path between users and applications. These technologies synthesize real-time and simulated user traffic data to enable IT administrators to identify and remediate connectivity failures that may negatively impact a user’s remote work experience.     

The second part of SASE incorporates the network security service tools organizations rely on. In a comprehensive SASE solution, the following security services are delivered through a cloud-based infrastructure:

  • Zero Trust Network Access (ZTNA) applies the Zero Trust philosophy—never trust, always verify—to the cloud, requiring every user to authenticate to access the cloud, restricting access and minimizing the risk of data loss. However, ZTNA products based on a software-defined perimeter (SDP) model can lack content inspection capabilities needed for consistent protection. Moving to a cloud-based SASE infrastructure eliminates the complexity of connecting to a gateway. Users, devices and apps are identified no matter where they connect from, and the ZTNA concept of protecting applications can be applied across all services, including data loss prevention (DLP) and threat prevention.

  • Firewall as a service (FWaaS) provides next-generation firewall features in the cloud, removing the need for physical hardware at branch and retail locations. SASE integrates FWaaS into its cloud-based platform, allowing simplified management and deployment.

  • Secure web gateways (SWG) prevent employees and devices from accessing malicious websites, enforce acceptable use policies before users can access the internet, and block inappropriate content. A SASE solution includes SWG to protect users no matter their location.

  • Data loss prevention (DLP) protects sensitive data from being shared or misused by authorized users and alerts key stakeholders when policies are violated. DLP is useful for organizations that need to maintain compliance with regulations, such as HIPAA, PCI DSS and GDPR. With a SASE solution, DLP tools are integrated into the cloud platform, eliminating the need for a separate DLP gateway. DLP should be applied inline as well as search data at rest, whether in cloud- or SaaS-based data storage.

  • Cloud access security broker (CASB) technology gives organizations visibility into where their data resides, enforces company policies for user access and protects data against unauthorized access. CASBs provide a gateway for your SaaS provider to your employees through cloud-based security policies. SASE integrates CASB services into a single cloud-based platform so stakeholders can easily manage access to apps and data.

A SASE solution combines these networking solutions and security services into a unified, cloud-based platform. As your organization grows and adds more security products in the mix, consider consolidating to a comprehensive SASE solution to benefit from:

  • Greater business agility and speed
  • Reduced complexity
  • Consistent security designed to stop cyberattacks

Learn more about these SASE requirements in our e-book, The 10 Tenets of an Effective SASE Solution.


Palo Alto Networks blog: The Next-Generation of Network Security Is Cloud-Delivered

SASE for Dummies

Forrester TEI Spotlight Report

Gartner’s 2020 Market Guide for Zero Trust Network Access