What Is SASE and How Can It Benefit Federal Agencies?

A secure access service edge architecture can help agencies secure their environments in a world of distributed work.

As federal agencies make progress on shifting to zero-trust architectures, they are also facing a future in which they will allow telework much more often than before the coronavirus pandemic.

Those two factors (the need to move away from a perimeter-based cybersecurity approach toward a data-centric one via zero trust, and a world in which employees can access the enterprise from nearly anywhere) make for a complicated security picture.

One avenue that agencies can take, and are taking, to help with both developments is secure access service edge, or SASE. This relatively new security architecture can enhance agencies’ cybersecurity, particularly for users engaged in remote work.

What Is SASE?

The research firm Gartner coined the term SASE in 2019. At its heart, it combines several different security and networking elements to enhance security in a world where cloud access and applications are ubiquitous.

Some of the common core ingredients of a SASE framework are software-defined wide-area networking (SD-WAN), zero trust, cloud access security brokers (CASBs) and Firewall as a Service.

According to Gartner, SASE combines those elements and delivers them as a service “based upon the identity of the entity, real time context and security/compliance policies.”

Or, as Robert Herriage, manager of enterprise networking and the SASE practice at CDW, puts it in a blog post, SASE is “an architecture that connects users to applications — regardless of location, in an effective manner and with corporate security controls and policies in place. Instead of traffic having to traverse the security stack in on-premises appliances, it is directed to the service, which performs any necessary inspections and then allows or disallows the traffic, depending on policy.”

Earlier this year, Gartner added a new, related term to the mix, known as security service edge, or SSE.

“A good way to view SSE is a term describing the evolving security stack that sustains the SASE journey — more specifically, a set of capabilities necessary to achieve the security SASE describes, focusing on core platform requirements including cloud access security broker (CASB), secure web gateway (SWG), and zero trust network access (ZTNA),” Jason Clark, chief strategy and marketing officer at Netskope, writes in a company blog post.

According to Clark, Gartner predicts that by 2025, at least 60 percent of enterprises will have “explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020.”

“A comprehensive SSE solution provides organizations with the full set of security technologies they need to provide employees, trusted partners and contractors secure remote access to applications, data, tools and other corporate resources, and monitor and track behavior once users access the network,” Palo Alto Networks notes in a post on its site.

Benefits of SASE Architecture

There are many benefits agencies can gain by deploying SASE. As Forcepoint notes on its site, those include protecting workers anywhere against advanced threats and preventing data loss wherever data is used, from the endpoint to the cloud.

Jack Wang, a principal security solution architect at CDW, writes in a blog post that there are five key benefits of SASE. They include:

  1. Simplified and highly sophisticated approach to network connectivity: “In a traditional office-based workforce model, secure connectivity was simple. Organizations built a strong network perimeter and placed their sensitive systems and information within that perimeter,” Wang writes. “They connected remote locations using a combination of VPN and multiprotocol label-switching technology, but those technologies proved difficult to maintain. SASE embraces SD-WAN technology that simplifies the end-user experience.”
  2. Distributed enforcement of security policies: SASE helps agencies avoid making investments in traditional firewall technology and prevents agencies from having a single point of failure in their network monitoring. “SASE distributes policy enforcement closer to where users are before data traffic enters the corporate network,” Wang writes. “The enforcing point is often delivered in the cloud, so there is no hardware to install, which makes scaling and management easy.”
  3. Facilitation of consistent security policies: This point is especially valuable for agencies with distributed workforces, which are becoming more common as agencies embrace hybrid work. It’s also crucial for enabling zero-trust cybersecurity, in which users’ identities need to be verified and authenticated before they can access network resources. “The SASE model simplifies the administrative burden of deploying appropriate security policies to each endpoint based on a user’s identity and location,” Wang writes.
  4. Centralized visibility into user and device behavior: This is another area where SASE helps with the shift to zero trust. “A SASE approach offers aggregation of security information, enabling teams to quickly correlate information from multiple systems, gain insight into security events and improve their ability to troubleshoot connectivity problems,” Wang writes.
  5. Scalable and easily managed solutions: “SD-WAN’s template-based configuration and automated deployment methods simplify the connection of branch offices and remote locations,” according to Wang. “Furthermore, SASE’s security technologies leverage the cloud, reducing the need to deploy and manage physical firewalls at branch offices. This also reduces the overhead on IT teams and provides easy scalability without large capital expenditures.”

Is SASE a VPN?

SASE is a much more comprehensive security architecture than a mere VPN, though it includes elements of a VPN’s function of securely connecting remote users to an enterprise network and applications.

SASE includes VPN services, Palo Alto Networks notes in a blog post. An agency can “route traffic through a VPN to the SASE solution, and then to any application in the public or private cloud, delivered via Software as a Service (SaaS), or on the internet.”

“Traditional VPN was used for remote access to the internal data center, but it is not optimized for the cloud,” the post adds.

How Is SASE Being Used by Federal Agencies?

Federal agencies are incorporating SASE into their overall security architectures, especially as they move to zero trust.

The Department of Homeland Security, for example, plans to replace its VPN with SASE cloud services, FedScoop reports.

“That is probably the first real, meaningful way to start implementing some hard, zero-trust access control policies and really lock down your agency,” Alma Cole, CISO of Customs and Border Protection, said earlier this year, according to FedScoop.

The Defense Information Systems Agency earlier this year released a request for information in which the agency said it was planning to procure tools and systems to assist in deploying zero-trust SASE capabilities, integrated SD-WAN technology and “Customer Edge Security Stacks and Application Security Stacks” on both the classified and unclassified elements of the Defense Department’s networks.

The federal government plans to implement zero-trust concepts within the SASE security framework, according to the RFI. “These are new operational capabilities for the DOD that will significantly improve routing and security services,” the RFI states. “The Government intends to prototype several tools and processes through the execution of this project leveraging commercial best practices where applicable.”