Secure Access Service Edge (SASE) is a relatively new cybersecurity concept first described by business consulting and analysis firm Gartner in August 2019.
It is a way to simplify wide-area networking and security by packaging both as a single cloud service delivered directly to a device, edge computing location, branch location, or user instead of relying on an enterprise data center.
This setup ensures the protection of apps with a cloud-based and always-available security stack whose performance is not entirely dependent on the resources of the devices or services being secured.
SASE provides an agile framework to comprehensively protect applications and data. It is not necessarily the solution that would facilitate the adoption of the shift-left movement, wherein security is incorporated at the early stages of software development. SASE is not designed to compel developers to put up security controls and mechanisms as they build their apps. However, its driving principles can guide how to develop secure software.
Key SASE features
Before going into the principles that can benefit secure software development, here’s a look at the highlighted features that define SASE. First, it is a combination of two distinct solutions that ensure secure and reliable connections for apps, namely software-defined WAN (SD-WAN) and security service edge (SSE). These improve the agility and reliability of connections and bolster network performance, especially for organizations that operate branch offices and have remote workers. With SD-WAN and SSE for all operations of an organization (across different geographical locations) handled by a single solution, security becomes more consistent and easier to manage.
Another vital feature of SASE is its cloud-native design and software-driven approach. It brings together several functions that protect apps and other assets as they go online. These include firewall-as-a-service, web gateways that maximize cloud security, and security brokers for cloud access. This unification of different security tools maximizes security benefits for organizations that rely on the cloud for their everyday operations.
Moreover, SASE is notable for zero-trust network access (ZTNA), which supplants conventional remote access security to ensure that trust is explicit, not presumed or implicit. It also features integrated advanced threat prevention to fend off emerging and unknown threats through technologies such as sandboxing, traffic inspection, and intrusion prevention systems (IPS).
SASE principle #1: Secure-by-design
Developers have full control over the software they build. As such, it makes perfect sense to bake security into the software itself whenever and wherever applicable. Doing this ensures that security controls are always present and cannot be easily switched off by users, let alone hackers. Examples of these security functions are encryption, session management, user authentication, input validation, cross-site request forgery protection, content security policy, and constant logging and monitoring. Also, developers should ensure secure API design, since APIs are becoming popular targets among persistent threat actors nowadays.
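As an added illustration (not code from the original article), the sketch below builds two of the listed controls, cross-site request forgery protection and a content security policy, into a Python WSGI wrapper that offers no setting to turn them off. The `sid` cookie name, the `X-CSRF-Token` header, and the policy string are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # constructed; load from a secret store in practice
CSP = "default-src 'self'; frame-ancestors 'none'"  # assumed policy for the example
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_token(session_id: str) -> str:
    """CSRF token bound to one session via HMAC-SHA256."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def session_from(environ) -> str:
    """Read the hypothetical 'sid' session cookie from the request."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookie["sid"].value if "sid" in cookie else ""


def secure_by_design(app):
    """Wrap a WSGI app. There is deliberately no flag that turns the checks off."""
    def wrapped(environ, start_response):
        if environ["REQUEST_METHOD"] not in SAFE_METHODS:
            # State-changing request: the token must match this session.
            sid = session_from(environ)
            sent = environ.get("HTTP_X_CSRF_TOKEN", "")
            ok = bool(sid) and hmac.compare_digest(
                sent.encode(), csrf_token(sid).encode())
            if not ok:
                start_response("403 Forbidden", [("Content-Security-Policy", CSP)])
                return [b"CSRF check failed"]

        def enforce_csp(status, headers, exc_info=None):
            # Replace whatever CSP the inner app set with the fixed policy.
            kept = [(k, v) for k, v in headers
                    if k.lower() != "content-security-policy"]
            return start_response(
                status, kept + [("Content-Security-Policy", CSP)], exc_info)

        return app(environ, enforce_csp)
    return wrapped
```

Because the wrapper rewrites the header on the way out, an inner handler that sets a looser policy still ships the fixed one.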
SASE principle #2: Software-defined security
In addition to implementing the secure-by-design principle, developers can also make more secure apps by adopting software-defined security. This entails the segregation of networking logic from the underlying hardware components. Developers can optimize connection routes (either from site-to-internet or site-to-site) by defining in the software itself the way traffic moves to its intended destination.
SASE principle #3: Zero-trust
One of SASE’s crucial components is zero-trust network access (ZTNA), which ensures that security is applied to everything and everyone regardless of their role in the system or organization. For instance, when handling remote access connections, all traffic is subjected to strict security inspection. Not even the CEO or other management-level users are granted certain privileges unless they are fully authenticated and the request for access is justified. This may sound inconvenient for some, but it is necessary to ensure security, especially in the face of more sophisticated and aggressive social engineering attacks.
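The rule that seniority alone grants nothing can be expressed as a deny-by-default access decision. The following Python sketch is an added example, not part of the original article; the policy entries, role names, and the 15-minute re-authentication window are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: explicit grants per (role, resource, action).
# Anything not listed is denied, whatever the requester's seniority.
POLICY = {
    ("finance-analyst", "payroll-db", "read"),
    ("ceo", "board-reports", "read"),
}
MAX_AUTH_AGE = 15 * 60  # assumed window (seconds) before re-authentication


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified: bool   # identity proven with a second factor
    auth_time: float     # epoch seconds of the last authentication
    justification: str   # ticket or reason supplied with the request


def decide(req: Request, now: float) -> tuple:
    """Return (allowed, reason). Every check must pass; the default is deny."""
    if not req.mfa_verified:
        return False, "not fully authenticated"
    if now - req.auth_time > MAX_AUTH_AGE:
        return False, "authentication too old"
    if not req.justification.strip():
        return False, "no justification given"
    if (req.role, req.resource, req.action) not in POLICY:
        return False, "no explicit grant"
    return True, "explicit grant matched"


def audit_line(req: Request, now: float) -> str:
    """Format the decision for the log so denials are reviewable later."""
    allowed, reason = decide(req, now)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} user={req.user} role={req.role} " \
           f"target={req.resource}:{req.action} reason={reason}"
```

A fully authenticated CEO asking for `payroll-db` is still denied here, because no grant names that role for that resource.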
SASE principle #4: Cloud-native security
As mentioned, SASE has several cloud-native defenses like firewall-as-a-service, secure web gateway, and cloud access security broker. These are designed to address new kinds of threats that take advantage of the growing prominence of cloud services and the inability of many organizations to keep up with the security requirements that come with cloud adoption. Cloud solutions provide the benefits of scalability and flexibility, something apps can benefit from from the very beginning. Instead of switching to cloud-native solutions over time, developers can make their apps ready for cloud-native security and optimize defenses against cloud-targeted threats from the get-go.
SASE principle #5: Harmonious integration of security solutions
SASE serves as a good example of how the integration of different solutions results in significantly improved outcomes. Developers should consider using as many applicable security functions as possible, provided that they can work harmoniously and not result in conflicts that impact efficiency. Relying on basic protection no longer suffices given the growing complexity and insatiable aggressiveness of threat actors. Integrating different security technologies such as sandboxing, IPS, malware protection, and traffic inspection can radically enhance app security. Of note, SASE may be integrated directly into an app (through an API) to take advantage of tried-and-tested third-party cloud-native and edge security functions.
SASE principle #6: Reduced costs and overhead
SASE’s efficiency can be translated into ways to reduce the costs and overhead of app security. The consolidation of different security tools and services enables efficiencies that would otherwise be hampered by the difficulties of managing disparate security tool dashboards. Developers can formulate, test, tweak, and further improve the security features of their apps during the development process instead of having an entirely separate phase for security testing. This is particularly important in the context of the need for cloud-native security, which can be difficult to implement for apps that were built without taking cloud challenges into account.
SASE principle #7: Compliance
This is not exactly an explicit guiding principle for SASE, but compliance with existing security regulations and laws is generally expected from SASE solutions. This is something developers can also keep in mind as they build their apps. It pays to adhere to best practices and regulatory requirements before proceeding with any app development project, especially if the app is intended for use in healthcare, finance, e-commerce, and other highly regulated industries.
Secure Access Service Edge is not just a cybersecurity solution organizations can adopt to ensure security, especially with their multi-location operations and remote work arrangements. It can also impart useful insights on adopting secure-by-design and software-defined security, the integration of different tools, cloud-native security, and the logic of embracing zero-trust systems. SASE may not be directly made a component of an app, but developers can configure their apps to use SASE solutions if applicable. It is something developers should find useful to get acquainted with, given the growing prominence of the cloud and the threats aimed at it.