What is SASE? Exploring the reality behind the buzzword
Morgan Cyber. Reading time: 5.5 mins
You may have heard the term ‘SASE’ (Secure Access Service Edge) cropping up more and more in your conversations around cybersecurity and IT strategy over the past few years. It’s one of those terms that gets thrown around a lot but what is it… really?
Is it groundbreaking technology? Yet another new ‘best practice’ framework? Or just a clever marketing term that is slowly but relentlessly advancing from sales pitch decks and into day-to-day language?
Let’s strip away the jargon and get to the core of what SASE actually is to answer the most important question; Can it be utilised in my business to drive security, usability, reliability, and value?
At its core: SASE is about secure connectivity
Let’s start from a basic, non-technical perspective. SASE is, at its simplest, a firewall. A firewall that ensures your users are secure and protected against online threats no matter where they are working from.
That could mean:
- Working from home
- Traveling between your or a customer’s sites
- Operating from a regional office or a temporary network
- Accessing corporate systems while on the move in an airport or coffee shop
Sounds great. But what problem is SASE actually solving?
Traditional security was built around the idea that users operate inside a corporate network, with centralised data centres protected by firewalls and VPN’s. But in today’s world, users are not commuting into a single ‘head office’ space. They are everywhere, often not ending the day in the same location they started it, and are accessing cloud services without ever touching on premise infrastructure.
This is the problem SASE solves. In this new landscape where traditional network perimeters are no longer relevant for many organisations, SASE is moving this perimeter to the cloud, offering a way to apply consistent and reliable security policies that protect people and data regardless of their location by wrapping security around the individual user or device, without needing to install or maintain complex hardware in every location.
No, wait. ‘Integrating’ is a better word to use than ‘wrapping’. Wrapping has connotations of restricting movement, which is the opposite of what SASE achieves. This is important because while effective security is crucial, systems are being used by employees all of the time, so SASE must also deliver on a day-to-day operational level too.
Cloud-based firewalls from a technical perspective
As explained, SASE is essentially a set of firewalls hosted in the cloud. These cloud firewalls act as gatekeepers for your users and devices, enforcing policies like content filtering, malware inspection, and access control.
Users can connect to these firewalls in different ways, depending on where the device is located:
Office-Based
For devices located in an office, the user can connect directly to the cloud firewall using a site-to-site VPN. This VPN can be terminated on a simple router, which means:
- You don’t need expensive, full-featured firewalls in every office.
- You don’t need to worry about managing these complex pieces of hardware and licensing across multiple locations.
- You still maintain centralised visibility and control.
This approach works well with smaller offices or branches, where devices only need access to limited centralised services. However, if your site needs to host its own services or requires devices to talk to each other locally, you’ll likely still need a dedicated firewall on-site. If you are running a hybrid environment however, there are ways to connect on premise firewalls into most SASE platforms.
- Remote or mobile users
Here, there are a couple of common connection methods
Option 1: VPN Connection
A VPN can be installed on the user’s device, connecting them back to the cloud firewall. The most secure and user-friendly option is an always-on VPN, where the connection is automatically established when the device powers on. An on-demand VPN, which is activated manually by the user may be cheaper, but you are then reliant on human behaviour for your security, and this could allow a user or malicious actor to deliberately bypass your security controls.
Option 2: Authenticated Proxy
Another approach is configuring the device to route web traffic through an authenticated proxy. This ensures that all traffic goes through the cloud firewall for inspection and policy enforcement.
The downside? Only traffic that’s proxy-aware (mainly web traffic) will be monitored this way. Other types of traffic like file shares, voice calls, or applications may bypass your protection unless you have additional security tools in place.
If you have responsibility for a large number of mobile devices, or you operate a BYOD policy, authenticated proxy’s are worth considering, but it’s important to weigh convenience against potential security gains
Embracing SASE means giving up some control… but gaining on reliability, scaling, and maintenance
From an IT professional’s point of view, SASE is a firewall you don’t fully control.
You don’t get direct access to a full set of management tools, and you likely won’t have the same configuration options you’d get with an on-premises firewall. The SASE interface is designed to remove complexity, but the price of that is some limits to flexibility.
But here’s the trade-off:
- High Availability: Your vendor takes care of uptime, clustering, and fail over.
- Automatic Scaling: Performance automatically adapts to your growing or shrinking demand.
- Zero Maintenance: Patch management, firmware updates, and back end infrastructure that would have been your responsibility (and cost) with an on-premise firewall are now all covered for you.
So, you’re giving up some control in exchange for ease of management, better scalability, and faster deployment.
Maturity and limitations
While it is built on existing technologies like VPNs and firewalls SASE is a relatively new technology and is still evolving.
The firewalls running behind the scenes may be battle-tested virtualised versions of existing products. But the SASE management interface and the way features are exposed to users are still catching up. All the basics are normally there but if you are doing anything bespoke it might be worth running a proof of concept.
Exposing the full capability of a firewall via a cloud-native portal will take time and development effort, but this should not be a reason to immediately dismiss its potential at your organisation. The surfacing of whether SASE could make a difference within your environment can be accurately achieved with a member of the Morgan Cyber Solutions team on a single call.
Yes, some vendors (particularly challengers) could rush their development to compete and get to market quickly. However, we’ve all seen what happens when software is rushed to market, and the big players like Fortinet or Palo Alto are not in the business of putting their well-earned reputation on the line unnecessarily. Stable, secure code should always win over speed, especially in production environments.
So, is SASE right for you?
SASE is not a silver bullet, but it is a powerful option for many modern businesses. It shines when you need:
- Consistent security for a mobile or hybrid workforce
- Simplified IT infrastructure across multiple smaller sites
- Simple, centralised management with reduced operational overhead
- Scalable protection without the headaches of patching and hardware upgrades
It may not replace your on-prem firewalls overnight, especially in large data centres or complex IoT environments. But it can complement them, provide coverage where traditional solutions fall short, and help you adopt a more cloud-native, agile approach to security.
Final thoughts
So yes, “SASE” might have started life as a marketing buzzword. But behind the hype is a very real shift in how businesses think about network security. The perimeter has moved. Your users are everywhere. And the old castle-and-moat model no longer works. New thinking and ideas are without a doubt needed and SASE is just that.
SASE offers a practical, scalable solution to modern problems. Just be clear about what it can and can’t do. Choose the right tool for the right job, ask if you are unsure and you’ll be on a path toward simpler, more secure connectivity for your entire organisation.
How Morgan Cyber Solutions can help
- Navigating vendor complexity: It goes without saying that choosing the right vendor will underpin your entire SASE strategy. We deliberately work with multiple providers and will always take the time to understand your organisation before recommending a particular solution.
- Ensuring comprehensive coverage: While SASE offers a consolidated approach, certain scenarios may require a mix of cloud-driven and on-premises solutions to ensure seamless networking and security. We will clearly explain where SASE can be used, and where it can’t.
- Addressing tool sprawl: Transitioning to a SASE model will likely render some existing tools redundant. We will identify and mitigate these redundancies to prevent fragmented capabilities and ensure a cohesive and secure technological infrastructure.
- Be the trusted outside eye: Constructively reviewing projects is a proven way to improve performance, capability, and morale. Your team or an existing contractor may have already implemented your SASE solution, and have probably done a brilliant job. However, a fresh pair of eyes from experts in this specific technology will often spot an oversight, introduce fresh ideas, or suggest a real-world efficiency win, turning a good result into a great one.
