In 2019, Gartner defined a new cloud-delivered, multifunction architecture and service model called Secure Access Service Edge, or SASE (pronounced "sassy"). SASE bundles a wide variety of services, primarily software-defined network access, cloud service access management, VPN replacement and cloud access security broker services. One of its more intriguing capabilities is identity-driven access management, as opposed to traditional controls and services keyed to network location.
SASE expands the definition of identity
The first major shift in the way SASE approaches access management is its definition of what constitutes an identity in the first place. The traditional concept of identity still applies -- users, groups and role assignments -- but edge locations, distributed WAN branches and other network origins are treated as identities as well. In a cloud-focused enterprise, secure access decisions should be centered on the identity of the entity at the source of the connection, whether that is a user, a device, a branch office, an IoT device or an edge computing location.
How SASE interpretation of identity affects its policies
The identity of the users, groups, devices and services in use remains the primary element of SASE identity access policies. SASE identity policies are also evolving to draw on additional sources of context that factor into policy decisions and enforcement: some combination of the identity's location, the time of day, and the security posture or trust validation of the device. The sensitivity of the applications and data that the entity is trying to access may be considered as well.
These factors let organizations develop and refine a more granular least-privilege strategy in which access is strictly enforced. The promise of SASE identity policies is that organizations can control interactions with resources based on a richer set of relevant attributes, including the application being accessed, the identity of the entity and the sensitivity of the data involved. One caveat a practitioner should keep in mind: context such as location or time of day is cheap to forge, so it is better used to raise the assurance demanded of a session (step-up authentication, tighter inspection) than to grant access on its own.
How SASE fits into a larger identity and access evolution
A shift in the security and identity landscape has been underway for some time; zero-trust network access and microsegmentation driven by application and identity affinity policies are evidence of it. Historically, this shift was largely confined to internal infrastructure, such as segmenting workloads inside the data center. It has since broadened into a general access control methodology that applies identity-based controls to entire office locations, remote users, IoT devices and more.
The SASE model aims to improve significantly on classic access strategies built solely on network information, which can be complex to set up and maintain: lists of IP addresses and ranges, for example, or network edge devices with rigid connection methods.
This shift to policies oriented around application, data, device and user affinity may streamline the creation and management of access policy. Once an entity is authenticated and authorized to access a resource, the SASE service acts as a VPN-like broker and protects the entire session, regardless of where it originates or what it connects to. In keeping with zero trust, SASE systems should offer flexible options to encrypt sessions end to end. Note, though, that the content inspection described next requires the broker to decrypt traffic at its point of presence, so in practice the encryption runs client-to-broker and broker-to-application rather than as one unbroken tunnel between client and application. Options should also layer in web application protection, API inspection and security assessment, content inspection for data loss prevention and any of a variety of other security services in the brokered access model.
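The following is an added example, not code from Gartner or from any SASE vendor, that illustrates two things from the sections above: the identity-and-context policy (group membership, device posture, location, time of day, data sensitivity) and why such a policy behaves differently from the IP-range allowlists it replaces. The attribute model, the application policies in `APP_POLICY`, the decision names and every sample user, device and address in `SAMPLES` are hypothetical and constructed for illustration.

```python
"""Identity-driven, context-aware access decisions beside a legacy IP allowlist.

Added example for this article, not vendor or Gartner code. All policies,
users and addresses below are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Legacy, network-centric control --------------------------------------
# Hypothetical corporate ranges: anything inside is trusted, anything outside
# is not, whoever or whatever the endpoint actually is.
CORP_RANGES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]


def legacy_ip_acl(source_ip: str) -> bool:
    """Allow purely on the packet's source address."""
    addr = ip_address(source_ip)
    return any(addr in net for net in CORP_RANGES)


# --- Identity-driven control ----------------------------------------------
@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset       # group/role assignments asserted by the IdP
    device_trust: str       # posture result: "low" | "medium" | "high"
    location: str           # country the session originates from
    network: str            # "branch" | "home" | "public" (airport, cafe)
    hour: int               # local hour at the edge, 0-23
    source_ip: str          # kept only as context; it is not the identity
    app: str


TRUST_RANK = {"low": 0, "medium": 1, "high": 2}
SENS_RANK = {"public": 0, "internal": 1, "confidential": 2}

# Per-application policy (hypothetical). Data classification comes from the
# resource side, never from the requester. 'regions' None means any region.
APP_POLICY = {
    "crm":  {"groups": {"sales"}, "sensitivity": "confidential", "regions": {"US", "CA"}},
    "wiki": {"groups": {"staff"}, "sensitivity": "internal", "regions": None},
}


def evaluate(req: Request) -> tuple[str, str]:
    """Return (decision, reason): 'allow', 'step_up' (proceed only after MFA,
    with full content inspection) or 'deny'. Hard denials are checked before
    step-up conditions, so a request never gets a softer answer than the
    strictest rule it trips."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", "unknown application (default deny)"
    if policy["groups"] and not (req.groups & policy["groups"]):
        return "deny", f"{req.user} holds no group authorised for {req.app}"
    if policy["regions"] and req.location not in policy["regions"]:
        return "deny", f"{req.app} is not served in region {req.location}"

    # Device posture must meet the floor for the data tier being touched:
    # one tier short means step up, two tiers short means deny.
    shortfall = SENS_RANK[policy["sensitivity"]] - TRUST_RANK[req.device_trust]
    if shortfall >= 2:
        return "deny", f"{req.device_trust}-trust device may not touch {policy['sensitivity']} data"
    if shortfall == 1:
        return "step_up", "device posture one tier below data sensitivity"

    # Contextual signals: they do not change who the user is, only how much
    # assurance the session must provide.
    if req.network == "public" and policy["sensitivity"] != "public":
        return "step_up", "public network: require MFA and inspect content"
    if policy["sensitivity"] == "confidential" and not 6 <= req.hour < 20:
        return "step_up", "confidential data outside business hours"
    return "allow", "identity, posture and context satisfy policy"


# Constructed sample requests (not real users or addresses).
SAMPLES = {
    # Sales rep on a managed laptop at home: the IP allowlist refuses her,
    # identity and posture say allow.
    "rep_at_home": Request("alice", frozenset({"sales", "staff"}), "high",
                           "US", "home", 10, "198.51.100.7", "crm"),
    # Contractor on a branch LAN: the IP allowlist lets him in, identity
    # policy does not, because he holds no CRM group.
    "contractor_on_lan": Request("bob", frozenset({"contractor"}), "high",
                                 "US", "branch", 10, "10.1.2.3", "crm"),
    # Same rep, same device, from an airport: step up and inspect.
    "rep_at_airport": Request("alice", frozenset({"sales", "staff"}), "high",
                              "US", "public", 10, "192.0.2.44", "crm"),
    # Rep on a personal phone with low posture: two tiers short, deny.
    "rep_low_trust": Request("alice", frozenset({"sales", "staff"}), "low",
                             "US", "home", 10, "198.51.100.7", "crm"),
    # Staff member reading the internal wiki from home at night: fine.
    "staff_wiki_night": Request("carol", frozenset({"staff"}), "medium",
                                "DE", "home", 23, "198.51.100.9", "wiki"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        decision, why = evaluate(req)
        print(f"{name:18} ip_acl={legacy_ip_acl(req.source_ip)!s:5} "
              f"identity={decision:8} ({why})")
```

Running the block prints the two answers side by side for each sample. The point to notice is the first two rows: the allowlist admits the contractor because of where he is plugged in and refuses the sales rep because of where she is not, while the identity policy decides the opposite from who and what is asking. Ordering the checks so that denials come before step-ups is deliberate; otherwise a low-posture device on a public network could be offered MFA for data it should never reach.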
How the SASE model makes organizations more secure
Effective application of SASE services should mitigate a variety of attacks. With strong, unified policy management, organizations can build and maintain more thorough validation of branch office connections, approved IoT devices, and edge services and locations. Because a connection is no longer trusted merely for where it comes from, this should help curtail some man-in-the-middle interception attacks, spoofing scenarios and malicious traffic.
End users benefit from this model too. Leading SASE providers encrypt all traffic from remote devices, regardless of location, and can apply more rigorous inspection policies when a session originates on a public network, such as at an airport or coffee shop. Depending on the identity of the user and the originating device, privacy controls can be better enforced by routing traffic to points of presence in specific regions.
The move to building access models around identity will take time, and it will require substantial initial effort to retire access models based on IP addresses. But the ends may justify the means: SASE identity policies promise to make security operations more efficient and attacks harder for adversaries at the same time.