Intro

SASE shifts network security perimeter controls to the cloud, enhancing them to be faster, more application- and user-aware, and data-centric. It represents a new architectural approach to security and networking that organizations, like yours, will find beneficial. SASE addresses the need for a refreshed security and networking model in a cloud-centric world, highlighting key transformations in security, networks, applications, and data protection.

In practical terms, SASE integrates suites of security and networking services. These services are designed not only to provide users with secure cloud access but also to continuously monitor the activities, devices, and applications they use, ensuring data security at all times and across every access point without impacting the user experience.

Making sense of SASE Math 101

Welcome to the world of SASE Math, where we combine key technology elements like assembling colorful building blocks. When snapped together in the right order, they form a strong, secure, and efficient architecture. Here’s the foundation:

  • Secure Web Gateways (SWGs): SWGs act as the guardians of the web. They first inspect a website, checking its content for safety before letting you in. Think of them like a skilled surfer who tests the waves, ensuring the waters are safe for you to ride.
  • Cloud Access Security Brokers (CASBs): These are the hall monitors of cloud applications, ensuring that only the right people gain access to the right cloud apps and data. They monitor who’s trying to enter, what they’re carrying, and what they’re doing, ensuring everything is secure. Imagine having a personal security detail for your cloud activities, keeping you in the right places with the right access.
  • Zero Trust Network Access (ZTNA): ZTNA is like the bouncer for your private apps. Unlike old-school VPNs, ZTNA uses a smart key approach. Before granting access, the cloud bouncer verifies your identity and security posture, ensuring you enter only where you’re supposed to go. It provides secure, direct access to apps, no matter where you are or what device you’re using.
  • Data Loss Prevention (DLP): DLP tools are like a vigilant librarian who ensures that no sensitive data gets lost, destroyed, or into the wrong hands, safeguarding against data breaches and exfiltration.

Now, let’s combine these elements:

  • SWG + CASB = Next-gen SWG: Merging the web guardian and the hall monitor results in a single, all-encompassing gatekeeper with a cloud focus.
  • Next-gen SWG + ZTNA = Security Service Edge (SSE): Add the vigilant bouncer to create a robust security layer that protects all data pathways.
  • SSE + SD-WAN = SASE: By adding SD-WAN to SSE, you get a smart, security-enhanced traffic manager for your digital environment. SASE becomes an all-knowing, omnipresent tool for handling and securing data traffic.

For additional protection, add:

  • Firewall as a Service (FWaaS): A protective barrier between trusted and untrusted networks, monitoring and controlling incoming and outgoing traffic.
  • Threat Protection: Measures that guard against cyber threats like malware, ransomware, and phishing, ensuring no disguised attacks enter your organization.
  • Remote Browser Isolation (RBI): RBI acts as a chaperone for browsing, rendering websites safely on your behalf without exposing you to potential risks.

That’s SASE Math, where combining the right tech elements creates a secure, efficient, and intelligent digital ecosystem. It’s like playing with your favorite blocks, but these blocks protect your entire digital world!

One key feature of SASE is that every aspect of this architecture is purpose-built for cloud environments. Unlike traditional data center security, which focuses on access control, SASE is designed to understand the intricate connections and data flows in the cloud, providing a more nuanced, secure approach. As you evaluate security and networking options, keep this in mind.

Understanding the role of context in SASE

Context is the core element of SASE, and it is what gives this architecture its depth. Below are the key contextual factors SASE evaluates on every access attempt:

  • The user’s identity
  • The identity and security posture of the user’s device
  • The location, day, and time of the access attempt
  • The type and identity of the accessed applications
  • The nature of the requested data and its storage location
  • The user’s behavior patterns
  • The specific actions the user is attempting within the application

SASE continuously evaluates this dynamic flow of information and applies security based on policies that determine:

  • The service level and type of network services to apply
  • The appropriate traffic encryption methods
  • The necessary data protection levels to prevent misuse
  • The required authentication level
  • Whether specialized security services like a CASB are needed for additional control
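As an added example (not code from the post or from any vendor's product), here is a small policy engine in Python that takes the contextual factors listed above and returns the controls from the second list: the required authentication level, the DLP treatment to apply, and whether the session should be routed through a CASB for deeper inspection. The entitlement table, the expected-country set, the risk threshold and the working-hours window are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample policy data (assumed, not from the post)
APP_ENTITLEMENTS = {"hr-portal": {"hr"}, "crm": {"sales", "finance"}}
EXPECTED_COUNTRIES = {"US", "DE"}

@dataclass
class AccessContext:
    user: str
    groups: set
    device_managed: bool
    device_posture: str   # "healthy" | "out_of_date" | "compromised"
    country: str
    hour: int             # local hour of the attempt, 0-23
    app: str
    data_class: str       # "public" | "internal" | "confidential"
    action: str           # "view" | "download" | "share"
    risk_score: int       # behaviour-analytics score, 0-100

@dataclass
class Decision:
    verdict: str                 # "allow" | "step_up" | "deny"
    auth: str = "sso"            # "sso" | "mfa"
    dlp: str = "monitor"         # "monitor" | "block_download" | "block_all"
    casb_inspect: bool = False   # route the session through the CASB
    reasons: list = field(default_factory=list)

def evaluate(ctx: AccessContext) -> Decision:
    # A compromised device is denied outright, whatever else is true
    if ctx.device_posture == "compromised":
        return Decision("deny", reasons=["device posture: compromised"])
    d = Decision("allow")
    # Unmanaged devices must pass step-up auth and may never download
    if not ctx.device_managed:
        d.auth, d.dlp = "mfa", "block_download"
        d.reasons.append("unmanaged device")
    # Unexpected location or off-hours access raises the auth bar
    if ctx.country not in EXPECTED_COUNTRIES or not 6 <= ctx.hour <= 20:
        d.auth = "mfa"
        d.reasons.append("unexpected location or off-hours access")
    # High behavioural risk: step-up auth plus CASB inspection
    if ctx.risk_score >= 70:
        d.auth, d.casb_inspect = "mfa", True
        d.reasons.append(f"behavioural risk score {ctx.risk_score}")
    # Confidential data: entitled groups only, and never shared out
    if ctx.data_class == "confidential":
        if not ctx.groups & APP_ENTITLEMENTS.get(ctx.app, set()):
            return Decision("deny", reasons=[f"no entitlement to confidential data in {ctx.app}"])
        d.casb_inspect = True
        if ctx.action == "share":
            d.dlp = "block_all"
            d.reasons.append("sharing of confidential data blocked")
    if d.auth == "mfa":
        d.verdict = "step_up"
    return d
```

The `reasons` list is what a SOC analyst would want in the access log: the decision alone says little, while the triggering factors make the policy auditable.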

SASE architecture may seem complex, but when implemented correctly, it simplifies and enhances both your security and network connectivity. With SASE, these evaluations occur in real time, ensuring continuous risk management.

By moving security services from your data center to the cloud, closer to both your vulnerabilities and users, SASE gives you improved visibility and control over all activities, who’s involved, and when. It helps network and security teams transition to support new applications and business models while ensuring secure access to legacy, on-premises applications.

Enabling True Cloud Security

When implemented effectively, SASE has two main objectives:

  • Providing security services across the global edge network to ensure these services are readily accessible to users: This ensures that both users and organizations can consistently rely on this secure network to perform their work safely. By leveraging context-based security policies—such as who the user is and their location—it helps optimize security, reliability, and performance. This approach, delivered through SSE, is akin to ensuring a smooth and secure journey from the parking lot to the airport security checkpoint.
  • Enabling a global edge network that allows users to access cloud services, regardless of their location: This network authenticates users and optimizes their connections to services like SaaS applications, data centers, and more, ensuring a seamless transition to their final destination. Just like guiding passengers from the airport security checkpoint to their departure gate, this capability, powered by both SASE cloud architecture and SD-WAN, ensures an efficient path through the digital landscape.

In upcoming posts, we will take a closer look at the implementation of Palo Alto’s SASE architecture, exploring the overall design and the inner workings of the Palo Alto Prisma solution and detailing each building block. Stay tuned!
