The enterprise landscape is changing, and along with it cybersecurity needs. Employees are increasingly remote, applications are moving to the cloud, and IT infrastructure is becoming more complex, with IoT and mobile devices and branch offices among the many connection points outside of traditional firewalls. To keep up with all these changes, enterprises need a new approach to security.
That’s where secure access service edge (SASE) technology comes in. SASE can create a perimeter between an organization’s private network, which could otherwise be exposed to potential attackers, and public networks like the internet.
Just as on-premises security has been consolidating under broad extended detection and response (XDR) solutions, security outside the firewall is increasingly getting combined into SASE solutions.
What is Secure Access Service Edge (SASE)?
Secure access service edge is a term coined by Gartner that refers to the convergence of network and security services into a single platform delivered as a service. SASE – pronounced “sassy” – consolidates and offers security services from a large-scale cloud network, including cloud access security brokers (CASB), secure web gateways, and firewalls as a service (FWaaS).
This shift is being driven by the need for organizations to provide better security and performance for their remote users. At the same time, they are looking for ways to reduce costs and increase flexibility in managing access to cloud-based applications. SASE provides end-to-end access control across wired, wireless, and mobile networks.
How Does SASE Work?
SASE is a cloud-based security solution that offers a comprehensive set of security tools and services. SASE consolidates these tools and services into a single, easy-to-use platform, making it an ideal solution for businesses of all sizes. It provides the industry’s most advanced authentication, encryption, identity management, and access control features in one unified interface.
With robust reporting capabilities as well as multiple levels of granularity when configuring settings, organizations can make informed decisions on how they want their network secured while also meeting regulatory compliance requirements.
Organizations can quickly define who has access to what data without compromising performance. In addition, SASE helps mitigate insider threats by enabling federated identification to help ensure employees can only see data they have been granted access to.
Components of SASE
SASE includes a suite of enterprise-grade applications and software components that offer an integrated solution for securing remote access. The key components of SASE include:
Software-defined WAN (SD-WAN)
SD-WAN provides secure, high-performance IP connectivity to branch offices, data centers, and other networks across public or private cloud infrastructure. SD-WAN simplifies the design and operation of wide area networks (WAN) by automatically routing traffic based on application type, performance needs, security requirements, cost constraints, quality of service (QoS), and network topology changes — without any manual configuration or changes to applications or the underlying transport network.
SD-WAN enables enterprises to securely extend their existing network to the cloud, public internet, or third-party networks without needing expensive VPN hardware. It is often more cost-effective than MPLS (Multiprotocol Label Switching) over time.
Firewall as a service
A firewall as a service enables enterprises to centrally manage their organization’s firewall policies and protections regardless of where those endpoints are located in the organization — centralized, distributed or mobile. FWaaS provides a complete firewall service with robust data security and user privacy protection capabilities by leveraging next-generation firewall (NGFW) technology.
Zero-trust network access (ZTNA)
ZTNA is a robust access control framework that eliminates traditional barriers between internal resources and users who wish to connect outside the network. With ZTNA, IT administrators maintain complete visibility into all connections made through the network with granular detail about who is accessing what resources at what time while eliminating complexity and costly upfront investments. ZTNA ensures only approved devices can connect to corporate resources across all applications to protect against rogue devices and other threats.
Cloud access security broker (CASB)
CASB can help organizations meet compliance obligations related to information protection through authentication, authorization, monitoring, and reporting. CASBs also provide identity and access management capabilities, single sign-on (SSO) services, regulatory oversight, GDPR, fraud detection tools, SaaS app control, and more.
Data loss prevention (DLP)
DLP helps protect critical business assets such as intellectual property and sensitive customer data from unauthorized use by detecting when they leave your company’s network perimeter — intentionally or unintentionally. DLP protects against insider threats, too, by identifying inappropriate behaviors such as downloading confidential documents to removable media devices. DLP functionality includes encryption, classification, policy creation, and key management.
Secure web gateway (SWG)
SWG features multilayered protections to provide customers maximum flexibility in balancing web security concerns with the organizational need for web accessibility. SWG offers multiple web filter profiles for enabling organizations to configure their ideal balance of content restrictions and website accessibility.
Unified management
SASE delivers unified, cross-platform device management that extends the capabilities of SASE for a seamless user experience that scales up or down according to the number of employees, devices, or locations. It allows IT admins to monitor the health and performance of SASE from anywhere on any device.
XDR vs. SASE
XDR (extended detection and response) is a security platform that takes data from multiple sources and uses it to detect, investigate, and respond to network threats. SASE, on the other hand, is a cloud-based security platform that provides users with secure access to applications and data from any location.
You’ll want an XDR solution if you’re trying to detect, investigate, and respond to cybersecurity threats, and you’ll want a SASE solution if you need secure access services or want mobile or remote user access capability. Both platforms offer robust protection against hacking and malware attacks.
XDR covers all aspects of on-premises security, from endpoint protection to network security, while SASE focuses on the edge, cloud security, and mobile device security. If you have most of your company’s resources stored in the office and rely heavily on IT infrastructure in the building, then XDR is probably better for you.
SASE is better suited to your needs if you want more flexibility in where work happens, and it is ideal for companies that wish to have remote access without giving up corporate data. You also get increased visibility into your devices by utilizing geolocation services.
Top 10 SASE Solutions
Here are some of the best SASE solutions on the market, based on our assessment of product features, user feedback and more. These products range from low-cost ones appropriate for small businesses to higher-cost options aimed at protecting the most complex enterprises.
Perimeter 81
Perimeter 81 is a cloud and network security provider with a SASE offering that provides businesses a secure way to connect employees, devices, and applications. It uses a software-defined perimeter (SDP) to create a microsegmented network that limits access to only the resources users need. Plus, it’s cloud-based, so it’s easy to set up and manage.
Perimeter 81’s SASE offering includes a secure SD-WAN, next-generation firewall, CASB, and more. It’s easy to set up and manage and provides a high level of security for your network.
Key Differentiators
- Perimeter 81 offers ZTNA, FWaaS, Device Posture Check, and many more functionalities that enable remote and on-site users to securely access networks.
- Perimeter 81 uses AES-256-CBC cipher encryption to ensure all data transferred through its system is encrypted from point A to point B.
- Perimeter 81 monitors and secures the organization’s data from a single dashboard.
- This solution provides granular visibility into enterprise cloud resources, remote team members, and enterprise network management through its cloud management portal.
- An SWG utility is built into Perimeter 81 for those who want to protect employees from accidental malware infection by enforcing policies for browser traffic, along with CASB functionality to extend security policy to any cloud service provider’s architecture.
Features
- Multi-device usage
- Multiple concurrent connections
- Unlimited bandwidth
- User authentication
Cost
Perimeter 81 offers flexible licensing options that can be tailored to meet your business needs. The company has four pricing plans, including:
- Essential: $8 per user per month, plus $40 per month per gateway
- Premium: $12 per user per month, plus $40 per month per gateway
- Premium Plus: $16 per user per month, plus $40 per month per gateway
- Enterprise: Prospective buyers should contact Perimeter 81 for a quote
Cloudflare One
Cloudflare One is a SASE platform that provides enterprise security, performance, and networking services. It includes a web application firewall, DDoS (distributed denial-of-service) protection, and content delivery network capabilities.
Organizations with their own data centers can use it as an extension of their existing network infrastructure. It offers a secure communication channel between remote users, branch offices, and data centers.
Key Differentiators
- Cloudflare integrates a plethora of security and network optimization features, including traffic scanning and filtering, ZTNA, SWG, CASB, FWaaS, DDoS protection, the SD-WAN-like Magic Transit, Network Interconnect, Argo for routing, and WARP endpoints.
- Users can connect internet services, self-hosted apps, servers, remote users, SaaS applications, and offices.
- The solution protects users and corporate data by assessing user traffic, filtering and blocking malicious content, detecting compromised devices, and using browser isolation capabilities to stop malicious scripts from running.
- With Magic Transit, networks can be secured from DDoS attacks.
- Cloudflare offers two access points (WARP and Magic Transit) to applications.
- Cloudflare’s Magic WAN offers secure, performant connection and routing for all components of a typical corporate network, including data centers, offices, user devices, and so on, allowing administrators to enforce network firewall restrictions at the network’s edge, across traffic from any entity.
Features
- Identity management
- Device integrity
- Zero-trust policy
- Analytics
- Logs and reporting
- Browser isolation
Cost
Prospective customers should contact Cloudflare for pricing quotes.
Cisco
Cisco’s SASE platform combines networking and security functions in the cloud to deliver seamless, secure access to applications anywhere users work. Cisco defines its offering using 3Cs:
- Connect: Cisco provides an open standards-based approach for integrating IT with any mobile device, whether it is BYOD or provided by the enterprise.
- Control: As enterprises move toward a unified approach to delivering employee experiences across all of their apps, they need a platform that provides consistent data protection policies while preserving employee choice on where they want to use apps.
- Converge: Enterprises also need to enable cross-enterprise collaboration capabilities by consolidating network and security policy management into one centralized place.
Cisco’s new approach converges these functions into a unified platform in the cloud that delivers end-to-end visibility and control over every application traffic flow between people, devices and networks.
Key Differentiators
- Cisco Umbrella unifies firewall, SWG, DNS-layer security, CASB, and threat intelligence.
- Cisco’s SASE architecture is built on its SD-WAN powered by Viptela and Meraki, AnyConnect, Secure Access by Duo (ZTNA), Umbrella cloud security with DNS, CASB, and ThousandEyes endpoint visibility.
- The solution uses machine learning to search, identify, and predict malicious sites.
- Rapid security protection deployment is available across various channels, including on-premises, cloud, remote access, and VPN.
- Cisco Umbrella combines a firewall, secure web gateway, DNS-layer security, CASB, and threat intelligence technologies into a single cloud service for companies of all sizes.
- Its ThousandEyes architecture decreases mean time to identify and resolve (MTTI/MTTR) by quickly identifying the source of problems across internal networks, ISPs (internet service providers), cloud and application providers, and other networks.
Features
- Analytics
- ZTNA
- End-to-end observability
- API (application programming interface)
- Automation
Cost
Pricing quotes are available on request.
Cato Networks
Cato Networks is a next-generation security platform that enables enterprises to securely connect users to applications, whether in the cloud, on-premises, or hybrid. Cato Networks provides a single point of control and visibility into all traffic flowing into and out of the network, making it easy to manage and secure access for all users.
Cato Networks also offers a variety of features to protect against threats, including an integrated intrusion prevention system (IPS), application-layer inspection engine, and NGFW. With this suite of protection features, organizations can quickly detect and stop an attack before it gets too far into their environment.
Key Differentiators
- Cato helps IT teams improve networking and security for all apps and users; its optimization and security features are readily available when provisioning additional resources.
- Cato’s unified software stack increases network and security visibility. This improves cross-team collaboration and business operations.
- Cato provides the redundancy required to guarantee secure and highly available service by linking the points of presence with several Tier-1 ISPs.
- Cato connects physical locations, cloud resources, and mobile devices to the internet. Cato SD-WAN devices connect physical locations; mobile users use client and clientless access, and agentless configuration connects cloud resources.
Features
- Infrastructure management
- Access controls/permissions
- Activity monitoring
- Cloud application security
- Intrusion detection system
- Remote access/control
Cost
Pricing quotes are available on request.
NordLayer
NordLayer is a cloud-based security platform that helps businesses secure their data and prevent unauthorized access. NordLayer provides various features to help companies to stay secure, including two-factor authentication (2FA), encrypted data storage, and real-time monitoring. NordLayer is an affordable, easy-to-use solution that can help businesses keep their data safe.
Key Differentiators
- NordLayer supports AES 256-bit encryption.
- A dedicated server option is available.
- NordLayer automatically restricts untrusted websites and users.
- Users can connect to networked devices with the help of smart remote access by setting up a virtual LAN.
Features
- 2FA
- AES 256-bit encryption
- SSO
- Auto connect
- Biometrics
- Smart remote access
- Zero trust access
- Central management
Cost
NordLayer’s scalable plans also make it a cost-effective option for companies with different levels of need for securing data. NordLayer offers three plans, including:
- Basic: $7 per user per month as $84 billed annually or $9 per user per month with monthly billing
- Advance: $9 per user per month as $108 billed annually or $9 per user per month with monthly billing
- Custom: Quotes available on request
Zscaler
Zscaler SASE is a cloud-native SASE platform consolidating multiple security functions into a single, integrated solution. It offers advanced user and entity behavior analytics, a next-generation firewall, and web filtering. Its secure architecture is uniquely designed to leverage the public cloud’s scale, speed, and agility while maintaining an uncompromised security posture.
Key Differentiators
- Zscaler optimizes traffic routing to provide the optimal user experience by peering at the edge with application and service providers.
- Zscaler offers native app segmentation by allowing an authenticated user to access an authorized app off-network through the usage of business policies.
- Zscaler’s design encrypts IP addresses to conceal source identities and prevent unauthorized access to the internal network.
- Zscaler currently boasts a global presence with over 150 data centers worldwide.
- It offers a proxy-based architecture for comprehensive traffic inspection and zero-trust network access, eliminating application segmentation.
Features
- Automation
- Zero-trust network access
- Multi-tenant architecture
- Proxy architecture
- SSL (secure sockets layer) inspection at scale
Cost
Pricing quotes are available on request.
Palo Alto Networks Prisma
Palo Alto’s Prisma SASE is a secure access service edge solution that combines network security, cloud security, and SD-WAN in a single platform. Prisma SASE provides the ability to establish an encrypted connection between corporate assets and the cloud.
It provides granular control over user access, allowing users to protect their data and applications from unauthorized access and attacks. With Prisma SASE, enterprises can meet compliance obligations by encrypting all traffic to and from public cloud services and within their internal networks.
Key Differentiators
- Bidirectionally on all ports, including SSL/TLS-encrypted traffic, whether communicating with the internet, the cloud, or between branches.
- With Prisma, organizations can streamline their security and network infrastructure and increase their responsiveness by combining previously separate products. These include Cloud SWG, ZTNA, ADEM, FWaaS, and NG CASB.
- Prisma uses machine learning-powered threat prevention to block 95% of web-based attacks in real-time, significantly lowering the likelihood of a data breach.
- Prisma offers fast deployment.
- Prisma Access prevents known and unknown malware, exploits, credential theft, command-and-control, and other attack vectors across all ports and protocols.
Features
- Cloud-based management portal
- Open APIs
- Automation
- SSL decryption
- Dynamic user group (DUG) monitoring
- AI/ML-based detection
- IoT security
- Reporting
- URL filtering
- Enterprise data loss prevention
- Digital experience monitoring (DEM)
Cost
Contact the Palo Alto Networks team for detailed quotes.
Netskope
Netskope SASE is a cloud-native security platform that enables organizations to securely connect users to applications, data, and devices from anywhere. It provides a single pane of glass for visibility and control over all internet traffic, both inbound and outbound.
With this solution, enterprises can focus on securing the apps and data they use most by prioritizing access based on risk profile and applying security controls selectively without interrupting business operations.
Key Differentiators
- Netskope can act as a forward or reverse proxy for web, private, and SaaS applications.
- This platform helps secure users, apps, data, and devices.
- ZTNA, CASB, private access, next-generation SWG, public cloud security, and advanced analytics are part of its unified cloud-native and real-time solution.
- Netskope SASE helps customers protect themselves against threats like DDoS attacks and malware by removing access to malicious domains at the perimeter edge.
Features
- Automation
- Zero-trust network access
- Threat protection
- Data protection
Cost
Quote-based pricing is available on request.
Skyhigh Security
McAfee Enterprise’s Cloud business was rebranded to form Skyhigh Security. Skyhigh’s SASE secures data across the web, cloud, and private apps. The platform enables enterprises to securely connect users to apps and data from any device, anywhere. The platform uses machine learning to generate insight into user behavior and analyze real-time threat intelligence data with predictive modeling.
Key Differentiators
- Skyhigh’s security solution provides granular reporting on top of bandwidth utilization, high-risk service, and user activities.
- It provides enterprise-grade security policies that allow employees to safely use applications on their devices without sacrificing protection or productivity.
- Skyhigh automates manual tasks to gather and analyze evidence.
- Machine learning insight identifies and analyzes risk factors and predicts users’ actions.
Features
- Automation
- Dashboard
- Analytics and reporting
- Remote browser isolation
- Data loss prevention
- Zero-trust network access
Cost
Skyhigh Security provides pricing quotes on request.
Versa
Versa is a SASE solution that integrates a comprehensive set of services through the Versa operating system (VOS), including security, networking, SD-WAN, and analytics. The solution delivers holistic enterprise-wide IT strategy and management to meet the needs of both security professionals and network managers. The services are orchestrated and delivered as an integrated whole to provide enhanced visibility, agility, and protection.
Key Differentiators
- Versa supports cloud, on-premises, or blended deployment.
- Versa Next Generation Firewall features decryption capabilities, macro- and microsegmentation, and full multi-tenancy, giving comprehensive security along the enterprise’s perimeter.
- The solution protects all devices with varying potential vulnerabilities and exploits, including various operating systems, IoT devices, and BYOD.
- Versa scans user sessions for risk based on URL filtering and categorization.
Features
- Multi-tenancy
- Versa operating system
- Analytics
- Routing
- NGFWaaS
- URL filtering
- Automation
- Multi-factor authentication
Cost
Pricing is quote-based. Potential buyers can contact Versa for personalized quotes.
How to Choose a SASE Provider
The right SASE provider will have a global presence and can offer exceptional performance and security. They are also known for being flexible and customizable to the needs of their customers.
Plus, they must always be backed by the latest technologies to provide excellent service. When looking for a SASE provider, ensure you find one with all of these qualities, so you don’t run into any issues later on. There is no such thing as too much research when choosing your SASE provider.
Before settling for a provider, read user reviews, assess the provider’s product features, understand your enterprise needs, and evaluate their SLA (service-level agreement) commitments. Once you’ve found the perfect provider, ask about pricing plans and contracts. Make sure you get what you’re paying for because your IT infrastructure is very important at the end of the day.