Solution Brief
The top 3 benefits of SASE
and how to achieve them
© 2024 Zscaler, Inc. All rights reserved.
Why secure access service edge (SASE)?
Modern digital business models are allowing new
levels of customer and employee engagement by
delivering globally available access to applications and
services that is consistent, no matter where employees
and customers connect or what devices they are using.
The notion of network security when your users
and applications are distributed is no longer viable
in a digital world. Gartner developed a new model
of networking and security that matches the
requirements of the digital enterprise. They’re calling
it the secure access service edge (SASE).
“SASE architecture matters. Ideally, the offering is cloud-native, built on microservices with the ability to scale out as needed. To minimize latency, packets should be copied into memory, acted upon and forwarded/blocked, not passed from virtual machine (VM) to VM or from cloud to cloud. The software stack should have no specific hardware dependency and be instantiated when and where needed to deliver the risk-optimized and policy-based capabilities to the endpoint identity.” – Gartner [1]
# 1 Reduces IT cost and complexity
With data spread across cloud applications and SaaS services, and users often working from anywhere, the
traditional network-based security model has reached its limit. To compensate, organizations have been forced to
deploy additional services to fill the gaps in their security, while greatly increasing the deployment, management,
and operating costs with a team that isn’t growing fast enough. Even with this increase in cost and complexity, the
network-security model still can’t scale, isn’t agile, and is simply not effective in a digital world.
Instead of trying to use a legacy concept to solve a modern problem, Zero Trust SASE flips the security model. While
legacy approaches focused on creating perimeters around applications, SASE focuses on the entities, such as users,
that are accessing the applications, and pushes security as close to the entity as possible. As a cloud service, SASE
dynamically allows or denies connections to the service based on an organization’s defined business or agency rules.
It’s all done through a single service that unifies a number of previously separate functions such as SWG, ZTNA,
and so on.
WHAT TO LOOK FOR

The most important component of a great SASE offering is the architecture it is built upon. Gartner was specific about the type of architecture needed to deliver on SASE’s promise. Most importantly, it must be built from the ground up to address the scale required for a fully cloud-delivered security service.

This means it must be a distributed offering that supports multi-tenancy, enabling it to scale globally and dynamically based on demand. It must move away from traditional networking concepts of policies and policy layers and instead be based on organizational policy. Finally, this architecture must support a truly integrated platform with unified cloud-delivered management.

WHAT TO AVOID

Gartner specifically cautions against traditional networking security approaches that use VM-based offerings running in cloud provider infrastructures. The use of these VM-based approaches in an IaaS compute environment will have difficulty scaling and provide an inconsistent user experience because of the hair-pinning needed to go between the cloud vendors and the applications users are accessing.

This model relies on a single-tenant architecture that tries to use network-based access policies in a SASE model based on user access, which creates vastly more complex deployments that do not translate to a SASE model. Further, these approaches are often based on multiple products that are not truly integrated but are instead stitched together through an overlay UI of independent services, often purchased through acquisitions.
“The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises.” – Gartner [1]
# 2 Delivers a great user experience
There’s a good reason why SASE’s primary focus is on user experience. When users were on the network, applications
were in the data center, and servers and infrastructure were owned and managed by IT, it was easy to control and
predict user experience. Now that applications are distributed across multiple clouds, access still typically follows the old model: a VPN brings the user onto a network so that the security stack sitting there can see the traffic. This model brings the user to the security rather than bringing the security to the user, which is what a great user experience requires. Zero Trust SASE calls for security to be enforced close to the users, intelligently managing user connections at the internet exchanges, and optimizing direct connections (peering) to cloud applications and services to ensure optimal bandwidth and low latency.
WHAT TO LOOK FOR

The key to delivering a great user experience comes down to providing optimal bandwidth with the lowest latency. The only way to do this effectively is to reduce the hops needed to get to the applications and ensure the right bandwidth is allocated through bandwidth controls.

The right approach places the security stack as close to the user as possible, in internet exchanges across a widely distributed geographic deployment. Accessing applications from these exchanges requires the ability to intelligently route traffic to the application’s closest geographic location through direct peering.

WHAT TO AVOID

Offerings based on VMs running in cloud providers or IaaS will require traffic hair-pinning. Such offerings are specifically called out in the SASE paper as unqualified to be defined as a SASE solution and should be avoided.

This is primarily because VM-based architectures do not scale and do not control the connection from the user, instead doing so from the application compute environment and, thus, cannot guarantee a good user experience. In addition, these offerings cannot dynamically scale and require usage planning that lacks the ability to allow changes later without scheduled downtime.
“SASE policy decision and enforcement capabilities need to be everywhere the endpoint identities will be located... SASE offerings that use only the internet backbone capacity of IaaS, but without local POPs/edge capabilities, risk latency, performance issues and resultant end-user dissatisfaction.” – Gartner [1]
# 3 Reduces risk
Security is all about risk identification and avoidance. Zero Trust SASE as a cloud service is designed to address the
unique challenges of risk in the new reality of users and applications being so spread out. By defining security as a
function built into the very fabric of the model and not a function that’s separated from the connectivity of services,
it ensures that all connections are inspected and secured, no matter where users are connecting, what apps they are
accessing, or any encryption that may be used.
WHAT TO LOOK FOR

The key to risk reduction is the ability to abandon the concepts of network-based connectivity and instead connect users to applications based on true zero trust network access (ZTNA). ZTNA ensures that only users who are authorized to access an application can do so, and this authorization is defined through organizational policies and not complex multilayered policy definitions.

Another way a SASE platform reduces risk is by removing the attack surface. By hiding the corporate network and source identities from the internet, SASE prevents adversaries from targeting you with attacks such as DDoS.

The SASE model is delivered through a proxy-based architecture that handles all communications between users and applications. This architecture ensures that all traffic can be decrypted and inspected, and provides full visibility. Lastly, the SASE architecture is built with full data context being exchanged between entities and applications to ensure that all connections meet compliance and data governance requirements.

WHAT TO AVOID

Traditional approaches to perimeter security used a firewall-based model that looked at packet streams and determined risk based on the inspection of those streams. While this model worked for perimeter-based security, it breaks down with the new challenges of a SASE-based deployment.

The biggest issue is that a firewall architecture running as a service determines threats after the fact, allowing them to reach the destination before discovery. The reason is simple: it is incapable of holding the data and determining its results before sending it. This limitation makes session decryption and data protection exceptionally difficult, because these are functions that require the stream to be held and reassembled, similar to a proxy.

With a firewall service, the decrypting, inspecting, and reassembling functions require a separate process that is decoupled from the service, complicating policy, introducing latency, and resulting in poor performance; it also often allows only limited functionality when implemented. Furthermore, SASE requires a single-pass architecture to process all of the content at once. Stream-based firewall offerings also expose the host network’s source IP address to potential adversaries, effectively advertising the attack surface, which can lead to targeted attacks.
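The ZTNA point in the "What to look for" column above (authorization per user and application, defined by organizational policy rather than by network location) is easiest to see side by side with the network-based rule it replaces. The following Python is an added illustration written for this brief; it is not Zscaler's code or policy model. The policy table, the `device_managed` posture flag, the 10.0.0.0/8 "corporate" range and all user and application names are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class AccessRequest:
    """One connection attempt as seen by the policy decision point (constructed schema)."""
    user: str
    groups: FrozenSet[str]
    device_managed: bool  # posture signal from an endpoint agent; assumed input
    app: str
    src_ip: str


# Legacy perimeter rule: being on the corporate network is the credential.
CORP_NET = ip_network("10.0.0.0/8")  # constructed "corporate" range


def legacy_network_acl(req: AccessRequest) -> str:
    """Network-based model: allow any app to anything inside CORP_NET."""
    return "allow" if ip_address(req.src_ip) in CORP_NET else "deny"


# Organizational ZTNA policy: which identities may reach which published app,
# and whether a managed device is required. Location is not a factor.
POLICY: Dict[str, dict] = {
    "payroll": {"groups": {"finance"}, "managed_device": True},
    "wiki": {"groups": {"employees"}, "managed_device": False},
}


def ztna_decision(req: AccessRequest) -> str:
    """Identity- and app-based model: allow only an authorized identity on an
    acceptable device to a published app. Unpublished and unauthorized apps get
    the same answer, so the app inventory cannot be enumerated from the outside."""
    rule = POLICY.get(req.app)
    if rule is None:
        return "deny"
    if not (req.groups & rule["groups"]):
        return "deny"
    if rule["managed_device"] and not req.device_managed:
        return "deny"
    return "allow"


# Constructed scenarios that separate the two models.
SCENARIOS: Dict[str, AccessRequest] = {
    # Attacker on a compromised host inside the corporate subnet, not in finance.
    "compromised_corp_host": AccessRequest(
        "mallory", frozenset({"employees"}), False, "payroll", "10.20.30.40"),
    # Finance user working from home on a managed laptop.
    "finance_at_home": AccessRequest(
        "alice", frozenset({"employees", "finance"}), True, "payroll", "203.0.113.7"),
    # Same user on an unmanaged personal device.
    "finance_byod": AccessRequest(
        "alice", frozenset({"employees", "finance"}), False, "payroll", "203.0.113.7"),
    # Corporate-subnet request for an app that is not published at all.
    "unknown_app": AccessRequest(
        "alice", frozenset({"employees", "finance"}), True, "crm", "10.1.1.1"),
}


def compare(name: str) -> Dict[str, str]:
    """Return both models' verdicts for one scenario."""
    req = SCENARIOS[name]
    return {"network_acl": legacy_network_acl(req), "ztna": ztna_decision(req)}


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:24s} {compare(name)}")
```

The two rows that matter are the compromised corporate host, which the network ACL admits to payroll and the ZTNA policy refuses, and the finance user at home, which the ACL refuses and the ZTNA policy admits. A real policy decision point would also evaluate posture and identity claims from an IdP and agent rather than trusting fields in the request; the point here is only which attributes the decision is made on.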
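The "What to avoid" column argues that a stream-based firewall forwards data before its verdict on the object is known, whereas a proxy holds and reassembles the stream and inspects it once before forwarding. The following Python makes that ordering concrete; it is an added example written for this brief, not Zscaler's inspection engine or any vendor's code. The `MARKER` byte string is a constructed stand-in for whatever signature an inspection engine matches (it is not the real EICAR test file), and both response bodies are constructed.

```python
from typing import List, Tuple

# Constructed stand-in for a signature the inspection engine looks for.
MARKER = b"EICAR-TEST"

# Constructed download where the marker sits entirely in the second chunk.
LATE_BODY: List[bytes] = [
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + b"A" * 16,
    b"B" * 4 + MARKER + b"C" * 4,
]

# Constructed download where the marker straddles the chunk boundary.
SPLIT_BODY: List[bytes] = [
    b"HTTP/1.1 200 OK\r\n\r\n" + b"A" * 8 + b"EICAR-",
    b"TEST" + b"C" * 8,
]


def stream_inspect_and_forward(chunks: List[bytes]) -> Tuple[bytes, str]:
    """Stream model: inspect each chunk as it arrives and forward it at once.
    Returns (bytes already delivered to the client, final verdict)."""
    delivered = b""
    for chunk in chunks:
        if MARKER in chunk:
            # Verdict reached after earlier chunks have already been forwarded.
            return delivered, "blocked"
        delivered += chunk
    return delivered, "allowed"


def proxy_hold_and_forward(chunks: List[bytes]) -> Tuple[bytes, str]:
    """Proxy model: terminate the session, reassemble the whole object,
    inspect it once, and only then forward or drop it."""
    body = b"".join(chunks)
    if MARKER in body:
        return b"", "blocked"  # nothing has reached the client
    return body, "allowed"


def leaked_bytes(model, chunks: List[bytes]) -> int:
    """How many bytes of a blocked object reached the client under `model`."""
    delivered, verdict = model(chunks)
    return len(delivered) if verdict == "blocked" else len(b"".join(chunks))


if __name__ == "__main__":
    for name, body in (("late", LATE_BODY), ("split", SPLIT_BODY)):
        for model in (stream_inspect_and_forward, proxy_hold_and_forward):
            delivered, verdict = model(body)
            print(f"{name:5s} {model.__name__:28s} {verdict:8s} delivered={len(delivered)} bytes")
```

With `LATE_BODY` the stream model does reach a "blocked" verdict, but only after the first chunk has been delivered; with `SPLIT_BODY` it never matches at all, because neither chunk on its own contains the marker, and the whole object goes through. The proxy model blocks both with zero bytes delivered. Per-packet inspection engines can keep more state than this toy does, but the brief's argument is about the forward-then-decide ordering, which the example isolates.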
The Zscaler approach to SASE
Zscaler’s AI-powered cloud security platform is a SASE service built from the ground up for performance
and scalability. As a globally distributed platform, users are always a short hop to their applications, and
through peering with hundreds of partners in major internet exchanges around the world, Zscaler ensures
optimal performance and reliability for your users, workloads, business partners and locations.
Zscaler Zero Trust SASE builds on the industry’s most proven SSE platform with a fresh approach to
SD-WAN. Today, more than 30% of the Forbes Global 2000 organizations trust Zscaler to lead them
into the digital era, securely.
Because of its time in the market, Zscaler has proven its architecture was built to scale, currently
processing over 360B transactions per day, and over 500T daily signals for AI/ML cloud effect.
The Zscaler Zero Trust SASE architecture is delivered across 150+ data centers globally, ensuring that
users get secure, fast, and local connections no matter where they connect.
To learn more about Zscaler’s approach to SASE go to
zscaler.com/capabilities/secure-access-service-edge
[1] Gartner, The Future of Network Security Is in the Cloud; Lawrence Orans, Joe Skorupa, Neil MacDonald
About Zscaler

Zscaler (NASDAQ: ZS) accelerates digital transformation so that customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange is the world’s largest inline cloud security platform. Learn more at zscaler.com or follow us on Twitter @zscaler.

© 2024 Zscaler, Inc. All rights reserved. Zscaler™, Zero Trust Exchange™, Zscaler Internet Access™, ZIA™, Zscaler Private Access™, ZPA™ and other trademarks listed at zscaler.com/legal/trademarks are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners.

+1 408.533.0288 Zscaler, Inc. (HQ) • 120 Holger Way • San Jose, CA 95134 zscaler.com