SASE Architecture: SD-WAN + SSE, ZTNA, CASB, SWG, FWaaS, DLP and Cloud Security Convergence
SASE (Secure Access Service Edge) is an architecture that brings networking and security together in one cloud-delivered system. SD-WAN provides flexible connectivity; SSE (Security Service Edge) bundles the security services; ZTNA provides zero-trust access; CASB protects cloud applications; SWG filters web traffic; FWaaS is a cloud-hosted firewall; and DLP prevents data from leaking out.
SASE is the biggest change in enterprise networking in 20 years. Previously traffic flowed branch → MPLS → data center → internet (hairpin), but today 80%+ of traffic goes straight to cloud/SaaS, so hairpinning no longer makes sense. SASE moves security into the cloud (PoPs worldwide), so users connect directly from anywhere and get both performance (no hairpin) and security (every flow is inspected). Gartner expects that by 2027, 65% of enterprises will use SASE.
SASE Components
| Component | Category | Function |
|---|---|---|
| SD-WAN | Networking | Intelligent routing, multi-link (MPLS+internet+5G), application-aware, WAN optimization |
| ZTNA | Security (SSE) | Zero Trust Network Access — identity-based access, replaces VPN, least privilege |
| CASB | Security (SSE) | Cloud Access Security Broker — visibility and control over SaaS/cloud usage |
| SWG | Security (SSE) | Secure Web Gateway — URL filtering, malware inspection, SSL inspection for web traffic |
| FWaaS | Security (SSE) | Firewall as a Service — cloud-based L3-L7 firewall, IPS/IDS |
| DLP | Security (SSE) | Data Loss Prevention — detect and prevent sensitive data from leaving the organization |
SASE vs Traditional Architecture
| Feature | Traditional (Hub-and-Spoke) | SASE |
|---|---|---|
| Traffic Flow | Branch → MPLS → DC → Internet (hairpin) | Branch/User → nearest PoP → direct to cloud/internet |
| Security | Centralized at DC (firewall, proxy) | Distributed at cloud PoPs (inspect everywhere) |
| Remote Users | VPN → DC → Internet (slow, complex) | ZTNA agent → nearest PoP → direct access (fast, simple) |
| Scalability | Limited by DC firewall capacity | Cloud-scale: auto-scale at PoPs worldwide |
| Performance | High latency (hairpin through DC) | Low latency (direct path, local PoP) |
| Management | Multiple consoles (SD-WAN, firewall, proxy, VPN) | Single pane of glass — unified policy management |
| Cost | MPLS expensive, DC hardware CapEx | OpEx model, reduce MPLS, eliminate DC security hardware |
ZTNA (Zero Trust Network Access)
| Feature | VPN (Traditional) | ZTNA |
|---|---|---|
| Trust Model | Once connected = trusted (network-level access) | Never trust, always verify — per-session, per-application |
| Access Scope | Full network access after VPN connect | Only the specific applications authorized for that user/device |
| Visibility | Applications visible on the network | Applications hidden — users can't even see apps they don't have access to |
| Device Posture | Usually not checked | Check device health: OS version, antivirus, disk encryption before granting access |
| Lateral Movement | Possible — an attacker on the VPN can scan the network | Prevented — micro-segmented access, no network-level connectivity |
| User Experience | Connect/disconnect VPN client | Always-on, seamless — transparent to the user |
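The ZTNA model in the table above, as an added example that is not part of the original article or any vendor's product: a small policy decision point in Python that evaluates every request per application, gates it on device posture first, and lists to the user only the applications they could actually be granted. The users, groups, applications, posture baseline and the `APP_POLICY` mapping are constructed assumptions for illustration.

```python
"""Added example, not from the original article: a minimal ZTNA policy
decision point. Each request is evaluated per application, device posture
is checked before anything else, and unauthorized apps are never listed.
Users, groups, apps, thresholds and policy below are constructed sample data."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    os_version: str          # e.g. "14.2.1", as reported by the endpoint agent
    antivirus_running: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]   # group memberships from the identity provider
    app: str                 # the single application being requested
    posture: DevicePosture


# Constructed policy: application -> groups allowed to reach it.
APP_POLICY = {
    "payroll": {"finance"},
    "git": {"engineering"},
    "wiki": {"finance", "engineering"},
}

# Constructed posture baseline: minimum OS version as (major, minor).
MIN_OS_VERSION = (14, 0)


def posture_ok(p: DevicePosture) -> bool:
    """Device health gate: OS version, antivirus and disk encryption must all pass."""
    try:
        major, minor = (int(x) for x in p.os_version.split(".")[:2])
    except ValueError:
        return False  # unparseable or one-component version string fails closed
    return (major, minor) >= MIN_OS_VERSION and p.antivirus_running and p.disk_encrypted


def ztna_decide(req: AccessRequest) -> Tuple[str, str]:
    """Per-session, per-application decision. Returns (verdict, reason)."""
    if not posture_ok(req.posture):
        return ("deny", "device posture check failed")
    allowed = APP_POLICY.get(req.app)
    if allowed is None or req.groups.isdisjoint(allowed):
        # Same answer for "no such app" and "not authorized": nothing to enumerate.
        return ("deny", "application not available to this user")
    return ("allow", f"{req.user} -> {req.app}")


def visible_apps(groups: FrozenSet[str], posture: DevicePosture) -> List[str]:
    """Apps the access portal would show: only those the user could be granted now."""
    if not posture_ok(posture):
        return []
    return sorted(app for app, allowed in APP_POLICY.items()
                  if not groups.isdisjoint(allowed))


if __name__ == "__main__":
    healthy = DevicePosture("14.2.1", True, True)
    alice = frozenset({"finance"})
    print(visible_apps(alice, healthy))                       # ['payroll', 'wiki']
    print(ztna_decide(AccessRequest("alice", alice, "payroll", healthy)))
    print(ztna_decide(AccessRequest("alice", alice, "git", healthy)))
```

Note that an authorized user on a non-compliant device sees an empty application list rather than a "denied" entry; the application is hidden, which is the visibility property the table describes.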
CASB (Cloud Access Security Broker)
| Capability | Description |
|---|---|
| Shadow IT Discovery | Discover all cloud/SaaS apps being used — many organizations find 1,000+ unknown cloud apps |
| Access Control | Enforce who can access which cloud apps — block unsanctioned apps, limit actions in sanctioned apps |
| Data Protection | DLP for cloud: scan files in O365/Google Drive/Box for sensitive data, encrypt, quarantine |
| Threat Protection | Detect malware in cloud storage, compromised accounts, suspicious sharing |
| Compliance | Ensure cloud usage meets compliance requirements (PCI DSS, HIPAA, GDPR) — audit trail, data residency |
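The shadow IT discovery and data protection capabilities above, as an added example that is neither the article's nor any CASB vendor's code: Python that parses constructed SWG/proxy log lines, reports every destination outside a sanctioned-app list together with the users involved and the volume uploaded to it, and runs a Luhn-checked card-number scan of the kind a cloud DLP policy applies to uploaded content. The log format, domains, sanctioned list and sample text are all constructed for the example.

```python
"""Added example, not from the original article: CASB-style shadow-IT
discovery over constructed proxy log lines, plus a small DLP check for
card-number-like strings. Log format, domains and data are all made up."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed proxy log lines in a key=value layout (not any vendor's real format).
SAMPLE_LOGS = """\
2024-05-01T09:01:12Z user=alice dst=outlook.office365.com method=GET bytes_out=812
2024-05-01T09:02:40Z user=bob dst=files.example-share.net method=POST bytes_out=7340032
2024-05-01T09:03:05Z user=alice dst=files.example-share.net method=POST bytes_out=1048576
2024-05-01T09:04:30Z user=carol dst=drive.google.com method=POST bytes_out=204800
2024-05-01T09:05:11Z user=bob dst=pastebin-like.example method=POST bytes_out=4096
malformed line without fields
"""

# Constructed list of sanctioned SaaS destinations.
SANCTIONED = {"outlook.office365.com", "drive.google.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+method=(?P<method>\S+)\s+bytes_out=(?P<bytes>\d+)$"
)


def parse_logs(text: str) -> List[dict]:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def shadow_it_report(records: List[dict], sanctioned: set) -> Dict[str, dict]:
    """Unsanctioned destinations -> which users touched them and how much they uploaded."""
    report = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for rec in records:
        if rec["dst"] in sanctioned:
            continue
        entry = report[rec["dst"]]
        entry["users"].add(rec["user"])
        if rec["method"] == "POST":  # count only outbound payloads as uploads
            entry["bytes_out"] += rec["bytes"]
    return dict(report)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop look-alike numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def dlp_findings(text: str) -> List[str]:
    """Return masked findings ('card:<last4>') for Luhn-valid card-like numbers."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("card:" + digits[-4:])
    return findings


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for dst, info in shadow_it_report(recs, SANCTIONED).items():
        print(dst, sorted(info["users"]), info["bytes_out"])
    print(dlp_findings("card 4111 1111 1111 1111 order 1234567812345678"))
```

The report deliberately keys on destination rather than on user: the CASB question is "which apps are in use that we never sanctioned", and the per-destination user set and upload volume are what decide whether an app gets blocked or brought under policy. The DLP check masks to the last four digits so the finding itself is not a second copy of the sensitive value.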
SASE Vendors
| Vendor | Strength | Architecture |
|---|---|---|
| Zscaler | SSE leader — largest cloud security platform, 150+ PoPs | Cloud-native SSE (ZIA, ZPA) — partners with SD-WAN vendors |
| Palo Alto (Prisma SASE) | Strong NGFW heritage + SD-WAN (CloudGenix acquisition) | Single-vendor SASE: Prisma SD-WAN + Prisma Access (SSE) |
| Fortinet | Integrated security + SD-WAN at a competitive price | FortiSASE: FortiGate SD-WAN + FortiSASE cloud (SSE) |
| Cisco | Largest enterprise networking install base | Cisco SD-WAN (Viptela) + Cisco Umbrella/Duo (SSE) |
| Netskope | CASB/DLP leader + strong SSE platform | Cloud-native SSE + partner SD-WAN or Borderless SD-WAN |
| Cato Networks | Born-in-the-cloud SASE — single platform from day 1 | Cato SASE Cloud: SD-WAN + full SSE built as one platform |
In closing: SASE = Networking + Security Converged in the Cloud
SASE Architecture Components: SD-WAN (networking) + SSE: ZTNA + CASB + SWG + FWaaS + DLP (security) — all cloud-delivered.
vs Traditional: eliminates hairpin routing, distributed security at PoPs, single management, OpEx model.
ZTNA: replaces VPN — per-app access, device posture check, apps hidden from unauthorized users, no lateral movement.
CASB: shadow IT discovery (1,000+ unknown apps), cloud DLP, threat detection, compliance enforcement.
Vendors: Zscaler (SSE leader), Palo Alto (single-vendor), Fortinet (value), Cato (born-cloud), Netskope (CASB/DLP).
Key: 80%+ of traffic goes to the cloud → security must follow — SASE delivers security at the edge, not the data center.
Read more about Zero Trust Network Identity-Based Access ZTNA and SD-WAN Architecture Overlay Underlay ZTP at siamlancard.com, or from icafeforex.com and siam2r.com.