
Secure Access Service Edge: What is Secure Access Service Edge

Last Updated: Mar 31, 2026

Secure Access Service Edge (SASE) is an integrated workspace security management platform offered by Alibaba Cloud. Built on a zero trust model and a global network of edge nodes and leased line access, SASE extends security controls to the network edge—giving enterprises secure, centrally managed access for remote workers, branch offices, and mobile teams without overhauling their existing network architecture.

Key takeaways:

  • Consolidates network and security into one platform. SASE replaces fragmented VPNs and perimeter defenses with a single cloud-delivered service.

  • Built on zero trust. Access decisions are driven by dynamic identity authentication.

  • Covers three security layers. Private access control, internet data loss prevention, and real-time log analysis.

  • No architecture changes required. Employees install the SASE App; administrators configure policies in the SASE console. No manual username and password entry or certificate file import needed.

  • Available as a 7-day free trial with up to 100 client authorizations per Alibaba Cloud account.

Why enterprises need SASE

Traditional VPNs and perimeter-based security were designed for environments where users, data, and applications lived inside a corporate network. That model breaks down when:

  • Employees work remotely or across multiple locations

  • Enterprise applications move to the cloud

  • Branch offices and mobile devices become the norm

SASE addresses these challenges by consolidating network access and security into a single cloud-delivered platform. After an administrator configures policies in the SASE console, the platform delivers them automatically to employees through the SASE App—no manual certificate import or VPN client configuration required.

For data transmission to cloud services such as Elastic Compute Service, ApsaraDB, and cloud storage, SASE uses a combination of the Transport Layer Security (TLS) protocol and a proprietary protocol. For data storage and processing, it uses envelope encryption.

Key capabilities

Private access security

SASE provides Software as a Service (SaaS)-based Zero Trust Network Access (ZTNA) using software-defined perimeter (SDP) technology. It manages employee access permissions without exposing public IP addresses or changing the enterprise's existing network architecture.

Workspace network access

Supports 802.1X certificate-based network access. Install the SASE App to connect securely—no manual username and password entry or certificate file import required. For devices that cannot run the SASE App, such as printers and IoT devices, SASE supports dumb terminal and whitelisted account access with password authentication.

Zero trust internal network access control

Uses TLS and a proprietary protocol to enforce least privilege access control:

  • Endpoint-to-endpoint access over TCP

  • Endpoint-to-application access over HTTP and HTTPS

Dynamic identity authentication drives access decisions. Compared with traditional VPN access, this approach provides faster access, more efficient O&M, easier deployment, and higher system security.

Global workspace access

Supports employees outside China who need to access services both outside and within the Chinese mainland.

Internet access security

A cloud-based file analysis engine audits, retains, and sends alerts for outbound data transfers in real time without consuming terminal computing resources. It detects over 100 file types and includes more than 60 preset sensitive information dictionaries.

Monitored outbound channels include:

  • Portable storage devices

  • Instant messaging tools

  • Email, HTTP, and FTP

  • Printing and optical disc burning

  • Cloud drives

Three data protection capabilities are available:

  • Detect outbound files — Built on the Cloud Data Loss Prevention (DLP) service architecture, this monitors outbound sensitive data in real time and detects data breach threats.

  • Manage external devices — Controls data access permissions for external devices to detect unauthorized outbound transfers of sensitive files.

  • Manage watermarks — Enables screen and print watermarks to prevent unauthorized data exfiltration.

Log analysis

Log audit — Audits network traffic in real time and provides a basis for investigating suspicious activity.

Log analysis — Based on Alibaba Cloud Simple Log Service (SLS), collects and stores web access logs and mitigation logs from SASE. Supports query analysis, statistical charts, and an alerting feature.

Editions

SASE uses a subscription (prepaid) billing model. Use the following table to select an edition. For detailed billing information, see Billing overview of Secure Access Service Edge.

| Edition | Description |
| --- | --- |
| Private Access (Basic) | Zero trust VPN for remote access to cloud and on-premises enterprise applications. Suitable for enterprises with more than 100 employees. Office bandwidth must be purchased separately. |
| Private Access (Advanced) | Zero trust VPN for remote access, plus office network access control and global office access. |
| Internet Access (DLP) | Built on the Cloud DLP service architecture. Detects, monitors, and protects office data in real time. |
| Endpoint Protection (Antivirus) | Integrates with the Alibaba Cloud malicious file detection platform. Provides real-time defense against file viruses and real-time detection of endpoint security alert events. |

Free trial

First-time SASE users can apply for a free trial on the 7-day trial application page. The trial lasts 7 days and supports up to 100 client authorizations per Alibaba Cloud account.

Contact us

For pre-sales questions about product features, pricing, or edition selection, submit a ticket to consult our product technical experts.