Secure Access Service Edge (SASE) addresses the security challenges of distributed workforces, multi-branch networks, and diverse device types. The following scenarios describe where SASE applies and how it works in each context.
Remote work and mobile work
Traditional network security routes all traffic through a central data center for inspection, which degrades performance for employees working outside the office. SASE shifts security enforcement to edge nodes, so remote and mobile employees connect through the nearest node instead.
Deploy the SASE client on office devices to give remote and mobile employees the same security posture as those at headquarters — whether they are working from home, traveling for business, or on-site.
Data loss prevention
SASE includes a data loss prevention (DLP) feature powered by the Alibaba Cloud-based sensitive file analysis engine. When a user transfers files outbound, SASE audits, records, and generates an alert for the transfer across these channels:
Instant messaging (IM) tools
Email
HTTP file transfer
FTP file transfer
Mobile storage devices
Printing
Burning
The DLP engine identifies more than 100 file formats and applies more than 60 built-in sensitive information dictionaries, enabling consistent data protection across all outbound transfer methods.
Centralized security control for multiple branches and stores
Managing security across multiple branches or retail stores typically requires deploying and maintaining hardware at each site. SASE eliminates that requirement by delivering out-of-the-box security through Alibaba Cloud's nationwide edge nodes and leased lines.
Choose one of two deployment models based on your environment:
| Deployment model | When to use |
|---|---|
| Smart Access Gateway + SASE client | Branches and stores that need both network connectivity and security enforcement at the edge |
| SASE client only | Sites where existing connectivity is sufficient and only security enforcement is needed |
Both models extend the same security capabilities to branches, stores, and headquarters without complex on-premises hardware stacks.
Network access control
SASE supports 802.1X-based network access control using certificates. Key capabilities include:
Automated certificate management: SASE establishes a comprehensive public key infrastructure (PKI) and manages certificates through a client-server (C/S) architecture, so administrators and end users do not need to manually generate or import network access files and certificates for each terminal.
MAC address and credential-based access: SASE enforces access control using both media access control (MAC) address and username-password information, allowing unmanaged devices such as printers and Internet of Things (IoT) devices to connect to the office network.
Behavior auditing
SASE provides real-time auditing of employee access to the internet and internal services. Audit data is visualized in dashboards that let administrators review and manage employee activity. Audit logs are retained for six months, meeting the audit requirements of enterprises.