Secure Access Service Edge (SASE) is a cloud-delivered workspace security platform from Alibaba Cloud. Built on zero trust principles and a global network of edge nodes and leased line access, SASE unifies network access and security management—giving enterprises secure, centrally managed connectivity for remote workers, branch offices, and mobile teams without changes to their existing network architecture.
Key takeaways:
- Unified network and security. Replaces fragmented VPNs and perimeter defenses with a single cloud-delivered service.
- Zero trust architecture. Access decisions are driven by dynamic identity authentication.
- Three security layers. Private access control, internet data loss prevention, and real-time log analysis.
- No architecture changes required. Employees install the SASE App; administrators configure policies in the SASE console. No manual credential entry or certificate import needed.
- Available as a 7-day free trial with up to 100 client authorizations per Alibaba Cloud account.
Why enterprises need SASE
Traditional VPNs and perimeter-based security assume that users, data, and applications reside inside a corporate network. That model breaks down when:
- Employees work remotely or across multiple locations
- Enterprise applications move to the cloud
- Branch offices and mobile devices become the norm
SASE addresses these challenges by unifying network access and security in a single cloud-delivered platform. After an administrator configures policies in the SASE console, the platform delivers them automatically to employees through the SASE App—no manual certificate import or VPN client configuration required.
For data transmission to cloud services such as Elastic Compute Service, ApsaraDB, and cloud storage, SASE uses a combination of the Transport Layer Security (TLS) protocol and a proprietary protocol. For data storage and processing, it uses envelope encryption.
Key capabilities
Private access security
SASE delivers SaaS-based Zero Trust Network Access (ZTNA) using software-defined perimeter (SDP) technology. It manages employee access permissions without exposing public IP addresses or changing the existing network architecture.
Workspace network access
Supports 802.1X certificate-based network access. Install the SASE App to connect securely—no manual credential entry or certificate import required. For devices that cannot run the SASE App, such as printers and IoT devices, SASE supports dumb terminal and whitelisted account access with password authentication.
Zero trust internal network access control
Uses TLS and a proprietary protocol to enforce least privilege access control:
- Endpoint-to-endpoint access over TCP
- Endpoint-to-application access over HTTP and HTTPS
Dynamic identity authentication drives access decisions. Compared with traditional VPN access, this approach offers faster connectivity, simpler deployment, more efficient O&M, and stronger security.
Global workspace access
Supports employees outside China who need to access services both outside and within the Chinese mainland.
Internet access security
A cloud-based file analysis engine audits, retains, and alerts on outbound data transfers in real time without consuming endpoint computing resources. It recognizes over 100 file types and includes more than 60 preset sensitive information dictionaries.
Monitored outbound channels include:
- Portable storage devices
- Instant messaging tools
- Email, HTTP, and FTP
- Printing and optical disc burning
- Cloud drives
Three data protection capabilities are available:
- Detect outbound files — Built on the Cloud Data Loss Prevention (DLP) service architecture, this capability monitors outbound sensitive data in real time and identifies data breach threats.
- Manage external devices — Controls data access permissions for external devices to detect unauthorized outbound transfers of sensitive files.
- Manage watermarks — Applies screen and print watermarks to deter unauthorized data exfiltration.
Log analysis
Log audit — Audits network traffic in real time and provides a basis for investigating suspicious activity.
Log analysis — Powered by Alibaba Cloud Simple Log Service (SLS), collects and stores web access logs and mitigation logs from SASE. Supports query analysis, statistical charts, and alerting.
Editions
SASE uses a subscription (prepaid) billing model. Refer to the following table to select an edition. For detailed billing information, see Billing overview of Secure Access Service Edge.
| Edition | Description |
|---|---|
| Private Access (Basic) | Zero trust VPN for remote access to cloud and on-premises enterprise applications. Suitable for enterprises with more than 100 employees. Office bandwidth must be purchased separately. |
| Private Access (Advanced) | Zero trust VPN for remote access, plus office network access control and global office access. |
| Internet Access (DLP) | Built on the Cloud DLP service architecture. Detects, monitors, and protects office data in real time. |
| Endpoint Protection (Antivirus) | Integrates with the Alibaba Cloud malicious file detection platform. Provides real-time virus defense and endpoint security alert detection. |
Free trial
First-time SASE users can apply for a free trial on the 7-day trial application page. The trial lasts 7 days and supports up to 100 client authorizations per Alibaba Cloud account.
Contact us
For pre-sales questions about product features, pricing, or edition selection, submit a ticket to reach our product technical experts.