Sase Sse Ag

Architecture Guide
Cisco Public
Cisco Secure Access Service

Edge (SASE) and Security
Service Edge (SSE)
Architecture Guide
February, 2023
© 2023 Cisco and/or its affiliates. All rights reserved. Page 1 of 51

Contents
Introduction 3
SASE 5
Security Service Edge 6
Software Defined WAN 11
Digital Experience Monitoring 13
Cisco SASE/SSE Architecture 14
Cisco SAFE Business Flows 15
Attack Surfaces 16
User and Device 16
Network and Cloud 16
Application and Data 17
Cisco SAFE Business Flows – Threat Vectors 18
Cisco SAFE Capabilities 18
Common Capabilities 18
Secure Access Service Edge 19
Endpoint Security 23
Zero Trust Network Segmentation 24
WAN/Internet Edge 24
Data Center Security 24
Application Workload Security 25
Cisco SAFE Business Flows - Capability Mappings 26
SASE/SSE Reference Architecture 27
Appendix 35
Appendix A – SASE/SSE Reference Architecture Security Capabilities 35
Appendix B – SASE/SSE Reference Design 40
Appendix C – SASE/SSE Detailed Business Flows with Capabilities 44
Appendix D – Acronyms Defined 48
Appendix E - References 51
Appendix F - Feedback 51

Introduction
Today’s workforce expects seamless access to applications wherever they are, on any device. With the rise of
remote work, the growing push of company data and infrastructure into the cloud, and the increasing number of
cloud applications such as Office 365 and Salesforce utilized by the workforce, the amount of traffic directed to
the Internet has increased significantly. The need for cloud-enabled security services expands daily as
contractors, partners, IoT devices and more each require network access no matter where they are. IT needs to
protect and ensure optimal application performance for users and devices as if they were located at a corporate
office or branch. Each requires secure access to applications and must now be treated as a ‘branch of one.’
Figure 1.
High level DC-Centric Architecture
Because of these changes, the DC-centric model has become costly and inefficient for handling this traffic.
Consider the following:
● Remote work and hybrid work are here to stay as people work from anywhere on a continuous basis.
This makes user mobility is a paramount capability for modern enterprises
● Distributed users and applications are hard to manage and increase security risk due to a larger attack
surface

● There are significant problems with application performance and user experience using traditional
networking architectures with modern cloud applications
Figure 2.
High level SASE Architecture
In this new paradigm, IT requires a simple and reliable approach to protect and connect with agility. This is
forcing a convergence of network and security functions closer to users and devices, at the edge—and is best
delivered as a cloud-enabled model called secure access service edge (SASE).

SASE
In 2019, Gartner published a report called The Future of Network Security Is in the Cloud. In this report, Gartner
introduced the SASE concept. Back in 2017, several vendors and analysts in the industry defined a new
concept – the secure Internet gateway (SIG). This cloud native solution offers multiple functions including
domain name system (DNS) security, secure web gateway (SWG), firewall as a service (FWaaS), and cloud
access security broker (CASB) to improve security and performance while reducing costs and maintenance
tasks. The SASE concept goes beyond the capabilities found within SIG and includes the convergence of
networking functionality as well.
Figure 3.
SASE Capability Overview
Cloud computing services offer convenient, pay-as-you-go models that eliminate costly expenditures and
maintenance. Cloud providers host a choice of infrastructure, platform, and software offerings on-site that you
“rent”, giving your organization the flexibility to turn cloud computing services up and down according to
changing requirements. There are three main cloud computing service options:
● Infrastructure-as-a-Service (IaaS): In this model, a cloud provider hosts infrastructure components that
are traditionally located in on-premises data centers. With IaaS, your organization can choose when and
how you want to administer workloads, without needing to buy, manage, and support the underlying
infrastructure.
● Platform-as-a-Service (PaaS): This model is one layer of abstraction above IaaS. Cloud providers, in
addition to providing infrastructure components, also host and manage operating systems and
middleware that your developers need to create and run applications.
● Software-as-a-Service (SaaS): With SaaS, cloud providers host and manage an entire infrastructure,
as well as end-user applications. When your company chooses a SaaS model, you do not need to install
anything; your users will be able to log in and begin immediately using the cloud provider’s application
running on their infrastructure.

The goal of SASE is to provide secure access to applications and data from your data center or cloud platforms
like Azure, AWS, Google Cloud, and SaaS providers based on:
● Identity: limiting application access to specified users and devices

● Context: risk-based assessment to prevent questionable users or compromised/insecure devices from
accessing the network
● Least Privilege: limit user and device access to only services that have been defined for their usage
Service edge refers to global point of presence (PoP), IaaS, or colocation facilities where local traffic from
branches and endpoints is secured and forwarded to the appropriate destination without first traveling to data
center focal points.
The Software Defined WAN (SD-WAN) and Security Service Edge (SSE) components of SASE are primarily
delivered as Networking-as-a-Service (NaaS) and Security-as-a-Service (SECaaS) models. This refers to the
ability to offer these services as SaaS. By delivering security and networking services together from the cloud,
organizations will be able to securely connect any user or device to any application without having to install and
maintain the network management and security infrastructure.
Security Service Edge

Cloud adoption, distributed workforces, and threats have been on the rise for years. As more users connect to
company networks from anywhere that has an internet connection, more data is being routed outside of
traditional on-premises data centers, creating security gaps that traditional DC-centric network architectures
aren’t built to handle.
In 2021, Gartner coined a new concept for businesses who may be ready to transition to cloud security without
a complete overhaul of their network architectures SASE requires. This concept is known as Security Service
Edge. The SSE architecture is a collection of security functions that can reduce complexity and improve user
experience by consolidating multiple disparate security capabilities and delivering them from the cloud. These
security functions include, but are not limited to, DNS-layer security, secure web gateway, firewall as a service,
cloud access security broker, and zero trust network access.
Figure 4.
Security Service Edge Capability Overview

Because of this, organizations have flexibility in determining whether to deploy SSE or move towards a full
SASE deployment. The answer may vary by each organization’s own unique needs. For organizations with a
hybrid workforce, however, when the additional security features of SSE are paired with the enhanced
connectivity features of SASE, the organization gets a holistic solution that protects uses and devices from
threats while boosting network performance. A full SASE solution makes it easier than ever to scale up or down
an increasingly distributed workforce. While moving towards SSE may be a first step, journeying beyond SSE to
include the network component may be in the best interest of organizations in a hybrid world.
Whether included in an SASE architecture or deployed standalone, a Security Service Edge architecture should:
● Provide secure seamless access for users

● Provide security with consistent policy
● Update threat protection and policies without hardware and software upgrades
● Restrict access based on identity and context
● Increase security staff effectiveness with centralized policy management
DNS-layer Security
DNS resolution is the first step when a user attempts to access a website or other service on the Internet. DNS-
layer Security logs and categorizes DNS activity by type of security threat or web content and the action taken,
whether it was blocked or allowed.
Figure 5.
DNS-layer Security Overview
It is critical that the DNS-layer security is underpinned by excellent threat intelligence sources. Threat
intelligence itself is not a solution but is a crucial security architecture component. A threat intelligence platform

centralizes the collection of threat data from numerous sources and formats and most importantly presents the
data in a usable format.
Secure Web Gateway
A cloud-based web proxy or SWG provides security functions such as URL and category filtering and real-time
inspection of inbound files for malware and other threats. SSL/TLS decryption is necessary to inspect encrypted
web traffic before other certain SWG security capabilities can enforced. Content filtering by category or specific
uniform resource locators (URLs) is used to block destinations that violate policies or compliance rules. Remote
browser isolation protects users from potential malware and other threats by redirecting browsing to a cloud-
based host. This isolation is achieved by serving the web content to users via a remotely spun up surrogate
browser located in the cloud.
Figure 6.
Secure Web Gateway Overview
Network anti-malware inspects files as they traverse the network, using dynamic threat intelligence to check
the disposition of files before they reach the device. File sandboxing is used to open and inspect untrusted files
which could compromise an endpoint.
Firewall As a Service
Firewall as a Service (FWaaS) is the cloud-based delivery of firewall functionality to protect non-web Internet
traffic. In addition to layer 3-4 filtering, FWaaS typically includes features for intrusion prevention and
application-level visibility and control.

Figure 7.
Firewall as a Service Overview
Some of the benefits provided by FWaaS when compared to on-premises firewalls include:
● Scalable due to the pool of resources available to cloud-delivered firewalls allowing easy growth or
contraction based on an organization’s need
● Centralized policy management for multiple remote locations
● Easier to deploy and maintain
Remote Access as a Service (RAaaS) provides cloud-delivered VPN services for roaming users covering use
cases for applications or services that ZTNA solutions do not support. Like FWaaS, RAaaS provides a scalable
alternative to on-premises VPN solutions and in addition to private application access, enables roaming users to
receive security capabilities provided by through the FWaaS such as Layer 3-4 traffic filtering and intrusion
prevention. RAaaS should still follow zero trust principles, incorporating multi factor authentication (MFA),
context checks, and least privilege access to private applications.
Cloud Access Security Broker
Cloud access security brokers help control and secure the use of SaaS applications. The value of CASBs stems
from their capability to give insight into cloud application usage across cloud platforms and to identify
unsanctioned use. CASBs use auto discovery to expose shadow IT, detecting and reporting on the cloud
applications that are in use across the network.

Figure 8.
Cloud Access Security Broker Overview
A vital ability of CASB is data loss prevention (DLP) - the capability to detect and provide alerts when abnormal
user activity occurs to help stop both internal and external threats.
Although included as part of CASB, inline DLP warrants its own mention and provides data security for user
traffic traversing the Internet or traversing data centers to utilize private applications. A common CASB
deployment is to install out of band and to provide API based DLP functionality. For increased security, DLP
should be implemented as a standalone inline feature of the SASE security stack to catch sensitive information
as it passes through the network. This can then be supplemented with DLP capabilities built into a CASB.
Zero Trust Network Access
In a DC-centric model roaming users are provided remote access to resources using full tunnel VPN, redirecting
all traffic, internal and internet destined, to the data center. Scalability issues can arise as users shift between
on-premises and remote work and VPN appliances are starved for resources. User experience suffers as
backhauled traffic causes high latency and users must enter credentials numerous times during the workday
creates password exhaustion. In a cloud-enabled model, access can be provided to private or public
applications leveraging a clientless or client based zero trust network access solution.
Zero Trust security takes a “never trust, always verify” approach to security. To do this, it is essential to verify
identity and context. Identity is determining who a user is. Traditional identity checks use passwords, but these
can be stolen, or brute forced making password-only identity checks unreliable forms of identity verification.
Context is the use of supplemental information to improve security decisions at the time they are made

according to Gartner. This supplemental information may include, but is not limited to, OS version, browser
version, firewall status, and location. An assessment is done based on this information to determine if access
should be allowed to the application based on the calculated risk. For example, the security policy for a
restricted application could require the user to use an updated browser not susceptible to certain vulnerabilities.
ZTNA verifies a user’s identity and context before granting least privilege access to permitted applications using
a trust broker, which is a system that facilitates identity and context checks against users and restricts visibility
and access to applications based on a configured policy.
After identity and context are verified, least privilege access is given based on granular policy rules and the user
only has visibility and access to applications they are authorized to. This access is segmented on a per-
application basis at layer 7 in the OSI model, limiting a potential attacker’s lateral movement within the network
and containing breaches. Because only traffic specific to the authorized application traverses the ZTNA solution
rather than all client traffic, the overall remote user experience is improved.
Figure 9.
Zero Trust Network Access Overview
As mentioned earlier, traditional identity checking may only use passwords can be unreliable. ZTNA requires a
strong, cloud-based, multi-factor authentication solution that ensures users are verified before granted access
to specified resources. User experience can be further improved using SAML/SSO or passwordless
authentication capabilities helping mitigate password exhaustion and poor security habits. ZTNA solutions
typically take the form of a reverse proxy for clientless ZTNA access via a browser or a software agent for client
based ZTNA access. While clientless ZTNA solutions can provide seamless access to users with managed and
unmanaged devices, client based ZTNA solutions offer enhanced security using additional device and policy
checks available with software agents.
Software Defined WAN

A traditional DC-centric network model made sense when the enterprise data center was the primary
destination for users to access applications and data across the network, however, the wide-scale use of cloud
applications has become fundamental to business operations at all locations. The centralized security approach
has also become impractical because of the high cost of backhauling traffic and the resulting performance
issues at remote locations.

To overcome these costs and performance issues, many organizations are adopting a more decentralized
networking approach to optimize performance, otherwise known as direct Internet access (DIA). DIA is an
architecture component in which certain Internet-bound traffic or public cloud traffic from the branch can be
routed directly to the Internet, thereby bypassing the latency of tunneling Internet-bound traffic to a central site.
The goal of SASE is to connect users and devices, regardless of location, to any application across any cloud. A
secure automated WAN is used to optimize performance by ensuring the fastest, most reliable and secure path
to the cloud.
Configuring multiple routers connected to different circuits (for example, an MPLS link and a broadband Internet
link) to route network traffic efficiently and optimally can be challenging. Beyond simple load balancing,
available bandwidth capacity may go unused during periods of congestion. For example, your broadband
Internet connection may be running slowly during a given period of time, while your costly MPLS link is relatively
uncongested and may actually be able to provide faster Internet connectivity. The inability to aggregate
disparate links means wasted bandwidth capacity and lower employee satisfaction.
SD-WAN combines and optimizes traditional WAN technologies, such as MPLS and broadband Internet
connections. This allows organizations to efficiently route network traffic to multiple remote branch locations
while providing enhanced monitoring and management capabilities. SD-WAN monitors network traffic across all
available links in real-time and dynamically selects the best route for each data packet traversing the network.
Additionally, through direct peering relationships to cloud providers middle mile optimization reduces overall
hop counts, which reduces latency and improves the overall user experience when accessing applications.
Figure 10.
SD-WAN Overview
The SD-WAN component of a SASE architecture should have the following qualities:
● Flexible, as a service WAN management for on-premises, cloud, and multitenant environments

● Route traffic across different links (MPLS, Internet, 5G, etc.) based on destination
● Route traffic across different links based on cost
● Aggregate multiple links to provide greater total bandwidth
● Rerouting traffic across an alternate link when a link is congested, unstable, or down
● Prioritizing certain application traffic to ensure quality of service
Digital Experience Monitoring

With the rise of remote work, employees are now connecting to enterprise services, applications, and networks
from distributed locations both within and outside of the corporate perimeter. Moving from a DC-centric
architecture using legacy WANs and security architectures to a cloud-enabled SASE or SSE architecture
increases agility, resilience, and performance. But with this change, organizations are challenged to deliver
reliable application performance because of the increased external dependencies in the new enterprise
ecosystem that they don’t own or control. When something goes wrong, network teams often carry the burden
of proving the network innocent with no visibility into end-to-end dependencies, such as ISP networks or SaaS
application performance. This leads to wasted resources, higher mean time to identify (MTTI) and mean time to
repair (MTTR), and negative impacts to the digital experience.
Digital experience from a SASE perspective is how end users experience any application, from wherever they’re
sitting whether that is from their home office or an on-premises branch site. Digital Experience Monitoring
(DEM) is a Gartner IT category that emerged in 2019 to address user experience, human or machine, across
every dependency, whether network or service, inside or outside your organization. DEM is used to ensure the
reachability and availability of business-critical SaaS, internally hosted applications, and cloud-based services
over any network, including the Internet and the corporate network.
Figure 11.
Digital Experience Monitoring Overview

The Digital Experience Monitoring component of a SASE or SSE architecture should have the following qualities:
● Provide metrics to improve the Digital Experience for users no matter where they are or what application
they are using
● Provide lower Mean Time to Identification (MTTI) of issues
● Eliminate wasteful finger-pointing between teams
● Hold providers accountable and get swift resolutions
Cisco SASE/SSE Architecture
Figure 12.
Cisco Secure Framework
Security is not a one-size-fits-all solution. To help understand the architecture, Cisco has broken it down into
three pillars:
● User and Device Security: making sure users and devices can be trusted as they access systems,
regardless of location
● Network and Cloud Security: protect all network resources on-prem and in the cloud, and ensure
secure access for all connecting users
● Application and Data Security: preventing unauthorized access within application environments
irrespective of where they are hosted

The Cisco SASE/SSE Architecture incorporates the principles of zero trust to create a comprehensive solution
to secure all access to applications from any user, device, and location. Furthermore, the architecture is
enhanced by extended detection and response (XDR) and Threat Intelligence technologies.
This architecture guide primarily focuses on securing these three pillars from a SASE/SSE perspective using
SAFE. For more information on Cisco Zero Trust security, refer to the Cisco Zero Trust Architecture Guide.
Cisco SAFE Business Flows

SAFE uses the concept of business flows to simplify the analysis and identification of threats, risks, and policy
requirements for effective security. This enables the selection of very specific capabilities necessary to secure
them. This is a sample set of business flows. Additional detailed business flows can be found in Appendix C.
Figure 13.
SASE/SSE Business Flows

Attack Surfaces
The next step in the SAFE methodology is to identify the threats for each business flow. This is the attack
surface, and the mitigation of these threats is the business problem to be solved.
User and Device

User and Device Security provides solutions that establish trust in users and devices through authentication and
continuous monitoring of each access attempt, with custom security policies that protect every application.
Threat Icon Threat Name Threat Description
Attackers can easily steal or compromise passwords via phishing

emails sent to users. With stolen credentials, they can log in to
work applications or systems undetected and access data.
Rogue Actor Brute-force attacks involve programmatically trying different
credential pairs until they work, another attack that can be
launched remotely. Once inside, attackers can move laterally to
get access to more sensitive applications and data.
Devices running older versions of software – such as operating

systems, browsers, plugins, etc. – can be susceptible to
Malicious Device vulnerabilities not patched by software vendors. Without those
security patches, devices that access work applications and data
can introduce risks by increasing the overall attack surface.
Often, devices that are not owned or managed by your IT team

can have out-of-date software and lax security.
Insecure Unmanaged Device (BYOD) Devices that do not have certain security features enabled – such
as encryption, firewalls, passwords, etc. – are considered riskier
or potentially out of compliance with data regulation standards
that require encryption, like healthcare industry compliance
standards.
Network and Cloud

Network and Cloud Security enables users to securely connect to your network from any devices, anywhere
while restricting access from non-compliant devices. Automated network-segmentation capabilities enable
administrators to set policy for users, devices, and application traffic without requiring network redesign.
Suspect data loss occurs when an abnormal amount of data has

been transferred out of the network. Suspect data hoarding
Data Exfiltration
occurs when an inside host is found downloading an abnormal
amount of data from other inside hosts.
Hosts attempting to compromise each other, such as through

Exploitation
worm propagation and brute force password cracking.
An unknown host on the network, or a host that has been

Malicious Insider compromised and has attempted deviant communication, such
as reaching out to a command-and-control server.

Application and Data
Application and Data Security secures connections for all APIs, microservices, and containers that access
applications, whether in the cloud, data center, or other virtualized environment. Enterprise networks are
increasingly becoming more complex as applications move to multi-cloud and leverage containers and
microservices, effectively creating new security, reporting, and compliance challenges.
For example, a malicious actor, on the public network, exploits a

PHP Code Injection vulnerability on the web application and
gains access to the details of the underlying operating system
and installed packages.
The attacker then exploits a known vulnerability in the underlying

operating system or the installed package to perform privilege
Advanced Threats escalation and then goes on to establish a command-and-
control channel to a malicious server running on attacker’s
network by remotely executing a piece of code.
The attacker then starts profiling the application environment and

exfiltrates sensitive data out through the established command-
and-control channel over an outbound UDP 53 port (DNS
protocol).
Zero-day malware attacks, poorly developed applications or

unpatched applications are all attack vectors that can be
Malware exploited by threat actors. If not protected, the attacker can push
malicious code in the source repository resulting in infected
software and potential propagation.
Without appropriate network visibility and segmentation policies,

unknown users / applications may exist in the network or known
applications may deviate from characteristic behavior. Malicious
Malicious Insider actors can take advantage of a flat network with little to no
visibility and infiltrate the network without triggering suspicion.

Cisco SAFE Business Flows – Threat Vectors
Figure 14.
SASE/SSE Business Flows with threats
Cisco SAFE Capabilities

The Cisco SASE/SSE Architecture is defined using the Cisco SAFE methodology. For more information on SAFE
please go to cisco.com/go/safe.
Common Capabilities
The following common capabilities are included in Cisco SASE and SSE.

Capability Icon Capability Name Capability Description
Anomaly detection maintains complex models of what is normal,

and, in contrast, what is anomalous. Not all anomalous traffic is
Anomaly Detection
malicious, and therefore deviations in the network are classified
into event categories to assign severity to the anomalies.
Network Detection and Response (NDR) solutions leverage pre-

existing infrastructure to offer enterprise-wide, contextual
visibility of network traffic. Flow information can be used to
Flow Analytics
conduct forensic analysis to aid in lateral threat movement
investigations, ensure ongoing zero trust verification is provided,
and modern tools can even detect threats in encrypted traffic.
Security Orchestration Automation & SOAR is a set of technologies that enable organizations to
Response (SOAR) collect information monitored by the security operations team.
Knowledge of emerging threats from active adversaries is shared

Threat Intelligence with solutions that will utilize the information to protect the
organization.
Secure Access Service Edge

The SASE Security Capability group includes the Digital Experience Monitoring and SD-WAN capabilities, and
the Secure Service Edge security capability group.
Digital Experience Monitoring
Digital Experience Monitoring (DEM) addresses user experience, human or machine, across every dependency,
whether network or service, inside or outside your organization. DEM looks at the entire digital journey and how
every part of it drives successful user actions. By focusing on visibility into digital experience as a whole, DEM
helps bridge IT initiatives to business outcomes.
SD-WAN
Provides a replacement for traditional WAN routers and are agnostic to WAN transport technologies. SD-WAN
provides dynamic, policy-based, application path selection across multiple WAN connections and supports
service chaining for additional services such as WAN optimization and firewalls.
Security Service Edge

The Security Service Edge security capability group includes the DNS-layer security capabilities and the
following security capability groups:
● Cloud Access Security Broker

● Firewall as a Service
● Secure Web Gateway
● Zero Trust Network Access
Cloud Access Security Broker
An intermediary between cloud providers, cloud-based applications, and cloud consumers to enforce an
organization’s security policies and usage.
Application Visibility & Control (AVC) Visibility and access control to approved web applications.
Data Loss Prevention (DLP) is designed to stop sensitive

information from leaving an organization. The goal is to stop
Data Loss Prevention (DLP) information such as intellectual property, financial data, and
employee or customer details from being sent, either
accidentally or intentionally, outside the corporate network.
DNS-layer Security
DNS security enforces security at the DNS layer to block malware, phishing, and command and control
callbacks over any port.
Firewall as a Service
Organizations are embracing direct internet access instead of backhauling traffic to the data center. FWaaS
provides cloud delivered firewall services without the need to deploy, maintain, and upgrade physical or virtual
appliances at a site.

Macro segmentation is the process of separating a network

topology into smaller sub-networks, often known as zones. A
Firewall
firewall is typically the enforcement point between zones in a
network.
An intrusion prevention system (IPS) provides network visibility,

Intrusion Prevention security intelligence, automation, and advanced threat
protection.
Enables users who are working remotely to securely access and

use applications and data that reside in the enterprise data
Remote Access as a Service
center and headquarters, encrypting all traffic the users send
and receive.
Secure Web Gateway
Secure Web Gateway protects your network against unwanted software or malware users may encounter on
the web. It does this by granting your IT or SecOps team granular control over what users on the company
network can do while online.
Inspects and analyzes suspicious files and URLs and their

Malware Sandbox
associated artifacts.
Advanced malware’s goal, in general, is to penetrate a system

and avoid detection. Once loaded onto a computer system,
advanced malware can self-replicate and insert itself into other
programs or files, infecting them in the process. Anti-malware
Network Anti-Malware
protection should be implemented in both the network (to
prevent initial infection and detect attempts of spread) and in the
endpoint (to prevent endpoint infection and remove unwanted
threats). This capability represents network anti-malware.
Provides an added layer of protection against browser-based

security threats for high-risk users. RBI moves the most
Remote Browser Isolation (RBI)
dangerous part of browsing the internet away from the end
user’s machine and into the cloud.
Ability to decrypt and inspect encrypted web traffic and block

TLS/SSL Decryption
hidden attacks.
Compares each new website visited against known sites and

Web Reputation Filtering
then blocks access to sites that launch malicious code.

A full proxy that can log and inspect all your web traffic for
greater transparency, control, and protection. IPsec tunnels, PAC
Web Security files and proxy chaining can be used to forward traffic for full
visibility, URL and application-level controls, and advanced
threat protection.
Zero Trust Network Access
Zero Trust Network Access allows organizations to provide granular and adaptive access controls to public and
private applications. Lateral movement is prevented through application layer segmentation while user
experience is improved due to traffic not being backhauled through a data center.
Least privilege access involves giving users and devices access

to only the resource required. Often, network segmentation
stops at layer 2 or 3 (Data link and Network layers, respectfully)
Application Segmentation
of the OSI model. Application segmentation involves segmenting
and preventing lateral movement at layer 7 of the OSI model or
the Application Layer.
The device posture assessment analyzes the device and

Device Posture Assessment assesses its security posture, and reports it to the policy
decision management system.
Establish trust by verifying user and device identity at every

access attempt. Least privilege access should be assigned to
Identity Authorization every user and device on the network, meaning only the
applications, network resources and workload communications
that are required should be permitted.
Authentication based on usernames and passwords alone is

unreliable since users may have trouble storing, remembering,
and managing them across multiple accounts, and many reuse
passwords across services and create passwords that lack
complexity. Passwords also offer weak security because of the
Multi-Factor Authentication (MFA)
ease of acquiring them through hacking, phishing, and malware.
Multi-factor authentication (MFA) requires extra means of
verification that unauthorized users will not have. Even if a threat
actor can impersonate a user with one piece of evidence, they
will not be able to provide two or more.
Security Assertion Markup Language (SAML) is an open

standard that simplifies the login experience for users. It lets
SAML & SSO them access multiple applications with one set of credentials,
usually entered just once. SAML is the underlying technology
that links applications with trusted identity providers.

Endpoint Security
Endpoint security solutions protect endpoints such as mobile devices, desktops, laptops, and even medical and
IoT devices. Endpoints are a popular attack vector, and the goal of an attacker is to not only compromise the
endpoint but also to gain access to the network and the valuable assets within.
Security practices such as turning on disk encryption, disabling automatic login, and installing anti-virus help
ensure an endpoint is “healthy” when joining the network or accessing an application.

Anti-Malware
threats). This capability represents endpoint anti-malware.
Anti-Virus typically deals with older established threats such as

trojans, viruses and worms. Anti-Virus is generally included in
Anti-Virus Anti-Malware solutions which also can detect new modern day
threats. Anti-Malware solutions typically also include Anti-Virus
capabilities.
The device health connector analyzes a device and assesses its

Device Health Connector security posture, and reports it to the policy decision
management system.
The DNS security connector enforces security at the DNS layer

DNS Security Connector to block malware, phishing, and command and control callbacks
over any port.
Mobile device management includes software that provides the

following functions: software distribution, policy management,
Mobile Device Management (MDM) inventory management, security management, and service
management for smartphones and media tablets. MDM provides
endpoint access control based on policies.
In a cloud-enabled SASE/SSE architecture, internet traffic is not

backhauled through a data center. This can create gaps in
visibility due to traditional network monitoring solutions being
Telemetry Connector bypassed. The telemetry connector gathers rich flow context
directly from an endpoint on or off premises and provides
visibility into network connected devices and user behaviors by
exporting flow records to a telemetry collector.
The Web security connector redirects all web traffic to a full web
Web Security Connector
proxy that provides secure web gateway security services.

Zero Trust Network Segmentation
Zero Trust Network Segmentation is a security solution that enforces network segmentation policies on user
and device traffic that access the network after verifying their identity and context.
The device posture assessment analyzes the device and

Device Posture Assessment assesses its security posture, and reports it to the policy
decision management system.
Policies that control tag assignment and allowed communication

between tagged traffic on network devices such as switches and
Identity Access Policy
firewalls. For example, Security Group Access Control List
(SGACL).
Establish trust by verifying user and device identity at every

access attempt. Least privilege access should be assigned to
Identity Authorization every user and device on the network, meaning only the
applications, network resources and workload communications
that are required should be permitted.
Segmentation using Endpoint Groups (EPG), TrustSec Security

Tagging
Group Tag (SGT), or VLANs.
WAN/Internet Edge
The following WAN and Internet edge capabilities are included within the Cisco SASE/SSE Architecture.
Provides protection against a cyber-attack in which the

Distributed Denial of Service (DDoS) perpetrator seeks to make a machine or network resource
Mitigation unavailable to its intended users by temporarily or indefinitely
disrupting services of a host connected to the Internet.
A Web Application Firewall (WAF) protects websites from

application vulnerability exploits like SQL injection, cross-site
Web Application Firewall (WAF)
scripting (XSS), cross-site request forgery, session hijacking,
and other web attacks.
Data Center Security
Data center security is the practice of applying security controls to the data center with the goal of protecting it
from threats that could compromise the confidentiality, integrity, or availability of business information assets or
intellectual property. Data center security follows the workload across physical data centers and multi-cloud

environments to protect applications, infrastructure, data, and users. The practice applies to traditional data
centers as well data centers in the public cloud.
Because the focus of this guide is on SASE/SSE, details regarding securing the data center are limited in scope.
More detail information about securing the data center can be found in the Secure Data Center Design Guide.
Application Visibility & Control (AVC) Visibility and access control to approved web applications.
Data Loss Prevention (DLP) is designed to stop sensitive

information from leaving an organization. The goal is to stop
Data Loss Prevention (DLP) information such as intellectual property, financial data, and
employee or customer details from being sent, either
accidentally or intentionally, outside the corporate network.
Macro segmentation is the process of separating a network

topology into smaller sub-networks, often known as zones. A
Firewall
firewall is typically the enforcement point between zones in a
network.
An intrusion prevention system (IPS) provides network visibility,

Intrusion Prevention security intelligence, automation, and advanced threat
protection.
Inspects and analyzes suspicious files and URLs and their

Malware Sandbox
associated artifacts.

threats). This capability represents network anti-malware.
Application Workload Security
Application Workload Security includes measures at the application level that aim to prevent data or code within
the application from being stolen or hijacked. It encompasses the security considerations that happen during
application development and design, but it also involves systems and approaches to protect applications after
they get deployed.
All application servers should be hardened and follow security practices such as disabling root access, using
SNMPv3 instead of SNMPv2, enabling certificate-based authentication for web clients, etc.

Creates a map of all the components of an application. enables

network admins to build tight network security policies based on
Application Dependency Mapping
various signals such as network flows, processes, and other side
information like load balancer configs.
Continuously acquire, assess, and take action on new

Continuous Vulnerability Scanning information in order to identify vulnerabilities, remediate, and
minimize the window of opportunities for attackers.
Micro-segmentation secure applications by expressly allowing

particular application traffic and, by default, denying all other
Micro-Segmentation traffic. Granular east-west policy control provides a scalable way
to create a secure perimeter zone around each workload with
consistency across different workload types and environments.
The systematic notification, identification, deployment,

installation, and verification of operating system and application
Patch Management
software code revisions. These revisions are known as patches,
hot fixes, and service packs.
The output of application dependency mapping provides an

Policy Generation, Audit & Change
allowed access list policy. This policy will need to be audited and
Management
changed as required.
Anomaly detection is provided by performing hash analysis of all

httpd binaries on the system, and reporting any mismatches. For
all processes across the workloads if the rootscope, executable
Process Anomaly Detection &
binary path, OS version or package info does not match the
Forensics
expected value, it is reported. Forensics enables monitoring and
alerting for possible security incidents by capturing real-time
forensic events and applying user-defined rules.
A security technology that is built or linked into an application or

Runtime Application Security application runtime environment, and is capable of controlling
Protection application execution and detecting and preventing real-time
attacks.
Segmentation using Endpoint Groups (EPG), TrustSec Security

Tagging
Group Tag (SGT), or VLANs.
Cisco SAFE Business Flows - Capability Mappings

Not all business flows have the same requirements. Some use cases are subject to a smaller attack vector and
therefore require less security to be applied. Some have larger and multiple vectors and require more.
Evaluating the business flow by analyzing the attack surfaces provides the information needed to determine and
apply the correct capabilities for flow specific and effective security. This process also allows for the application
of capabilities to address risk and administrative policy requirements.

Figure 15.
SASE/SSE Business Flows with SAFE Capabilities
SASE/SSE Reference Architecture

The Cisco SAFE Security Reference Architecture below includes the main architectural components needed to
deliver the security capabilities for each pillar. The Cisco SAFE Reference Architecture is included in the Cisco
Security Reference Architecture and is presented below in that format and merged with the SAFE methodology.

Figure 16.
Cisco SAFE Security Reference Architecture
The Cisco SASE/SSE Architecture below includes the architectural components needed location-by-location to
deliver the security capabilities for each pillar and is structured as follows:
● SASE (SD-WAN + SSE + DEM) and Cloud Security (Top)

● Consumers (Left)
◦ On-prem employees and IoT devices located at a Campus
◦ Remote Employees located at their Home Office or Public Location
◦ On-prem employees and IoT devices located at a Small Branch

● Providers (Right)
◦ Private applications located in Cloud Workloads (IaaS)
◦ Private applications located in a private Data Center
◦ Internet Website
◦ Public Application (SaaS)

Figure 17.
Cisco SASE/SSE Reference Architecture
User and Device Security
Security in this pillar involves making sure users and devices can be trusted as they access applications,
workloads, and data, regardless of location. With a hybrid workforce, users may be located on-premises at a
branch, at home, or a coffee shop. Regardless of their location, it is imperative that they are identified and have
the appropriate context before accessing company resources.

Identity involves the authentication, authorization, and accounting of entities accessing resources to confirm
they are who they say they are, they will only have access to the resources they need, and their access attempt
is logged in case there is a breach. For roaming users, this is done using ZTNA or RAaaS with the primary factor
of authentication using an identity provider such as Microsoft Active Directory but should be enhanced through
mechanisms such as MFA. On-prem users are identified with 802.1x before they are allowed to access the
network. User experience for both roaming and on-prem users can be improved by enabling SAML and SSO for
private and public applications, minimizing password exhaustion for users who have the option of signing into
multiple services using a single set of credentials. Along with identity, context is also important before access is
allowed. Device posture and other risk-based assessment checks against the device such as if the browser or
anti-virus definitions are out-of-date can prevent risker devices from accessing the network.
Figure 18.
SASE/SSE User & Device Security Business Flows with SAFE Capabilities
With managed devices, there is option to install endpoint security software to lower the risk of compromise to
devices connecting to trusted and untrusted networks. This software adds anti-malware security capabilities to
prevent and remove threats, connectors needed to forward traffic to the SASE or SSE cloud for inspection and
policy enforcement, and more. For visibility into the user’s digital experience, an agent is installed onto the
managed device to monitor application performance from the user’s perspective, providing additional
assistance to IT teams troubleshooting connectivity issues that user may experience. A cloud-based mobile

device management (MDM) solution can be used to distribute software, including endpoint security software,
and manage security policies on the device no matter where they are located.
When using an unmanaged device, such as a personal smartphone or PC, the user can verify their identity using
MFA and simpler context checks can be done, however, there is no insight into what services are running on
the device. Network controls must be put in place to limit network access and to detect suspicious traffic
patterns.
Users are not the only endpoints connected to the network. IOT Endpoints such as lighting, heating and air
conditioning have changed the way security must be enforced on the network. These devices are not only
absent a user, but many do not have the capability to leverage an 802.1X supplicant or a Certificate. In this
case, context checks such as posture and device profiling assessments can be used to control devices as they
connect to the network. Typically, the device MAC address is used to uniquely identity the device, and a profile
is built using information such as:
● Is the device secured using a strong method of authentication?

● What are the services it is trying to connect to?
● What ports is the device communicating on?
All of which allows us to build control policies and assign identifying tags to the devices traffic as it
communicates across the network.
Network and Cloud Security
After successful identity and context verification, user or device traffic must be routed to a public SaaS
application, private application within a datacenter or IaaS environment, or public Internet website. The Network
and Cloud security pillar handles providing secure transport for user, device, and application traffic as it is
routed over insecure underlay networks while enforcing the organization’s security policy to prevent
unauthorized access to protected applications and sensitive data. Traffic destined to public SaaS applications
or internet websites is routed through the SASE/SSE cloud where cloud security services are performed. Traffic
destined to private applications is routed through on-premises access where traditional on-premises security
services are applied.
For roaming users accessing public or private applications, least privileged access is provided by a ZTNA
solution after identity and context verification. As an initial step to accessing the application, the DNS request
for the application is verified using DNS security protecting the user from phishing attempts using similar
looking URLs. Traffic is proxied through the SASE/SSE cloud to provide security and enforce company policies
for web-based traffic (SWG), non-web traffic (FWaaS), and provide data loss prevention (CASB). ZTNA does
per application segmentation, preventing lateral movement by the user. For private applications in the data
center or IaaS environment, traffic is appropriately tagged and monitored as it passes through the network.
Firewalls enforce the security policy set by the identity & access control policy manager. For public SaaS
applications, access is monitored for any abnormal behavior by the CASB. Public Internet websites accessed by
the user, such as YouTube, don’t require identity checks controlled by the organization, however for managed
devices DNS security and SWG can be used to restrict access to insecure or inappropriate websites. Inline DLP
can prevent data loss and FWaaS can filter non-web traffic and provide intrusion prevention for inbound traffic.

Figure 19.
SASE/SSE Network & Cloud Security (Internet/SaaS) Business Flows with SAFE Capabilities
Alternatively, roaming users can connect to private applications using RAaaS services within SSE. This could be
for accessing legacy apps, or ones difficult to re-architect for SSO or Zero Trust model compatibility. Managed
devices (or unmanaged devices with an installed VPN client) may access the network over an encrypted tunnel
as if they were sitting on the corporate network. While some applications suit a ZTNA implementation, more
sensitive applications may require the extra layer of protection an IPsec tunnel would provide. Access could,
through the security policy, be limited to managed devices, where endpoint security software can be installed
to protect sensitive data from compromised devices. Like ZTNA, identity and context should still be verified and
least privilege access should be implemented through mechanisms like split tunneling and tagging. Split
tunneling will route only IP traffic associated with the specified application over the tunnel while enforcing
tagging will limit lateral movement.
For on-prem users and IOT devices, least privileged access is enforced by network devices in the branch and
data center (SD-WAN routers, switches, and firewalls) after identity and context verification. Traffic from these
users and devices is tagged and segmentation is applied based on the identity access policy distributed by the
identity and access policy manager. For private applications in the data center or IaaS environment, SD-WAN
routers securely route traffic to remote locations over underlay networks using IPsec tunnels while maintaining
tags and segmentation. Firewalls within the data center environment enforce the security policy, blocking
unauthorized access and checking for malware or intrusion attempts. For internet bound traffic (SaaS or public
website), like roaming users, DNS requests initiated by on-prem employees is verified by DNS security as an
initial step. After DNS security verifies the domain is safe, a DNS reply is sent, and the Internet bound traffic is

forwarded to the SASE/SSE cloud by the SD-WAN router. The SASE/SSE service provides security and
enforces security policies for web-based traffic (SWG), non-web traffic (FWaaS), and provides data loss
prevention (CASB).
Figure 20.
SASE/SSE Network & Cloud Security (Private Application) Business Flows with SAFE Capabilities
Finally, a digital monitoring experience agent is installed at the branch, data center, and IaaS environment to
monitor ISP and SD-WAN performance close to the users and close to the hosted private applications used by
employees.
Application and Data Security
While organizations can benefit from the scale and agility offered by hosting applications within hybrid and
multi-cloud environments, difficulties arise with managing the security of these distributed applications. For
example, with applications running across multiple infrastructures comes an increased attack surface. The
Application and Data Security pillar focuses on the security capabilities needed to prevent unauthorized access
whether those applications or workloads are hosted in the data center or in the cloud. Along with user-to-
application traffic, Application and Data Security must also be enforced for application-to-application traffic
where there may be API calls and other communications between microservices or containers.
Traffic to these applications initially passes a web application firewall which monitors and filters web-based
traffic for exploits and malicious connection attempts. DDoS protection blocks attempts to overwhelm the
application server and disrupt service availability. Successful DDoS attacks can cause productivity loss as well

as revenue loss for applications necessary for sales while successful exploits against the application servers
can allow exfiltration of sensitive customer data or software code.
Figure 21.
SASE/SSE Application & Data Security Business Flows with SAFE Capabilities
On the application server, an anti-malware software agent is deployed to provide defense in depth, preventing
and removing malicious threats not detected by endpoint security software, SASE/SSE, or network firewalls. For
comprehensive security, workload protection software should be deployed to on the server including features
such as:
● Micro-segmentation to reduce the attack surface for application traffic and only allowing known and
required communications
● Visibility into application behaviors, dependencies, and vulnerabilities as this is important for baselining
normal behavior to quickly identify abnormal or suspicious behavior
● Continuous vulnerability scanning to allow for quick detection and quarantining of workloads affected by
risky vulnerabilities
Through these features, the attack surface of distributed applications is reduced, lateral movement is minimized
in the event of a security incident, and the identification of anomalies and suspicious behavior is accelerated.

Appendix
Appendix A – SASE/SSE Reference Architecture Security Capabilities
Considering the architecture discussed in the previous section of this document, all the capabilities and Cisco
solutions can be mapped as below.
Capability Icon Capability Name Cisco Security Solution
Cisco Secure Network Analytics

Cisco Cyber Vision
Anomaly Detection
Cisco Secure Cloud Analytics
Cisco Secure Access by Duo
Cisco Secure Endpoint (integrated with Secure Connect,

Anti-Malware Umbrella, Firewall & SD-WAN)
Cisco Secure Malware Analytics
Cisco Secure Endpoint (integrated with Secure Connect,

Anti-Virus Umbrella, Firewall & SD-WAN)
Cisco Secure Malware Analytics
Application Dependency
Cisco Secure Workload
Mapping
Cisco+ Secure Connect

Application Segmentation
Duo Network Gateway
Cisco Umbrella
Cisco Secure Firewall
Cisco AppDynamics
Application Visibility &
Cisco Secure Application
Control (AVC)
Cisco Secure Web Appliance
Cisco Cloudlock
Cisco Meraki
Asset Management Cisco Secure Cloud Insights

Cisco Umbrella
Cloud Access Security
Cisco Cloudlock
Broker (CASB)
Continuous Vulnerability
Scanning
Cisco Cloudlock
Data Loss Prevention (DLP) Cisco Umbrella
Distributed Denial of
Radware DDoS
Service (DDoS) Mitigation
Device Health Connector Cisco Duo Device Health
Cisco Identity Services Engine
Device Posture Cisco Secure Access by Duo

Assessment Cisco Secure Firewall
Digital Experience
ThousandEyes
Monitoring (DEM)
Cisco Umbrella
DNS Security
Cisco Secure Client (AnyConnect)

DNS Security Connector
Cisco Umbrella Virtual Appliance

Cisco Umbrella
Firewall Cisco Secure Workload
Cisco Meraki MX

Cisco Cyber Vision

Cisco Secure Network Analytics
Flow Analytics
Cisco Secure Cloud Analytics
Identity Access Policy Cisco Identity Services Engine

Identity Authorization Cisco Identity Services Engine

Intrusion Prevention Cisco Umbrella
Malware Sandbox Cisco Secure Malware Analytics
Cisco Identity Services Engine

Micro-Segmentation Cisco Secure Workload
Mobile Device
Cisco Meraki Systems Manager
Management (MDM)
Multi-Factor Authentication
(MFA)

Cisco Umbrella
Cisco Meraki MX
Cisco Secure Email Appliance
Cisco Secure Web Appliance

Patch Management Cisco Secure Workload
Policy Generation, Audit &

Change Management
Process Anomaly
Detection & Forensics
Cisco Secure Firewall (ASA (Adaptive Security Appliance))

Cisco Secure Firewall (FTD (Firepower Threat Defense))
Remote Access VPN
Cisco Meraki MX
Remote Browser Isolation

Cisco Umbrella
(RBI)
Runtime Application
Security Protection

SAML & SSO
Cisco Meraki
SD-WAN
Cisco Viptela
Security Orchestration
Automation & Response Cisco SecureX
(SOAR)
Tagging Cisco Secure Workload

Telemetry Connector Cisco Secure Client (AnyConnect)
Threat Intelligence Cisco Talos

TLS/SSL Decryption Cisco Umbrella
Radware Alteon
Cisco Kenna
Vulnerability Management
Web Application Firewall Radware WAF

(WAF) Radware kWAF
Cisco Umbrella
Web Reputation Filtering Cisco Secure Web Appliance
Cisco Umbrella
Web Security Cisco Secure Web Appliance
Web Security Connector Cisco Secure Client (AnyConnect)

Appendix B – SASE/SSE Reference Design
The following is the Cisco SAFE Security Reference Design which identifies the products that deliver the
security capabilities required in the Cisco SASE/SSE Reference Architecture.
Figure 22.
Cisco SAFE Security Reference Design
The Cisco Unified SASE Design below identifies the products that deliver the security capabilities required
location-by-location in the Cisco SASE/SSE Reference Architecture. A unified SASE solution is more than just a
SaaS service provided by a single vendor that provides all SASE network (SD-WAN) and security (DNS-layer
security, SWG, FWaaS, CASB, ZTNA) capabilities within a single product. A unified SASE design must also be
highly integrated and provide ease of management. Some of the benefits of a unified SASE design are:
● Unified management allowing for efficient creation and deployment of network and security policies
● Improved user experience through consistent security policy enforcement regardless of the user’s
location
● Improved visibility with integrated SASE components due to unified data
This unified SASE design uses Cisco+ Secure Connect for the primary SASE security capabilities and is
complemented by Cisco Secure Access by Duo for MFA and Cisco ThousandEyes for DEM. The hardware
model numbers for SD-WAN routers are only mentioned for reference. Further analysis is required to determine
the correct hardware model for your sites.

Figure 23.
Cisco Unified SASE Design
The Cisco SASE/SSE with Self-Hosted ZTNA & Remote Access Design below also identifies products that
deliver the security capabilities required location-by-location in the Cisco SASE/SSE Reference Architecture.

Unlike the unified SASE design, this design provides more flexibility for choosing different products for each
security capability at the expense of integration and compatibility between products. Still, this design can allow
organizations to gradually modify their network rather than moving to a full SASE or SSE architecture all at once.
Still, a single vendor unified SSE offers benefits over disparate SSE solutions. These benefits can include:
● Consistent and easier security policy enforcement as all user traffic will get routed through the same SSE
cloud for SWG, FWaaS, and CASB functions
● Unified security policy management through a single pane of glass
● Single agent deployment on managed devices, simplifying security software deployment and
maintenance
At this time, Cisco’s solution for unified SSE uses Umbrella for DNS-layer security, SWG, FWaaS, and CASB
security functions but ZTNA and/or Remote Access VPN solutions must be self-hosted. Hardware model
numbers for SD-WAN routers are only mentioned for reference. Further analysis is required to determine the
correct hardware model for your sites.

Figure 24.
Cisco SASE/SSE with Self-Hosted ZTNA & Remote Access Design

Appendix C – SASE/SSE Detailed Business Flows with Capabilities
Remote Employee with Untrusted Device: Clientless ZTNA - Accessing Private Application (web/ssh/rdp)
(DC/IaaS)
Remote Employee with Trusted Device: Clientless ZTNA - Accessing Private Application (web/ssh/rdp)
(DC/IaaS)
Remote Employee with Trusted Device: Remote Access - Accessing Private Application (any tcp/udp)
(DC/IaaS)

Remote Employee with Trusted Device: Accessing Public Application (SaaS)
Remote Employee with Trusted Device: Accessing Internet Website

On-prem Employee with Trusted Device: Accessing Private Application (DC/IaaS)
On-prem Employee with Trusted Device: Accessing Public Application (SaaS)

On-prem Employee with Trusted Device: Accessing Internet Website
Trusted Branch Device: Accessing Private Application (DC/IaaS)

Application: API calls between microservices across Multiple Cloud Providers
Appendix D – Acronyms Defined

Considering the design discussed in previous sections of this document, all the capabilities and Cisco solutions
corresponding to each capability can be mapped as below.

Acronym Definition
AD Active Directory
API Application programming interface
ASA Adaptive Security Appliance
AVC Application Visibility and Control
AWS Amazon Web Services
BYOD Bring Your Own Device
DC Data Center
DDoS Distributed Denial of Service
DEM Digital Experience Monitoring
DIA Direct Internet Access
DLP Data Loss Prevention
DMZ Demilitarization Zone
DNS Domain Name System
EPG Endpoint Groups
FMC Firepower Management Center
FQDN Fully Qualified Domain Name
FTD Firepower Threat Defense
FWaaS Firewall as A Service
IaaS Infrastructure as a Service
IoT Internet of Things
IPS Intrusion Prevention System
ISE Identity Services Engine
ISP Internet Service Provider
MDM Mobile Device Management
MFA Multi-Factor Authentication
MPLS Multiprotocol Label Switching
MTTR Mean Time to Repair

Acronym Definition
MTTI Mean Time to Identify
MX Meraki Security
NaaS Networking as a Service
NDR Network Detection and Response
OS Operating System
OSI Open Systems Interconnection
PaaS Network Time Protocol
PAC Network Visibility Module
PoP Point of Presence
RAaaS Remote Access as a Service
RBI Remote Browser Isolation
SaaS Software as a Service
SAML Security Assertion Markup Language
SASE Secure Access Service Edge
SD-WAN Software Defined Wide Area Network
SECaaS Security as a Service
SGACL Security Group Access Control List
SGT Security Group Tag
SIG Security Information and Event Management
SQL Structured Query Language
SSE Security Service Edge
SSL Secure Sockets Layer
SSO Single Sign On
SWG Secure Web Gateway
TLS Transport Layer Security
URL Uniform Resource Locators
VLAN Virtual Local Area Network

Acronym Definition
VPN Virtual Private Network
WAF Web Application Firewall
WAN Wide Area Network
XDR Extended detection and response
XSS Cross site scripting
ZTNA Zero Trust Network Access
Appendix E - References
● Cisco SAFE
● Cisco SASE
● Cisco SD-WAN powered by Meraki
● Cisco SD-WAN powered by Viptela
● Cisco Security Refence Architecture
● Cisco ThousandEyes
● Cisco Umbrella
● Cisco Secure Data Center Architecture Guide
● Cisco Zero Trust Architecture Guide
● Cisco+ Secure Connect
● SASE for Dummies
Appendix F - Feedback
If you have feedback on this design guide or any of the Cisco Security design guides, please send an email to
ask-security-cvd@cisco.com.

Sase Sse Ag

Uploaded by

Copyright:

Available Formats

Sase Sse Ag

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sase Sse Ag

Uploaded by

Copyright:

Available Formats

Architecture Guide

Cisco Secure Access Service

© 2023 Cisco and/or its affiliates. All rights reserved. Page 1 of 51

© 2023 Cisco and/or its affiliates. All rights reserved. Page 2 of 51

© 2023 Cisco and/or its affiliates. All rights reserved. Page 3 of 51

© 2023 Cisco and/or its affiliates. All rights reserved. Page 4 of 51

© 2023 Cisco and/or its affiliates. All rights reserved. Page 5 of 51

● Identity: limiting application access to specified users and devices

Security Service Edge

© 2023 Cisco and/or its affiliates. All rights reserved. Page 6 of 51

● Provide secure seamless access for users

© 2023 Cisco and/or its affiliates. All rights reserved. Page 7 of 51

Secure Web Gateway

© 2023 Cisco and/or its affiliates. All rights reserved. Page 8 of 51

Cloud Access Security Broker

© 2023 Cisco and/or its affiliates. All rights reserved. Page 9 of 51

Zero Trust Network Access

© 2023 Cisco and/or its affiliates. All rights reserved. Page 10 of 51

Software Defined WAN

© 2023 Cisco and/or its affiliates. All rights reserved. Page 11 of 51

© 2023 Cisco and/or its affiliates. All rights reserved. Page 12 of 51

Digital Experience Monitoring

© 2023 Cisco and/or its affiliates. All rights reserved. Page 13 of 51

Cisco SASE/SSE Architecture

© 2023 Cisco and/or its affiliates. All rights reserved. Page 14 of 51

Cisco SAFE Business Flows

© 2023 Cisco and/or its affiliates. All rights reserved. Page 15 of 51

User and Device

Threat Icon Threat Name Threat Description

Attackers can easily steal or compromise passwords via phishing

Devices running older versions of software – such as operating

Often, devices that are not owned or managed by your IT team

Network and Cloud

Threat Icon Threat Name Threat Description

Suspect data loss occurs when an abnormal amount of data has

Hosts attempting to compromise each other, such as through

An unknown host on the network, or a host that has been

© 2023 Cisco and/or its affiliates. All rights reserved. Page 16 of 51

Threat Icon Threat Name Threat Description

For example, a malicious actor, on the public network, exploits a

The attacker then exploits a known vulnerability in the underlying

The attacker then starts profiling the application environment and

Zero-day malware attacks, poorly developed applications or

Without appropriate network visibility and segmentation policies,

© 2023 Cisco and/or its affiliates. All rights reserved. Page 17 of 51

Cisco SAFE Capabilities

© 2023 Cisco and/or its affiliates. All rights reserved. Page 18 of 51

Anomaly detection maintains complex models of what is normal,

Network Detection and Response (NDR) solutions leverage pre-

Knowledge of emerging threats from active adversaries is shared

Secure Access Service Edge

Digital Experience Monitoring

Security Service Edge

© 2023 Cisco and/or its affiliates. All rights reserved. Page 19 of 51

● Cloud Access Security Broker

Cloud Access Security Broker

Capability Icon Capability Name Capability Description

Data Loss Prevention (DLP) is designed to stop sensitive

© 2023 Cisco and/or its affiliates. All rights reserved. Page 20 of 51