Secure Access Service Edge (SASE): A reflection of our times

Gartner makes the claim that the shift to SASE will make obsolete existing networking and security models.

There’s a buzz in the industry about a new type of product that promises to change the way we secure and network our organizations. It is called the Secure Access Service Edge (SASE). It was first mentioned by Gartner, Inc. in its hype cycle for networking. Since then Barracuda highlighted SASE in a recent PR update and Zscaler also discussed it in their earnings call. Most recently, Cato Networks announced that it was mentioned by Gartner as a “sample vendor” in the hype cycle.

Today, the enterprises have upgraded their portfolio and as a consequence, the ramifications of the network also need to be enhanced. What we are witnessing is cloud, mobility, and edge, which has resulted in increased pressure on the legacy network and security architecture. Enterprises are transitioning all users, applications, and data located on-premise, to a heavy reliance on the cloud, edge applications, and a dispersed mobile workforce.  

Our technologies must evolve

Digital transformation improves agility and competitiveness. However, at the same time, it impacts the way we connect and secure these connections. Therefore, as the landscape evolves must our technologies. In such a scenario, the introduction of a SASE is a reflection of this change.

The new SASE category converges the capabilities of WAN with network security to support the needs of the digital enterprise. Some of these disparate networks and security services include SD-WAN, secure web gateway, CASB, software-defined perimeter, DNS protection, and firewall-as-a-service.

Today, there are a number of devices that should be folded into a converged single software stack. There should be a fabric wherein all the network and security functionality can be controlled centrally.

SD-WAN forms part of the picture

The hardest thing is to accept what we have been doing in the past is not the best way forward for our organizations. The traditional methods to protect the mobile, cloud assets and sites are no longer the optimum way to support today's digital environment. Gartner claims that the shift to SASE will make the existing networking and security models obsolete.

Essentially, SASE is not just about offering SD-WAN services. SD-WAN is just a part of the much bigger story since it doesn't address all the problems. For this, you need to support a full range of capabilities. This means you must support mobile users and cloud resources (from anywhere), in a way that doesn't require backhauling. 

Security should be embedded into the network which some SD-WAN vendors do not offer. Therefore, I could sense SASE saying that SD-WAN alone is insufficient.

An overview of the SASE requirements

Primarily, to provide secure access in this new era and to meet the operational requirements will involve relying heavily on cloud-based services. This is contrary to a collection of on-premise network and security devices.

Whereas, to be SASE enabled, the network and security domain should be folded in a cloud-native approach to networking and security. This provides significant support for all types of edges.

To offer SASE services you need to fulfill a number of requirements:

  1. The convergence of WAN edge and network security models
  2. Cloud-native, cloud-based service delivery
  3. A network designed for all edges
  4. Identity and network location

1. The convergence of WAN edge and network security models

Firstly, it requires the convergence of the WAN edge and network security models. Why? It is because the customer demands simplicity, scalability, low latency and pervasive security which drive the requirement for the convergence of these models.

So, we have a couple of options. One may opt to service the chain appliances; physical or virtual. Although this option does shorten the time to market but it will also result in inconsistent services, poor manageability, and high latency.

Keep in mind the service insertion fragments as it makes two separate domains. There are two different entities that are being managed by limiting visibility. Service chaining solutions for Gartner is not SASE.

The approach is to converge both networking and security into the cloud. This creates a global and cloud-native architecture that connects and secures all the locations, cloud resources, and mobile users everywhere.

SASE offerings will be purpose-built for scale-out, cloud-native, and cloud-based delivery. This will notably optimize the solution to deliver low latency services.

You need a cloud-native architecture to achieve the milestone of economy and agility. To deliver maximum flexibility with the lowest latency and resource requirements, cloud-native single-pass architecture is a very significant advantage.

2. Cloud-native, cloud-based service delivery

Edge applications are latency sensitive. Hence, these require networking and security to be delivered in a distributed manner which is close to the endpoint. Edge is the new cloud that requires a paradigm shift to what cloud-based providers offer with a limited set of PoP.

The geographical footprint is critical and to effectively support these edge applications requires a cloud-delivery-based approach. Such an approach favors providers with many points of presence. Since the users are global, so you must have global operations.

It is not sufficient to offer a SASE service built solely on a hyper-scale. This limits the providers with the number of points of presence. You need to deliver where the customers are and to do this, you need a global footprint and the ability to instantiate a PoP in response to the customer demands.

3. A network designed for all edges

The proliferation of the mobile workforce requires SASE services to connect with more than just sites. For this, you need to have an agent-based capability that should be managed as a cloud service.

In plain words, SASE offerings that rely on the on-premises, box-oriented delivery model, or a limited number of cloud points of presence (without agent-based capability), will be unable to meet the requirements of an increasingly mobile workforce and the emerging latency-sensitive applications.

4. Identity and network location

Let’s face it, now there are new demands on networks emerging from a variety of sources. This results in increased pressure on the traditional network and security architectures. Digital transformation and the adoption of mobile, cloud and edge deployment models, accompanied by the change in traffic patterns, make it imperative to rethink the place of legacy enterprise networks. 

To support these changes, we must reassess how we view the traditional data center. We must evaluate the way we use IP addresses as an anchor for the network location and security enforcement. Please keep in mind that anything tied to an IP address is useless as it does not provide a valid hook for network and security policy enforcement. This is often referred to as the IP address conundrum.

SASE is the ability to deliver network experience with the right level of security access. This access is based on the identity and real-time condition that is in accordance with company policy. Fundamentally, the traffic can be routed and prioritized in certain ways. This allows you to customize your level of security. For example, the user will get a different experience from a different location or device type. All policies are tied to the user identity and not based on the IP address. 

Finally, the legacy data center should no longer be considered as the center of network architecture. The new center of secure access networking design is the identity with a policy that follows regardless. Identities can be associated with people, devices, IoT or edge computing locations.

A new market category

The introduction of the new market category SASE is a reflection of our current times. Technologies have changed considerably. The cloud, mobility, and edge have put increased pressure on the legacy network and network security architectures. Therefore, for some use cases, SASE will make the existing models obsolete.

For me, this is an exciting time to see a new market category and I will track this thoroughly with future posts. As we are in the early stages, there will be a lot of marketing buzz. My recommendation would be to line up who says they are claiming/mentioning SASE against the criteria set out in this post and see who does what.

Copyright © 2019 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022