SASE: What It Is, What It Isn't, and Why Should You Even Care

Secure Access Service Edge is bigger than SD-WAN and a lot more than stuffing virtual appliances in the cloud.

dilbert
© Scott Adams. Used By permission of ANDREWS MCMEEL SYNDICATION. All rights reserved.

For years, enterprise networking and security leaders have had to weather the complaints and consternation of IT and business executives. IT costs too high? Blame that MPLS network.  Web taking too long to load? It’s that darn VPN client again. 

Now a new product category, Secure Access Service Edge (SASE), is supposed to put networking and security teams firmly ahead of the game. So impactful is this new sector that Gartner’s termed it “transformational,” a lofty status that not even SD-WAN, with all of its market impact, ever achieved. Within four years, Gartner expects 40% of enterprises will have strategies to adopt SASE.

And Gartner isn’t alone. Analysts and pundits across the industry have long talked about the convergence of security and networking. Vendors have only happily fueled the fires. I confess, as Cato’s technology evangelist, I’m guilty as charged, but you can also blame my compatriots at Netskope, Palo Alto, and Zscaler. Marketers just love to polish legacy technology, claiming it be this bright, shiny, new SASE thing.

But how can SASE really help you, and, more importantly, how do you know if that SASE product you’re evaluating really does deliver the goods? Read on and learn about the tarnish underneath all too many of those supposed, glitzy SASE solutions.

What Is SASE in a nutshell?

Gartner ignited the SASE firestorm, defining the category in its July 2019 Hype Cycle for Enterprise Networking report and going into greater depth in an August 2019 report, The Future of Network Security is in the Cloud. The premise: anchoring legacy networking (i.e., MPLS) and security around the corporate data center no longer makes sense now that most enterprise computing workloads lie in the cloud and are accessed by users inside and outside branch offices.

What’s needed is a cloud platform that connects and secures any type of edge device based on user identity. SASE, as this solution is called, converges WAN capabilities (including SD-WAN) and security services (such as CASB, ZTNA, anti-malware, and FWaaS) into one, seamless service. The “edge” connecting to SASE can be a branch office but just as easily a mobile device, IoT system, or edge computing location. Identity includes the user’s identity as well as real-time characteristics, such as the user’s device and location. Putting it all together, SASE solutions should deliver the optimum possible network experience with just the right degree of access and protection for any user at that given time.

To meet those performance expectations, Gartner sees SASE delivering networking and security capabilities from globally dispersed Points of Presence (PoPs). All processing should occur in those PoPs, requiring no backhaul that might otherwise impact performance. And because the unpredictability and latency of global Internet routing can disrupt voice and other latency-sensitive applications, PoPs should have high-performance, predictable interconnections, such as private global backbone. The only time traffic traverses the public Internet is the short hop from the edge to the nearest SASE PoP.

Nearly a dozen benefits and uses of SASE are listed by Gartner in its report.  There’s reduction in complexity and costs, performance improvements over legacy networks, and better security. Read the report for detail, but in short, you gain an agile, efficient, and secure infrastructure needed to meet today’s – and tomorrow’s -- “digital” business requirements.

The Cloud is Fundamental to SASE

It’s important to understand that cloudand, more specifically, cloud-native—is the operative term here. SASE is not a carrier-managed service, installing hardware appliance or NFV software in your data center or branch offices. Nor is SASE “managed from the cloud” or “hosted in the cloud.” It is a service built for the cloud, as Gartner says plainly in the title, The Future of Network Security is in the Cloud (bolding is additional).

Cloud-native is the most critical factor in distinguishing between SASE solutions. Gartner notes in the report that no solution offers all of the anticipated SASE features today. What’s important, however, is that the platform is built right versus those that are fundamentally flawed.

A cloud-native service delivers on the cloud “ilities”—scalability, velocity, efficiency, and ubiquity —that have made the cloud the breakthrough that it is. Such a service depends on a scalable, ubiquitous multitenant software platform. The cloud-native service provider is responsible for maintaining the underlying shared infrastructure while you maintain your own network implementation across that cloud. Think of it as AWS (or Azure) for networking and security.

This means IT is freed from many of the complexities and costs inherent in building out a global network. The availability and scaling of infrastructure to meet peak demand is on the provider, not IT. High availability (HA) planning, where IT had to worry about appliance redundancy, failover times, and alternate pathing, becomes an implicit part of a cloud service (or at least one claiming to deliver HA).

With its inherent elasticity, economies of scale, and efficient use of infrastructure, cloud-native services deliver these capabilities to customers with maximum cost efficiency. As Zscaler’s Jay Chaudhry pointed out, anything other than a multitenant cloud service would be similar to a stack of DVD players in a data center somewhere calling itself Netflix.

SASE Is Not About Hosting Virtual or Physical Appliances

Vendors being vendors, of course, are racing to capitalize on the SASE phenomenon. Several are hosting virtual or physical appliances in the cloud and calling it a SASE service, as has already been pointed about by Shlomo Kramer in What Palo Alto Networks Won’t Tell You About Its New SASE Service and Richard Steinnon in his Forbes column, Gartner Has it Right. Palo Alto Networks Has it Wrong.

But as Gartner points out, SASE is not a collection of WAN and security point solutions chained together—even if those appliances are virtual ones. It is a single integrated service that inspects all traffic with these functions in a single pass. As such, no time is wasted repacketizing and inspecting data multiple times for different security functions. Nor does IT waste time managing multiple siloed security solutions or configuring individual security functions for new users.

By contrast, basing a service on hardware or virtual appliances introduces all sorts of inefficiencies. We’ve already spoken about the complexities of HA planning with appliances at the edge, but the story remains the same when those appliances sit in the cloud. Someone—the provider or the enterprise—needs to ensure appliance redundancy and test for failover. Regardless of who takes on that responsibility, the same person will pay for it—you.

And then there’s the ubiquity problem. With an appliance-based service, IT is left having to anticipate requirements, deploying appliances wherever the enterprise might require them. Perhaps that might have worked but with the digital business’s need for fast site deployment and global user connectivity, such an approach is no longer effective. Enterprises are forced to either over-invest in deploying more appliance than necessary or compromise performance by backhauling traffic. With a cloud-native service, though, the provider invests in the infrastructure based on the needs of all customers, not just one. There’s a better than good chance, then, that your mobile users—and any other device—will be located near one of the provider’s distributed PoPs.

The Future of Networking and Security Is, You Guessed It, SASE

Everyone “gets” that the cloud and mobility are part of everyday life. It’s time that those trends become part of our IT infrastructure. Having one network to connect sites, another for remote users, and still other technologies for the cloud is so, well, last century. SASE, or frankly whatever you want to call it, is an idea whose time has finally arrived. Pick a cloud-native SASE platform and gain a lean, agile infrastructure to shepherd your company into the digital era. Select wrong and continue being the brunt of user complaints for years to come. 

Related: