The global pandemic now hitting almost every corner of the world is forcing countless millions of people to work from home. In one sense, we\u2019re fortunate to now have the technology that allows us to do that. Between broadband Internet access in the home, corporate VPNs, team workspaces and videoconferencing services, many people can continue to do their jobs as effectively as if they were in their regular office environment.\nThat doesn\u2019t mean it\u2019s all smooth sailing for the IT departments that have to enable and support those critical work-from-home services. Depending on the type of network architecture a company has, it can be relatively easy or significantly challenging to support tens of thousands of employees now suddenly working from home.\n\nI recently talked with Mark Casey, CEO of the network infrastructure services provider Apcela, who conveyed the challenges that many large enterprises have. It\u2019s these companies that typically still have a traditional hub-and-spoke kind of WAN anchored in a physical data center. Corporate traffic is backhauled from branch and remote locations (like workers\u2019 homes) to a centralized data center to pass through a security stack before it is sent to the internet or to cloud services. Unfortunately, this legacy network architecture doesn\u2019t adapt well to the dramatically different traffic patterns resulting from a massive surge in telework.\nWhen you look at the VPN architecture in this environment, it\u2019s largely dominated by Cisco with its AnyConnect solution that pairs with the vendor\u2019s ASA firewall products. Countless large enterprises have these hardware appliances in their on-premises data centers. Whether it\u2019s Cisco equipment or some other vendor\u2019s, the VPN\/firewall combination is a real workhorse under normal conditions, but the vast increase in remote workers is causing a strain.\nVPN capacity is strained\nA home-based worker brings up a VPN connection that creates a secure tunnel to take him straight into the data center. This might be fine when the company expects 10% to 20% of its employees to work remotely at any given time, but now the numbers might approach 50% or 70%. This creates contention for resources and a poor VPN experience for all. What\u2019s more, workers are routing a bunch of internet traffic to the data center along with traffic destined for on-premise applications like Microsoft Office 365. This is the landscape that Casey sees every day as he engages with large enterprise organizations.\n\u201cWe\u2019ve talked to a number of companies recently that say they need to expand their VPN capacity but the legacy network architecture is holding them back. Cisco, Palo Alto and others are offering free VPN client licenses but the enterprises still need to expand the VPN terminating appliances. It\u2019s hard to quickly scale capacity in this environment,\u201d says Casey. \u201cWhether it\u2019s coronavirus or some other catalyst that puts stress on the legacy network environment, we advocate that enterprises should diversify and shift portions of their network architecture to the cloud. This will give them much more flexibility to provide security and remote access services to their workforce in the long run.\u201d\nSASE for flexibility and capacity on demand\nCasey points to the Secure Access Service Edge (SASE, pronounced \u201csassy\u201d) framework as a model for re-architecting the enterprise network. SASE is Gartner\u2019s name for a combination of SD-WAN capabilities with a number of security services that are primarily delivered through a cloud-based delivery model.\nGartner defines the service edge as an offering that supports the access needs of digital enterprises by combining SD-WAN functions with network security services such as secure web gateway (SWG), cloud access security broker (CASB), and cloud-based firewall. In short, a SASE offering helps simplify network management by offering highly customizable policy-based control that can be tailored by user identity, session context, and application needs for performance and security \u2013 and it\u2019s delivered from the cloud.\u00a0\nCasey explains the concept of a service edge with a geographical example. \u201cSuppose an employee is VPNing into his corporate network from his New York area home, and the data center happens to be in Chicago. Ordinarily the traffic would all be directed to Chicago, but if he\u2019s accessing internet content, it would be optimal to egress that traffic via secure web gateway much more locally to where the user is. It\u2019s better to go to a site in New York where the VPN terminates on a local firewall, and there\u2019s a secure web gateway there so the Internet traffic can be offloaded there instead of backhauling it to Chicago. This site in New York is called the service edge.\u201d\nCasey continues his explanation: \u201cA virtualized version of a company\u2019s firewall sits in the hub. The VPN terminates on the VPN concentrator in the local hub and then the traffic is routed appropriately. That traffic going to the internet goes out through secure web gateway and that traffic that's destined for an application in the data center goes over a private network inside the security parameters. This is essentially another tunnel back to the data center. And that's a great use case for this whole concept of SASE, which is to lift some of your core security components and move them out to the cloud.\u201d\nWith the word cloud, people tend to think of AWS or Azure or Google Cloud Platform, but Casey gives cloud a broader definition. \u201cCloud is Software as a Service, like Salesforce and ServiceNow,\u201d says Casey. \u201cIf you\u2019re an enterprise, cloud is an Equinix data center. Cloud is anything that\u2019s not you, and it\u2019s delivered as a service.\u201d\nThe service edge is a powerful hub\nIn Apcela\u2019s parlance, a service edge is called an application hub, or AppHub. Other companies call them communication hubs, cloud hubs, or simply Points of Presence (PoPs). Regardless of the name, the concept is the same.\nThese hubs consist of racks of switching and routing equipment that are typically deployed in carrier-neutral co-location centers. Then these data centers are interconnected with high-capacity, low-latency circuits that create a high-performance core network. SD-WAN, VPN and security stacks are typically deployed in the hubs. At the edge of this network, an enterprise can directly connect its own data centers, branch offices, remote and mobile users, and even third-party partners. The leading SASE providers have built hubs, or PoPs, around the world so that organizations and their workers can connect to the closest hub to obtain the communication and security services they need. Each enterprise chooses what services it wants to utilize.\nWhen considering how to deploy security as a virtual service, Casey says, \u201cYou don't necessarily want to put all the security in AWS because then it will work great with AWS, but it won't work for GCP or Azure, and it certainly won't help you for your SaaS applications. So having this hub environment that sits between the application clouds \u2013 Salesforce, Office 365, Workday, etc. \u2013 and the users and enterprise locations is the perfect location to put these security services. And because the hubs are essentially an Infrastructure as a Service, you're not stuck with having to move to some proprietary cloud-based platform.\u201d\nSASE infrastructure is essentially on demand, so it\u2019s fairly easy for new customers to adopt it. \u201cIt\u2019s not complicated,\u201d says Casey. \u201cWe have to find a place, somewhere in the world, and cross connect back into an enterprise\u2019s infrastructure to deliver private connectivity. But it's all very cloud-like. It takes the agility of cloud and the speed of cloud and enables you to act quickly.\u201d\nSASE has VPN capacity pre-built\nThe SASE model allows companies to expand their VPN platforms easily because the capability is all pre-built. Once the service is turned on, the company is well positioned to support thousands of new home-based workers.\nI asked Casey about a realistic timeframe for companies that are new to the SASE approach before they can expect to be up and running with expanded VPN capacity. \u201cI can only speak to the solution Apcela offers, of course, but I\u2019d say it\u2019s a matter of days to weeks, but certainly not months,\u201d he says. \u201cIn our case, it depends on their security platform because we leverage virtualized network functions on the security side, so the whole concept of procuring and shipping equipment goes away.\u201d Other vendors might do the deployment in different ways.\nContrast this approach to the legacy model of installing new hardware in a data center to provide more capacity. By the time the company orders the hardware, gets it shipped to the data center, and then installed and configured, two or three months might pass.\nAnother benefit of the SASE framework is that traffic travels over a private core network rather than the public Internet. \u201cThe Internet shouldn\u2019t become your new WAN \u2013 certainly not for business and mission-critical platforms. You need a specialized sort of MPLS-like network for your cloud apps, which is what a SASE platform does,\u201d says Casey. \u201cTraffic is taken off the Internet at the secure edge, put onto a private secure network and routed directly to the appropriate SaaS or IaaS platform data center.\u201d\nHaving a private core network is especially important at this time because the public Internet is under great strain due to the traffic and content pattern shifts now that so many people are staying home or working from home. The strain is so bad that companies like Facebook and Netflix have been asked by the European Commissioner for internal market and services to throttle their services to consume less bandwidth. As Casey says, \u201cYou don\u2019t want your corporate traffic to compete for bandwidth against Netflix and all these different videoconferencing services.\u201d\nIf your organization is struggling with ramping up work-from-home capacity in a hurry, consider how a SASE service might help you.