SASE: A Reality Check

Have you heard the classic Indian fable where six blind men touch different parts of an elephant only to land on completely different perceptions of what an elephant is? The story gets you to think whether one can claim out-and-out authority on a subject, based solely on a subjective experience?

Before I tell you how that narrative applies to the current SASE landscape, let’s take a moment to relish John Godfrey Saxe’s catchy version of ‘Blind Men and the Elephant’:

It was six men of Indostan,
To learning much inclined,
Who went to see the Elephant
(Though all of them were blind),
That each by observation
Might satisfy his mind.

The Secure Access Service Edge, or SASE (pronounced “sassy”), as defined by Gartner, has been the trending topic in both the security and networking industry for the past year. And for good reasons. Enterprises have been burning the candle at both ends to keep up with sprawling digital transformation initiatives that span networking and security, and with the limited resources and budget at their disposal.

The network team that was already stretched thin trying to accommodate SaaS applications, multi-cloud environments, IoT, and big data initiatives is now tasked with providing rapid and reliable access to all of these services and applications to numerous remote users and devices trying to access these business applications from their homes and other locations. The last thing they wanted was more complexity and trends to keep up with. But perhaps, all this hustle makes it the best time to adopt SASE.

Deciphering SASE

Before we get into “why” and “how,” it’s essential to first understand, what is SASE? It is an enterprise technology architecture and category introduced by Gartner in 2019. According to Gartner, the short definition of SASE is that it converges the functions of networking and security point solutions into a unified, global cloud native service. It is an architectural evolution of enterprise networking and security that facilitates an adaptive and agile service to the digital business.

Too much jargon? Simply put — the primitive hub-and-spoke method of pumping all branch and cloud based traffic through the corporate data center to provide security doesn’t cut it anymore. Nor does looking at networking and security as two separate silos. SASE aims at delivering the same networking security stack via the cloud, making sure the cloud native traffic does not have to hit the corporate networks. But wait…it is not that easy. There is a reason I started this blog with that elephant story.

Too Many Chefs Spoil The Cake

If you google “What is SASE?”, you are likely to end up with ten different descriptions that are tailored by ten different SASE vendors to suit their narratives. While the newness of SASE contributes to the confusion, it is imperative to understand what SASE truly stands for.

SASE is not merely network and security convergence. The idea behind SASE goes beyond the concept of consolidation and delves into how this converged solution should look, feel, and be delivered. Your SASE blueprint should have a strong emphasis on a cloud-based services model from a single managed service provider.

Furthermore, even though SASE is generalized as a cloud delivered service, there may be scenarios where an organization may need to complement the cloud-based solution with a physical one for better results. For example, the necessity for edge security when processing sensitive data instead of moving the data to the cloud for inspection. This merger of physical and cloud delivered security capabilities ingrains the role of SASE deep into the network, rather than outsourcing security to an entirely siloed system at the edge or in the cloud.

Why It’s SASE and SD-WAN, Not SASE vs. SD-WAN

It’s funny how SASE offerings are being hyped as the successor to SD-WAN technology. If anything, they are complementary to each other. A SASE converges cloud security with comprehensive WAN capabilities, and when mixed in the right proportion, it provides the utmost efficiency in traffic flow and cybersecurity adaptability.

While SASE mitigates latency from the backhauled architectures via local internet breakouts, it does little to eliminate the public internet’s unpredictability. How do you ensure that your mission-critical applications get the priority lane over YouTube traffic? Moreover, you still need the power of edge computing for branch to DC or branch-to-branch connectivity because many data-sensitive business applications are not moving to the cloud anytime soon. SD-WAN is central to network functionality, while SASE converges it with other security services such as a Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), FWaaS, and Cloud Access Security Broker (CASB) as core abilities. With combined forces, it has the potential to create a holistic WAN connectivity and security solution.

But Does It Save Me Money?

Organizations generally depend on multiple point products for securing different breach-sensitive network points. These may include application firewalls, VPN appliances, or other physical products for different locations. Most of them come with their own policies, protocols, interfaces, and support. The end result? A disjoint solution with administrative complexities and higher operational costs.

SASE gives you an option to do away with this disjointed model assembled via virtual and physical appliances from varied vendors. Instead, it offers a single hand-to-shake model, thus eliminating the cost of miscellaneous appliances and mitigating the unwanted complexities that might occur at different integration points. Which also means cutting down on IT staff that run it. Eventually, users are bound to see better savings.

Aryaka: Paving the Road To SASE

Enterprises need the power of choice to suit their architectural and/or regulatory needs. Aryaka’s security strategy has always revolved around providing the power of choice.

An access firewall within the ANAP, Aryaka’s Secure Access Service Edge (SASE), offers ‘north-south’ control at the branch. Aryaka Zones extends this to the LAN with ‘east-west’ security, through site-segmentation with policy-based access. Together, the two capabilities segment WAN traffic to Aryaka and internet, from LAN traffic, both internal and DMZ.

Our solution also integrates advanced Next-Generation Firewall (NGFW) functionality in Aryaka’s ANAP service edge CPE as a VNF (Virtual Network Function). Aryaka can partner with best-of-breed vendors to offer enterprises solutions that are optimally tailored to their particular enterprise architecture and regulatory requirements.

Aryaka integrates with Check Point CloudGuard Connect at the Aryaka PoP, optimizing and securing all the traffic that lands on it. A third capability extends security into the cloud through Aryaka’s security partners, including Zscaler, Palo Alto Networks and Symantec. As an example, an enterprise may consume Zscaler’s complimentary cloud-based security-as-a-Service, with Aryaka directing traffic appropriately. Alternatively, remote workers may access Aryaka via Palo Alto’s Prisma Cloud Security Suite, providing authentication and acceleration.

The combined solution provides tight integration of Aryaka’s fully-managed, cloud-first WAN capabilities with Check Point’s security solutions. It provides the building blocks for enterprises to adopt emerging architectural approaches such as SASE, while taking advantage of the service delivery footprint through Aryaka’s global service points-of-presence (PoPs) and its multi-cloud networking capabilities. And it is all delivered as-a-service.

In parallel, the Aryaka private core delivers partitioned connectivity to all enterprises, encrypting the data and protecting against DDoS attack. Within the branch, enterprises have access to Syslog and Netflow logging, and at the network level, the MyAryaka cloud portal provides a single pane of glass for service configuration, monitoring and health.

As a closing note, let’s address the elephant in the room. Should you take the DIY or a Fully Managed approach to SASE? It is not a very well-kept secret that staying on top of every aspect needed to configure, operate and update all the elements that comprise a state-of-art security solution is a complex undertaking and may strain your IT Team to the brink. More importantly, given that SASE follows the cloud paradigm, a fully managed service following the OpEx cloud consumption model aligns more closely with the concept and it is a great way to switch IT spending to a pay-as-you-go model.

For in-depth details of how our security architecture looks like, read our Security Architecture white paper..

Want to know more about the most prevalent global WAN Trends? Register for our webinar and understand what IT and Network professionals are thinking, their key focus areas and how priorities have changed over the past year.