SASE Guide for Business

There is also confusion between SD-WAN, SASE and MPLS. It is not either-or: all three can be deployed within the same WAN architecture. MPLS is a transport option for SD-WAN, as is Dedicated Internet Access (DIA) or a private core such as the one Aryaka offers, which fits within an SD-WAN architecture. SD-WAN provides connectivity for SASE.



What is SASE?

SASE, or the Secure Access Service Edge, brings together managed networking and security for a cloud-first world. The intent is to deliver these capabilities in a simple, flexible, and secure architecture offering consistency across the cloud and edge. The business objective is to deliver vastly better application performance with reduced security risk to employees irrespective of location.

As depicted below, SASE is a combination of Network as-a-Service and Network Security as-a-Service. The ‘as-a-Service’ is crucial, in that SASE is meant to be consumed as a managed service, aligned to cloud services adoption. Core networking capabilities include SD-WAN for connectivity, application optimization, and multi-cloud access, while security includes firewalls and secure web gateways amongst others.

What is SASE

Why SASE And Why Now? Drivers For Change

Enterprises need a new architecture built on proven cloud-first principles that bring together network and network security as-a-service in a time of shifting workloads, workforces, and expectations. This simple, flexible, and secure architecture with consistency across the cloud and with edge control is the Secure Access Service Edge, or SASE for short, and is an outgrowth of these three key trends.

  • Shifting Workloads: Applications are shifting to the cloud, accessed by any and all devices.
  • Shifting Workforces: Workforces are located anywhere, at home, in the office, or on the go.
  • Shifting Expectations: Employees and partners expect consumer experiences in the workplace.

SASE addresses challenges that include how to ensure consistent network and application performance, how to ensure pervasive security across distributed users, devices, and applications, and how to deliver seamless support experiences as-a-service. It leapfrogs traditional approaches, whose inefficient, costly, and complex hub-and-spoke architectures don’t align to a cloud-first world.


Is SASE Just About Security?

Though much of the discussion surrounding SASE seems to focus on security, it is much broader than this. Remember, the definition of SASE is a combination of both Network as-a-Service and Network Security as-a-Service. One doesn’t exist without the other. But there is a third element, just as critical.

Think of SASE as a three-legged stool. One leg is security, the second networking, and the third, and often overlooked, is lifecycle services. The core value of SASE comes from the convergence of critical network and security components (WAN-optimization, last mile, zero trust, and more) into one easily consumed cloud-based service.

Managed SASE Architecture

This sometimes-neglected “lifecycle services” leg is critical in accelerating adoption, removing barriers, and enabling a more productive and secure hybrid workforce. A focus on integrated lifecycle services, from design and implementation to orchestrating and managing a SASE solution, can make a significant difference. For example, common troubleshooting that might take a traditional hub-and-spoke vendor team weeks and months can take a one-stop managed service partner just hours and days to identify and remediate. This saves both time and money.

Who Requires SASE?

The real question is who doesn’t require SASE. With cloud adoption and the increasing sophistication of security threats, traditional on-premises ‘heavy’ security stacks no longer offer the flexibility required by enterprises. Enterprises also require security capabilities to be deployed in the cloud where they consume IaaS/PaaS/SaaS. It is an approach that is applicable to any organization irrespective of size, location, or industry, if they have begun their journey to the cloud.

Why Should I Care? SASE Business Benefits

SASE delivers the benefits of the cloud consumption model, now applied to networking and security. In the same way that the cloud delivers scale, simplicity, scalability, and optimal TCO, freeing IT from just keeping the lights on, SASE now brings these benefits to networking and security. It introduces the ease of deployment and consumption demanded by enterprises of all sizes.

Protecting ‘anywhere’ employees, data moving between public and private clouds, and complying with new regulations has never been a more vital concern for enterprises. With workforces distributed across the globe in offices, homes and on the go, maintaining reliable and secure network performance is also critical to driving desired business outcomes. The cloud-based SASE architecture eliminates traditional capital and operational expenditures while streamlining network maintenance, security, and scalability.

Businesses can consolidate traditionally disconnected network and network security functions into an ‘as-a-service’ model, consuming these in the same way they increasingly consume other cloud-based services and applications. And SASE, when deployed as part of a Services PoP architecture, efficiently and flexibly brings together both on-premises and remote workers under a common security policy framework, enhancing the enterprise’s security posture.

Different Approaches for SASE And Why Should I Adopt SASE As a Managed Service?

While SASE can be implemented in a DIY (do-it-yourself) architecture by expending capital and retraining and reskilling IT staff, the managed service route leverages a cloud-based delivery model that fits into the true SASE approach that fuses Network-as-a-Service and Network Security as-a-Service. Managed service delivery is more flexible, scalable, and easy to consume, freeing up IT staff to focus on empowering business outcomes instead of being overwhelmed by basic network operations.

This transition to a network and network security consumption model parallels proven enterprise evolution to the cloud consumption model, with movement from legacy data centers to the cloud and its advantages. Here, the transition is from legacy network and security architectures to cloud-delivered capabilities.

SASE technology in Network Security

Deploying the WAN and network security elements required to empower cloud access, application performance, and pervasive security across a distributed enterprise is a major undertaking. IT is already under more pressure than ever before, and expending additional capital to hire, train and reskill staff may only be a tenable approach for the most massive of organizations. Meanwhile, many are already relying on a lean in-house team to handle an increasingly complex and taxing workload, something especially relevant for smaller enterprises.

By engaging a managed service provider for SASE deployment, enterprises can reduce overhead costs and instead rely on an on-demand team of experts to reduce risk, remove barriers, fast-track deployment and adoption and ensure overall success. The right MSP will also supercharge productivity, further alleviating administrative burdens with highly efficient troubleshooting and support, greater visibility across hybrid environments and agility to make changes.

Ultimately, a managed offer delivers higher productivity irrespective of location, application or resources; operational simplicity; security that de-risks unified network and security deployments through integrated observability and control; and agility with lowest TCO via better change management and support across the service lifecycle.

What Is the Role of Services PoPs In SASE?

SASE is based on a cloud-edge services architecture that relies on what we term Services PoPs. These are sophisticated hardware platforms, within the cloud, that integrate not only routing and switching but also compute and storage, and that support both on-premises and remote workers. This provides a foundation for the deployment of SASE capabilities, different from a branch-centric architecture that can’t effectively leverage cloud capabilities, or a less-sophisticated transport PoP architecture that is incapable of supporting the mix of networking and security services.

SASE Architecture

How Is SASE Different From SD-WAN, And, If I Have SD-WAN, How Do I Introduce SASE?

An SD-WAN is a foundational element of a broader SASE architecture. It is designed to greatly simplify the management of enterprise WANs which have grown increasingly complex and cumbersome to manage over time as workloads and workforces have shifted dramatically. What is clear is that SASE without SD-WAN for connectivity is a hollow promise, as recently emphasized by Gartner.

This connectivity, leveraging a solid and stable network, is what is required to deliver the application performance and productivity enterprises demand. Building on a Services PoP-centric SD-WAN service, enterprises can easily consume additional security capabilities at the cloud edge as they become available. This type of edge control doesn’t all need to happen at once and can be phased in based on the enterprise’s unique requirements.

What Should I Look for In a SASE Solutions Provider and Where Do I Begin?

For many enterprise use cases, yesterday’s ‘hub and spoke’ network architecture solutions (MPLS, DIY, Telco + Box) have become cumbersome to adapt, less effective and less secure for distributed workloads and workforces, and cost-prohibitive to maintain, all seemingly overnight.

As enterprise needs have evolved and security threats have proliferated, traditional providers have responded by stitching together solutions from many different sources. This trend has become costly to maintain with the rise of cloud adoption. The quality of service and support also suffers from games of telephone and finger-pointing, making an already complex networking and security industry even more difficult to navigate.

The right SASE solution must embrace digital transformation from a converged network and security standpoint, offering the flexibility to integrate with existing vendors while also consolidating managed service into a stellar single point of contact approach.

As a start, remember that SASE network architecture represents the convergence of a cloud-managed SD-WAN networking solution with cloud-delivered security, consisting of over 10 complex functional elements. According to Gartner, no networking or security company is offering a complete SASE solution now, nor is any company likely to until 2023 or later. For a path forward, enterprises may gradually adopt best of breed SASE technologies in a hybrid deployment co-existing with existing security and networking systems over the next few years.

Branch Security

Here are some key questions to consider for SASE vendor selection:

  • Is the platform cloud-native? For the full benefits of the SASE model, a cloud-native platform covering all edges (on-premises, mobile and cloud) is a necessity.
  • Are networking and security truly converged into an as-a-service offering? Remember the three legs of the “SASE stool” – networking, security, and lifecycle services.
  • Is network performance important? These days, performance is critical for cloud-based enterprises. Select a provider with network experience that can guarantee quality network and application performance for anyone from anywhere worldwide.
  • How flexible is the vendor? Is interoperability between currently deployed security and WAN providers assured? And do they provide a path forward that starts with select locations on top of an existing network rather than requiring everything to be ripped out? Vendor ownership of the technology and quality of managed service can also make or break the entire experience.

What Does SASE Mean for My Existing Network and Security Investment?

Before SASE, enterprises had increasingly taken a split approach to security, with some capabilities at the branch, often leveraging dedicated hardware, and some capabilities in the cloud for secure handoffs to the internet. Public cloud providers also offer security functions as part of their services.

The SASE Security framework describes the move from on-prem security, an evolution from a ‘heavy branch’ to a ‘light branch’ with most security functions in the cloud. This is not to say that branch security will go away; it sometimes remains necessary depending on compliance, privacy, and location. SASE migration is also a journey, and enterprises should judiciously introduce the architecture rather than jumping into what could be a sub-optimal solution.
