Blog – SASE: Cloud, Edge or Both? Ferran Van den Berg 12 January 2022

Since software-defined WANs entered the market a number of years ago, the technology has been widely adopted by enterprises to make networks more flexible, scalable and easier to manage and, most importantly, ready for the cloud. Today, however, SD-WAN already seems like old news, and the new buzz in the industry is all about Secure Access Service Edge or SASE, a concept coined by Gartner in 2019.

The need for SASE is clear: users and applications are moving from corporate offices and datacenters to the internet and the cloud, or even multiple clouds. The adoption of 5G and IoT will lead to an explosion in the number of connected devices. The traditional network perimeter is dissolving and the internet is becoming the new corporate backbone. This calls for a network and security architecture that is capable of providing secure, reliable and centrally controlled connectivity between everything and everyone connected to the internet.

SASE provides just that. It's an integrated and converged network and security architecture which includes a number of mandatory, recommended and optional capabilities such as Firewall as a Service (FWaaS), Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG) or Cloud Access Security Broker (CASB), with a single-pass architecture driven by a single set of policies that is managed from a single pane of glass. According to Gartner, SASE should primarily be delivered as a cloud-based service, preferably from a single vendor.

Why is a cloud-only SASE solution not sufficient?

My experience with implementing cloud-delivered networking and security solutions for customers over the last few years is that a cloud-only SASE solution is not sufficient. Many customers have local security requirements, typically for their datacenter, but also for large branch offices where they have a requirement to secure traffic between different network segments. These segments may also host local applications or systems. A typical use case would be to secure OT and R&D environments from office IT environments.

Local security requirements will not disappear in the next few years. Moving local security services to the cloud doesn’t seem to make sense in many cases yet. Sending local traffic back and forth to the cloud for security inspection and controls adds bandwidth cost and latency. Gartner therefore states that SASE offerings should provide a worldwide fabric of points-of-presence to provide low-latency access anywhere. However, in the real world, the footprint of most SASE vendors is still limited to key business centers, and local infrastructure availability or cost is also prohibitive in many parts of the world. 

A cloud-first strategy, blended with seamless edge-based services, is the way forward.

Some customers have opted to implement a separate appliance-based security solution on top of the cloud-based solution. Needless to say, this is far from ideal, as customers end up with two distinct security solutions, with different functionality and separate management consoles. Gartner acknowledges that on-premise CPEs, virtual or physical, will still be needed, and advises that these should be part of a thin-branch, cloud-heavy architecture and should be cloud-managed and provisioned.

I have seen very few solutions that already offer both cloud- and edge-delivered SASE capabilities, and believe this is still a gap in the market. I strongly believe in a cloud-first strategy, but solutions must be able to deliver the same functionality from the edge where needed. The edge-based services should blend seamlessly with the cloud-delivered services, managed by the same set of policies. 

We are curious about your thoughts and experiences: which SASE delivery model would best suit your needs? Please let us know what you think! 

 

Author: Ferran van den Berg, Managing Director at Cerebo Networks