SASE Isn't All About Disruption

If the wrapper has SASE on it, you are pretty much assured an audience. But while SASE gets the marketing department’s hearts aflutter and has some disruptive elements, its impact on network security is more an evolution than a revolution. 

SASE (Secure Access Service Edge) has been a long time coming and marks the consolidation of several key security trends in networking and is part of the promise of SD-WAN. Suppose you consider that the idea behind creating a fortress-like network perimeter (think a castle and moat analogy) has been slowly making way for more intrinsic security that encompasses data and applications, not just sites and users. Then SASE makes perfect sense. 

But what it lacks in pizazz, it makes up for in practical application and it undoubtedly has blurred the lines between the role of the security and networking vendor. SASE is creating the perfect environment for new entrants who see an opportunity in change.

Blame it on the cloud

The growth in cloud computing and applications has driven this shift. We no longer have workers sitting in one location, accessing one set of data assets on a single network. The physical technology asset linked to the individual is more challenging to locate, subject to change, and can be made up of multiple edge devices. And where the traditional corporate datacenter still exists, it is usually part of a hybrid cloud environment. This hybrid cloud dynamic has forced the private network concept to evolve into a logical security overlay over the internet, which is helped along by software-defined approaches, as opposed to something separate to it. Now “the network” is defined more by policy than by geography.

Connectivity, design, performance matters

This disconnect or change in approach to how we view the corporate network doesn't make connectivity less important. The performance and reliability of your internet connectivity is a key success factor in how well your network functions and while SD-WAN can ensure you make the best use of what you have, it is not in the business of working miracles. 

If we look at the benefits of what SASE can deliver, you could argue that its core benefit comes from SD-WAN. Here, the promise of performance, security, and consolidation come to fruition because the connectivity is superior and combines with traditional Next-Gen Firewall (NGFW) and Unified Threat Management (UTM) security. It becomes a one-stop-shop security and network performance management system that is viewed, managed, and monitored centrally. 

The benefits of both your security and connectivity intelligence being bound in software (SD-WAN) means a user can optimize performance without compromising security and vice versa. SASE allows security to become fluid. You can export security enforcement to the cloud, and consistent security policies follow the user, the applications, and the data to manage outbound web usage effectively. 

Flexing its muscles

While many are still asking when SASE will become dominant, I would argue that it already is. Because it has been an evolution in security - multiple vendors are standing up to be counted as SASE providers. And to be fair, they aren't trying to force the shoe to fit, and many have been delivering cloud security as a service for years. Now consider that SD-WAN is fast replacing traditional MPLS-based IPVPN networks as the new de facto standard in networking, and we see a convergence in the making. 

I would urge caution, however, in thinking that one SASE vendor can be all things security. Yes, newer players are doing very well at providing the now somewhat mature NGFW/UTM feature stack in both an on-prem and cloud-based format. However, there is still room for improvement when looking at an overarching security picture that extends to broader aspects such as container security, Data Loss Prevention (DLP), and Cloud Access Security Broker (CASB) technologies. There is far more differentiation between vendors in these more ‘outlying’ areas, but they are becoming increasingly important.  Everything from a single vendor may be convenient, but that alone doesn’t necessarily make it the best answer for your organization. 

Users navigating the SASE journey should group its core functionality into three main areas. Network security covers basic segmentation features like VLANs, and stateful firewalling, Advanced Threat Protection (ATP (News - Alert)) covers the more intrusive, processor-intensive security features like anti-malware and intrusion prevention, and compliance manages the risks associated with employee web usage, such as URL filtering, DLP, and CASB. Not all three should be treated equally, nor do they have to run from the same environment. For example, network security can be done in the cloud, but is still often better done onsite, compliance naturally lends itself to cloud-based enforcement given its inherent focus on employee web usage, and ATP could follow a hybrid approach, depending upon where your key data assets reside and whether you’re looking at inbound or outbound traffic. You don’t want a complex soup of multiple vendors, but there’s still scope to mix one or two depending upon the kind of functionality you want to deploy.

This way lies consolidation

We are definitely seeing significant convergence here, with many different vendors coming together in the SASE marketplace. Nevertheless, true SASE does not have to mean a one-size-fits-all approach.  Take time to consider the features you need and how and where you need to deploy them, and don’t let vendors force-feed you their particular view of the world.

Practically, the promise of SASE is what has been needed for years. But again, it is an evolution of security as opposed to a revolution. To some degree, SASE is not the debut of a new security paradigm but rather its college graduation.