A beginner’s guide to SASE

February 8, 2021  |  Mary Blackowiak

If you are in the security or networking industry, there is no doubt that you’ve been hearing the latest Gartner-inspired buzzword being dropped in conversations with your colleagues, customers, and vendors alike. In case you haven’t already guessed, I am referring to SASE (pronounced “sassy”). Although it is a hot topic of conversation, it is clear to me that there is still a considerable amount of confusion about what SASE is, its purpose, and what level of urgency it should be given.

SASE stands for Secure Access Service Edge and is an architecture model (I’ve also heard it referred to as a concept or framework) developed by Gartner in 2019 that combines software-defined wide area networking (SD-WAN) with comprehensive security functions in order to support the dynamic nature of today’s workforce. Applications are moving out of the data center and into the cloud, more employees are working from remote locations than ever before, and data is being accessed from a wide range of company and personally owned devices. All of these factors make it very difficult for network and security administrators to know which applications and data are being accessed, by whom, and how they are being used. And what you cannot see, you cannot manage or secure. Some of the key principles of SASE are:

  • The data center is no longer the center of the network, and organizations that continue to route all of their network traffic through the data center, using a legacy hub-and-spoke topology, will create a situation where their network becomes a business inhibitor. Backhauling remote users’ cloud-destined traffic through the data center inevitably produces latency and affects productivity.
  • Access to data should be based on identity, not the location of the user. The old approach to security was that everyone on the network was trusted while traffic originating from outside of the network should be scrutinized. This philosophy does not work in today’s environment of employees and partners working from just about anywhere and conducting business off network. But besides being antiquated, providing open access to anyone on network is just reckless because it does not take into account the possibility of insider threats.
  • Users and applications are more distributed than ever before, therefore technologies that offer worldwide points of presence and peering relationships should be an important consideration. Having a point of presence that is geographically near a user facilitates a shorter logical path between them and the resource they are accessing, allowing them to focus on accomplishing their job duties or tending to customers, as opposed to waiting for applications and web pages to load.
  • Consolidating the number of vendors can help reduce the complexity of management. This is especially true when network and security technologies are integrated to share data in order to provide contextual intelligence and automation or when they can be managed through a single pane of glass.

These digital transformation trends and diversification within vendor portfolios started well before Gartner had coined the phrase SASE, but businesses have been very receptive to their recommendations for how they should approach networking and security in the future.

Something important to note, and I cannot stress it enough, is that despite what all of the great marketing may lead you to believe (and this is coming from a marketer), there is not one off-the-shelf SASE solution on the market. That’s because there is no cut-and-dried definition of what combination of technologies must be offered to be called SASE.

Gartner does specify that there are five technologies that are core to the architecture, although there are many others (such as DLP or sandboxing) that could be included. The five technologies outlined by Gartner are:

Software-defined wide area network (SD-WAN): SD-WAN was introduced to the market back in 2014. Businesses need more bandwidth to support VoIP, videoconferencing, and cloud-based applications. In response, many are transforming their network to connect branch offices directly to the internet using low-cost circuits such as broadband and LTE, while retaining their MPLS lines for traffic routed to the data center or between sites that require higher levels of reliability and performance. SD-WAN provides centralized visibility of all circuits across locations and a way to manage data flows. Benefits of SD-WAN include greater network performance, resiliency, the ability to prioritize bandwidth for business-critical applications, and potential cost savings.

Firewall-as-a-service (FWaaS): A staple in network security since 2007, NGFWs protect users and assets located on-prem or connected via VPN against a wide range of modern-day threats. These can be deployed as a dedicated appliance at the data center or branch office, as a virtual appliance (on-site or hosted in a public cloud), or hosted in the vendor’s or MSSP’s cloud.

Zero-trust network access (ZTNA): Zero trust is a framework, coined by Forrester in 2010. Some of its core tenets are the principle of least privilege and that all traffic, regardless of its origin, be inspected. Legacy access technologies, including VPN, typically provided users access to everything within a network segment, which is often more than needed to complete job duties and may needlessly expose sensitive data. ZTNA enables administrators to grant access to specific applications, by role or by user, oftentimes without the user having to connect to the network.

Secure web gateway (SWG): The term secure web gateway was first used by a Gartner analyst in 2006. Employees browse websites to conduct research and to interact with vendors or customers but also for reasons completely unrelated to their jobs. The protection of a secure web gateway follows users virtually anywhere they are located to help ensure that the sites they visit are both safe and appropriate for the workplace.

Cloud-access security broker (CASB): CASB solutions first started hitting the market around 2013. Shadow IT is a constant concern for security administrators because unsecured applications greatly increase the potential for malware or sensitive data loss. CASB provides visibility into which SaaS or cloud-based applications are being accessed by users, so security controls may be applied. Some may even offer an analysis of identified vulnerabilities for a particular application.

So, could a vendor that offers an NGFW with integrated SD-WAN claim they offer SASE? What about a vendor that offers four of these technologies, but they are each managed through separate platforms? The answer is yes to both scenarios. That is why it is important that businesses look beyond the sales pitch to understand a vendor’s full suite of offers, where the policy decision points are hosted, and how they interoperate. I think of it as being similar to compliance with industry regulations or frameworks. There isn’t one security solution that, if deployed, will check every box to demonstrate compliance. It is typically a stack of security products, policies, and procedures, and there are many ways of accomplishing the end goal.

SASE is still a relatively new concept and, like many others, will be rolled out in phases, over time. Even Gartner acknowledges in their publications that SASE is early in its hype cycle, with mass adoption likely to occur over the next several years. As organizations come up on their refresh cycles or get new funding approved, it may be a good time to consider sourcing multiple technologies from a single vendor. But does that mean sourcing all SASE technologies from the same vendor? Not necessarily. There has been a surge in acquisitions as vendors try to build out a complete suite of network and security offers. Often, it takes months or even years to integrate newly acquired products into their management platforms. Some vendors may have developed a disruptive technology with capabilities that cannot be sourced anywhere else. And finally, sometimes businesses (especially large enterprises) have separate teams to manage their network and their security, or even a separate team for cloud or compliance. In these cases, it may be most important to consolidate vendors and management platforms for the tools that each team will be responsible for.

In the end, there are many possible paths to take when deciding how and when to deploy each SASE technology. Some businesses choose to source SD-WAN from their security vendor, while others prefer to stack security on top of their existing network infrastructure. Acquiring the technology and outsourcing the management to an MSSP is yet another alternative, and can be an especially attractive option given the industry’s cybersecurity skills shortage. Building a roadmap of upcoming network and security transformation initiatives and starting the proof of concept (POC) process to qualify SASE solutions early can help set businesses up for increased productivity, fewer risks, and simplified management.
