When the COVID-19 pandemic hit, companies around the world were faced with finding ways for their employees to work from home without inadvertently breaching network security or causing too much downtime. While some organizations resorted to VPNs, larger companies immediately began experiencing bottlenecks due to increased demand by large numbers of remote employees. Some also experienced an increase in phishing, brute-force attacks and other malicious threats.
While businesses found a way to muddle through the worst of it, the situation has prompted IT decision-makers to rethink the way they are addressing networks and security. The complexity of today’s environment, which can include multiple clouds and on-premises locations along with a growing array of cybersecurity tools, has become unwieldy and expensive.
A small but growing segment of organizations is turning that thinking into action by embracing the concept of the Secure Access Service Edge (SASE). The idea is to combine software-defined security and software-defined networking (like an SD-WAN) and consume it as a service. With this approach, a third party is charged with managing and maintaining networking and security, allowing employees to access resources securely and efficiently and enabling companies to scale the service up and down as needed. A SASE solution can also enforce security policies on user sessions.
“Most organizations today have a hub-and-spoke network inside their data centers, and they are concerned about availability, routing, firewalls and quality of service,” said James Christiansen, vice president of security transformation at Netskope. “The network-as-a-service component of SASE handles all of that; instead of you deploying and maintaining and paying for all of that infrastructure, a service provider does it as a cloud service.”
The same is true of security. Historically, companies have built their security controls around data, but SASE extends those controls to network traffic. Typically, companies run network security controls on traffic as it enters the data center and then send that traffic back out to the cloud to reach an application. This round trip puts a lot of stress on the network. SASE moves the security controls from the data center into the cloud, where the traffic is headed anyway.
But what about all of the security technologies your company already has deployed, such as secure web gateways, firewalls, web APIs and cloud access security brokers (CASB)? Depending on the solution, some of them may be woven in, and some may remain external. In many cases, the SASE platform will form one part of a four-part protection scheme, along with endpoint protection tools, security information and event management (SIEM), and identity management tools. The SASE solution will communicate with the other parts of the technology stack, and alerts can be exchanged between them. So while SIEM, for example, isn’t part of SASE, a tight interface between them creates two-way communication.
Simpler, More Efficient, Cheaper
Because SASE is a single service, there are fewer vendors to deal with, less hardware required, and virtually no maintenance, upgrades or troubleshooting that’s not taken care of by the provider. These benefits alone can save organizations real money, but there is more; the cloud-based nature of the service means you don’t have to pay for capacity overage you don’t need, and you can retire those expensive MPLS networks that route traffic from branch offices to data centers and go with a software-based alternative.
The SASE option also simplifies and centralizes the entire process of managing both networking and security. For example, if malware is discovered in the environment, the SASE approach can address it from a centralized portal and propagate the fix throughout the entire environment. With the traditional method, IT staff would have had to physically reprogram firewalls, one at a time.
Because everything is managed by a single console, visibility can improve dramatically. This can be a big help to organizations that have quickly migrated hundreds or even thousands of applications to the cloud and can’t easily keep track of the applications and the data being moved in and out of them. And if a user goes rogue and signs up for a new application that wasn’t sanctioned by the company, that move would be caught.
Consistency and reduced complexity are other real pluses. “If you have a company with thousands of retail locations, for example, you want consistency. You don’t want to have to deal with a different situation every time you need to shift a device or fix a network issue,” said Raviv Levi, vice president of cloud security at Cisco. “If you can minimize everything going on in the branch because it’s all managed in the cloud, you’re enabling a lot more consistency and saving a lot of money at the same time.”
While the SASE approach doesn’t add much in the way of security tools (instead, it’s essentially consolidating the functions of myriad security tools and marrying them with network management), it can, in fact, improve an organization’s cybersecurity posture. Because it’s a consolidated solution, it ensures that policies are enforced equally, regardless of where users are located. And as new threats pop up, it can rise to the occasion, protecting the organization without having to add more hardware or other point solutions.
Simply eliminating the complexity of managing numerous security solutions can help improve security, Levi added.
“One of the things CISOs fear the most is human error, because there are so many tools and single panes of glass and overall complexity that people make mistakes,” he said. “SASE is an opportunity to have all of that as part of your network, from identity and endpoint security all the way through network security. The simplicity itself helps improve visibility and reduce human error, which in itself improves security.”
It can also help ensure the security of a remote workforce. “The most security most employees have in their home office is software running on a laptop, or perhaps a small appliance with embedded security that the company has provided,” said Zeus Kerravala, principal analyst at ZK Research. “By using SASE and having services located and delivered from the cloud, you can actually have top-tier enterprise-grade security in the cloud and your remote workers can connect to that cloud, so you get the benefits of that security.”
Slow but Steady Growth
While the benefits seem obvious, relatively few companies have made the leap to SASE. One survey found that while many public and private sector organizations have some elements of SASE in their IT stack, only 12% worldwide currently have a comprehensive SASE architecture.
That makes sense, Kerravala said; many companies are still focusing on migrating to SD-WAN, which often comes first. SASE will come, he said: “You can’t use legacy security to secure an SD-WAN.”
Some companies may choose to move to SASE in stages. For example, they may choose to use existing network and security systems for existing connections between branch offices and data centers while using SASE for new connections, users, devices and locations.
But they will move toward SASE—eventually. A new report from Dell'Oro Group predicts SASE will grow at a CAGR of 116% through 2024.
So how do you choose which vendor—and which type of SASE model—to target? There are two basic types to consider: the cloud-native model, which provides all security functions in a cloud-only package, and the traditional vendor approach, which allows companies to incorporate some of their own point solutions and can accommodate both cloud and on-premises environments. Cato Networks and Zscaler are examples of the first model, while Cisco, Netskope, Cloudflare and Fortinet are examples of the second.
The decision isn’t actually that complicated. If your company has made the wholesale shift to the cloud or was “born in the cloud,” go with a cloud-native SASE vendor. This choice may also be best for highly distributed organizations with many small locations.
If you still have some on-premises workloads and you want to keep your existing firewall or CASB, go the traditional vendor route. If you choose that route, make sure your SASE vendor partners with the vendors of the security tools you want to keep, which will make management easier. Also, make sure you can get as many of the capabilities that you need from the fewest number of vendors. “You can’t have 200 vendors in your environment that have to be managed separately,” Kerravala noted.
As businesses continue adopting cloud resources, vendors continue to push forward with SASE. Today, for example, more SASE solutions have added features of some security tools, like CASB, secure web gateways and cloud-delivered firewalls. In three or four years, many expect the same thing to happen across identity, endpoint and workload security solutions.
“Whether you call it SASE or cloud transformation, it’s all going in the same direction,” Christiansen said. “If you want to compete today, you’re going to end up moving in that direction.”