cloud hovering over ceiling tile Getty Images

SASE Model Proving Value Beyond Remote Work Scenarios

When the pandemic hit, enterprises rushed to the new cloud-based networking solutions for remote employees. Now it’s being applied to on-prem data centers and WANs.

Gartner only coined the term SASE — secure access service edge — two years ago to describe a cloud-based service that combines SD-WAN networking with all the latest security features in a single, easy-to-manage and easy-to-deploy SaaS product.

Back then, SASE, which is pronounced "sassy," was more of a philosophy, or direction to move in, rather than an actual product category. Few vendors offered a full SASE stack and, when they did, usually required customers to buy it in pieces, often a lot of pieces, with confusing names and overlapping functionality.

Getting to the SASE model was going to take years, experts said.

Then COVID-19 hit.

Companies couldn't get into their data centers to install new VPN boxes and, even if they did, hardware shortages and shipping delays meant that VPNs weren't a practical option.

"Lead times for products went through the roof," said Mike Moore, practice development manager at Insight, a technology consulting firm based in Tempe, Arizona.

Some clients didn't get rid of their VPNs completely, he said, but used SASE to off-load a lot of the traffic. For example, traffic to systems running in on-premises data centers was still handled via traditional VPNs, but traffic to cloud services bypassed the data centers entirely.

"And this gave a better application experience for users because they weren't sending traffic through the data center and then back out to the cloud," he told Data Center Knowledge.

The SASE model offered an easy alternative. You signed up for it like any cloud service. Employees downloaded a client onto their home laptops. And you were in business. The process was quick, easy, cheap and scalable.

Adoption exploded.

A June report from Sapio Research, commissioned by Versa Networks, found that 34% of companies are already using SASE, and another 30% plan to in the next six to 12 months.

And vendors began adding missing pieces to fill out their SASE technology stacks, either building new features or acquiring other companies.

Product selection got simpler and easier.

"For early adopters, they had 10, 15, 20 SKUs," said JJ Safer, practice development manager for security at Insight.

That made it difficult for the first buyers to adopt the SASE model.

"Now we're getting down to just two, three or four SKUs," Safer told Data Center Knowledge. "Part of it is bundling; part of it is consolidation of the technology itself."

What Is the Basic SASE Stack?

Here are the top five features, according to Gartner:

  • SD-WAN: Cloud-based networking is the core functionality of SASE. SASE vendors have points of presence around the world, located near enterprise data centers, branches, devices and employees as well as at or near all the top cloud services providers. When traffic flows through the public internet instead of the SASE provider's secure network — as in the last mile to the user's house — it goes through an encrypted tunnel. The SASE vendor manages the network to optimize delivery of, say, video conference calls with clients, and blocks malicious traffic and DDoS attacks before they ever hit enterprise data centers or applications.
  • Firewall as a service: This is a cloud-based firewall that protects the edges of the enterprise network, even when those edges are getting more and more distributed.
  • Cloud access security broker (CASB): When employees log into cloud services like Office 365 from their home computers, CASB ensures the corporate security policies are still being followed.
  • Secure web gateway: Employees don't just need to access approved cloud services like Office 365. They often go to a lot of other places on the internet. The secure web gateway ensures that they don't visit malicious sites to try to upload sensitive data to unapproved destinations.
  • Zero-trust network access: Today's holy grail of security, zero trust reorients security around identity instead of around location. There is no longer a trusted perimeter, so every connection is deemed risky until it's fully authenticated. Zero trust is hard to do in legacy environments, but comes standard with most SASE offerings.

SASE Model: New and Emerging Features

Those five key components were just the start.

Since the pandemic began, vendors have been innovating at a rapid pace, adding services and tools to their SASE platforms.

They include:

  • Remote-browse isolation: What happens in an employee's browser window stays in the employee's browser window. It doesn't get out and infect their computer, or spread to corporate networks.
  • Data loss prevention: Is sensitive corporate data leaking out to unapproved destinations?
  • Automation: SASE vendors have access to enormous amounts of data about network issues or cyberattacks, data that can be used to train AI systems to respond automatically. SASE customers are also increasingly getting access to some of this AI-powered functionality to customize their own automated responses.
  • Observability: SASE vendors are increasingly making it easier for enterprises to see, on a very granular level, what's happening on their networks, both in terms of network performance and security.
  • Endpoint security: Does the employee have malware on their laptop that can infect a network — or a keylogger that can steal their passwords? Is the antivirus up to date? Endpoint security is a front line in the war against cyberattacks and is harder to achieve when employees are working remotely or are working on personal devices.
  • Direct connections to counterparties: Leading SASE vendors are increasingly working with major cloud service services like Office 365 and Zoom, AWS and Google Cloud, as well as ISPs and other partners, to improve connectivity speeds and reliability.

Today's SASE Vendors Have the Full Stack

With everyone jumping on the SASE train, the vendors stepped up. They built or bought technology to fill in missing pieces, simplified the product lineups and made sure all the pieces worked together.

At Palo Alto Networks, Prisma SASE billings have been growing at a compound annual growth rate of 154%, said Kumar Ramachandran, senior vice president of SASE products at Palo Alto.

Ramachandran was the founder of CloudGenix SD-WAN, which Palo Alto acquired in April 2020.  "We were one of the first companies to be sold over a Zoom call," he told Data Center Knowledge.

Palo Alto itself transitioned from fewer than 100 branch offices to 10,000 home offices.

Some of its customers have sent tens of thousands, or more, employees to work from home.

"The scale is crazy," he said. "And the vast majority of our customers have figured out that the new work model is going to be hybrid, and that is causing some of the biggest acceleration and adoption of SASE."

Before the pandemic started, it was expected that the transition to the SASE model would take five or 10 years, he said. "SASE was barely a twinkle in most people's eyes."

"Then, in the last 12 months, we've seen 10 years of transition," he said.

At first, he said, users were more forgiving when it came to connectivity issues.

There was a state of emergency, and bad connections were tolerated.

"But three to six months into it, most people stopped having patience with that," Ramachandran said. "This is my work. I'm in my office. I have an expectation of high-quality performance."

To address that, Palo Alto — as well as other vendors — have been adding user experience management.

If an employee's connection to Office 365 or Zoom is having problems, where is the problem coming from?

"Is it because their laptop is running hot?" Ramachandran asked. "Is it because they're sitting in the corner of the house where the Wi-Fi signal isn't as strong?"

Or the problem could be with the local cable company — or with Zoom itself.

"As part of our SASE solution, we now have that deep visibility and can take action to automatically adjust," he said. "Try alternate paths to deliver the best user experience."

SASE Moving Into On-Prem Data Centers

The initial benefit of the SASE model, and where most companies first deploy it, is to support newly remote employees.

But, increasingly, enterprises are interested in getting the same usability and management features and apply them to their existing wide-area networks and on-prem data centers.

"Almost all of the conversations I've been having with customers are about SASE," said Raviv Levi, vice president for cloud security at Cisco. "And the next step that we're seeing customers ask us is not just about remote access."

They want more of their infrastructure connected to SASE, he said, such as existing SD-WAN appliances.

"We're continuously working to make that more seamless and consistent and unified," he told Data Center Knowledge.

"People are looking for simplification," said Jay Chokshi, director of product management for secure SD-WAN and SASE at Cisco Meraki.

And, like other SASE vendors, Cisco has been adding features and services, acquiring other companies, and building partnerships to improve its SASE stack.

For example, Cisco now has over 2,000 peering relationships with other providers, said Levi.

It's no longer enough just to have points of presence near enterprise data centers and near customers and employees, he said. "They want to go to Microsoft Office 365 or Salesforce. If you connect directly to those places, performance is going to be amazing. But that costs money and requires expensive infrastructure to be put in place."

Shifting Staff to SASE Mindset

SASE might be easier to set up and manage than traditional networking, but it still requires specific skills.

But the technology is so new that those skills are not readily available.

To help enterprises address this lack, SASE vendors are offering training and certification programs.

The best known is the free SASE certification from Cato Networks.

The company launched  its advanced Level 2 version of its SASE certification on Sept. 1, after launching Level 1 last November.

As of Sept. 1, more than 1,000 people have earned the Level 1 certification, according to Dave Greenfield, Cato’s director of technology evangelism.

The Level 1 certification takes about a day to complete and Level 2 takes about half a day and requires that applicants first complete Level 1. Both are completely free and online.

SASE vendor Netskope launched its own SASE accreditation course in June.

The course takes two days to complete and costs $1,000. It is also online.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish