The acceptance of a secure access service edge (SASE) has gathered steam in the security industry. By converging SD-WAN with a broad range of security features, SASE offers much needed simplicity, but CISOs face a big challenge:
Every SASE offering looks different, and each provider takes a unique approach, consolidating different technologies into one platform labeled “SASE.” Understanding how to navigate this issue has become critical in today’s increasingly crowded and complex market.
SASE’s core capabilities: a basic measuring stick
Gartner says SASE has the following five capabilities:
- Secure Web Gateway (SWG)
- Firewall-as-a-Service (FWaaS)
- Cloud Access Security Broker (CASB)
- Zero Trust Network Access (ZTNA)
Pros: Using this Gartner checklist offers a great starting place for clear apples-to-apples comparisons. But it’s not always that simple. Few providers offer a complete solution today with all five core capabilities in one platform. Meanwhile, many providers add in other capabilities not included on this list.
Cons: While the five criteria lean heavily into network security, some CISO critics claim the core capabilities don’t go far enough given the security requirements of remote and hybrid work. They want more, claiming SASE does not always satisfy needs around endpoint security, comprehensive cloud security, 24x7 threat detection and response, and AI-based analytics. Critics are also quick to mention that solutions may hit the five checkboxes only once, and when a company needs in-depth security, CISO’s may prefer to check some boxes twice.
Tech stack: navigating homegrown vs. best-of-breed solutions
SASE must consolidate many tools into one toolbox and providers typically take two different approaches. They either consolidate all their own homegrown technologies/services into one platform, or they consolidate the technologies/services of outside providers, using a “best-of-breed” approach. There are pros and cons to both, so it’s a matter of selecting what works best for each company.
Pros: With all the same brand of tools in one toolbox, interoperability offers a big benefit.
Cons: Companies may not always get the best technology available on the market. Some CISOs are skeptical that one single provider can produce the leading security technologies across all five core capabilities. After all, that’s a lot of ground to cover considering each capability operates as its own industry. Plus, clients may need to rip and replace any overlapping technologies where they have already made investments.
Pros: With these options, the leading brands can combine in the SASE toolbox because providers have the freedom to partner with top tech manufacturers — including those recognized by Gartner as leaders in their respective Magic Quadrants.
Cons: Integration can cause complexities. And that’s where the underlying SASE architecture matters most. When tools from different manufacturers need to interoperate, how are they united under a single operating system? CISOs say it pays to understand the integration and uniformity of the underlying architecture. Does integration happen at the source-code level? How many vendors are behind the solution, and how much “daisy chaining” will they need to connect everything together? When providers use their own private network to serve as SASE’s common ground, is that network software-defined across the world? How many dashboards are needed to manage everything?
Tech flexibility: understanding cloud-only products
Gartner stressed the importance of SASE’s cloud-based technologies. But many CISOs take that with a grain of salt, particularly when thinking about firewalls and design for large offices. Some CISOs will draw a dividing line between products offering only cloud functionality and those offering the versatility of both cloud and on-premises technologies.
Pros: Cloud-only products undoubtedly deliver agility and speed-at-scale. With cloud firewalls, security policies are easy to maintain with consistency across all deployments. But this isn’t the only way to go. In some cases, SASE shouldn’t be cloud-only.
Cons: Cloud-only products can limit flexibility. Take for instance, large enterprises where cost of ownership and high performance are top priorities. In these use cases, security teams may prefer on-prem next generation firewalls alongside secure web gateway appliances. Despite the on-prem hardware, these appliances are cloud-managed. Thus, they can achieve cloud benefits alongside on-premises performance.
SASE means that companies will rely on a single provider to deliver a broad mix of services across many industries, and every option will likely yield a very different set of capabilities all with different client experiences. With hybrid work here to stay, it’s more critical than ever to understand the components of SASE, the manufacturers behind them, as well as the unified platform architecture. When every SASE package looks different and every decision comes with pros and cons, we recommend handling the tradeoffs by prioritizing flexibility and letting the needs of the business drive the final decision.
Ajay Pandya, director of product management, Masergy