Last year, Gartner introduced the term Secure Access Service Edge (SASE) in its technology hype cycle, and almost immediately it grabbed enormous attention from vendors and enterprise consumers.
Existing and new technology players have already started highlighting the benefits of SASE and marketing their offerings to attract customers. But what is SASE? Why should we care about it? Is it truly a game changer?
In my opinion, the concept is not entirely new; rather, the branding and the timing of the terminology are so appropriate that it caught real attention. SASE is nothing but networking and security delivered as a cloud-based service, as opposed to discrete solutions that no longer fit today’s environment, where application and data access is needed from everywhere, at all times, and from any type of device form factor. Before we delve into the world of SASE, let’s examine the technologies organizations use to connect and secure applications, and why they need to look at newer alternatives.
Enterprise applications used to be hosted in corporate datacenters, within the perimeter of the organization. Users had to backhaul to the company network to access applications. The introduction of cloud-hosted applications, increasing dependency on third-party SaaS (software as a service) and workforce mobility have made traffic backhauling inconvenient and perimeter-centric security less efficient. Moreover, a plethora of networking and security solutions made integration even more challenging and security incident response more cumbersome, and lowered the return on technology investments. Organizations started looking for “integrated” solutions that bind networking with security services into a single pane of glass for easier operations, better context and data sharing between controls for improved efficiency, and increased portability of the solution suite to address the ever-changing form factors of user compute. Gartner’s SASE concept reflects the same idea as a cloud-based service offering. The future of networking and security lies in an integrated “as a service” offering from the cloud, enabling users to access data from anywhere, at any time and from any type of device.
Major components of a good SASE security plane may include a proxy-based secure web gateway, URL filtering, SSL interception, data leakage protection, content isolation, advanced threat protection including dynamic detonation, firewall/IPS as a service, DDoS/WAF as a service, DNS security, CASB (cloud access security broker, for SaaS) and other security controls based on the zero trust security model. The network plane integrated with these security controls may include intelligent connectivity solutions such as SD-WAN (software-defined wide area networking, to minimize connectivity cost and provide intelligent, latency-reducing routing to applications hosted anywhere, whether in the cloud or a corporate datacenter), VPN replacement with SDP (software-defined perimeter), content distribution services, WAN optimization, policy-based routing, and class-of-service and quality-of-service assurance from the cloud. There is no prescriptive list of networking or security controls within the SASE framework; the key is the integrated as-a-service offering. That is where industry vendors are stretching, by offering the solutions in their stronghold as SASE.
The challenges early adopters will face here are no different from those they see in on-premises technologies. Distinct technology controls offered as a service with minimal integration and context sharing between them simply shift the problem from the datacenter to the cloud. The reason lies in the fact that there is no set definition of the controls needed in the SASE space. Classic networking vendors are either building a few security features or acquiring security companies, without any better integration, to emerge as a “new” SASE player. The same holds true for traditional security players: they lack expertise in the networking space and hence “partner” with network players to provide an “on-paper integrated” SASE offering. Here is what an organization should consider while evaluating a SASE vendor:
- An integrated networking and security as a service.
- Avoid a “stitching approach”, meaning multiple vendor products offered “together” as partners or acquired solutions with poor integration capabilities.
- Look for solutions built from the ground up with offerings in both the networking and security space.
- Look for solutions with better data and context sharing for a complete end-to-end picture.
- Prefer solutions written in cloud-native technology.
- Hardware instances or virtualization are less preferred than container-based offerings leveraging microservices technology.
- Identity-based security filtering based on the principles of zero trust networking.
- Select products allowing granular policies based on immutable identities of humans and machines.
- Prefer solutions with open APIs for better integration with the rest of the control suite.
- Built on next-generation technologies like artificial intelligence and machine learning.
To conclude, SASE is the direction organizations should embrace, without repeating the mistakes of the on-premises network: too many independent solutions at the cost of higher complexity and lower integration capability. Industry solutions offered in this space fall into three distinct categories: strong network as a service offered by traditional networking vendors, strong security players providing security as a service, and CDN providers helping with content distribution from the cloud. Network vendors without a stronghold in security can either acquire a security solution or partner with other security vendors. The same is true for classic security vendors entering the SASE space.
The net impact is a lack of context sharing, poor integration and operational complexity that defeats the core goals of the SASE concept. We should prefer solutions with the most depth and the broadest breadth, covering the network and security areas well enough to provide one integrated “as a service” solution, written on cloud-native development platforms with open integration capabilities. The market is still full of network or security niche players; a slightly more cautious approach of waiting until solutions come up with equally strong network and security offerings may be the prudent thing to do. Everybody is selling the SASE concept in their offerings now, but to me it is exactly the same on-premises problem moved to the cloud, except for the few vendors bridging the gap with an integrated cloud-based networking and security offering. Again, the goal here is not to be prescriptive but to put the facts in front of you; the final decision stays with the individuals in charge of technology selection, based on organizational objectives and risk appetite.
Parthasarathi Chakraborty, Director – Infrastructure & Cloud Security Architecture, currently at Bank of Montreal.