Migrating your organization's networking and security functions to a secure access service edge (SASE) framework offers cloud-based scalability, flexibility and cost savings that would be hard to match with a traditional perimeter- and data-center-based implementation. SASE extends protection to remote workers in any location and using any platform, making it an ideal solution for today's geographically dispersed companies.
Yet implementing SASE begins with a lot of investigation and planning. There are vendors that offer all-inclusive SASE solutions, but most organizations will be repurposing at least some of their existing technologies to deploy their SASE framework.
"Only in very rare instances can a single [SASE] vendor truly deliver a full suite of products to an industry-leading standard," wrote Joel Windels, former chief marketing officer at NetMotion software, in a 2021 blog post. "The more likely outcome is that businesses are managing several solutions from several vendors (just as they were for traditional network security stacks)."
Here's how to make sure your IT is ready for SASE.
See what you have, assess your needs and determine what to buy
The first step is to inventory and assess your existing networking tools, security tools and hardware. What do you have that would work well in a SASE environment? What would need to be replaced? Can any of your software or tools be redeployed from an on-premises setup to the cloud?
Consult your IT, networking and security teams for their input, as they know the subjects best and will be working together more closely if your organization moves to SASE.
"SASE adoption is not installing another technology," wrote Darwin Hernandez, product marketing manager for Lumen, in a 2022 blog post. "It requires dedicated coordination between networking and security teams, a solid understanding of the business's current state, and considerable expertise."
What you need for true SASE implementation
More specifically, you need to see which of the core SASE components are already attainable with your existing technology, and which you will need to build or acquire. The core five components of SASE are:
- A software-defined wide-area network (SD-WAN). This uses the public internet, private networks or even cellular networks to create an overlay that securely links your organization's main office, branches, data centers, work-from-home users and users' mobile devices.
- A cloud-based secure web gateway (SWG). Monitors, inspects and logs each user's web traffic and blocks malware and intrusions, no matter where the user happens to be.
- A cloud-access security broker (CASB). Essential security software for all cloud deployments, as it monitors and regulates communications between your organization's users and your cloud instances and applications.
- A firewall-as-a-service (FWaaS). Creates a cloud-based firewall that governs user network traffic according to your organization's rules and policies.
- Zero-trust network access (ZTNA). A cloud-based framework that makes sure all users and devices are continuously verified and all access requests are individually considered, no matter their location.
Other, more familiar components may be added on, or may be bundled with the five core parts:
- A cloud-based data-loss-prevention (DLP) system. May be part of the FWaaS.
- Domain-name-system-layer (DNS-layer) security. Blocks malicious or unwanted servers and may be part of the SWG or FWaaS.
- Cloud-based endpoint detection and response (EDR) software. You probably already have this, or at least antivirus software, in place — see if it can be migrated to the cloud.
- A cloud-based intrusion-prevention or intrusion-detection system (IPS/IDS). Likewise, see if your existing IPS/IDS can be repurposed for the cloud.
Get an idea of the shape of your SASE deployment
Determine which of these SASE components you truly need and what your SASE setup will look like. Even more important, determine what you hope to gain from your SASE adoption, and what kind of benchmarks can be used to assess those gains after the deployment.
It's likely that you will be purchasing software to fill in the gaps in the SASE framework. If so, see if you can get something your existing hardware can handle. Ideally, your hardware should be software-agnostic, but that won't always be the case.
While you're sketching out the shape of your SASE implementation, solicit input from and analyze the use cases of your employees, clients, vendors and service providers. How well would each of them work with SASE? Which aspects of their roles would improve — and which would not?
"Every organization has a unique user base, and these users and their needs will determine the required configuration for SASE," wrote Eyal Webber Zvik, VP of product marketing at Cato Networks, in a 2021 blog post. "If you don't know how your IT environment is used on a daily basis, it is much harder to secure it."
Assess the regulatory and compliance aspects of your organization's business to see how SASE would fit. Are you subject to data-residency rules that govern where user data can be geographically stored? How about HIPAA, PCI DSS, GDPR or other data-protection regulations? How would migrating the networking and security systems to SASE comply with these rules?
Last but not least, find out whether there are hardware or software contracts that you can't get out of for a few more years. These would not necessarily be deal-breakers, because your SASE implementation might take years to achieve, but you need to factor legal and business obligations into your SASE deployment plan.
Once you've completed the inventories and the assessments of needs, then you'll be ready for the next steps: planning and implementing your SASE migration.