SASE: the future of network and network security architectures

Secure Access Service Edge, or SASE, is the convergence of network and network security services that have previously been delivered through separate physical appliances into an integrated cloud-native service. SASE promises to deliver comprehensive and holistic network security services to support the needs of business and empower digital business transformation. It will increase the adoption of cloud native services and edge computing platforms and enable enterprises to deliver IT services at high speed with strongly secured access and reduced costs.

The full extent of SASE’s capabilities can be found in a report presented by Gartner entitled “The Future of Network Security Is in the Cloud.”

Since its release in August of 2019, the SASE report released by Gartner has generated a lot of chatter regarding what SASE is all about. People are wondering whether it will be disruptive to the current network and network security designs and are curious about who the representative providers will be.

SASE is still in the early stages of development. Gartner placed it on the far left of the Hype Cycle for Cloud Security 2019 report with an estimate of five to ten years until this new paradigm reaches the mainstream.

This article is focused on the benefits of SASE, the main barriers to implementing SASE, and the major due diligence steps enterprises should take to prepare for SASE.

SASE benefits

The main benefits of implementing SASE are:

  • Improved cloud security posture

SASE offerings will provide centralized and cloud-based policy management with distributed enforcement points logically close to the entity. This means that any access session can be inspected by the same centralized policy regardless of the entity’s location and can identify sensitive data and malwares. SASE will also provide an end-to-end encryption mechanism with integrated web application and API protection (WAAP) services. Strict access controls will be applied using the Zero Trust Network Access (ZTNA) model.

  • Improved network performance

In addition to the SD-WAN benefits and SASE worldwide latency-optimized provider networks, the integrated security service approach may boost the network performance as user sessions are inspected only once before security engines are operated in parallel with a scale-out approach. This will introduce lower network latency than traditional network security architectures such as security service chaining.

  • Improved user experience (UX)

SASE offerings will reduce the number of agents on user devices and edge network appliances at a branch. It will provide transparency and make it easier for users regardless of their location and the location where the data is accessed. Security policies will be applied to user sessions without any user interaction.

  • Reduced overhead costs

Consolidated network and network security services will reduce complexity and costs. The number of branch devices, agents and vendors will be drastically reduced. On the other hand, SASE takes advantage of cloud computing to overcome security stack scaling issues and software upgrades and caters to changing business requirements and new threats; thus, reducing the operational overhead.

SASE adoption hurdles

SASE contributions are only now emerging with exceptionally low adoption rates – less than 1% according to Gartner. Implementing new security features in SD-WAN products and providing cloud-based SWG and CASB solutions by security-centric vendors are the early manifestations of SASE. However, implementing SASE can be a challenge for all industries. Below are the three major barriers to its adoption:

  • Lack of in-depth expertise

With the rise of SASE, the market could be bombarded by a wave of inexperienced vendors that may have a lack of in-depth expertise in cloud-native network and security functions.

The danger in this is that SASE offerings would begin to be offered by cloud providers and some emerging SASE vendors, but it could also be developed and delivered by vendors who are new to the security market and do not understand the context of data. This is critical to setting security policies. We would also encounter legacy hardware network and network security vendors who don’t have a cloud-native mindset and the necessary expertise for SASE to work effectively.

  • Complexity and performance

The market of cloud-native network and security solutions continues to flourish, but many changes are still occurring. Further mergers and acquisitions are expected over the next few years. Thus, there will be SASE components that will stitch different network and security features, which may lead to unmanageable complexity, high costs and poor performance. In such cases, service integration should be closely evaluated.

Furthermore, smaller SASE vendors, who may not have the network POPs and peering relations to deploy a SASE policy decision and enforcement points everywhere, and as closely as possible to the identity endpoints, may result in high costs and poor performance.

  • Enterprise culture and politics

Network and network security services would be managed by different teams. These different teams, confronted with an opportunity to reduce complexity and improve operations by adopting SASE, will in turn invest more time and energy into blocking it because their focus would be towards protecting their “turf.” Significant leadership support is required to drive SASE adoption.

Getting to SASE

By now, the benefits that SASE can offer to businesses have been well communicated and are undoubtedly appealing to most enterprises. However, SASE adoption is no easy undertaking and requires a thorough transformative strategy to ensure that it delivers the expected results. In addition to the risks discussed above, SASE adoption can cause disruption and introduce business risks. So how can you anticipate network and network security changes while minimizing disruption?

Including SASE into the network and network security strategy

It becomes a challenging initiative to include SASE in an enterprise’s network and network security transformation strategy. It requires considerable efforts to evaluate multiple vendors against the unique requirements and objectives that enterprises have to meet. IT leaders should start challenging network and security vendors to provide roadmaps for SASE capabilities to build a comprehensive and appropriate network and security transformation strategy.

 

CISO should take a seat at the table

SASE is a disruptive technology that requires CISO involvement during each and every discussion that involves acquiring or transforming a new network or network security solution. CISO and lead architects should be involved to evaluate the offerings and roadmaps of the emerging vendors. Otherwise, management should consider the resistance from team members and break turf-protecting and individual team thinking.

 

Study core SASE capability integration

Enterprises should start studying core SASE capability integration and consolidation. They should include network and security service providers to evaluate SD-WAN, SWG, CASB and ZTNA solutions and identify short-term opportunities. Short-term contracts should be negotiated, as licensing models are changing and prepare for integrated and consolidated SASE architecture. Many SASE components will be stitched together for multiple mergers and acquisitions, so integrating SASE services should be closely assessed.

 

What should be done?

SASE should offer an integrated network and security capabilities using a “single scan” architecture that avoids traditional service chaining, which are orchestrated from a single administration console. SASE policy decision and enforcement points should be distributed and be logically located close to the entity with low latency network access. SASE providers should offer distributed points of presence and peering relations that align with an enterprise’s access latency and data residency requirements.

Enterprises should build a long-term SASE strategy and identify short-term opportunities for SASE service consolidation. Resistance from internal team members that are wedded into traditional network and security architectures is expected; therefore, it is time to begin integration with SASE.

To dive deeper into SASE’s evaluation factors, you can browse Gartner’s publication, which details SASE’s components and main ideas surrounding SASE.

If you want to anticipate these network and security architecture changes while minimizing disruption, then share your challenges with Orange consulting. We apply proven consulting techniques and tools to address key issues, including: building long-term network and network security strategy, aligning business and infrastructure transformation strategies, managing complex infrastructure transformations and ensuring appropriate risk and cost management.

Zied Turki
Zied Turki

I am a Senior Infrastructure and Security Consultant within Orange Business. I have been involved over the last 10 years in building transformation strategies and designing network and security solution architectures. In my spare time, I like reading books, learning about cosmology and trying something new.