SASE misconceptions: How to take a pragmatic approach to network & security convergence

Secure Access Service Edge (SASE) has been a hot topic since Gartner defined it as a new category of offerings combining WAN capabilities with network security functions. Everyone agrees that conceptually SASE makes sense, but when it comes to turning idealistic frameworks into realistic IT approaches misconceptions abound. Here’s where SASE principles can be taken too far and where IT buyers may get a bit too starry eyed.

Misconception #1: SASE mandates zero daisy chains

Gartner’s “2019 Hype Cycle for Enterprise Networking” included this warning statement about virtual machine service chaining (as known as daisy chains) that can sometimes lead people astray:

“Software architecture and implementation matters. Be wary of vendors that propose to deliver services by linking a large number of features via VM service chaining, especially when the products come from a number of acquisitions or partnerships. This approach may speed time to market but will result in inconsistent services, poor manageability and high latency.”

Solution architecture is important, and yes, you want to minimize the number of daisy chains to reduce complexity. However, it doesn’t mean you cannot have any daisy chains in your solution. In fact, dictating zero daisy chains can have consequences–not for performance, but for security.

SASE consolidates a wide array of security technologies into one service, and yet each of those technologies are their own standalone segments today–with their own industry leaders and laggards. Any buyer who dictates no daisy chains is trusting that one single SASE provider can (all by themselves) build the best technologies across a constellation of capabilities that is only growing larger. Being beholden to one company is not pragmatic given that the occasional daisy chain greatly increases the ability to unite multiple best-of-breed technologies under one umbrella. Here are a few more reasons why daisy chains are needed:

• No single vendor, particularly start-ups, can effectively deliver on all areas of SASE security with a level of product maturity, mastery, and best practices that businesses need and expect in today’s landscape of relentless attackers. SASE capabilities should be proven on the harsh cyber battlefield, and most startups don’t survive.
• Any incremental complexity stemming from a strategically placed daisy chain or two should be managed by the provider and should not impact the customer. If a SASE platform performs above expectations, then why should the number of daisy chains matter? For instance, Masergy’s SASE offering does a great job of eliminating the complexity of using multiple vendors. Clients get security technologies from many trusted companies named as Leaders in their respective Gartner Magic Quadrants. And, they get all those perks in one service all from Masergy.
• No daisy chains implies technology acquisitions and large market consolidation, meaning a small number of very large SASE providers may well have too much market power, stifling innovation and raising prices. That’s not always good for IT buyers.

Misconception #2: You must take an all-cloud approach with SASE

SASE revolves around the cloud and is undoubtedly about speed and agility achieved through cloud-deployed security. But SASE doesn’t mean the cloud is the only way to go–ignore everything else. Instead, IT leaders should take a more practical position, using the best technology given the situation and problem. For example, on-premise next-gen firewall appliances are usually still the best option for large offices where performance and total cost of ownership are the key goals. If your SASE approach is cloud-first but not cloud-only, make sure your solution follows suit. Not all solutions allow for both cloud and on-premise firewalls!

Misconception #3: SASE will solve all your security problems

Don’t assume SASE is a total solution. SASE covers a lot of ground, but it does not cover all the technologies a company needs to secure a remote-work and multi-cloud environment. For example, Cloud Workload Protection (CWP) and Endpoint Detection and Response (EDR) are critical in securing user and cloud computing environments, but are not part of the SASE framework. Although EDR is a primary technology used to address ransomware, a threat vector skyrocketing today, it is excluded from SASE because it does not require network traffic inspection to function. Rather, it’s an agent-based solution that monitors operating system activity and integrity.

Moreover, SASE addresses only the technology components of an effective security program, leaving out the experts required for 24/7 security monitoring and mature incident response. Without a dedicated team of security analysts at the ready, security technologies are ineffective–whether they are included in SASE or not. Professional skills are necessary to further investigate threats and stop them before major damage is done.

Misconception #4: With SASE, SD-WAN doesn’t matter anymore

The security arena is the source of much SASE buzz, but let’s not forget that SASE solutions don’t work without SD-WAN and its centralized management platform pulling everything together. Plus, SASE is essentially dead on arrival unless the underlying network performs at acceptable levels. In selecting a SASE provider, IT leaders should check that both security and networking capabilities meet their needs, otherwise the entire “solution” can fail. Evaluations should touch on scalability, access flexibility, visibility and control, performance, as well as the ability to separate, prioritize, and secure bandwidth for remote employees.

Conclusion: Soften hard-lined expectations to maximize security and business outcomes

SASE is all the rage, promising the ideologies that IT leaders have dreamed about for years, but taking a purist approach can have consequences. Hard-lined expectations around daisy chains and the cloud should be softened in favor of maximizing security excellence and business outcomes. Likewise, SASE solutions need to be compared against the broader security and network strategy, seeing where it adds value and where it may still fall short. By taking a pragmatic approach and wrapping SASE with fully managed network and security services, companies can make ideologies tangible, achieving agility and productivity all with ready-made security.