Setting a course for SASE: Best practices and questions to address along the way

Posted on August 10, 2021

The Secure Access Service Edge (SASE) model is on track to become the standard approach to SD-WAN and network security. But, how does an enterprise get from where it is today to an effective SASE deployment? Best practices are surfacing that offer organizations a clear roadmap for converging network and security into one cloud-based approach. The migration process raises many questions, however, including the scope of SASE, the process and pace of implementation, vendor strategies and more. Here, we explore the processes companies are taking to achieve a SASE architecture and the difficult questions they address along the way.

The state of SASE

SASE is gaining traction, with Gartner projecting that 60% of enterprises will have explicit strategies and timelines for SASE by 2025. This is up from just 10% in 2020. SASE’s growth derives partly from its ability to simplify security for remote employees and branch offices. More broadly, the concept has caught on because today, everyone and every device is inherently remote. Even users inside the firewall are remote from cloud and Software-as-a-Service (SaaS) resources. With the need for secure edge networking, companies of all sizes are seeking out an edge-oriented security structure. SASE is exactly that.

SASE converges SD-WAN with security capabilities including firewall-as-a-service (FWaaS), cloud access security broker (CASB), secure web gateway (SWG), and zero trust network access (ZTNA). Moreover, SASE calls for all of these capabilities in one cloud-based solution. With these network and security technologies in one dashboard, it becomes possible for companies to securely access digital resources from anywhere on any device. The SASE model also helps with IT flexibility, cost-cutting, systemic simplification and data protection.

Where do I start with SASE?

As appealing as SASE may be, it’s not always clear how to get started with an initiative to build SASE in your organization. SASE is best understood as a network security framework that can be expanded and improved upon over time. The good news is that you probably already own some of the core components of the SASE framework, even if they are not connected inside one solution the way SASE requires. You can start the SASE thought process by identifying gaps between what you have and what you need, in terms of SD-WAN, FWaaS, SWG, CASB and ZTNA.

Gartner, in their 2021 Strategic Roadmap for SASE Convergence, offers guidance on realizing SASE. One of their main points is to view SASE as a transition from existing hardware, software and policies. For example, they suggest inventorying equipment and contracts to implement a multi-year phasing out of traditional perimeter hardware in favor of cloud-based SASE capabilities. They also recommend implementing ZTNA for all users regardless of location. Get a free copy of the Gartner paper here.

Masergy also recently published an infographic for our “12 Step Roadmap to SASE.” The first step is to form a cross-functional planning team. It should have members from IT, security, network operations, remote workforce members and business managers. The team can map SASE against existing capabilities and prioritize areas where it will provide the most value. From there, the 12-step phased process includes activities like identifying how SASE can make your network infrastructure more virtualized, along with how security technologies can be consolidated into one platform. The process suggests developing an understanding of where network and security teams will need support from service providers.

Issues to resolve along the way

As you navigate your path to SASE, you will have to address some key questions, including:

What should I put in the cloud?
SASE stresses a cloud-first approach, but not every element of SASE needs to be cloud hosted, and certainly not at the start of the migration process. (Not to mention, for many organizations some on-premises footprint will always exist somewhere.) For example, not all firewalls belong in the cloud. Some will do their jobs better if left on-premises, especially in large enterprises. Identify which capabilities belong in the cloud and define your requirements for which aspects still need the flexibility to run both in the cloud and on-premises.

How many providers should I have?
Getting SASE right has a lot to do with determining the right provider. Ideally, SASE solutions come from a single vendor with one dashboard. After all, SASE was designed to solve the IT complexity problem — too many vendors, dashboards, and policies. The market is still maturing, meaning few providers today offer all five SASE capabilities in one clean solution with one dashboard. However, it won’t be long before ideals become reality. Thus, it still makes sense to consolidate to as few vendors as possible. Say, no more than one or two.

What should my SASE tech stack look like?
As providers compile the wide array of security tools into one SASE toolbox, they may use only their own homegrown, proprietary technologies, or they may consolidate technologies from outside companies into one service experience, labeling it as SASE built from best-of-breed providers. How the tech stack is compiled and integrated is often a key factor in decision making, helping companies select between providers.

How do I make SASE a part of what we’re already doing?
SASE does not have to be a major disruption. It can flow into existing projects and practices, such as the hardware replacement cycle. As you update network hardware, you can shift to equipment that supports the SASE model.

The approaches that resolve these issues tend to overlap. Deciding what to put in the cloud affects hardware purchases. Consolidating vendors may involve moving workloads to the cloud, and so forth. Getting to SASE can be an iterative, incremental process.

Thinking beyond SASE with additional security capabilities

SASE should not be your final destination. Improving your overall security posture and reducing risk is part of the bigger trend of widening security protections to the edge and engaging with the right service providers. For example, advanced endpoint security is a critical area of cyber defense that one should not neglect in the pursuit of SASE, as is shadow IT discovery. Moreover, managed detection and response (MDR) services can be a big help in ensuring SASE strategies have the right people and proven processes to back new security technology investments. MDR provides 24/7 threat monitoring by certified security experts, including an action team that operationalizes capabilities like branch IP security, CASB, and ZTNA, so you don’t have to increase your IT headcount. At the end of the day, SASE is useless without people mitigating the security risks identified by these advanced technologies.

Conclusion

SASE is here, and likely coming soon to your organization, if it hasn’t already arrived. You need a plan and a roadmap for this promising security model. Industry thought leaders like Gartner are weighing in with recommendations based on research and emerging best practices. Getting there will mean addressing a variety of issues, such as provider selection and cloud migration choices. It’s a process that should involve more than just IT and security. The whole organization should be represented in the planning process. It will be worth the effort, with SASE making it possible to protect anywhere, anytime access to digital capabilities.

Trevor Parks

Trevor Parks is the director for security solutions at Masergy. He is responsible for guiding the development, evolution and implementation of Masergy's Unified Enterprise Security services platform. Trevor contributed to the development of the patented Network Behavioral Analysis technology at the core of Masergy’s security solutions aimed at detecting APTs and other advanced threats affecting customer networks.