Think of SASE as a Framework — Not a Checklist

By Rich Korn | Aug 9, 2022 | 7:30 am CDT

According to a recent study, 94% of IT leaders have accelerated adoption of SASE solutions to make digital services and hybrid work sustainable for the long term. With the masses (98%) flocking to these solutions for their ability to converge networking and security, it’s important to understand SASE within a broader context around its definition. In fact, some IT professionals find it far more helpful to stop focusing on what SASE is exactly and take a step back, thinking of it as a framework or approach instead of a checklist for success.

To unpack this, let’s start with Gartner’s definition of SASE, as this is the information IT leaders typically get when they first inquire about converged solutions.

Gartner coined the acronym secure access service edge (SASE), describing it as offerings combining SD-WAN capabilities with network security functions. This new category of solutions combines five components into one platform:

  1. SD-WAN
  2. Firewall as a Service
  3. Cloud Access Security Broker (CASB)
  4. Secure web gateway
  5. Zero Trust network access

While this concrete list makes SASE instantly tangible and easy to understand, the problem is it creates a tendency for IT leaders to think of it as a recipe, using the components as ingredients for success. It becomes a formula of checkboxes, making it easy to forget about what SASE is trying to accomplish, how it should guide your IT strategy, and how it should work within your specific environment.

Why a Checklist Approach to SASE Can be Problematic

Masergy has encountered many executives adhering to this strict definition of SASE. The result is often frustration and even the creation of new IT problems. Taking the five components as hard-and-fast rules can even cause unforeseen issues with application performance, security, or both. That’s because critical thinking gets missed with a prescriptive approach.

For example, SASE is a forward-leaning solution that emphasizes cloud-based technologies and approaches, but solutions shouldn’t dictate design. IT leaders should still be asking questions like:

  • Does this mean every component MUST be in the cloud?
  • Are there cases when it makes sense for some SASE parts and pieces to remain on-premise? If so, when and with which components?
  • Does my solution allow for design and deployment flexibility?

Given that most IT infrastructures are hybrid environments, with data both in the cloud and on-premise, you may want to design your solution to match.

At Masergy, we find IT leaders come up against SASE challenges, particularly when it comes to next-generation firewalls and the related components of Zero Trust Network Access and Secure Web Gateway. Cloud firewalls, like SWG and ZTNA, are all right there in the SASE recipe, and indeed they are very nimble and easy to manage. However, firewalls don’t have to be in the cloud in order to gain the ease of centralized management, and there are still instances when cloud firewalls may hurt application performance.

Our advice: security policy should be enforced wherever it needs to be enforced, without degrading application performance – whether it be on-premise, in a data center, in the cloud, or even on the endpoint. Digging into these nuanced judgment calls can make the difference between success and a flop.

Using SASE as a Framework

Instead of strict adherence to a checklist, many find it’s better to take a framework approach. First, understand what problem SASE solves and validate that you share this challenge, and then tailor your perfect solution to get there. Too often IT teams get caught in the minutiae of the various technology definitions and capabilities, instead of keeping their eye on the end game.

Think of it this way: At its core, SASE improves security and optimizes application performance.

How these goals are best accomplished will vary widely, as each company is unique with its own IT architecture, risks, security gaps, internal expertise, and existing technologies already in place. While one business may need all five components, another may need only one or two. In fact, it’s not all that different from network solution design. For instance, each site’s transport needs may vary based on individual requirements. MPLS, Internet, wireless, etc. can all be part of the overall network solution, just as SD-WAN, FWaaS, and SWG can be part of a SASE solution individually or as a collective group.

Still, other companies may need more than SASE – it’s not always considered an exhaustive solution. For instance, managed detection and response may be a critical add-on, as many need the help of a 24/7 team of security analysts. Meanwhile, others argue machine learning and SASE should be working together for stronger innovation.

Another thing to note: Because many security capabilities overlap, SASE can be a confusing landscape to navigate. For instance, next-generation firewalls include SWG and ZTNA principles that may satisfy the security goals of many organizations.

In the end, companies and their IT leaders should focus on their desired SASE outcomes, improving security for clouds, users, and endpoints, and optimizing application performance for all users at all locations. Let your own use cases dictate your technology needs, not the other way around. Pick the network and security components you need to accomplish your goals.
