Traditional network architectures and the strategies of yesterday are being fiercely challenged:
- The centralized data center is dying. Meanwhile the WAN edge is gaining importance, forcing IT leaders to reverse their perspective: looking from the network edge in, rather than looking from the data center out.
- Security is moving away from the data center, shifting to the cloud and to the WAN edge.
- Technology advances like SD-WAN and cloud security are tightening the relationship between the network and security, triggering an IT rethink.
All of this is giving rise to a new unified approach to IT services called SASE (pronounced “sassy”). Here’s why every IT leader should grasp this new acronym.
What is SASE?
Gartner coined the acronym, defining secure access service edge (SASE) as “converged offerings combining WAN capabilities with network security functions.” For instance, a SASE solution consolidates a global software-defined network service or SD-WAN with firewalls, a secure edge gateway, cloud security monitoring, and managed threat detection and incident response services into a single unified approach. While Gartner reports that SASE solutions are still emerging, many already define the characteristics of a solution as:
- Cloud-based: Cloud delivery platforms help enterprises transition from hardware to software, reduce costs with multi-tenancy and are superior for supporting a remote, distributed, and mobile workforce. They are also good for edge computing.
- Globally distributed: A global software-defined network for low-latency routing across worldwide points of presence is part of the SASE solution, which aids in supporting real-time communications and putting the compute power at the WAN edge. But SASE also provides security for today’s globally distributed and multi-cloud IT environment.
- Identity focused: Today, identities are the new focus for security and access decisions—not the data center. Security policy design is based on the identity of the device or person (or both), their connection location and other contextual details like the application and the time of day. Thus, identity activity tracking and analytics are needed for SASE. These capabilities are often the missing pieces enterprises need to enable advanced strategies like Zero Trust security models.
- Edge flexibility: Rapidly evolving digital enterprises need an IT edge that can be shaped and reshaped as needs change. SASE connects all edges (WAN, cloud, IoT, and mobile) while never leaving security as an afterthought. Furthermore, agnostic approaches to device manufacturers, connectivity types, and cloud service providers empower clients to switch providers and strategies as leaders and laggards shift in these ever-changing markets.
What are the benefits of SASE?
Network and security staff supporting the infrastructure will experience:
- Increased effectiveness: By reducing and eliminating routine infrastructure setup tasks, network security professionals will be able to focus on business, regulatory, and application access requirements. SASE delivers centralized policy management with local enforcement.
- Cost savings: SASE supports more capabilities with fewer vendors and may not require the enterprise to invest in new hardware and software. Costs can also be reduced as more and more SASE services come online in the future.
- Stronger security posture: SASE supports content inspection, for example for sensitive data and malware, with the same security policies applied throughout. SASE security updates allow quicker adoption of new capabilities. SASE can even reportedly block new threats as they emerge without requiring new deployments.
- Simplified security: Identity-based security and Zero Trust are essentially network access based on the identity of the user, device, and application, which simplifies security policy management. SASE also streamlines security by providing end-to-end encryption for each session with optional web application and API protection that can be extended to Wi-Fi networks. Transparency of the security policies will reduce the number of software agents required. SASE helps avoid software agent and appliance expansion. Plus, it can automatically be applied to access policies without user interaction.
SD-WAN vs. SASE: What’s the difference?
SD-WAN is network-as-a-service, and SASE takes that one step further by adding security to the mix. SASE is considered network-security-as-a-service.
They are complementary, not competitors. By bringing SD-WAN and SASE together under one provider and a single solution, enterprise clients can leverage SD-WAN services with a fully embedded security capability. Beyond simply addressing the basic security concerns of SD-WAN’s public internet connectivity option, here are some examples of why this pairing is particularly advantageous:
- SD-WAN, a global software-defined network service, and end-to-end security services all in one solution with one platform and one partner
- Consistent security policy across all SD-WAN devices
- A single source of truth for SD-WAN visibility, identity analytics, and security threat information — now security data and network data can come together in the same dashboard for heightened levels of visibility and insight
- Keeping SD-WAN and security strategies fully aligned is easier now — network micro-segmentation strategies can be easily leveraged for security monitoring based on segmented flow data
- Less friction between network and security — as tools and services are unified, operations and teams will likely follow suit
Why is SASE the next big thing?
SASE is popping up everywhere because it solves significant IT challenges. Existing network security architectures were designed for the centralized data center and fail to serve the needs of digital transformation, SaaS, real-time applications, edge computing, IoT, and other cloud-based services.
Historic network security architectures made the data center the epicenter of connectivity and security strategies. But this design can constrain the dynamic nature of IT and the agility required in the age of digital business. A security strategy focused on the data center is insufficient when it comes to:
- Supporting more users, devices, applications, services, and data located in cloud services, outside the enterprise
- Addressing network latency and complexity requirements
- Analyzing encrypted traffic for security purposes
These challenges actively drive the adoption of security-as-a-service capabilities and have triggered enterprises to shift toward a cloud-delivered secure access service edge.
Additionally, SASE needs to be on the radar of every IT leader because change on the inside calls for change on the outside. Executives who grew up with a data-center focus are realizing that IT environments are looking quite different now, and providers and services need to meet the needs of the modern network:
- The enterprise is running more IaaS/PaaS and SaaS workloads.
- More user work is performed off the enterprise network than on the enterprise network and in the data center.
- Sensitive data is located outside of the enterprise data center in cloud services.
- More traffic is destined for public cloud services than for the enterprise data center.
- Branch offices are also increasing their access to cloud services and bypassing the data center.
Isn’t it time for network and security convergence? Are your network services keeping up with your security, multi-cloud, and edge-focused strategies?