As companies increasingly adopt cloud architectures, they are looking for ways to increase security while reducing complexity and operating costs. And, of course, the move to remote work, which increases the need for hybrid cloud and software as a service, only accelerates these requirements.
All of these requirements can be addressed by an emerging technology that figures prominently in today’s business security advertising cycle: Secure Access Service Edge, or SASE. The benefits are exceptional: SASE is an architecture that combines network concepts like VPN and SD-WAN, along with security concepts like Zero Trust (another compelling but often overdone concept) and contextual access.
But at this point, SASE represents more of a goal or concept for most organizations than a product. However, almost all major vendors have embraced this concept (e.g., Cisco, Palo Alto Networks, Zscaler, Akamai, McAfee, etc.) and have rated many of its components as critical to achieving SASE.
But as attractive as the concept may seem, in practice there are many hurdles that companies must overcome to turn the hopes of SASE into reality.
Challenges of SASE implementation
Generally speaking, SASE is the integration of network services with security services so that user access, SaaS and multicloud functions are completely secure. It includes capabilities inherent to SD-WAN implementations, such as path flexibility and redundancy. It also offers routing, application visibility and reporting, vendor-specific software-defined capabilities, and VPN.
SD-WAN, which helps virtualize networks and their operations, is widely deployed, but requires companies to replace older single-function switches and routers with new equipment. This virtualization of networks has been going on for several years and most companies have virtualized most of their networks, or at least a significant part.
This is a critical step, since SASE requires a virtualized network to be implemented. Additionally, all public cloud networks are virtualized, so regular users of these services have a built-in advantage.
The hardest part about realizing SASE is the need for a security architecture that can be fully integrated and managed, just like software-defined networks. But most companies today have a hodgepodge of security products that are almost always independent.
In fact, some organizations have dozens, if not hundreds, of unique security applications running in everything from their data centers or cloud instances to networks, hardware endpoints, and individual applications. Even the ubiquitous VPN required to connect securely across networks may not be supported by all devices and servers within the organization. And the increasing number of network options available (e.g., 5G, WiFi 6, broadband) presents its own compatibility challenges.
SASE requires a uniform method of policy management, secure access, threat protection, and device management to be fully implemented. And with so many security components in place that generally don’t work well, this is a daunting task.
A final obstacle to overcome is the organizational one. In most companies, network and security operations are separate groups, not necessarily always in close contact. For SASE to be fully implemented, both network operations and security operations must be on the same page and work together. Without this interaction, the SASE implementation is not possible.
SASE implementation requires heavy integration
Despite what many vendors promote when selling their products, achieving SASE is really a huge integration challenge. And many smaller organizations don’t have the resources to make this happen, even if they already have some components in place (e.g., SD-WAN, cloud access gateways, etc.).
Even the largest companies will have a difficult time making sure that all of their network and security tools and cloud management products are capable of sharing information and being managed through a single interface. While it is possible to have a SASE implementation without a universal control plane or single panel console, the cost of such a solution is much higher in terms of the skills required, the people required, and the time invested compared to a single administration interface. It is also problematic because it is much easier for problems to arise due to lack of visibility when unsupported systems are managed manually.
For many companies, the best path to SASE is to find a systems integrator who can not only integrate the necessary tools, but can also manage the day-to-day operations of their SASE architecture implementation. However, companies should be aware that SASE is a “moving target”, as few companies have all the components in place, and even those that do are likely to face infrastructure updates and changes over time as capabilities mature.
Network operators (for example, Verizon) have created SASE practices that can provide “SASE as a service” in addition to their connectivity and security service operations, but companies will still need to manage the relationship and dedicate resources to ensure the latest updates in network and security are fully implemented as business needs and infrastructure changes occur.
Additionally, service providers will have their own set of preferred partners, which may not be compatible with the products the business currently has. Still, this can be an advantageous path, as these operators can leverage both their ability to influence vendor applications and their acquired experience to make SASE work effectively.
Market consolidation required before SASE maturity
SASE as a concept has a lot of merit in that it can significantly improve the security posture of organizations, particularly in the cloud-heavy world we now reside in. But getting SASE done is not as straightforward as many vendors’ hype makes it seem.
In fact, we expect at least 3-5 years to pass before the SASE market makes up its mind on what the architecture actually looks like and which vendors will be at the forefront (while market consolidation will remove many players from the field in the meantime).
Businesses should definitely be evaluating the SASE architecture as a way to increase security, but should also be aware that current products may not be the end products deployed in the future and therefore implementation flexibility will be required.