In 2019, Gartner introduced the term Secure Access Service Edge, or SASE, in its technology hype cycle, and it almost immediately grabbed enormous attention from vendors and enterprise consumers. Established and new technology players have already started highlighting the benefits of SASE and marketing their offerings to attract customers. But what is SASE? Why should we care about it? Is it truly a game changer?
In my opinion, the concept is not entirely new; rather, the branding and the timing of the terminology are so appropriate that it caught real attention. SASE is nothing but networking and security delivered as a cloud-based service, as opposed to discrete point solutions that are no longer relevant in today's environment, where application and data access is needed from everywhere, at any time, and from any type of device form factor. Before we delve into the world of SASE, let's examine the technologies organizations have used for connecting to and securing applications, and why they need to look at newer alternatives.
Traditionally, applications were hosted in corporate datacenters, within the perimeter of the organization, and users had to backhaul their traffic to the company network to access them. The introduction of cloud-hosted applications, increasing dependency on third-party SaaS (software as a service) and workforce mobility have made traffic backhauling inconvenient and perimeter-centric security less effective. At the same time, a plethora of networking and security solutions made integration even more challenging, security incident response more cumbersome, and lowered the return on technology investments.
Organizations started looking for "integrated" solutions that bind networking with security services and provide a single pane of glass for easier operations, better context and data sharing between controls for improved efficiency, and increased portability of the solution suite to address the ever-changing form factor of user compute. Gartner's SASE concept reflects the same need in a cloud-based service offering. The future of networking and security will be an integrated "as a service" offering from the cloud that enables users to access data from anywhere, at any time and from any type of device.
The components of a good SASE security plane may include a proxy-based secure web gateway, URL filtering, SSL/TLS interception, data leakage protection, content isolation, advanced threat protection including dynamic detonation (sandboxing), firewall/IPS as a service, DDoS/WAF as a service, DNS security, CASB (cloud access security broker, for SaaS) and other security controls based on the zero trust security model. The network plane integrated with those security controls may include intelligent connectivity solutions such as SD-WAN (software-defined wide area networking, to minimize connectivity cost and provide intelligent, latency-optimized routing to applications hosted anywhere, in the cloud or in the corporate datacenter), VPN replacement with SDP (software-defined perimeter), content distribution services, WAN optimization, policy-based routing, and class-of-service and quality-of-service assurance from the cloud. There is no prescriptive list of networking or security controls within the SASE framework; the key is to have an integrated "as a service" offering. That is where industry vendors are stretching the term, by offering solutions in their own stronghold as SASE.
The challenges early adopters will face here will be no different from what they see in on-premises technologies. Distinct technology controls offered as a service, with minimal integration and context sharing between them, simply shift the problem from the datacenter to the cloud. The reason lies in the fact that there is no set definition of the controls that need to be in the SASE space. Classic networking vendors are either building a few security features or acquiring security companies, without any deeper integration, to emerge as "new" SASE players. The same holds true for traditional security players: they lack expertise in the networking space and hence "partner" with network players to provide an "on-paper integrated" SASE offering. Here is what an organization should consider while evaluating a SASE vendor:
- An integrated networking & security as a service offering.
- Avoid a "stitching approach", meaning multiple vendor products offered "together" as partners or acquired solutions with poor integration capabilities.
- Look for solutions built from the ground up with offerings in both the networking and the security space.
- Look for solutions with better data and context sharing for a complete end-to-end picture.
- Prefer solutions written on cloud-native technology.
- Hardware instances or virtualization are less preferable than container-based offerings leveraging microservices technology.
- Identity-based security filtering based on the principles of zero trust networking.
- Select products allowing granular policies based on immutable identities of humans and machines.
- Prefer solutions with open APIs for better integration with the rest of the control suite.
- Built on next-generation technologies like artificial intelligence and machine learning.
To conclude, SASE is the direction organizations should look to embrace, without repeating the mistakes of the on-premises network: too many independent solutions at the cost of higher complexity and lower integration capability. Industry solutions offered in this space fall into three distinct categories: strong network-as-a-service offerings from traditional networking vendors, strong security players providing security as a service, and CDN providers helping with content distribution from the cloud. Network vendors without a stronghold in security can either acquire a security solution or partner with other security vendors. The same is true for classic security vendors entering the SASE space.
The net impact is a lack of context sharing, poor integration and operational complexity that defeats the core goals of the SASE concept. We should prefer solutions with the most depth and the broadest breadth, covering the network and security areas well enough to provide one integrated "as a service" solution written on cloud-native development platforms with open integration capabilities. The market is still full of network or security niche players, so a slightly cautious approach of waiting until solutions come up with equally strong network and security offerings may be the prudent thing to do. Everybody is selling the SASE concept in their offerings now, but to me it is exactly the on-premises problem moved to the cloud, except for a few vendors bridging the gap with an integrated cloud-based networking and security offering. Again, the goal here is not to be prescriptive but to put the facts in front of you; the final decision stays with the individuals in charge of technology selection, based on organizational objectives and risk appetite.
Parthasarathi Chakraborty, Director – Infrastructure & Cloud Security Architecture, currently at Bank of Montreal.