Secure access service edge (SASE) is a network architecture that provides a security-focused alternative to SD-WAN.
First outlined by Gartner in 2019, SASE converges SD-WAN services with a range of Security-as-a-Service offerings. Gartner now forecasts that by 2024 at least 40 per cent of enterprises will consider adopting SASE.
The leading SASE vendors are a mix of networking incumbents and well-funded startups. These include Cato Networks, Cisco, Fortinet, HPE, Palo Alto Networks, Perimeter 81, Versa, VMware, and Zscaler.
If your organisation is evaluating its WAN options, SASE should be in the mix. But how do you know whether SASE is the right WAN option for your organisation? Here are five key questions that will help you determine whether or not SASE is a good fit for your business:
1. What are your current WAN investments?
For some large enterprises, SASE will only make sense if their existing WAN architecture is becoming too costly or complicated to maintain. For many enterprises, this problem is already a pressing one. The complexity and cost of hybrid WAN solutions have prompted many enterprises to hand the management of their SD-WANs to incumbent MPLS providers (typically large carriers).
For those struggling with complicated hybrid WANs and considering a change, SASE offers simplicity through outsourcing and consolidation. For large enterprises that view their existing WAN investments as sunk costs, SASE offers a way to break that path dependency.
However, switching away from existing architectures, such as MPLS for mission-critical traffic and SD-WAN for everything else, may be premature for some, especially since the Holy Grail of SASE – a single pane of glass for networking and security – is not yet today’s reality.
For mid-market and smaller businesses, however, SASE will not only simplify their WANs, but it will also deliver security and networking features that they couldn’t previously afford, maintain, or manage as a collection of standalone point products.
2. Does your organisation prefer best-of-breed or consolidated cybersecurity tools?
Many analysts say that SASE is particularly beneficial for mid-market companies because it replaces multiple, and often on-premises, tools with a unified cloud service.
Many large enterprises, on the other hand, will not only have legacy constraints to consider, but they may also prefer to take a layered security approach with best-of-breed security tools.
Another factor to consider is that the SASE offering might be presented as a consolidated solution, but if you dig a little deeper it might actually be a collection of different tools from various partnering vendors, or features obtained through acquisition that have not been fully integrated.
Depending on the service provider, SASE offers a unified suite of security services, including but not limited to encryption, multifactor authentication, threat protection, Data Leak Prevention (DLP), DNS, and traditional firewall services. Many providers also deliver advanced security services, such as Next-Generation Firewall (NGFW), Cloud Security Gateway (CSG), and Zero Trust Network Access (ZTNA).
With incumbents such as Cisco, VMware, and HPE all rolling out SASE services, enterprises with existing vendor relationships may be able to adopt SASE without needing to worry much about protecting previous investments.
3. How large is your hybrid/work-from-home staff?
Prior to the COVID-19 pandemic, enterprise IT teams typically only needed to provide secure, remote access to centralised resources for a small percentage of the workforce. Some combination of VPN (for remote and mobile workers) and MPLS plus SD-WAN (for branches) usually sufficed.
The pandemic dramatically changed that equation. Now, as the pandemic slowly morphs into a lingering endemic, the aftereffects of COVID-19 remain.
According to research from the National Bureau of Economic Research (NBER), many workers are more productive in hybrid or work-from-home (WFH) environments, and they don’t intend to lose the productivity boost, nor the flexibility that comes with remote work.
NBER found that fewer than 30% of WFH employees intend to return full time to offices, while a Morning Consult survey discovered that as many as 39% would quit if forced to return to offices full time.
SASE providers responded to the WFH trend by investing in capabilities that extend the enterprise edge to wherever workers are, including home offices, branches, co-working spaces, mobile, etc.
SASE enables businesses to authenticate users at the edge and enforce policies once users are granted access to corporate resources.
At the same time, businesses with small cybersecurity teams now need to figure out how to secure networks that extend to a far-flung edge, while also ensuring that BYOD and IoT endpoints don’t introduce malware and other threats into the corporate network.
Businesses without the technical know-how or resources to manage security for a distributed workforce should consider SASE as a way to bolster both security and productivity via speedy, secure access to on-premises and cloud resources.
The SD-WAN side of SASE is important here too, since many remote workers rely on residential broadband connections that may be shared with other WFH or school-from-home family members.
Thus, features like traffic steering, the ability to aggregate 4G and 5G bandwidth, and advanced content delivery network (CDN) capabilities help provide a user experience very similar to the office.
4. What hybrid and multi-cloud challenges does your business face?
In its recent Global Cloud Survey, Frost & Sullivan found that 75 per cent of IT decision makers believe that a strong cloud strategy is essential in order to remain competitive.
The enterprise migration to the cloud is still occurring, but today’s multi-cloud strategies now involve much more than moving the data center out to service provider locations.
In the post-COVID era, cloud-native tools are essential to WFH productivity, and new development architectures are facilitating the expansion of the corporate edge.
At the same time, cloud-native architectures are breaking applications out of silos, allowing apps to share data throughout the organisation and from cloud to cloud, but getting that data to the right place at the right time can be tricky.
SD-WAN is a powerful tool for delivering access to centralised resources, be they on-premises or in the cloud. However, providing bandwidth and application access to everything from WFH laptops to IoT devices to industrial sensor networks to medical devices leaves critical privacy, security, and compliance gaps that SASE can handle for you.
5. What does your network edge look like?
Frost & Sullivan’s Global Cloud Survey found that 43% of businesses had already deployed branch or edge locations as of October 2021, while another 41% expect to expand their edges by 2023.
Modern development tools, containers, and microservices continue the trend of freeing software from underlying hardware and infrastructure. SD-WAN worked well when organisations were connecting to branches and cloud providers, but now that organisations must support a distributed workforce and a complicated edge, a policy-based approach to access, bandwidth, and security is essential.
With SASE, the SD-WAN half of the service gives enterprises the ability to automate network selection based on policy. Thus, expensive MPLS links can be automatically reserved for mission-critical applications (HR, ERP, CRM, etc.), while isolated IoT devices may connect to edge data centers over 4G or 5G.
Meanwhile, SASE decentralises security, delivering security from the cloud. SASE enforces multifactor authentication for WFH users, protects the network from malware through CSGs, and provides threat protection for each endpoint.
For many organisations, the overhead of managing all of those security tools is becoming unsustainable, which makes offloading these tasks to a SASE service provider appealing.
Over time, the line between SD-WAN and SASE may begin to blur, but for now, if your organisation needs to support a distributed workforce, a complicated edge, and hybrid/multi-cloud applications, SASE should be on your WAN radar.