Secure Access Service Edge architecture describes the convergence of security and networking into a global cloud service. SASE connects and secures all enterprise edges -- sites, mobile users, cloud data centers, SaaS and IoT devices -- with one service.
Gartner crystallized key trends in networking and security in the fall of 2019 with its introduction of SASE. While Gartner might not have invented this shift from discrete appliances to one converged global service, its approach has undoubtedly caught on. At SD-WAN Experts, we've seen several of our enterprise clients requesting SASE elements in their requests for proposal. Several vendors are, in turn, responding with SASE pitches.
As radical as SASE architecture sounds, its implementation is part of the natural WAN transformation process that's been sweeping the industry for some time. Enterprises are already transitioning from MPLS. In some cases, for example, they're adopting software-defined WAN and all internet-based connectivity; in other cases, they're shifting to a hybrid deployment where SD-WAN devices connect to MPLS and internet circuits. Pulling the cloud and mobile access into one secure network is a natural extension.
SASE vs. SD-WAN
The difference in choosing SD-WAN or SASE architecture is selecting a platform that meets requirements for the future. By building all networking capabilities and the necessary security into one service, SASE becomes the platform that supports changes beyond MPLS replacement, which has been the most common use case for SD-WAN. SASE enables organizations to support global connectivity, remote access, cloud connectivity and more by activating features of the service. With SD-WAN alone, each additional stage would require an enterprise to go out to bid, evaluate new products, select the right one and deploy the offering.
A great example of the differences between SASE and SD-WAN was the recent rush to deliver large-scale remote access during the COVID-19 crisis. Remote access is not part of SD-WAN, and SD-WAN companies have had to jump through hoops to help their customers address issues related to the novel coronavirus.
By contrast, SASE platforms build remote access into the network. Users are equipped with mobile clients or, in some cases, clientless access. Either option enables large-scale deployment to thousands of users in minutes and hours -- not weeks. Because remote access is built into SASE, remote users benefit from the complete security stack and network optimization in SASE architecture.
Networking and security deployment considerations
As organizations look at SASE adoption, they should be able to avoid forklift migrations. On the networking side, SASE offerings include SD-WAN edge devices, and enterprises could even deploy a SASE offering as an SD-WAN alternative. Like SD-WAN, SASE implementations support gradual migrations, coexisting not only with existing network services, but also existing security services. Remote access and cloud connectivity should be optional.
On the security side, SASE offerings replace a wide range of security functions, including next-generation firewalls, secure web gateways, cloud access security brokers and zero-trust network access. Some SASE vendors will support limited, heterogeneous vendor deployments in various ways. In this case, limited means they support site-by-site deployment granularity; don't expect to be able to swap out some of their security components for third-party offerings.
Enterprises can run sites without the SASE provider's security services or only activate them to protect some locations. In the latter case, they can connect legacy firewalls to the SASE platform through IPsec tunnels, while the SASE provider's security services protect the rest of the sites.
Where organizations insist on maintaining legacy firewalls, particularly in the branch, they can consider an approach called firewall bursting. Like cloud bursting -- where an application in a private cloud or data center bursts into a public cloud when the demand for computing capacity spikes -- firewall bursting maintains the legacy firewall appliance at the edge, bursting excess traffic up to the SASE cloud for processing.
Many of my clients are surprised to learn how much they can reduce security costs with SASE. These traditional security costs include rack space, power, internet connectivity, MPLS connectivity, hardware costs and maintenance. Also, the operational costs, license costs, and eventual upgrade and replacement costs of security infrastructure can be quite significant.
Further, enterprises face constant urgency to maintain security infrastructure. When security teams discover a new attack or vulnerability, they must race against time to upgrade their infrastructure. SASE providers maintain the security infrastructure themselves, addressing this problem.
Because security features might be licensed differently, enterprises with security investments that aren't fully depreciated must decide to activate SASE security features or not. In many cases, enterprises can maintain security investments through the end of their contract to save the cost of such a feature in the SASE offering. In most cases, though, companies prefer to write off such investments due to the operating efficiencies the new offering introduces.
SASE architecture is a compelling option
SASE is a natural progression of the WAN's development. Cloud, remote access and mobile access are too essential to be thought of separately from other locations. Security has become inseparable from connectivity. Enterprises can't possibly give users access to anything if those connections aren't secured. SASE adoption then becomes less of a question of if but when. I believe most companies will adopt SASE in the next five years. The value proposition is just too compelling.