Answering the big SASE questions
The adoption of Secure Access Service Edge (SASE) is speeding up as enterprises look to enforce Zero Trust and cut back on security complexity while pushing forward with digital transformation strategies. But SASE is still a mystery for some, and many are unaware they have actually started their SASE journey. This blog will demystify the concept and help you get on the right road.
Gartner forecasts show that by 2025, more than 50% of organisations will have strategies in place to adopt SASE, up from 5% in 2020.1Refer to references at end of content As most data from branches and edge computing will no longer go into enterprise data centers, CIOs will look to SASE to secure access anytime, anywhere, on any device.
SASE is a networking and security model first described by the analyst firm Gartner. It converges wide area networking (WAN) and networking services into a single cloud-delivered solution. A complete SASE offering includes network edge capabilities, notably SD-WAN, and a set of security service edge (SSE) capabilities, including Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA).
Perimeter-based approaches to securing anywhere, anytime access have pulled together an assortment of vendors and policies, which have increased complexity for security administrators and users alike, according to Gartner.2Refer to references at end of content
Security must become software-based and cloud-delivered to protect users effectively in this new world. This is where SASE comes in.
Understanding the SASE Model
SASE isn’t a single product or standard. It is a model, and no one-size SASE fits all. However, all the components that make up the SASE model – connectivity, networking, and security – must seamlessly integrate as part of a centrally managed solution.
Because of the many SASE variations, every enterprise needs to have a carefully thought-out SASE deployment and management plan.
Moving to SASE is not a big bang process; it is a transformational series of actions that will slowly replace hardware, such as firewalls, and software contracts as they reach the end of life.
SASE is still maturing, and there are still many queries around it. Here are the answers to five questions we regularly get asked, which will help you determine your SASE journey.
1. How important is it to have a robust SASE strategy?
It is imperative that you put a SASE strategy in place. You need to review and analyse your infrastructure and the resources required. While developing the architecture, you can see where there are any skills gaps, define how they can be filled, and draw a roadmap accordingly. Many enterprises find it faster, easier, and more efficient to bring in consultancy to help with this process.
Look at a SASE framework that does not lock you in but allows you to select best-of-breed solutions going forward. As SASE solutions evolve and functionality becomes more advanced, you want to be able to choose the very best solution for your organisation.
2. We understand the benefits of SASE, but are apprehensive about having the in-house capabilities to manage it adequately.
Yes, SASE requires long-term commitment and resources. SASE is a concept that covers not only the technology but also the people and processes required to connect users effectively and securely to devices and services. Wherever you are on your SASE journey, managed SASE provides a single source and point of contact for all SASE services. This is an ideal option for enterprises that have skills and resource constraints. With the current skills drought, it is proving a popular route for many enterprises.
Here at Telstra, we partner with a variety of customers to define their SASE frameworks, developing and deploying technologies, including ongoing managed and co-managed services. Managed SASE services enable in-house IT teams to switch their focus to business outcomes.
3. Do we need Security Service Edge (SSE) and SD-WAN to achieve our SASE ambitions?
This really is dependent on your enterprise’s size and requirements. SD-WAN and SASE are compatible but largely independent technologies that create a high-performance, scalable, and secure connectivity solution when combined. SD-WAN comes with security features that SASE builds on. SD-WAN does not require SASE, however, and SASE can work on traditional networks.
Secure Service Edge (SSE) is the primary security component of SASE, and many organizations are adopting SSE as part of a phased approach to full-blown SASE. SSE provides Zero Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), and Secure Web Gateway (SWG). Providing these capabilities in a single platform enhances scalability and management.
For smaller organisations with minimal internal applications, it can make sense to connect all traffic straight into the SSE service without needing an internal WAN domain. Larger organisations with more branches and internal applications will require SD-WAN to keep internal bound traffic on an intelligent overlay outside of the SSE. This is designed to provide the best connectivity experience and control
4. What is the best for my enterprise – a single-vendor SASE solution or a mixed-vendor SD-WAN and SSE solution?
As I mentioned in my previous blog, each enterprise has its own set of requirements, and multiple solutions are possible. The role of the network architect is to design the solution right for that enterprise taking in all requirements, including technical, geographic, service, cost, etc.
A single-vendor SASE solution might appear to meet a set of high-level requirements, but there may be some more specific areas where it struggles, such as hardware availability in certain countries. At Telstra, we promote a best-in-breed SASE solution integrating Palo Alto Prisma SASE with VMWare and Cisco SD-WAN offerings.
5. How important are points of presence (PoPs) to the SASE end-user experience?
PoPs are extremely important. The edge of SASE depends on a globally distributed network fabric made up of PoPs. These PoPs are either operated by the SASE vendor or through a partnership with a public cloud provider. SASE connects users to these PoPs instead of routing them back into a data center. This enables organizations to effectively adopt the latest security features without any degradation or disruption in the user experience.
If a SASE vendor does not have adequate PoPs, it can end up sending traffic down a funnel, creating inefficiencies and latencies. It is thus important to ask prospective SASE providers how many PoPs they have, who provides them and where they are located.
Additionally, where Telstra are providing the underlay connectivity for a branch, we solution enterprise grade Internet connectivity from our own network and our partner portfolio to provide the best and most direct connection to SASE PoPs to minimse unnecessary latency.
Learn more about Telstra Purple’s SASE assessment, designed to help steer you in the right direction and consolidate your business and technical requirements in an overarching SASE strategy.
References:
1. Gartner cloud will be the centerpiece of the digital experience 2021