There’s a lot of talk about Secure Access Service Edge (SASE), but what does it really mean?
The term itself was coined by Neil MacDonald and Joe Skorupa at the analyst firm Gartner in 2019 – so it’s still fairly new. Furthermore, they admit that it represents an integration of multiple existing functions (like SD WAN and Security) into one system, with some or all of that functionality exported to a cloud-based SaaS (Software as a Service) model, rather than loads of actually new features or technology per se. So how much of a change is it really?
With the advantage of hindsight, the preceding Software Defined Wide Area Networking (SD WAN) development was the biggest change at the underlying level. Turning private networking into an overlay function that was deployed independently of the underlying network layer wrested control of the private network away from Telcos and threw the market open to a wider spectrum of players.
From there, the growth of security as a key feature-set was all but assured: SD WAN is after all a private network built on public internet connections.
The security industry has seen this consolidation before – ‘Next-Generation’ firewall and Unified Threat Management (UTM) trends saw what was once a range of separate security devices and functions merged into one platform. In fact, this was a ready-made integration stack that the security players could very easily slide into the SD WAN discussion.
Much of this core functionality had already been commoditised, which meant that it was relatively quick and easy for new players to also get on board. Hence a very rapid escalation that has seen the SD WAN marketplace begin to morph into the SASE marketplace.
However, there is a tension here, which is where the cloud element comes in.
As bandwidth requirements continue to grow, routing functions rely on the minimum possible packet processing for the maximum possible efficiency. From a security perspective, more and more advanced functionality requires more and more invasive examination and processing of traffic content (HTTPS decryption, IDS/IPS, Anti-Malware). Turning all of this on can easily destroy routing performance on customer premises equipment (CPE) if it’s not appropriately dimensioned. In the cloud, providers have the flexibility and economies of scale to manage these processing challenges in a more effective, efficient and scalable manner. So whilst this doesn’t automatically mean that all security features have to move to the cloud, it’s no surprise that’s where the lion’s share seems to be headed.
This didn’t all start with SASE. These fundamental performance conflicts, along with the diminishing importance of location versus the increasing importance of identity in security, have been gradually pushing advanced security functionality into the cloud for years. For example, one of our key security partners at Colt is Zscaler, and they have been providing SaaS-based security services from the cloud since their inception in 2008, over a decade before the term SASE was first coined. Versa Networks will soon be celebrating their ten-year anniversary, and their founders saw the need to converge and integrate security, networking, and analytics, in the cloud and on-premises, within a single software operating system.
Many of the SASE providers still provide some of the more basic security features like stateful firewalling on the CPE. It makes sense for some of these features to remain within a CPE-based deployment model, particularly when you consider that they also provide some degree of LAN segmentation for East-West (within the site) traffic as opposed to just North-South (in and out of the site). You don’t necessarily want to push everything through the cloud if it’s not headed that way anyway.
When you weigh up all the evidence then, it seems that SASE is more of an evolution than a revolution. It does, though, still represent change – it’s a coming-together of many different strands, together with the potential for much greater flexibility in security deployment within one’s network.
With hybrid work set to stay for the long term and security threats only continuing to grow, every organisation should weigh it up and assess how it could work for them.
Last week Colt launched SD WAN Remote Access to support the surge in hybrid working – becoming one of the first to deliver a managed SD WAN service integrated with Versa SASE.
Chris Peregrine is Cybersecurity Product Manager at Colt