Brian Jackson - Fotolia

3 SASE case studies exploring real-world deployments

Three case studies demonstrate how SASE technology helps organizations securely connect geographically distributed workforces.

Secure Access Service Edge, or SASE, sparked immediate interest when Gartner introduced the concept in 2019. The COVID-19 pandemic fallout then pushed the cloud architecture model to the top of countless networking and security project lists, due to its ability to securely connect geographically dispersed workforces.

"We didn't realize just how big of a benefit [SASE] would be. It's been our saving grace for the past 12 months," said Bill Wiser, vice president of IT at third-party call center provider Focus Services. "We now have 500 remote users [on a SASE service], which we just never would have been able to do with our internal equipment."

SASE secures and manages distributed access by bundling diverse network and security functions into a single software stack. Gartner has predicted that by 2024, at least 40% of enterprises will have explicit plans for adoption. The following SASE case studies outline the benefits organizations have seen from their deployments.

Early SASE adoption

Company: Akamai Technologies

Industry: Content delivery network, cybersecurity and cloud services provider

Size: 7,700+ employees across 50+ offices worldwide

SASE vendor: Internal project

Patrick SullivanPatrick Sullivan

In 2012, Akamai Technologies began to move customer-facing security functions to the edge as a response to the advent of cloud computing and the proliferation of distributed denial-of-service attacks, according to CTO Patrick Sullivan. This migration, which happened seven years before Gartner popularized the term SASE, would lay the groundwork for the company's eventual internal SASE implementation.

"We didn't use the vernacular of SASE, but the core tenets were there," Sullivan said.

In contrast to the traditional network security model in which discrete security devices sit separately in a centralized data center, Sullivan said SASE features "a single security stack running at the edge with applications that feed off each other and answer a bunch of different questions." For instance, SASE can assess if a request is valid or malicious; the author is a human being or a bot; there are indicators of fraud; or the entity has bombarded other customers on the platform with suspicious requests.

We didn't realize just how big of a benefit [SASE] would be. It's been our saving grace.
Bill WiserVice president of IT, Focus Services

Within several years, Akamai also started to embrace a SASE model for its internal-facing applications. "Corporate end users started to look more like the end users visiting a public website," Sullivan said. "They're not all clustered in the corporate office. They're working from home, in airports, on planes, so it made a lot of sense to shift that security inspection to the edge."

Before SASE, the Akamai network's paths were circuitous and convoluted. For instance, it would route traffic from Sullivan's home office in Virginia to the security stack at the Massachusetts headquarters, before sending it back down to a cloud data center that Sullivan said he can practically see from his house.

"That was extremely inefficient and costly, a horrible user experience and a bad security model, in that we were establishing trust at the network layer," Sullivan said. "Fast-forward to SASE, and if I want to access a Jenkins instance that's hosted in one of the local cloud facilities, I just hit one of the dozens of edge nodes in my area. All of that security takes place on a per-request basis in an integrated stack."

The SASE model also enables secure, zero-trust network access for everyone from Akamai's third-party contractors to employees at newly acquired companies. Over the past two to three years, Akamai has gradually phased out its VPN, use case by use case and user community by user community, according to Sullivan.

"We certainly didn't anticipate the pandemic, and it, of course, has had major impacts on our workforce. But, from an IT perspective, it was sort of a nonevent because we'd already externalized the users and implemented these efficient, safe traffic flows," he said.

While security is often at odds with UX, Sullivan believes that SASE has the unusual distinction of improving both: "What's great about SASE is you don't have that tension. Everybody's aligned."

Unexpected SASE benefits

Company: Focus Services

Industry: Third-party call centers

Size: Nine call centers in North America, two in Central America and one in the Philippines

SASE vendor: Cato Networks

As a third-party call center provider with locations around the world, Focus Services relies heavily on its global WAN. Several years ago, in the midst of several new international site rollouts, the company's IT team started thinking about how to use software-defined WAN (SD-WAN) to support a more efficient, affordable and secure expansion.

Bill WiserBill Wiser

"As we saw the technology continue to develop and get better and the pricing came down, we became more and more interested," Focus' Wiser said.

With a single, companywide active directory, massive amounts of mission-critical voice traffic and heavy reliance on cloud-based automatic call distribution (ACD) services, Wiser and his team ultimately decided they needed better network redundancy. And, with its modest price point compared to MPLS, SD-WAN fit the bill. Initially, Focus subscribed to an SD-WAN platform resold and managed by CenturyLink. Wiser declined to name the original manufacturer and product names but described the offering as "mainstream."

"We tested that within our centers for about six months," he said. "It was a new offering for CenturyLink, so we learned together. It was fairly painful."

The SD-WAN service didn't do all Focus needed it to. The intelligent routing software succeeded in monitoring dual connections and dynamically assigning high-priority traffic to the stronger of the two. But the technology's ability to duplicate traffic across both connections -- critical for Focus Services' VoIP use case -- was limited, according to Wiser.

"Even the slightest bump in a connection, any latency or jitter, impacts voice," he said. "If one provider [link] went down and then the other took over, you still lost all your voice traffic."

Focus ultimately abandoned its initial foray into SD-WAN. In 2018, a different technology service provider suggested the company try Cato Networks' offering, which Wiser's team ended up deploying across all U.S. locations over a three-month period.

"Two of our core centers were a little more difficult because we had multiple firewalls and different scenarios to overcome," Wiser said. "But, in the majority of our centers, it was very simple -- unplug out of one location, put a switch in between and plug two connections back in."

Focus was pleased with the software's performance, which Wiser said dramatically improved VoIP call quality and ACD connectivity. With on-site firewalls, web filtering and traditional VPN capabilities already in place, however, it initially passed on using the Cato platform's SASE features. But then, COVID-19 hit. Like countless other organizations, the company had to pivot to a work-from-home model almost overnight, and Wiser realized it needed the edge security functionality SASE provides.

Focus quickly adopted Cato's internal traffic and web filtering functions, part of its SASE offering, and moved to add hundreds of newly remote call center representatives and administrators to the SD-WAN/SASE platform. "It has been a huge, huge benefit," Wiser said.

A timely SASE deployment

Company: Thornton Tomasetti

Industry: Engineering consulting

Size: 42 offices worldwide

SASE vendor: Versa Networks

In 2019, the IT professionals at global engineering consulting firm Thornton Tomasetti started taking a long, hard look at how they managed their WAN, especially in terms of network security and access control.

Lance BrophyLance Brophy

"We recognized we were in a very reactive mode," said Lance Brophy, IT director of operations transformation. With diverse hardware deployed inconsistently across the company's 42 branch sites, the WAN security strategy lacked cohesion. Standardizing and streamlining WAN management, without increasing total spending, would be a win. "And, if we could manage the network better using fewer resources, that's the home run we were looking for."

His team launched a formal study exploring their options, and SD-WAN and SASE technology quickly caught their attention. Thornton Tomasetti's leading vendor contenders included two established players, plus relative newcomer Versa Networks.

"Versa brought everything to the table we needed," Brophy said, including cloud security, next-generation firewalls, threat management and role-based access control. "Under their SASE umbrella of services, they delivered more security-based features and at a lower price."

Achieving a SASE model with either of the two alternative vendors would have required Thornton Tomasetti to replace much of its existing infrastructure, he added. "Versa allowed us to just replace our firewalls. We didn't have to make an investment across our entire network portfolio."

Brophy's team, together with a third-party network management partner, began rolling out the SASE technology in January 2020 and wrapped up deployment across all 42 offices within 90 days. They started with Thornton Tomasetti's two biggest offices, both in New York, with the idea that any unforeseen technical challenges would quickly become apparent there. Working around the network's demilitarized zones required extra consideration and planning, for example. The team also found, through trial and error, that it had to involve some circuit providers in reassigning customer premises equipment devices but not others.

"That sounds fairly simple, and it was, once we understood what the problem was," Brophy said. "But, at three in the morning when we were trying to figure out why we couldn't connect to a telco provider, it was painful."

The team had a couple of long, sleepless nights. In retrospect, Brophy said he might advise starting with a small pilot site and working up to larger locations later in a deployment project. "But we learned a lot and came out of it in a better position to move forward with the remaining offices," he added. By the time the team had converted a third of Thornton Tomasetti's total locations, they had reduced the cutover time to just 30 to 60 minutes per site.

"We finished just before COVID really hit. Folks were being sent home literally the Monday after we completed the last site," Brophy said.

The SASE deployment's lucky timing enabled Thornton Tomasetti to immediately pivot to securely supporting a newly dispersed workforce, which probably wouldn't have been possible on the company's traditional network infrastructure, Brophy said.

"We've been able to prove as a business that we can work as a remote workforce, something that we wouldn't have even dreamed about a year ago," he said. "And it's got to be secure -- that is key."

Thornton Tomasetti has been extremely satisfied with Versa Networks' SASE offering, but Brophy encourages organizations to do their own homework. "There are different feature sets and capabilities from vendor to vendor, so be aware of those. You need to find the one that meets your business requirements to make that right decision," he said.

Dig Deeper on Network security