Alex - stock.adobe.com

Guest Post

SASE operational pain points and how to fix them

SASE offers companies a compelling security strategy, but it takes time to ensure network teams have the visibility and management oversight they need.

Secure access service edge is becoming ubiquitous in enterprise networks. This is partly because many of the individual components -- among them software-defined WAN and the cloud-delivered services that constitute the security stack of SASE architecture -- are already common.

The only work that remains is to pull together these components into a unified architecture.

But that's when things get difficult. According to a 2023 Enterprise Management Associates (EMA) study probing WAN strategies, only 26% of IT professionals termed the transition from software-defined WAN (SD-WAN) to SASE as "very easy."

With SD-WAN, network engineers spent months building hundreds of site-to-site and site-to-cloud tunnels over the WAN underlay. With SASE, they must point all their tunnels to various cloud security points of presence (PoPs). Plus, they must integrate change management, policy management and observability across both SD-WAN and cloud security technologies.

Operational pain points of SASE

In 2024, EMA dug deeper into SASE. As part of the 2024 edition of our biennial Network Management Megatrends research, we asked network managers to tell us what they find most challenging about managing and monitoring SASE technology. In our survey of 401 IT professionals, more than 39% told us they struggled significantly to manage security policies and controls in SASE.

Ostensibly, SASE is a viable security strategy. Why would it be so hard to manage security in a security platform?

1. Single-vendor vs. multivendor

Two obvious issues stand out. First, most SASE deployments are multivendor. More than half of companies that responded to EMA's WAN study said they pursued multivendor SASE options. That makes it difficult to apply security policies and controls in a coordinated and consistent manner.

Second, many single-vendor SASE options are not single-product. Instead, vendors use software acquired from previous mergers to assemble a SASE product that checks all the boxes on capabilities vendors are supposed to offer.

2. Visibility

Companies also wrestle with monitoring the health and performance of SASE PoPs, and they rank visibility as the second-biggest management challenge. All network traffic is routed through SASE PoPs, where it either receives multiple layers of security inspection or breaks out directly to the internet as basic web browsing. SASE PoP performance issues can add tremendous latency to a network session. It's important to detect disruptions because network engineers can then route traffic through an alternative SASE PoP. Unfortunately, it appears many network managers struggle to gain this critical visibility.

Additionally, nearly 34% said they find it hard to gain visibility into traffic between SASE PoPs and cloud infrastructure -- an issue EMA believes will get more challenging. Much of this traffic is encrypted, making visibility an even bigger obstacle for network operations teams. Before SASE, a probe at the network edge could track and monitor network paths from that edge to the cloud. Now, that traffic can get obscured after it exits the SASE PoP.

As a network security architect at a Fortune 500 cybersecurity company recently told EMA: "Things have changed drastically since we implemented SASE. Users are proxied through these [SASE PoPs], and that makes troubleshooting a little different. It's hard because we're no longer looking at things from the laptop to the application. It's really about looking things from the SASE node to wherever your user is going."

3. Integration

Managing integrations between different SASE components is another pain point. These integrations happen at the management layer, control plane layer and data plane layer. Integration starts with building tunnels from sites to SASE PoPs, requiring teams to build rules for where traffic should be routed across those tunnels and integrating the management interfaces of these different components.

4. PoP latency

Finally, almost a third of companies polled by EMA said minimizing SASE PoP latency is a continuing headache. More specifically, companies need to make sure user traffic takes the best overall path to its destination. SASE PoPs are typically deployed globally, so user traffic should go to the nearest PoP and, from there, to the nearest cloud.

To that end, engineers need to ensure these paths are efficient and don't change over time. Downtime at one SASE PoP, for example, could cause traffic to fail over to a second PoP that adds latency. This fix might be fine in the short term. But, once the first SASE PoP comes back online, the network team should ensure that traffic goes back to the more efficient network path.

This requires careful monitoring during all stages of SASE implementation and ongoing operations. An IT operations manager at a large government agency said they face this issue right now.

"We're running all these different kinds of network tests, trying to find out if we're using the right paths," the manager told EMA. "We have to run them frequently to get a baseline of environments. That takes time and investment."

By now, it should be clear that SASE can break network operations in any enterprise. The question is: What should you do about it?

How to fix SASE operations

By now, it should be clear that SASE can break network operations in any enterprise. The question is: What should you do about it?

1. Choose single-vendor SASE

First, EMA recommends a single-vendor option. Most analysts, consultants and vendors push customers in that direction, and they aren't wrong. Our research found that enterprises do better with SASE when they adopt a single-vendor strategy.

But keep in mind that single vendor doesn't necessarily mean fully unified. Evaluate single-vendor products carefully to make sure the connection points between the multiple products under the hood are up to standards.

2. Consider managed SASE

Second, consider managed SASE. A managed approach abstracts away many of the complexities this article examines. A service provider's whole business depends on its ability to implement and manage a SASE offering effectively and efficiently. If the provider can't make an offering kludged together from multiple products work, it won't stay in the SASE business for long. A managed offering also comes with a service-level agreement (SLA) customers should enforce vigorously.

3. Update tools for visibility and integration

Finally, update your tools to ensure you have sufficient visibility, even when adopting SASE as a service. Most enterprises that deploy SD-WAN and SASE as managed services adopt a hybrid operating model, where the network teams and the provider share responsibility for daily operations, such as monitoring, troubleshooting and change management.

This enables the customer to validate SLA compliance. But it also empowers the network operations team to solve problems faster than the service provider can do alone. After all, networks are complex, and a SASE managed service is usually focused on the WAN. It doesn't account for what's happening in the cloud, data centers, campus and branch networks, nor the home offices of remote employees.

Many SASE MSPs don't even own the internet connectivity that constitutes the WAN underlay. They see everything from the point of view of the tunnels that traverse that underlay. Only the internal network team has that context, so monitoring SASE with your own tools enables them to get the full end-to-end view of things. The EMA study, in fact, found that 61% of companies adopted new network monitoring tools capable of providing SASE observability.

Network teams are in the process of integrating traditional tools that collect flow records and device metrics with SASE products. These integrations include Simple Network Management Protocol management information bases and traps, as well as API calls. They're also adopting synthetic network monitoring tools. Many network monitoring vendors are partnering with SASE vendors to make this work for their customers.

Wrap-up

SASE adoption is underway. The potential network operations pitfalls are clear, and your mission is clear: Operationalize this technology to the best of your ability by picking the right technology, working with the right provider and modernizing its tool set for optimal observability.

Shamus McGillicuddy is vice president of research for the network management practice at Enterprise Management Associates (EMA). He has more than 15 years of experience in the IT industry and has written extensively about the network infrastructure market. Prior to joining EMA, McGillicuddy was the news director for TechTarget Networking.

Dig Deeper on Network security