Software-defined WAN created an opportunity to displace carrier-led architectures and keep established vendors from having a lock on the enterprise WAN business. However, the use of direct internet access, or DIA, and broadband connectivity at remote locations created a management issue when it came to security requirements at these edge locations.
Enterprise-grade security uses a literal stack of devices. While this strategy is cost-effective in centralized instances, it doesn't make sense in a branch office model. Splitting access between secure tunnels to enterprise services and DIA for applications, like Microsoft 365, was desired for performance reasons, but security teams and regulators had trouble approving this type of access.
This is where Secure Access Service Edge (SASE -- pronounced "sassy") comes in. This Gartner-defined architectural concept is driving the convergence of networking and security functions at the edge.
Organizational silo issues
IT departments in large enterprises grew over time and, out of necessity, resulted in organizational cultures that created separate silos for networking, servers, desktops and security. In the centralized world before software-defined WAN (SD-WAN), security equipment was centralized at data centers and managed by a separate team.
This article is part of
The complexity of security created the need for specialized personnel working on issues with specialized equipment. These systems included, but weren't limited to, devices such as intrusion prevention systems (IPSes), intrusion detection systems, firewalls, next-generation firewalls, data loss prevention tools and the like. But almost no one could afford to manage these separate systems at the edge.
SD-WAN addresses scale but complicates security
Software-defined routing using SD-WAN technology solved many scale and performance issues for enterprises but didn't resolve the issue of complex security. In fact, if anything, SD-WAN made the problem harder.
To address the security issue, most SD-WAN users chose to leave security as a separate process. As a result, branch users would ride the SD-WAN connection to a data center -- just like they did with MPLS -- where the enterprise demilitarized zone would permit internet access. So, a DIA- or broadband-connected branch would transit the internet to get to the internet.
The two following approaches emerged in an attempt to improve this SD-WAN security situation:
- Colocation hubs
- This model created new security stacks operated by the security team that were distributed geographically to improve client performance but maintained full separation on an approved security stack.
- An example architecture is the Equinix Performance Hub reference architecture, in which clients can aggregate SD-WAN traffic and establish enterprise-grade security stacks that permit internet, SaaS and cloud connectivity.
- Security as a service
- Zscaler pioneered this model, in which the branch has secure tunnels to both the enterprise data center(s) and to Zscaler data centers.
- Cato Cloud from Cato Networks and Fortinet's OPAQ Networks unit also operate this model.
In both these cases, the security and networking teams operate fully independent of each other.
SASE convergence and vendor moves
Zscaler, Fortinet's OPAQ Networks unit and a host of cloud-based offerings all claim to be native SASE, but they cover only half the story -- i.e., the security side. The other side of the SASE equation is networking functions, and this is where most of the SD-WAN vendors shine.
No single vendor has a perfect offering, but all the leaders are pursuing an integrated vision. Cisco, Fortinet, Palo Alto Networks and VMware VeloCloud have stitched together their networking and security offerings through series of acquisitions and are all on the path to having native SASE offerings. Separately, Versa Networks is the last independent vendor in Gartner's leader quadrant in the "2020 Magic Quadrant for WAN Edge Infrastructure," as Silver Peak was recently acquired by HPE.
A new class of vendors is emerging that offers end-to-end SASE services. For example, Cato Networks and Versa Networks have offerings that include all the local components associated with SASE for both networking and security. Cato converges SD-WAN and network security into a global, cloud-native service. It connects sites, mobile users, cloud data centers and cloud applications into its private backbone, running a security stack that includes a next-generation firewall, a secure web gateway, antivirus, and managed detection and response. With the SASE announcement from Gartner last year, Versa adjusted its product development to fill in the cloud-based gaps. In addition, Versa runs on commodity-based universal customer premises equipment (uCPE) platforms and supports both multi-tenancy and role-based access control (RBAC).
Organizational barriers to SASE
The barriers to SASE are mostly organizational. Network teams aren't fired for buying Cisco or Juniper, and security teams love Palo Alto. SASE requires enterprises to look at a CPE and its network and security functions holistically. However, an organization might have difficulty implementing the system if it can't support multi-tenancy and RBAC because most larger firms have distinct architecture, engineering, implementation and operations teams. In addition, they fully separate functions between security and networking.
For example, a security operations team member might need read access to a router and have write access to a firewall. Conversely, a network troubleshooter might need write access to a router but need read access to the IPS and firewall. Organizations with these silos live by ITIL separations and provide tiered access to infrastructure devices. Unfortunately, situations arise in which enterprise teams will not share management of a device -- even where security and networking functionalities have fully separated management interfaces.
This is where logic and reality collide. We often need to understand what we can accomplish, as opposed to defining the perfect solution and never getting there.
Factors to consider about SASE convergence
An organizational construct with rigid silos written in stone probably won't look at a native SASE offering, but it should. The cost benefits of integrated offerings are huge, offering fewer devices, fewer vendor contracts and less maintenance.
Enterprises should evaluate whether a native SASE platform supports the four following aspects:
- an integrated uCPE device that can do all local networking functions;
- a single-pass process for doing all local networking and security functions at the uCPE;
- a cloud or content delivery network offering to provide the SASE model's centralized functions, such as DNS and cloud access security broker; and
- RBAC, which provides true multi-tenancy and permits the separation of management and operations with both the networking and security functions.
You know your own organization's appetite for change and desires for cost reductions. Have potential vendors answer these questions, and your options will emerge.