Before IPsec and software-defined WAN, the typical remote location -- such as a bank branch or retail store -- functioned on private circuits, like time-division multiplexing or MPLS, which connected to a corporate data center or other hub location to egress to the internet, cloud or SaaS providers.
The cost savings from dropping telecom services in favor of dedicated internet access (DIA) and broadband services are so desirable that the use of SD-WAN grew astronomically over the past five years. Unfortunately, this also expanded the internet-facing attack surface just as dramatically: every site that egresses locally is now a directly reachable endpoint.
A simple internet search of Common Vulnerabilities and Exposures and SD-WAN, or CVE SD-WAN and the name of any SD-WAN vendor, reveals the scope of the issue. Bad actors are using SD-WAN tunnel endpoints and device physical addresses for a variety of attack vectors.
To solve the security issue, several proprietary methods emerged to harden SD-WAN endpoints. Enterprise security teams can no longer trust these methods and are adopting Gartner's Secure Access Service Edge (SASE) model to standardize and strengthen the security stack.
Yet, a cloud-only model for SASE is insufficient. The SASE device -- let's call it universal customer premises equipment, or uCPE -- must have the minimum capability to harden the control plane and protect the site from attack. This means it must have more than encrypted tunnels at its disposal. At the same time, a uCPE-only strategy will also not work. SASE is about balance.
As this nascent framework of SASE continues to emerge, let's examine some possible SASE use cases.
SASE use case 1: Network performance
In geographically diverse systems -- such as branch banking or retail -- prior communications models traversed the enterprise network to a hub where an enterprise-grade security stack existed. So, as applications morphed into the current web, cloud and SaaS models, the performance issues became obvious.
One example might be a retail business based in Seattle that has distribution centers and stores across the U.S. A remote node, like a store in Miami, might need to traverse the entire country to use a data center in the Pacific Northwest to get to the internet to process a transaction with a bank back in Florida. While the added latency probably works for a financial transaction application, imagine the problems that real-time apps, like voice and video, would endure.
With SASE, the Miami store would connect with enterprise applications over secure tunnels but egress locally for SaaS and IP-based services with local vendors. This improves performance and optimizes the experience for users and applications.
Is this a cloud or uCPE setup? The answer is both. A uCPE system is necessary for site hardening and tunneling at a minimum. But cloud features, such as distributed denial-of-service mitigation and cloud access security broker, are also required. These cannot be solved at the site level.
How much cloud and how much at the site? That's the balance issue.
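The Miami store scenario above comes down to a per-flow decision at the uCPE: enterprise traffic goes over the secure tunnel to the hub, approved SaaS and local services break out locally, and anything unrecognized is not allowed to break out. The following is an added illustration (not code from the article or any vendor) of that split-egress policy as a small, auditable evaluator. The prefixes, rule names and flows are constructed sample values; the secure default is that an unmatched destination is tunneled to the hub rather than sent straight to the internet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Literal, Sequence

Action = Literal["tunnel", "local_breakout"]


@dataclass(frozen=True)
class Rule:
    """One line of the central egress policy pushed to every uCPE."""
    name: str
    dst_nets: tuple[str, ...]      # destination prefixes (CIDR)
    dst_ports: frozenset[int]      # empty set = any port
    action: Action


# Constructed policy for the hypothetical retailer; the same list is
# distributed to every site so the security posture is consistent.
POLICY: list[Rule] = [
    # Enterprise applications live behind the hub: always tunnel.
    Rule("enterprise-apps", ("10.0.0.0/8", "172.16.0.0/12"), frozenset(), "tunnel"),
    # Approved SaaS on HTTPS may leave the site directly.
    Rule("approved-saas", ("203.0.113.0/24",), frozenset({443}), "local_breakout"),
    # Local payment processor reached over HTTPS, no backhaul needed.
    Rule("local-payment-gw", ("198.51.100.0/24",), frozenset({443}), "local_breakout"),
]


def classify(dst_ip: str, dst_port: int,
             policy: Sequence[Rule] = POLICY) -> tuple[str, Action]:
    """Return (matching rule name, action) for a flow; first match wins.

    Unmatched traffic falls back to the tunnel so the hub security stack
    still sees it: local breakout is an allow-list, never the default.
    """
    addr = ip_address(dst_ip)
    for rule in policy:
        in_net = any(addr in ip_network(net) for net in rule.dst_nets)
        port_ok = not rule.dst_ports or dst_port in rule.dst_ports
        if in_net and port_ok:
            return rule.name, rule.action
    return "default", "tunnel"


def breakout_on_any_port(policy: Sequence[Rule] = POLICY) -> list[str]:
    """Audit check: names of rules that allow local breakout on every port.

    A wildcard-port breakout rule is the kind of drift between sites that
    the consistent-security use case is meant to prevent.
    """
    return [r.name for r in policy
            if r.action == "local_breakout" and not r.dst_ports]


def summarize(flows: Sequence[tuple[str, int]],
              policy: Sequence[Rule] = POLICY) -> dict[str, int]:
    """Count how many of the given (dst_ip, dst_port) flows take each path."""
    counts: dict[str, int] = {"tunnel": 0, "local_breakout": 0}
    for ip, port in flows:
        counts[classify(ip, port, policy)[1]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample of flows seen at the Miami store.
    sample = [("10.20.30.40", 8443), ("203.0.113.7", 443),
              ("198.51.100.9", 443), ("192.0.2.55", 80)]
    for ip, port in sample:
        print(ip, port, "->", classify(ip, port))
    print(summarize(sample))
    print("wildcard breakout rules:", breakout_on_any_port())
```

The policy is a plain list so it can be version-controlled and pushed unchanged to every uCPE; `breakout_on_any_port` is the sort of check a security team would run against the policy before rollout.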
SASE use case 2: Cloud-heavy
In geographically diverse networks, the cloud model is driving most SD-WAN vendors. In this space, a leading cloud security vendor is Zscaler, which offers powerful security tools. This type of vendor needs to be coupled with another that provides the uCPE and networking side of SASE. Although Zscaler does not offer an SD-WAN, it partners with SD-WAN vendors to offer security controls.
Additionally, vendors with hardened uCPE also work with Zscaler, but expect this class of cloud security vendor to buy or develop its own uCPE capability as well.
SASE use case 3: uCPE-heavy
In the uCPE-heavy model, most of the service is distributed to the edge. An example here is Versa Networks with its fully functional routing, next-generation firewall and other capabilities. Other vendors working toward this model include Cisco and Palo Alto. All of these vendors are deploying some cloud-based services to complete the SASE model.
SASE use case 4: Network as a service
Typically, businesses develop a company around a product offering. But an emerging class of vendors, such as Cato Networks, offers an end-to-end service that ties together sites to their own backbone and cloud services. Several content delivery network vendors and new carrier services are also moving in this direction.
SASE use case 5: Consistent security
SD-WAN solved several scale and performance issues for enterprises, but it did not solve the security complexity issue. In fact, if anything, SD-WAN made the problem harder. The number of internet access points based on DIA and broadband connections to the SD-WAN sites increased significantly.
Even in geographically compact businesses -- like a medical system with a few dozen clinics in a single metropolitan area or small region -- SASE can still be used. While these environments may not experience serious performance issues, there is an inherent problem with an SD-WAN device without native security to harden its connection to the internet.
To sum up, SASE was created to define how to offer services over the internet securely and to address the inherent issues of doing so. It addresses connectivity, routing and security for the enterprise and will evolve quickly over the next couple of years.
Enterprises should invest in services offering a balance between the connectivity savings they need and the security required to protect their users, data and systems.