kentoh - Fotolia
Why Secure Access Service Edge is the future of SD-WAN
Secure Access Service Edge -- or SASE -- architecture transitions from network designs that revolve around the data center to a model based on identity and user context.
When software-defined WAN was first introduced, it quickly became synonymous with WAN transformation. If you were going to fix the ills of wide area networking, the road led through SD-WAN. But, in truth, SD-WAN ignores many other networking and security challenges that face the digital business.
A new architecture is taking hold that some analysts expect to address those challenges: the Secure Access Service Edge model. SASE -- pronounced "sassy" -- was first coined by Gartner analysts Neil MacDonald, Lawrence Orans and Joe Skorupa in Gartner's "Hype Cycle for Enterprise Networking, 2019" report and in more depth in "The Future of Network Security Is in the Cloud" report.
Let's find out what Secure Access Service Edge is and why it matters.
What's wrong with SD-WAN and why we need SASE
Legacy enterprise architectures center around the data center. Internet access comes through secure gateways in the data center. Replacing MPLS with SD-WAN doesn't change that paradigm -- and that's a problem. With the adoption of the cloud, mobility and edge computing, the private data center is no longer the epicenter of the enterprise network. Backhauling traffic to the data center for enforcement makes no sense.
Beyond simply fixing the connectivity issues of MPLS, we need to find a way to deliver security inspection everywhere. We also need to do this in a way that's consistent for mobile users and branch offices.
What is SASE?
Enter SASE, a new kind of security and networking architecture. SASE platforms connect and secure entities based on their real-time context in accordance with company policies.
Instead of forcing traffic to be backhauled to inspection engines in the data center, SASE brings the inspection engines to a nearby point of presence (PoP). Clients send traffic to the PoP for inspection and forwarding to the internet or across the SASE global backbone to other SASE clients. A SASE client might be a mobile device with a SASE agent, but it could also be an IoT device, a mobile user with clientless access or an appliance in a branch office.
SASE converges the previously disparate networking and security services for addressing fixed and mobile users -- as well as IoT devices and cloud resources -- into one coherent service based on the user's context.
Key attributes of SASE
Gartner defined well over a dozen different SASE characteristics, but these can be boiled down into four main attributes.
Global SD-WAN footprint. SASE aims to deliver the optimum possible network performance for all applications everywhere. To that end, SASE includes a global SD-WAN service that operates over a private backbone. Using a private network overcomes the latency problems of the global internet. The backbone should connect distributed PoPs that run the company's security and networking software. Enterprise traffic should rarely touch the internet; it does so only to reach the SASE backbone.
Distributed inspection and policy enforcement. SASE services don't just connect devices; they protect them. Inline traffic encryption and decryption scale are table stakes. SASE services should inspect traffic with multiple engines that operate in parallel. Inspection engines include malware scanning and sandboxing. SASE should provide other services as well, such as DNS-based protection and distributed denial-of-service protection. Local regulations, such as GDPR, should be enforceable in the SASE's routing and security policies.
Cloud-native architecture. Ideally, a SASE service will use a cloud-native architecture that has no specific hardware dependencies. Ideally, appliances should not be service-chained together. As software, the SASE service can scale as needed, is multi-tenant for maximum cost savings and can be instantiated quickly for rapid service expansion.
On-premises, customer premises equipment deployment options are available, but these SASE endpoints should be turnkey black boxes where users "turn it on and forget it," as Gartner said.
Identity-driven. Unlike other managed network services, SASE architecture provisions services based on the identity and context of the connection source. Identity considers a variety of factors, including the initiating user, the device being used and real-time factors, such as the time of day and device location.
Benefits of SASE
SASE brings many benefits to the enterprise, including the following.
Reduced complexity and costs. SASE reduces complexity and cost by reducing the number of vendors IT teams need. The model requires fewer branch appliances -- physical or virtual -- and end-user device agents. SASE competition will further lead to cost savings.
Improved performance. With their own backbones, SASE providers will be able to offer latency-optimized routing among their PoPs worldwide. This is especially critical for latency-sensitive apps, such as collaboration, video, VoIP and web conferencing.
Better security. SASE vendors inspecting content will enable enterprises to apply data policies across every user, regardless of device or context. Access will also be improved as companies set policy based on identity and not user -- zero-trust networking access, or ZTNA.
Improved IT operations. With SASE providers maintaining the inspection engines, organizations are freed from having to worry about updating for protection against new attacks, appliance scaling and multiyear hardware refreshes. Centralized policy definition is also a given. With IT operations teams unencumbered by those mundane tasks, they can spend more time on what matters: bringing value to the business.
SD-WAN and SASE: What are my options?
Gartner is clear that SASE is a market in flux with vendors coming at it from different angles -- some from the content delivery network space, others from the security world and still others from the SD-WAN market.
Several SD-WAN players are moving into the SASE space. Cato Networks is the most notable in this regard. It offers all four elements of SASE service: global footprint, distributed inspection and policy enforcement, a cloud-native platform and identity awareness.
Other SD-WAN vendors are taking a black box edge approach to SASE. Open Systems is a case point. It offers security and networking, is fully managed -- Open Systems handles all changes -- and offers a comanagement option as well. Open Systems relies on the internet or Microsoft Azure Virtual Network as a global backbone. Versa Networks takes a similar approach when resold by its partners, though each partner individually determines which Versa features it offers its customers.