Denys Rudyi - Fotolia

Guest Post

Why SASE should be viewed as an evolution, not revolution

The hype around secure access service edge (SASE) is palpable. But by taking a step back, security leaders can align an emerging trend to their long-term goals.

It's hard to remember a security trend that has gained so much traction in such a short amount of time as SASE.

Gartner coined the term "secure access service edge" in August 2019 when it published The Future of Network Security Is in the Cloud. The report details how SASE is the natural evolution of two trends: network as a service and network security as a service.

While the introduction of SASE gave IT leaders plenty of food for thought, it seemed like it would take a while for business drivers to justify the major departure from traditional on-premises architectures. Then came COVID-19.

As IT departments around the world scrambled to enable a remote workforce, SASE seemed less of a future-state concept and more of a near-term fix for an unexpected use case. What was initially positioned as an evolution started to be repositioned as a revolution.

Considering SASE solely in the context of a remote workforce can lead to rushed decision-making. Instead, when IT leaders view SASE as an evolution, they can make security decisions that align to a long-term security strategy based on business drivers that existed long before COVID.

The rise of SASE platforms

In order to see SASE as an evolution, it's important to understand how SASE platforms started. While employee usage of SaaS applications has been on the rise for years, SASE platforms really started to gain traction when Microsoft moved Office 365 to Azure.

Unlike other SaaS applications, there was no way for organizations to send Office 365 branch traffic back to the data center for inspection without a cringe-worthy amount of latency.

Early SASE providers satisfied the Office 365 use case by allowing organizations to point Office 365 branch traffic to their cloud-based platforms. Because SASE providers had data centers near Azure data centers, they could perform the necessary traffic inspection without compromising application performance.

At the time, organizations were exploring SD-WAN to solve for increased branch traffic. Why not layer a cloud firewall and other security services on top of SD-WAN and kill two birds (performance and security) with one stone?

Shortcomings of an on-premises approach

Another driver behind increased SASE adoption involves underutilization of the on-premises security stack.

For example, most organizations refuse to inspect secure sockets layer (SSL) encrypted traffic because it can severely degrade the performance of their hardware security stack. This is a scary thought considering that 80% to 90% of today's internet-bound traffic is encrypted. You can buy the best intrusion prevention system (IPS) on the market, but if you don't have visibility into a large percentage of your traffic, your advanced security stack is worthless.  

Let's also consider data loss prevention (DLP). On-premises DLP approaches are notoriously hard to implement and are ineffective with encrypted data. SASE providers solve encrypted traffic and DLP problems by providing hardware-accelerated decryption of all internet traffic coupled with inline content inspection, delivering line-rate DLP as a service.

Right-sizing for uncertainty

Since COVID-19, SASE has been repositioned, almost exclusively, as a solution for securing the remote worker. It wasn't hard for SASE providers to tweak their branch use case to enable remote employees using a direct residential internet connection to access corporate applications. 

But even pre-COVID-19, security leaders were coming up against two harsh realities. First, that business moves much faster than the refresh cycle of firewalls, proxy servers and IPS. Second, IT staff is spending more time keeping up with upgrades between refreshes. The problem of right-sizing the on-premises security stack was already there. COVID-19 simply accelerated it.

Now IT leaders must make some difficult decisions as their security hardware comes up for refresh. They'll have to ask: Do I really need such a large firewall with a fluctuating remote workforce? The scalability, flexibility and hassle-free upgrades that SASE provides will become increasingly attractive.

The next evolution

It can be difficult to see SASE's value beyond the current crisis, but it's important to. If organizations don't, they may commit to a dual-platform approach: a pure SASE platform for cloud applications, and another on-premises platform for legacy applications.

As SASE continues to evolve, smart organizations will make their technology decisions in the context of this evolution, not as a reaction driven by current circumstances.

About the author

Mike McGlynn is vice president and general manager for global security at World Wide Technology, where he leads a team of senior security advisors and architects to drive security technologies and services sales across the company. Previously, he spent over 25 years at the National Security Agency as a technical director, where he won numerous honorary awards including the Presidential Rank Award for Meritorious Executive Service.

Next Steps

SASE reality check: What should organizations expect?

Dig Deeper on Network security