IT pros need to weigh in on that ‘sassy’ security model

News Analysis
Jan 29, 2020 | 5 mins
Access Control, Networking, SD-WAN

The secure-access service edge (SASE) model developed by Gartner ties into SD-WAN, edge computing and SD-Branch, so it warrants attention from networking teams.


Cloud services that provide both network and security intelligence are gaining popularity because they are easy to consume and they improve agility. Similarly, a model known as SD-Branch is providing network and security functionality at the WAN edge on a single platform.

Both of these trends have contributed to the development by Gartner of a network architecture known as the secure-access service edge or SASE, which “converges network (for example, software-defined WAN) and network security services (such as [secure web gateways], [cloud access security brokers] and firewall as a service).” SASE (pronounced “sassy”) would primarily be delivered as a cloud-based service, Gartner says.

This model is gaining awareness among enterprise IT leaders, and it has the potential to become a leading architecture at the edge during the 2020s, but these leaders should be cautious about jumping immediately on the SASE bandwagon.

The status of SASE

Today, SASE is an intellectual discussion; it is not a market, and comprehensive solutions are not currently available. The breadth of technology required to deliver SASE means that suppliers have incomplete offerings, often with limited integration between elements such as LAN, WAN and security. Dozens of vendors are positioning themselves as SASE suppliers, but none is likely to emerge as a clear leader in the next two years.

How to deliver SASE remains in flux, with traditional network hardware, network software, services and cloud-based solutions all part of the equation. Most IT organizations will need the help of strong partners to implement SASE fully, and these potential partners have work to do.

Large suppliers have broad technology capabilities but are slow-moving. Innovative smaller suppliers have limited resources and are likely acquisition candidates. Managed service providers, communications service providers and channel partners will need to greatly enhance their converged edge solutions to meet this demand.

Why SASE?

Cloud and SaaS adoption by enterprises has changed network traffic patterns, requiring fundamental change in network and security architectures.

As Gartner notes, the role of the enterprise data center has changed dramatically. More user traffic goes to cloud services than to those data centers, and more workloads run in IaaS than in the data centers. Cloud services contain more sensitive data than enterprise data centers.

The use of the enterprise network has also changed, with more user work done off the network than on, and more applications accessed via SaaS than via the enterprise, Gartner says. So, controlling access and applying security policies based on the user, device and application that are connecting to the network makes more sense than focusing access control on the data center.

Advances in network/security software and cloud intelligence have enabled new solutions, such as SD-WAN, SD-Branch and CASB, that are quick to deploy, scalable, flexible and simple to manage.

Edge computing and IoT applications require distributed, low-latency networking and security that are likely to be delivered as cloud-based services.

Impact on SD-WAN

SD-WAN is the leading network technology to watch with regard to SASE. SD-WAN is gaining significant traction as distributed organizations look to improve application performance at their branch locations. The SD-WAN market has dozens of suppliers and highly fragmented market share, and it lacks a dominant vendor. The SD-WAN market will continue to see dynamic innovation, especially with regard to cloud-based intelligence, native security functionality and security partnerships. Leading SD-WAN platforms, over time, will be able to deliver SASE-like functionality.

Network security markets remain highly competitive, and, as is the case with SD-WAN, have dozens of suppliers, fragmented market share and no dominant player. Network security intelligence is moving to the cloud (for example, CASB) and solutions are increasingly being delivered as a service. Leading network security providers are adding network functions including routing and SD-WAN. Over time, leading network security platforms with these improved networking capabilities will start to offer SASE functionality.

Impact of IoT and mobile edge computing

IoT and other edge applications may require low-latency network and security services. The SASE architecture, with its distributed, cloud-based intelligence, can meet the demanding latency requirements of edge-computing applications. Organizations with existing or planned IoT deployments will benefit from SASE technology trends by improving IT intelligence at the edge/branch.

SD-Branch

SD-Branch, which combines LAN, Wi-Fi, SD-WAN, routing and security functionality in an integrated solution, is a prime example of what SASE solutions might look like. Suppliers will improve their SD-Branch solutions by providing better functional integration between technology elements and offering IT end-to-end quality of service, security policies and unified management.

IT, security silos complicate SASE

Deployment of SASE architectures will be strongly influenced by existing network and security organizational structures, whose silos have hampered deployment of software-defined data centers. Deploying SASE will require approval from a full range of IT and security teams.

Large organizations with dedicated security and IT teams will likely take significant time to evaluate SASE offerings. Each team will have its own biases with regard to technology and each will have preferred suppliers.

Those organizations with lean IT teams or no dedicated security personnel are leading candidates for SASE adoption. These organizations lack the expertise to integrate the wide range of network/security functionality from multiple vendors. SASE, with its all-in-one cloud model, should be well suited to small and mid-sized organizations to consume as a managed service because they are least likely to have dedicated teams.

Evaluating SASE

IT and security leaders should educate themselves on the SASE technology options becoming available over the next few years. The convergence of network and security with cloud-based intelligence will dramatically alter the architectural options they have for delivering secure IT services.

While the trend is clear enough today, the timeframe for mainstream deployment of SASE solutions may extend out five years or more. As with any nascent technology, the initial SASE solutions will have significant drawbacks in terms of functionality and integration but will improve greatly over time.


Lee Doyle is principal analyst at Doyle Research, providing client-focused targeted analysis on the evolution of intelligent networks. He has over 25 years’ experience analyzing the IT, network, and telecom markets. Lee has written extensively on such topics as SDN, SD-WAN, NFV, enterprise adoption of networking technologies, and IT-Telecom convergence. Before founding Doyle Research, Lee was group vice president for network, telecom, and security research at IDC. Lee holds a B.A. in economics from Williams College.
