If you’re not considering a Secure Access Service Edge (SASE) strategy, you’re missing an opportunity to improve both IT and business agility as well as the security of your entire network. SASE provides secure connectivity for all the remote devices accessing your network and applications. Gartner wrote simply, “Security and risk management leaders should build a migration plan from legacy perimeter and hardware-based offerings to a SASE model.”
However, to ensure security and agility and reap the full benefits of SASE, you need to follow four key guidelines for success.
Guideline #1: When it comes to security, think beyond SASE
While the scope of SASE is large and getting bigger, it is not comprehensive security. By design, it is limited to network-related security. For example, SASE does not include Endpoint Detection and Response (EDR), a key approach to battling ransomware, because EDR inspection for malicious activity happens within the operating system — not the network.
Similarly, SASE does not include Cloud Workload Protection (CWP), which keeps workloads in Infrastructure-as-a-Service secure. It’s excluded because it implements security controls outside the scope of the network. But counterintuitively, Cloud Access Security Broker (CASB), a technology solution that secures cloud applications and related data, is indeed a part of SASE. That’s because CASB is considered inside the scope of the network. It enforces security controls using the enabling network.
Remember that SASE is a technology strategy, not a complete security program with mature processes and much-needed expertise. It does not include 24/7 monitoring by an expert security team. Today, no matter how sophisticated the technology is, securing your cloud as well as your on-premises infrastructure requires security analysts who can understand what the technology is detecting and quickly respond with an effective defense, as illustrated by the widely adopted NIST Cyber Security Framework.
Guideline #2: Let use cases drive your technology selections (not the other way around)
While SASE’s cloud-centric architecture is increasingly the best choice for provisioning smaller offices that need to be up and running quickly, the cloud is not necessarily the best choice for large offices. This is particularly the case with firewalls. On-premises next-generation firewalls coupled with secure web gateway appliances often remain the best choice for situations where performance and cost of ownership are most important, as cloud firewalls have limitations in these areas. Therefore, don’t force a cloud-only strategy across the board. Instead, pick the best technologies for the use cases at hand.
For those who need to rely on on-premises firewalls, the good news is these appliances can still be part of your SASE strategy. Since they can be managed from the cloud, you can achieve the ease of management without a firewall-as-a-service performance hit or the higher cost. However, you must give up the agility advantages, which are typically not a problem for large offices. The real advantage here is the flexibility to use both cloud and on-premises firewalls and have both environments consistently managed for policy. In the end, look for a provider that offers both firewalls, but most importantly, one that can consistently manage policies across all. You want a solution at the intersection of flexibility and simplicity.
Guideline #3: Maintain a degree of vendor diversity despite SASE market consolidation
Gartner's 2019 Hype Cycle for Enterprise Networking warns of this, saying, "Software architecture matters. . . Be wary of vendors that propose to deliver services by linking a large number of features via VM service chaining, especially when the products come from a number of acquisitions or partnerships.”
Gartner's warning is valid. Daisy-chaining SASE capabilities can result in clunky, hard-to-manage, and underperforming services. But there is more to unpack. A SASE offering that has ZERO daisy chains creates security challenges. Taking Gartner’s advice too far will almost certainly result in replacing a myriad of best-of-breed security solutions with a tech stack of homegrown or acquired tools from a single technology provider. The drawback here is potentially less robust security when compared to a variety of market leaders. Plus, the components cannot be interchanged — solutions present all-or-nothing propositions.
A more advisable strategy is to have an optimal balance of minimal daisy chains and some degree of vendor flexibility. This allows SASE solutions to include industry-leading security technologies. This is best done via a service provider that can manage any extra complexity on your behalf but still deliver the benefits of such an approach. Furthermore, no single technology provider, especially a SASE startup, can deliver mature, best-of-breed solutions in the vast areas covered by SASE. Any smart provider will minimize daisy chains, partnering with no more than one or two external tech vendors and consolidating everything into a unified service with one dashboard. This is how customers are best protected from any additional complexity arising from a mix of tools and services while maintaining a more competitive SASE vendor ecosystem.
Guideline #4: Don’t ignore the importance of SD-WAN
The excitement of SASE is the ability to more effectively manage cyber risk. So, all too often, IT decision-makers overlook SD-WAN and the reliability and performance requirements that are at the heart of SASE solutions. It's essential to ensure the network component of SASE can deliver on the demands of today's increasingly distributed organizations. This includes evaluating performance, scalability, access flexibility, visibility, and control, as well as the ability to separate, prioritize, and secure bandwidth for remote employees. If you don't get past a successful SD-WAN rollout, security won't work. They go hand in hand.
If you’re just getting started with SASE, don’t fall prey to rigid thinking that can limit solution effectiveness and agility. The key is to be realistic about the power and limitations of SASE and then develop a pragmatic approach that works for your environment. Keep in mind that the larger and more diverse your infrastructure – or the more aggressive your growth plans – the more your SASE approach will need to deliver all the security you require now without limiting your options for the future.
Jay Barbour is Director of Security Product Management at Masergy.