Gartner’s Nat Smith Explains What Is and Is Not SASE

Dave Greenfield
June 29, 2021

A good portion of my day is spent speaking with the news media about Cato and the SASE market. There’s a routine to these conversations. Many will groan over an acronym that’s pronounced “sassy.” They’ll listen but often dismiss the area as “just more Gartner hype.”  For many, SASE seems like another marketing exercise like Big Data or Cloud Computing.

And I get that. For 20+ years, I too was an IT journalist. As a feature journalist, I was lucky. I could specialize and dive deep into the nuances of technologies. News journalists aren’t so fortunate. They must move between many technology areas, making it incredibly difficult to uncover the differences between slideware and reality.

So, I understand skepticism around SASE, particularly when every little networking and security vendor claims to be a SASE company. And if every security device, virtual appliance, or managed service is SASE, what have we accomplished? Nothing.

Which is why a recent session by Nat Smith, Senior Director in the Technology and Service Provider (TSP) division of Gartner, was so interesting. Smith pierced the confusion around the SASE market, explaining what is and what is not SASE in a very plain spoken kind of way.

Join Our Webinar –Strategic Roadmap for SASE

SASE connects people and devices to services

Smith’s explanation was very straight forward: SASE is taking the networking service and those kinds of capabilities and also the security service and those capabilities and putting them into a single offering. Some people will simplify it a little bit and say SASE is connecting people and devices to services.

His simple definition alludes to two innovations. The first is convergence, the bringing of all networking and security functionality together. For too long, enterprises have had to grapple with the complexity of managing and integrating network security appliances. The assortment of appliances dotting enterprise networks extracted a significant operational burden on IT teams. They had to patch and maintain appliances. As encrypted traffic levels grew and CPU demands soared, branch appliances had to be upgraded. Gaps were created for attackers to exploit, required significant investment to integrate solutions. Visibility grew limited as critical data was locked behind silos requiring additional management tools to overcome those issues.

Convergence solves these issues, pulling networking and network security functions into one seamless solution. Packets come into the SASE platform, get decrypted, and functions applied in a single pass before sending the packet onto its destination. Performing operations in parallel rather than moving them through a service chain of devices reduces latency and allows the SASE platform to scale more efficiently.

While Gartner documents point to a wide range of functions converged by SASE, Smith broke them down into five main areas: SD-WAN, FWaaS, SWG, CASB, and ZTNA.

In truth, security and networking convergence preceded SASE. UTMs are probably the best example, and even some SD-WAN appliances have added security capabilities (Figure 1).  Which brings us to the next innovation —cloud-native services.

SASE is not

Figure 1: Network security appliances are “thick,” performing all functions themselves.

SASE: It’s not an appliance 

SASE is a true cloud service. It’s not a single-tenant appliance stuck in the Cloud. It’s a multitenant platform designed as a cloud service. I think of it as the difference between O365 and Word. Microsoft, and all cloud providers, push out new features and new capabilities all the time. There’s no need to download, test, and deploy a new version worrying all the while the repercussions for my laptop. And while desktop software only works for that computer, the Cloud is available to me wherever I go, from whatever device I’m using. I don’t have to worry about running out of storage or patching software. The provider handles all of that.

SASE brings those same cloud benefits to networking and security. SASE breaks functionality into two, keeping the bare minimum at the edge while moving core functioning into the Cloud (Figure 2). There are no patches or updates to test and deploy; they just “appear” in the service. Storage and scaling are things the provider has to worry about, not IT.

SASE creates a “light” appliance

Figure 2: SASE creates a “light” appliance at the edge, providing just enough processing to move traffic into the Cloud where compute-intensive security and networking services can benefit from the scalability and elasticity of the Cloud.

Shifting processing to the Cloud leverages the Cloud’s scalability and elasticity. Compute-intensive services, like content inspection, normally force branch appliance upgrades to accommodate traffic growth. But within the Cloud, they can run at line-rate regardless of traffic volumes. And by being in the Cloud, SASE services can be made available to users anywhere without a perceptible difference.  

SASE: It’s not just in the Cloud; it is the Cloud 

And this point, SASE services being made available to the user efficiently; that’s critical. Smith pointed to the below example where security processing happens in Shanghai PoP that services three locations — Shanghai, Singapore, and San Francisco (Figure 3). He posed the question, “Is this SASE or not?”

SASE is not a single PoP

Figure 3: SASE is not a single PoP converging networking and security services, as users located far away (in San Francisco, in this case) will not experience local performance.

Shanghai users will experience pretty good response time. Singapore less so, but San Francisco? With a thousand kilometers to the Shanghai PoP, San Francisco users will experience significant latency as traffic is brought back to Shanghai for inspection. Users probably won’t call it that. They’ll likely talk about “the network being slow” or applications taking forever to load.” But the culprit will remain the same: the latency needed to get back to PoP for processing. A single PoP does not make SASE.

SASE is meant to give local performance to all users regardless of location. As such, Smith points out that SASE must be distributed, delivering a cloud edge service that brings security processing near the source. A global network of PoPs is needed, where PoPs are close to the company locations and mobile users using that service (see Figure 4).

SASE security processing

Figure 4: With SASE, security processing is distributed across a global fabric of PoPs. Users experience local performance regardless of location.

Convergence and Cloud-Native Define SASE 

SASE is the convergence of networking and security, but it’s also about moving from the edge to the Cloud. Smith sees both of those elements — convergence and cloud-native — as essential for realizing SASE’s promise.

Failure to deliver on both of those elements isn’t SASE. It’s just hype.

 

 

 

Dave Greenfield

Dave Greenfield is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.