Listen to post:
SASE (Secure Access Service Edge) is a new architecture that converges networking and security into cloud-native, globally available service offerings. Security inspection and policy enforcement is performed at the cloud edge, instead of backhauling all traffic to a centralized data center for inspection. This enables organizations to strengthen their security posture while ensuring high performance, scalability and a good user experience.
Unfortunately, many vendors attempt to market loosely integrated products and partnerships as SASE. they find the fastest way to enter the SASE market is to virtualize existing hardware-based products and deploy them into public cloud providers (AWS, Azure, GCP). and then enhance them with additional capabilities.
So, which approach is best? In this blog post we explore the two options, converged and integrated, and the differences between them. To learn more about which SASE vendor you should choose you can read the whitepaper this blog post is based on: “Integrated vs. Converged SASE: Why it Matters When Ensuring an Optimal Security Posture”.
Why Do Some SASE Vendors Offer an Integrated SASE Solution?
Integrating siloed point solutions is the fast track to entering the SASE market. But this type of solution is full of drawbacks. These include:
- Increased Complexity – Integrated solutions add management layers, which reduces agility. Integration does not deliver the required SASE capabilities and requires more effort and risk from the customer. This is the opposite of what Gartner envisioned SASE to be.
- Poor Performance – SASE solutions that rely on integration can’t provide a single-pass architecture. Single Pass is critical for SASE’s promise of high performance because all engines process and simultaneously applies policies to traffic flows at the cloud edge. Integrated solutions do not have this single-pass architecture, so they are vulnerable to higher latency issues.
- Limited Vendor Control – Some vendors with an incomplete SASE solution will partner with other technology vendors to build their offerings. This means each vendor only controls and supports their product, and customers subsequently are left with multiple security technologies to deploy and manage. Because of the numerous risks this creates, including security blind spots, customers will not enjoy the full promise of SASE.
- Security Gaps – Technology integration increases the chance of security events being ignored or overlooked. Because each product in an integrated architecture is configured to inspect certain activities within traffic flows, they view it in its own context. This leads to insufficient sharing of all necessary context, thus leaving networks exposed to security gaps.
- Lack of Full Visibility – Integrated offerings tend to rely on multiple consoles and sources that prevent accurate correlation of network and security traffic flows and events. Because of this, customers do not have full visibility and context of these flows and will not have the same level of control that a converged SASE solution has.
What are the Benefits of Converged SASE?
Converged SASE is built from the ground up to deliver both security and networking capabilities. This benefits the customer in the following areas:
- Rapid Deployment – Integrated solutions have longer deployments since they have multiple consoles and multiple policies that require extensive manual effort from the customer and this risks policy mismatches or other errors during the deployment. A converged architecture, on the other hand, simplifies deployments with a single management application for configuration and a single policy for all customer sites. This makes the deployment less complex, allowing quick and easy implementation.
- Decreased Overhead – Converged SASE provides a single management application for management and reporting that decreases administrative overhead and simplifies investigation and troubleshooting.
- Low Latency – A true single-pass architecture decreases latency by ensuring all security engines simultaneously inspects and applies policies on all traffic once at the cloud edge before forwarding on to its destination.
- Cloud-Native Possibilities – Solutions that are born in the cloud are purpose-built for scalability, agility, flexibility, resilience and global performance. This is unlike cloud-delivered solutions that are virtual machines based on appliance-based products that are deployed in public cloud provider data centers,
- No Hybrid or On-Premises Deployments – SASE was defined by Gartner as being delivered from a cloud-native platform. Vendors that offer hybrid or on-premises options are not cloud-native and customers should proceed with caution and remember the core requirements of SASE when considering those options.
Integrated vs. Converged SASE
Which type of solution is best for modern enterprises? Here are the main functionalities offered by each type of solution:
- SD-WAN from partners
- Multiple management consoles
- Require VM deployment
- Require tunnel configuration
- Hosted in the public cloud
- Separate authentication flows for security and access
- Require SIEM for network and security event correlation
- Hybrid deployment
- Networking, security and remote access products are separate
- Requires multiple products
- Different PoPs offer different capabilities
- Native SD-WAN
- A single management application
- Full mesh connectivity
- Optional use of IPSEC tunnels
- Optional export to SIEM
- Better collaboration among converged technologies
- Holistic security protections
- All PoPs are fully capable
- There is consistent policy enforcement
Which Vendor Should You Choose?
There is are fundamental differences in SASE capabilities between an integrated and a converged platform. This includes their ability to eliminate MPLS, simplify and optimize remote access, enable easy cloud migration, and securing branch and mobile users. SASE solutions are designed to address numerous customer use cases and solve multiple problems, and it is important for customers to conduct a thorough evaluation of both approaches to ensure their chosen platform meets their current and future business and technology needs.
Read more about how to choose a SASE vendor from the whitepaper.