Network Security is Not a Sports Car

July 6, 2020

I grabbed a beer with a close friend of mine the other night. He’s in his 30s, recently married, and expecting his first little one. As we chatted about his new life, the matter of car buying came up. “My wife told me to go look at this SUV. I know it’s the right move and all, but there’s this hot little Maserati…”

He didn’t need to finish. I knew what he was getting at. The Maserati, he confessed, made him feel young and free. It goes from 0 to 60 in less than 4 seconds, which we both agreed is great on paper but seldom used in city traffic. The SUV? It’s not quite as sleek and shiny, but it comes with the latest car safety and security features, perfect for his family’s future expansion.

“So, where’s the dilemma?” I asked him. He had already answered his own life-and-death question. “You’ve got to protect your family.”

“I know,” he said, “but I like having the fastest car I can afford, even if I never really drive that fast.”

Everybody Likes Sports Cars. Even IT Geeks

I wasn’t surprised. I can’t tell you how many times I’ve had similar conversations with IT professionals. The details might be different, but the story is the same. A network or security appliance has reached end-of-life, and a project is kicked off to find the latest and greatest replacement. A natural affinity for big brands with never-ending datasheets and feature lists immediately (and often subconsciously) takes hold. As we all know, “No one ever got fired for buying…” And so the team buys the Biggest, Baddest, Brand Appliance loaded with the newest features. Will they ever be used? Probably not. But just having them makes IT feel a bit better, like getting to 60 in less than 4 seconds.

The thing is, there is a penalty paid for that kind of speed. In my friend’s case, it’s the SUV’s security features he’ll be missing from his Maserati. In the case of IT, it’s the overhead that comes with appliances.

We’ve all seen how switching, routing, and, yes, even SD-WAN have rapidly approached commoditization as new vendors have jumped into the market. The core features, once so unique, have become commonplace. Differentiation increasingly comes down to price and to highly specialized features that are only applicable to a handful of companies. The real value of a solution is less about specific capabilities and more about the operational overhead and agility of the solution. As Gartner puts it: “After decades of focusing on network performance and features, future network innovation will target operational simplicity, automation, reliability and flexible business models.”*

But regardless of the vendor, appliances as an architecture come with certain implicit limitations. There’s a whole lifecycle that burdens IT with costs and complexity. Appliances need to be bought, deployed, maintained, upgraded, and retired. As patches are released, they need to be staged, tested, and deployed. It’s a complex, time-consuming operation that often necessitates disrupting network operations. And as traffic volumes grow or new features are activated, the load on the appliance grows, forcing upgrades outside of budgetary cycles. What’s more, appliances cover only a small part of the network, requiring additional solutions for the rest of the network and making overall visibility and control difficult.

Appliances are good for one thing – making money. So Big Brands built on appliances have a vested interest in perpetuating those architectures. They focus on their long lists of increasingly obscure features, many of which will never be used. But like the sex appeal of a Maserati, you only realize the mistake in buying into the Big Brand marketing when it’s too late – after the crash comes, or, in IT’s case, when the company needs to meet a key business requirement, such as mergers and acquisitions (M&A), cloud migration, or global expansion. Suddenly, the limitations of appliances become all too clear.

Take an M&A, for example. How are you going to bring the acquired sites and your own sites up to a common security level, enforced by the same policy? From a management perspective, how are you going to gain visibility into all security events across both environments?

With an NGFW appliance, your options are limited. One solution would be to align everyone to a single vendor. An enormous headache. Another solution is to keep the existing stacks and buy additional products for orchestration and monitoring of the multiple security products. More expense. A third option would involve a lot of integration – manual work that no one really has the time for. Which pain would you prefer?

SUV: It’s All About Maturity, Responsibility…And Fun

The other approach is to forgo the sex appeal of the sports car, or, in IT’s case, the Big Brand appliance, and focus on solutions that really do meet today’s requirements for agility. Gartner terms these cloud-native services SASE (Secure Access Service Edge). They converge networking and security, moving the heavy processing of edge appliances into a global, cloud-native platform where it can benefit from all of the elasticity, scalability, and affordability of the cloud.

True, cloud-native SASE services might not have the appeal of the Biggest Brands. They don’t necessarily have legions of features or claims of terabit performance.

What they do bring, however, is a global networking and security platform that empowers IT to be a business enabler and champion. By connecting and securing all enterprise edges – mobile users, remote users, branches, datacenters, cloud applications, and cloud datacenters – SASE is ready for any networking challenge the CIO might face. With all edges on one network, SASE provides the deep, enterprise-wide visibility that makes management and operations much simpler. And with SASE providers running the networking and security on a global, cloud-native platform, the service is highly scalable, easily upgradable, and always maintained by the provider.

In short, IT gains a platform, not just a product, one that, like the SUV, brings benefits across many areas. All of which makes meeting modern-day requirements simple.

Take that M&A, for example. There’s no need to deploy new appliances or even force a security change. Just have the acquired company connect its branch firewalls to the SASE cloud, and security is immediately unified, enforced, and monitored in a single place.

The same goes for other critical business challenges. Need to deploy five new pop-up stores per month? Good luck configuring, deploying, and installing the necessary appliances. With SASE, you can make it 10 or even 100. Small stores can be brought online immediately by establishing an IPsec tunnel from an existing firewall to the nearest SASE PoP, or by equipping the users with the SASE mobile client. Meanwhile, adding the SASE provider’s self-configuring edge SD-WAN device to the store is easy and gives the store not just SD-WAN, but security and cloud connectivity as well.

Today Is the Day of the SASE SUV

The day has arrived when someone will be fired for buying on brand alone. My friend’s wife couldn’t give a hoot about his need for speed or that the car is named Maserati if it put her future children at risk or required them to buy yet another car to accommodate the stroller and car seat.

And the business won’t care about the logo on your router, edge SD-WAN, or NGFW appliance if you can’t be more efficient and agile and enable the company’s success. If you can’t complete the logistics behind the M&A quickly, or if you can’t enable the business to open those stores every month – and do so with all the security and reliable cloud connectivity they require – then it doesn’t matter if your HQ NGFW appliance comes from a Gartner MQ leader.

So, go enjoy that wonderful weekend with your family, take some time off from work, and don’t worry about the new ask waiting for you from the CEO. SASE has you covered.


* Gartner, 2019 Strategic Roadmap for Networking, Jonathan Forest, Neil Rickard, 10 April 2019

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Eyal Webber Zvik

Eyal Webber-Zvik is Senior Director of Product Marketing and Business Development at Cato Networks, with over 20 years of experience in security and networking companies.