SASE – The Strategic Difference Is in the Middle

SASE (Secure Access Service Edge) is the new, shiny toy of networking and security providers. Defined in 2019 by Gartner, SASE is a new, converged, cloud-native, elastic, and global architecture that will dominate the way enterprises deliver a broad set of networking and security capabilities.

Since then, SASE messaging has been adopted by most vendors in the market for an obvious reason: SASE creates a disruption of the legacy IT architecture of edge appliances and multi-vendor point solutions. Vendors that built their business around the distribution, upgrades, and replacement of physical boxes face obsolescence. The same is true for service providers that profited from managing that inherent complexity.

Why was this change of architecture necessary? The complexity of IT infrastructure is increasing exponentially. The ability to control a multi-vendor infrastructure depends on resources, skills, and budgets that can’t grow at the rate needed to securely connect the business anytime, anywhere, and on any device. Case in point is the need to support the sudden migration of the entire workforce from branches and offices to work from home. A complex, fragmented, and appliance-centric infrastructure simply can’t accommodate this shift – it was never built to support work from anywhere, anytime and on any device.

We saw a glimpse of that problem over the past decade with the requirement to secure access to cloud resources by mobile users. If all your traffic is secure at your datacenter and branches, how do you inspect mobile-to-cloud traffic? One option was to force that traffic via the company datacenter so it can be protected by the main firewalls. This solution impacts performance and the user experience and is often rejected by the end users. The answer was cloud-based security that addressed the latency problem, but further fragmented and complicated the IT security stack by introducing yet another point solution.

SASE is the new architecture for connecting and securing the digital business that is built to be fast, adaptable, and resilient. How does SASE achieve that? By placing the vast majority of enterprise networking and security capabilities in the cloud. The cloud sits in the “middle” of the enterprise – it is an ideal place to scale, expand, and evolve the security and networking capabilities needed by all enterprise resources: people, locations, devices, and applications. By being in the “middle,” SASE holistically inspects, optimizes, and protects all traffic from all sources to all destinations.

The “middle” is a scary place for product vendors. It is a cloud service that requires a new set of operational capabilities and know-how to deliver. Amazon Web Service (AWS) compute is uniquely different than the product that is a Dell server. AWS makes the virtual server you use available, redundant, scalable and connected with a click of the button. It is by no means someone else’s computer.

SASE requires vendors to become like AWS. Some will never get there. Some will try to acquire their way into it. Some will prioritize current cloud capabilities over similar appliance-delivered ones. And this process will have to go through a sales and support channel that is even more challenged by the SASE transition. This is going to be messy.

When you look at the SASE field, and you want to separate true from fake SASE providers, look for the “middle.” Ask yourself:

• Has the SASE provider’s cloud service been field tested to deliver the global reach, scalability, and degree of functional convergence needed by enterprises?
• Does the SASE service provide holistic visibility? The service should offer a single view showing all enterprise traffic flows regardless if they’re across the Internet or the WAN, between sites, remote users, or cloud resources.
• What security and networking capabilities can be applied to that traffic? Is the service limited to access restrictions, or can it also optimize and accelerate traffic?
• What degree of centralized management control does the service provide? Is there a single pane-of-glass where you can set or change all capabilities relating to networking, security, remote access, and the cloud or must the service provider get involved at some point?

If the answers are opaque, you are looking at a SASE wannabe. And unlike other solutions where features can be added to a roadmap, SASE requires the creation of a totally new architecture.

To begin to know a true SASE – look at the middle.