SASE, SSE, ZTNA, SD-WAN: Your Journey, Your Way

Listen to post: Getting your Trinity Audio player ready...

Organizations are in the midst of an exciting period of transformational change. Legacy IT architectures and operational models that served enterprises over the past three decades are being re-evaluated. IT organizations are now driven by the need for speed, agility, and supporting the business in a fiercely competitive environment.   

What kind of transformation is needed to support the modern business? The short answer is “cloudification.” Migration of applications to the cloud had been going on for a decade, offloading complex datacenter operations away from IT, and in that way increasing business resiliency and agility. However, the migration of other pillars of IT infrastructure, such as networking and security, to the cloud is a newer trend.  

Transforming Networking and Security for the Modern Enterprise 

In 2019, Gartner outlined a new architecture, the Secure Access Service Edge (SASE), as the blueprint for converging a wide range of networking and security functions into a global cloud service. Key components include SD-WAN, Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Zero Trust Network Access (ZTNA). Two years later, Gartner created a related framework focused exclusively on the security pillar of SASE, the Security Service Edge (SSE).  

By moving to a converged cloud design, SASE and its major components of SD-WAN and SSE aim to eliminate the pile of point solutions, management consoles, and loose integrations that led to a rigid, costly, and complex infrastructure. This transformation addresses the root causes of IT’s inability to move at the speed of business – budgetary constraints, resource limitations, and insufficient technical skills. 

The Journey to a Secure Network for the Modern Enterprise  

As customers started to look at the transformational power of SASE, many saw a long journey to move from their current set of appliances, services, and point solutions to a converged SASE platform. IT knows too well the challenges of migrating from proprietary applications in private datacenters to public cloud applications and cloud datacenters, a journey that is still on going in many enterprises today. 

How should enterprise IT leaders proceed in their journey to transform networking and security? There are two dimensions to consider: the use cases and the IT constraints.  

Driving Transformation through Key Use Cases 

There are several key use cases to consider as the entry point to the networking and security transformation journey.  Taking a platform approach to solving these immediate challenges will make addressing future challenges much easier and more cost-effective as the enterprise proceeds towards a full infrastructure transformation.  

Work from Anywhere (ZTNA) 

During COVID the need for secure remote access (ZTNA) became a critical IT capability. Enterprises must be ready to provide the entire workforce, not just the road warriors, with optimized and secure access to applications, on-premises and in the cloud. Deploying a ZTNA solution that is part of the SSE pillar of a single-vendor SASE platform overcomes the scalability and security limitations of appliance-based VPN solutions. ZTNA represents a “quick win,” eliminating a legacy point-solution and establishes a broad platform for continued transformation.  

Cloud access control and sensitive data protection (CASB/DLP) 

The adoption of public cloud applications enables users to get work done faster. However, while the cloud may only be a click away, unsanctioned applications increase business risk through security breaches, compliance violations, and data loss. Deploying the CASB and DLP capabilities in the SSE portion of a SASE platform addresses the need to control access to the cloud and protect sensitive data.  

Firewall elimination (FWaaS) 

One of the biggest challenges in managing an enterprise security footprint is the need to patch, upgrade, size, and retire discrete appliances. With Firewall as a Service (FWaaS), enterprises relieve themselves of this burden, migrating the WAN security and routing of firewall appliances to the cloud. FWaaS is not included in Gartner’s SSE definition but is a part of some SSE platforms, such as Cato SSE 360. 

Migration of MPLS to Secure SD-WAN 

The legacy MPLS services connecting locations are unsuitable for supporting cloud adoption and the remote workforce. By migrating locations from MPLS to SD-WAN and Internet connectivity, enterprises install a modern, agile network well suited toward business transformation. Customers may choose to preserve their existing security infrastructure, initially deploying only edge SD-WAN and global connectivity capabilities of a SASE platform, like Cato SASE Cloud. When ready, companies can migrate locations and users to the SSE capabilities of the SASE platform.  

Whether the enterprise comes from networking or security, the right platform should enable a gradual journey to full transformation. Deploying SD-WAN that is a part of a single-vendor SASE platform, enables future migration of the security infrastructure into the SSE pillar. Conversely, deploying one of the security use cases of ZTNA, CASB/DLP or FWaaS that are part of a converged SSE platform enables seamless accommodation of other security use cases. And if SSE is a part of a single-vendor SASE platform, migration can be further extended into the network to address migration from MPLS or third-party SD-WAN into a full SASE deployment.  

Accelerating Your Journey by Overcoming Enterprise IT Constraints 

The duration and structure of your journey is impacted by enterprise constraints. Below are some examples and best practices we learned from our customers on dealing with them.  

Retiring existing solutions 

The IT technology stack includes existing investments in SD-WAN, security appliances, and security services that have different contractual terms and subscription durations. Some customers want to let current contracts run their course before evaluating a move to converge existing point products into a SASE or SSE platform. Other customers work with vendors to shorten the migration period with buyout programs.  

Working across organizational silos 

SASE project is cross functional, involving the networking and security teams. Depending on organizational structure, the teams may be empowered to make standalone decisions, complicating a collaborative decision. We have seen strong IT leadership guide teams to evaluate a full transformation as an opportunity to maximize value for the business, while preserving role-based responsibility for their respective domains.  

If bringing the teams together isn’t possible in the short term, a phased approach to SASE is appropriate. When SD-WAN or SSE decisions are taken independently the teams should assess providers that can deliver a single-platform SASE even if the requirements are limited to either the networking or the security domains.  

The Way Forward: Your Transformation Journey, Done Your Way 

As the provider of the world’s first and most mature single-vendor SASE platform, that is powered by Cato SSE 360 and Cato’s Edge SD-WAN, we empower you to choose how to approach your transformation journey. You can start with either network transformation (SD-WAN) or security transformation (SSE 360) and then proceed to complete the transformation by seamlessly expanding the deployment to a full SASE on the very same platform. Obviously, the deeper the convergence the larger the business value and impact it will create.  

To learn more about visit the following links: Cato SASE, Cato SSE 360, Cato Edge SD-WAN, and Cato ZTNA.