What is not SASE?

May 17, 2020

When Gartner published “The Future of Network Security Is in the Cloud” late last August, they did two things. First, according to experts in the industry, they nailed identifying and describing where enterprise network and security architectures are headed in the 2020s. Second, as the Google Trends numbers imply, to describe this new approach they created one of the biggest IT buzzwords of the last year: SASE, short for “Secure Access Service Edge”.

Because of all the buzz around SASE, many “SASE vendors” are marketing solutions that have features found in SASE. However, most of these solutions miss the mark when it comes to achieving SASE’s promise of a holistic and converged network security solution. Here, we’ll look at what is not SASE to help identify what value SASE vendors should deliver to enterprises.

SD-WAN isn’t SASE

In some contexts, SASE is viewed as the next generation of SD-WAN. From the perspective of bringing agility and convergence to network infrastructure, it’s understandable why the comparison gets made. In fact, the ability to optimally route traffic and abstract away the underlying physical medium (which are core benefits of SD-WAN) is an important part of SASE.

However, SD-WAN alone is only a piece of a broader solution SASE vendors should provide. Further, not all SD-WAN implementations are created equal. For example, SASE aims to support all network edges (WAN, edge computing, cloud computing, and mobile), but with many SD-WAN appliances, mobile support is lacking or non-existent.

Cloud-based security is not SASE

As with SD-WAN, there are many security features that are important parts of a SASE solution. Examples include IPS (intrusion prevention system), NGFW (next-generation firewall), and SWG (secure web gateway).

Since identity-driven security and cloud-native architecture are key characteristics of SASE, it may be easy to buy into the idea that a feature-rich cloud-based firewall can serve as a method to implement SASE. However, in practice, this doesn’t work out well. Security is only half of the SASE architecture, and a cloud-based firewall and IPS alone can’t help with routing and WAN optimization at a global scale.

Again, as with SD-WAN, the benefits of these technologies make them an important part of SASE, but even when bundled together they are not in and of themselves SASE.

Multiple disparate appliances patched together isn’t SASE

The SD-WAN functionality that enables agile and efficient routing is an important part of SASE. Similarly, security features such as IPS, SWG, and NGFW are an important part of SASE. However, simply deploying appliances and solutions from “SASE providers” that check all the boxes of the SASE feature set won’t deliver the promise of SASE.

This is because creating a patchwork of network and security appliances and cloud solutions simply can’t provide the agility, visibility, simplicity, and performance a single converged solution can. Sourcing, deploying, managing, and integrating multiple products not only drives up costs, but it also increases network complexity. As a result, a patchwork of solutions that looks good on paper often creates operational bottlenecks and security oversights at scale. While some may argue for shifting the complexity to a service provider, this doesn’t resolve the underlying issues and often leads to higher costs for sub-optimal performance.

Virtual appliances on edge devices isn’t SASE

Running virtual appliances on an edge device reduces the hardware footprint but does little for operational costs. Appliances still need to be deployed, integrated, upgraded, and maintained. The underlying silos and complexity don’t go away. True SASE platforms eliminate the appliance form factor. Functions are delivered as a multi-tenant, cloud-native platform. SASE providers manage and maintain the underlying platform for the benefit of all customers. Neither the enterprise nor the provider incurs the operational overhead of managing appliances.

So, what exactly is SASE?

SASE is about the convergence of networking and security in a way that improves performance, simplifies operational complexity, and enhances security posture at a global scale. To meet these criteria, a true SASE solution needs the following characteristics:

  • Support for all edges. Mobile, cloud, WAN, and edge locations must all be supported without sacrificing performance or functionality. Many virtual and physical appliances struggle to meet this criterion. This is because security appliances are often inherently tied to a specific location.
  • Identity-driven security. The SASE security model is built around granular identification of resources. SASE requires that every app, person, and device can be accounted for and data flows can be analyzed in-depth. Doing so enables full-network visibility and contextual awareness to help mitigate threats.
  • Cloud native architecture. To simplify management complexity and deliver elasticity, resilience, and self-maintenance that make SASE performant and scalable for the enterprise, a multi-tenant cloud native architecture is a must.
  • Globally distributed network connectivity. A globally distributed cloud platform ensures that all the features of SASE are available no matter where enterprise network edges are located geographically. This means that SASE PoPs (points of presence) need to go beyond public cloud data centers and ensure low-latency connectivity for all WAN endpoints.

Real SASE vendors understand convergence is key

The fundamental takeaway here is this: SASE isn’t just about a robust network and security feature set; it’s about converging that feature set to improve performance and security while reducing complexity and cost. Cato Networks was a SASE sample vendor in Gartner’s recent Hype Cycle for Enterprise Networking, and the Cato Cloud approach to SASE was built with convergence and the modern digital business in mind.

For a deep dive on SASE and what it means for your business, check out our free eBook The Network for the Digital Business Starts with the Secure Access Service Edge (SASE). Alternatively, if you’d like to try our cloud-based SASE solution for yourself, please contact us or sign up for a demo today.