By Graham Robinson, Chief Technology Officer, Data#3 Limited
[Reading time: 3.5 minutes]
Our industry is full of language which wraps useful technologies in unhelpful terms, and unfortunately, that language often confuses the very people who would most benefit from those technologies.
SASE (Secure Access Service Edge) is one such term.
Coined by Gartner in 2019, SASE is somewhere between an approach, a grouping of features and functions, and a security architecture that describes how to protect your company in the face of distributed networks, multi-cloud services, and a hybrid workforce.
However, while the technologies underneath the SASE wrapper often offer real value, SASE itself has grown from an analyst buzzword to a marketing term championed enthusiastically by vendors trying to level the playing field by claiming they have a SASE strategy too. It is somewhat equivalent to Ford positioning itself as a viable alternative to Ferrari on the grounds that Ford also has a ‘personal mechanical transport strategy’. It’s easy to invoke a false equivalency when you’re adding layers of abstraction.
That doesn’t mean that what SASE is trying to convey isn’t important, but just that the language creates an additional layer of abstraction, further detaching people from the specific problems they’re trying to solve. It makes it hard to separate the wheat from the chaff. If SASE, in context with other terms like cloud, edge, WAN, workforce etc is explained well, it makes a lot of sense in our post-pandemic world – unfortunately, it’s rarely explained well.
Focusing on the underlying problems though yields a different result. Until recently, remote working used VPNs for secure access to corporate apps resulting in hairpinning Internet traffic via security services located in data centres. However, this approach falls short in today’s work-from-everywhere, cloud-heavy world, and VPNs stand in the way of application performance.
Direct to cloud isn’t just what our employees want, but it’s what we need too. Employee apps continue to use more bandwidth and every meeting is now a video meeting, so hairpinning their traffic via our data centres isn’t a viable option unless we want to deal with a mountain of performance complaints.
Direct access also bypasses the security controls we’ve carefully built out over the last decade, and so now we scramble to extend those same security controls and protect our cloud-based assets, our cloud-connected sites, and our cloud-native workforce. From SD-WAN to Web Application Firewalls, Cloud Access Security Brokers (CASB) and Secure Internet Gateways (SIG), we look to combinations of security tools to protect our people… which, by the way, is what SASE is.
Securing the edge isn’t a new concept, and most of the customers I talk to aren’t asking about SASE anyway. They’re seeking solutions that will support their digital transformation strategy; one which now includes the secure transition to the cloud with a scalable hybrid working model. Yes, a salesperson might describe them as SASE solutions, but using the term does nothing to help us solve the problem – which perhaps explains why many still find the term confusing.
The question is “how do I secure my assets when neither my people nor my information, have anything to do with my data centre?” Cloud-enabled workers require cloud-enabled security. Moving away from legacy-centralised strategies requires us to think about security from a few perspectives:
Creating a solution that addresses all three requires a common element – identity. Distributed work practices require a user-centric security model with consistent enforcement to secure our assets, irrespective of where someone is working, or what they need to access.
Vendors have rushed to market with a range of excellent “SASE” solutions, and many businesses have deployed them with enthusiasm, but they often come with a hidden complexity tax. Products from different vendors bring feature overlaps, meaning you’re paying twice for similar functionality, and without deep cross-product testing, you’re likely to find there are still gaps in your protection. Add to this the administrative cost of multiple management dashboards and you’re commonly left with TCO blow-outs, an avalanche of uncorrelated security alerts, and exposed assets.
The days of relying upon standalone best-of-breed products are over. Regardless of whether the technologies are from the same or different vendors, integration is everything.
This is perhaps the area where the principles behind SASE stand up. Starting from an expectation of deep integration can help us piece together security solutions for today’s work practices which provide a user-centric approach to securing distributed assets.
Our security practice often works with Cisco for exactly that reason. Their platform approach means products are tested to ensure alignment without overlap, and a broad set of enforcement technologies, which can be added as it makes sense. This approach of integrating the old and the new enables us to protect almost any type of asset, anywhere. Where Cisco’s expertise stops, their integration frameworks allow us to ingest information from security partners and present the findings to operational support teams in a clear and actionable manner.
So, while Cisco (like many others) continue to wrap their security technology in SASE, underneath that unhelpful term is a suite of useful tools that are perfectly aligned to protect today’s workforce.
Ultimately, look beyond the SASE marketing and ask questions about what the vendor will actually deliver compared with the specific problems you have. Look for an identity-based framework with deep integration across components. One that offers consistent enforcement but doesn’t have you paying twice for the same features, and one that avoids a complexity tax on your already stretched support team.
Don’t buy it because it’s SASE, buy it because you’re sure it will work.