By Zachary Malone, SE Academy Manager at Palo Alto Networks
What Does SASE (Really) Mean?
Coined in late 2019 by Neil MacDonald and Joe Skorupa of Gartner®, SASE (secure access service edge) describes a strategy that converges cybersecurity and WAN edge networking to address challenges that organizations are facing now. Specifically, organizations need to manage an ever-growing technology stack across an increasingly dynamic “service edge” that now includes branches, mobile users, SaaS applications, and shifts in data centers between on-premises and the cloud. Individual cybersecurity technologies, like SD-WAN, WAN optimization, NGFW, ZTNA, SWG, CASB, and more, frequently lead to scalability problems if left as separate services. This scaling issue is compounded if these technologies must also be self-managed, upgraded, and maintained. What SASE attempts to achieve is unified, secure access—connecting and securing users as they fluidly shift between home, branches, headquarters, and being on the go, while accessing resources in data centers, cloud, SaaS, or on the web with a single, unified platform.
How did it originate?
Gartner originated the term SASE. Its analysts kept being called upon to suggest “a better way” to maintain security and agility in light of the shifting nature of SaaS delivery for business-critical applications, cloud computing, and branch expansion. The need became apparent for a convergence of these services that operated in the same fashion as these cloud, SaaS, and other application implementations. The SASE strategy was the Gartner answer to this need.
Why is it important in cybersecurity?
The concepts of SASE, much like the principles of Zero Trust, look to move security closer to the actual assets being protected. Today, too many executives are forced to accept inordinate amounts of risk to keep up with the changing times of SaaS and cloud-delivered applications and services. The old standard of backhauling (forcing traffic to a security device at a hub such as a data center) was causing unacceptable performance issues and user experiences. SASE calls for delivering services from a single platform. It simplifies the tech stack, administration, and policies while ensuring consistency for all access. This simply can’t be achieved with an approach using several disparate products, even from the same vendor. As companies start to adopt a SASE strategy, particularly during the current vast shift we’ve seen to a remote/hybrid workforce, many organizations are encountering a gap in understanding their workers’ day-to-day experiences. Complaints of slowness or bad connectivity have grown exponentially, leading to more need for in-depth visibility at every step along the path. This is typically referred to as digital experience management or user experience management.
What is the spin around this SASE buzzword?
Vendors have quickly caught onto the popularity of SASE and also realized that they do not have the product portfolio to cover the broad scope of everything SASE is looking to converge together. In attempts to cover up this issue, many have been trying to build a narrative that the scope of SASE is much smaller than the vision that Gartner is driving. Some vendors tout that a specific piece of security, like IAM and SWG, is “all you need” for SASE. Other vendors claim SD-WAN is the most crucial part of SASE and the security is just a nice addition, so they leave it to third parties. These attempts miss the point because SASE is about putting all the underlying features together into a single platform and delivering it “as a service” as much as possible. Any approach that attempts to exclude pieces or relies on multiple parties to cover all components is not SASE; it’s just business as usual, sheathed in the hype that has built up around SASE.
Our advice: What executives should consider when adopting SASE
SASE is about the convergence of network and security services. Both verticals are equally crucial for any company’s SASE strategy to succeed. Therefore, the main focus should be more services converged into a single service—not just a single vendor, managed from multiple pieces—without losing effectiveness or visibility. The secondary focus, just as important, is about delivery and administration. Delivery and administration of all SASE services should be as close to a SaaS model as possible. So, while some physical assets will still be required to direct traffic to the edge, like a WAN edge connector (SD-WAN preferred), all the advanced policy, administration, and computation for these should be cloud-delivered. As the workforce becomes more remote/hybrid, the user’s experience should not deteriorate, which brings the third focus. Experience management is crucial and should again converge into the SASE service offerings, just as much as the network and security technologies.
Here are some questions to ask your team for a successful SASE adoption:
- Have we looked at access broadly enough, meaning everywhere users are working— home, branch, or on the go, and all the resources they are seeking to access—across data center(s), cloud, SaaS, and web? What solutions are in place to provide this access?
- Can we ensure security posture consistency that prevents sensitive data loss and malware across all traffic flows, including private apps, regardless of where the user is working from or the applications they access?
- If we can maintain consistent security while simplifying the tech stack, what prevents us from consolidating the tools we use today?
- How will we retain visibility of the entire application delivery path—from endpoint to application—to ensure we provide a good user experience?
- How can we decouple the concept or policy of our network edge from the specific parameters of any one site, so consistent excellent experience and simple scalability are achieved?
To learn more, visit us here.
About Zachary Malone:
Zachary is the SE Academy Manager at Palo Alto Networks. With more than a decade of experience, Zachary specializes in cyber security, compliance, networking, firewalls, IoT, NGFW, system deployment and orchestration.