By John Maddison, EVP of Products and CMO at Fortinet.
Secure Access Service Edge (SASE) is an emerging enterprise strategy that incorporates multiple solutions to enable secure remote access to on-premises, cloud-based, and online resources. Unfortunately, there has been a lot of hype that has left some organizations wondering what exactly SASE is. Understanding the basic concepts and components of SASE is important, as the benefits can be significant for many organizations. Fortunately, getting to the bottom of this is easy, as many of the fundamentals of SASE – such as bringing networking and security together – are trends that customers have been gravitating to for years. However, it is still critical to properly define SASE upfront in order to avoid adding complexity or, worse, missing the true value of SASE entirely.
Today’s organizations require immediate, uninterrupted access to the network and cloud-based resources and data, including business-critical applications, no matter where their users are located. The reality is that consumption patterns are changing due to the implementation of 5G, cloud migrations, sustained work from home, and similar outcomes of digital innovation efforts. This has transformed the traditional network into a network of many edges.
At the same time, these dynamically changing network configurations, and the rapid expansion of the attack surface, mean that many traditional security solutions no longer provide the level of protection and access control that organizations and users require. In this environment, security has to be delivered anywhere, from any place, at any time, and for any device – the WAN Edge, Cloud Edge, DC Edge, Core Network Edge, Branch Edge, and Mobile Remote Worker Edge. This requires the convergence of traditional and cloud-based security, as well as deep integration between security and fundamental networking elements.
SASE is designed to help organizations secure these new distributed networks. However, as with any emerging technology category, there is still some uncertainty about what precisely a SASE solution means and which technologies are included. In addition, vendors are attempting to redefine this market in ways that best reflect their current offerings – which means that some elements are being overemphasized while other, often essential, elements get overlooked. Unfortunately, some market definitions of SASE already include important omissions that are leaving some organizations confused about how to best select, implement, and manage the right sort of solution for their unique environments.
SASE is generally classified as a cloud-delivered service, providing secure access to cloud-based resources, secure communications between remote users, and always-on security for devices off-premises. However, there are situations where organizations may require a combination of physical and cloud-based solutions for SASE to work effectively. This may include supporting a physical SD-WAN solution already in place that contains a full stack of security, or the desire to provide protection at the edge when processing confidential or sensitive information rather than shuttling it out to the cloud for inspection.
By combining physical and cloud-based elements, the role of SASE can also be easily extended deep into the network, rather than simply handing off security to an entirely different system at the edge. This ensures that a secure SASE connection is seamlessly integrated with critical solutions that also rely on hardware, such as network segmentation and compliance requirements that a strictly cloud-based security approach can’t address, to provide end-to-end protection.
Some SASE definitions also omit things like Secure LAN and Secure WLAN that are essential considerations for many organizations. Including these sorts of technologies in a SASE solution helps ensure that security is applied consistently across an entire security architecture, rather than deploying separate security components for their SASE deployment – which could create gaps in security policy enforcement and limit visibility.
But regardless of which tools are used or where they are deployed, there is a central issue that needs to be remembered. Every SASE solution must not only meet the access needs of today, but also have the capability to quickly adapt to rapidly evolving network changes and business requirements as they occur. This is why a key criterion for SASE is flexible consumption models that give organizations choices suited to their unique use cases, so that they can achieve the true vision of SASE.
Any true SASE solution must include a core set of essential security elements. To realize the full potential of a SASE deployment, organizations must understand and implement these security components across the WAN-edge, LAN-edge, and Cloud-edge.
At a high level, implementing SASE really comes down to enabling secure connectivity and access to critical resources from anywhere on any edge. Unfortunately, very few vendors can provide this because their portfolios are full of disparate, acquired products, or they simply don’t have enough breadth to provide all of the security elements that a robust SASE solution requires. And even when they do, their solutions simply do not interoperate well enough to be effective.
This is a problem because for SASE to work well, all of its components need to interoperate as a single integrated system – connectivity, networking, and security elements alike. This means every component needs to be designed to interoperate as part of an integrated strategy bound together by a single, centralized management and orchestration solution. They also need to seamlessly integrate with the larger corporate security framework, as well as dynamically adapt as networking environments evolve. If not, it’s not a true SASE solution.
The recent market momentum around SASE is exciting because it underscores the need for a Security-Driven Networking approach. In the era of cloud connectivity and digital innovation, networking and security must converge. There’s no going back to outmoded and siloed architectures.