- SASE promises the unification of security and network routing policies.
- To achieve a SASE methodology, enterprises need to think about both policies and technology.
The COVID-19 crisis has accelerated the move towards cloud/SaaS adoption and work from home (WFH). The crisis has proven that, even with rushed deployments in less than ideal circumstances, both cloud and WFH are efficacious ways of doing business. However, they are not without challenges, and one of the biggest challenges is how to architect and secure networks when dealing with a more distributed IT estate – particularly given the significant increase in cyberattacks that has occurred during the pandemic.
‘Secure access service edge,’ or SASE, has emerged as the favorite buzzword and concept of network service providers (SPs) and network and security technology vendors. SASE, sometimes also referred to as zero-trust networking, speaks to securing an enterprise’s IT services wherever they are located and to unifying security and routing policies – two things that have traditionally been treated as separate. Vendors such as Cisco, Fortinet, Juniper, and Versa have made big plays about their SASE technology stacks, which combine SD-WAN and firewall into a single ‘box’ (whether a physical CPE or a virtualized function). SPs such as AT&T, BT, Orange, and Verizon (among many others) have all spoken about their SASE capabilities. However, these providers have also acknowledged that the technology stack needed to deliver a truly unified SASE solution is not yet in place. So, what should enterprises do?
The answer depends on the circumstance and is likely to require a number of technologies. SASE solutions from vendors such as Versa, Fortinet, and Cisco Meraki are likely to offer good ‘single-box’ options for smaller sites (e.g., branch offices or retail stores), as they offer a combination, in varying ratios, of security, SD-WAN, and WiFi. But even for smaller sites with high security and/or complex routing requirements, it may be necessary to deploy separate SD-WAN and security devices. For the largest sites and more advanced networks, service chaining (i.e., integration of separate network functions) of dedicated firewall, SD-WAN, and optimization functions is inescapable for the short-to-medium term.
Edge networking deployments by service providers can help, however, and also offer a solution for homeworkers. Edge networking is a process whereby the service providers deploy more resources (e.g., compute, SD-WAN nodes, DDoS mitigation platforms) at distributed points across their network. This proximity of the various service components can help to reduce the latency impact of any service chaining. It also means that homeworkers who are relying on desktop clients rather than on-premises hardware are closer to network functions such as firewall and SD-WAN.
The other factor for enterprises to consider is their own policies. Enterprises should no longer view network, security, and applications as separate domains, but as different facets of a holistic IT estate. For SASE to work as a concept, enterprises should work with their network and security partners to develop security and routing policies as a single process rather than as potentially conflicting interests.