SASE Evaluation - The Thoughts Of A Founding Father

Now here’s something a little different.

On this ‘ere blog, you are used to hearing my views on the world of networking, comms, security and occasionally wine. You may also have read my recent blueprint for defining an eval strategy for potential SASE providers. This post was picked up by the former #Gartner legend Joe Skorupa and one of the founding fathers of SASE, so I took the opportunity to get Joe involved in the conversation. For those not familiar with Joe and his work, there’s a brief bio at the end of the blog but, meantime, here are the thoughts of Mr Skorupa in the form of a Q&A and thanks, in advance, to Joe for his collaboration here:

1. Joe, I noticed the recent blog I did on “Network Scorecard For Evaluating SASE Clouds” captured your attention. Why is that?

“SASE is the convergence of security SSE and networking SD-WAN. In order to capture all the benefits of SASE, you have to adopt an end-to-end system approach. SSE gets a lot of attention because it’s more visible. It seems like nearly every day there is another high visibility breach, which keeps the focus on the security aspects of SASE. But SASE is more – it’s about providing secure access to applications regardless of the location of the consumer and the applications. You don’t have access without the network and it’s not just the SD-WAN and ZTNA endpoints. It includes the transport, and all transports are not created equal. Your blog did an excellent job of framing the issues around the end-to-end, systems approach that is required to achieve the best outcome for SASE adoption.”

2. While SASE has been simplified as the convergence of security and networking, the conversation often gets skewed in the direction of the “services” alone – whether SSE security (like web security or zero trust network access) or SD-WAN alone. In some cases, this is due to the vendor’s pedigree or based on how customers are approaching their SASE initiative… but from your perspective what is the role of networking/infrastructure in SASE?

“As IT professionals we live in a highly distributed world. Our applications and data can be on-premises, cloud-hosted, at a SaaS vendor, or in edge computing/IoT nodes and our users can be on-campus, in a branch office, working from home, or on a business trip. The user of data could be a distributed application running in thousands of edge computing nodes. If we don’t build a high-performance, low latency, highly robust, secure network fabric, our SASE deployment won’t meet the needs of the business – it won’t deliver the promised business value. It takes more than just picking a bunch of PoPs and some high-speed links. The underlying architecture is critical.”

3. Many vendors have defaulted to relying on public clouds for delivering their solution. What do you see as the pros and cons of this approach, versus alternative approaches like private clouds or CDN-based architectures?

“Designing, building and operating a state-of-the-art, global network is hard. For a number of vendors, the easy answer is to punt. They pick a big-name cloud vendor and abdicate responsibility for the network. The narrative is something like, ‘We leverage the global network of Mega-Super Cloud because they are big and have smart network guys.’

Networks to deliver ads, deliver their streaming service, or ecommerce site transactions are compute-light at the edge with concentrated compute deep in the network. CDNs are very similar in design. SSE requires heavy compute at the edge for performance and fault-tolerance. Additionally, with a third-party network, it’s important to know who controls QoS when the network gets busy or who sets maintenance outages that result in users shifted to distant PoPs?  Redirecting users to a remote PoP can be OK for serving up ads or cat videos or video streaming or ecommerce, but not for real time interactive traffic. Then, there is a regulatory issue – geofencing. Can you sign an attestation that your traffic NEVER leaves your trading block? Not if you don’t control the network.

Even if the SASE vendor controls the network, architecture matters. Where is the dense compute, and how much backhaul is required? Do you have control over egress points or egress IPs so end users always get the correct localized traffic? Can the network deliver private IPs if needed and regardless of location? Some folks might suggest that the way around all these issues is to just put everything in a client – SWG, CASB, Cloud FW, RBI, and DLP, and use the Internet. It seems interesting until you dig deeper. First, I’ve never met an endpoint admin that wanted a big, complex, bloated client in tens of thousands of PCs, Linux clients, iPhones, Android phones, iPads and who knows what else. It’s an operational nightmare, especially when you have to do a global client upgrade due to a vulnerability.

Then consider how you force a client into a SaaS application like Salesforce or Workday. Of course, geofencing is impossible. Add edge compute nodes with proprietary operating systems and it gets really messy. Now add IoT devices that don’t have the resources to run a client, even if you could write one.  The heavy lifting for SSE requires highly distributed heavy compute, and to do that right, the SASE vendor must control the network, including routing, redundancy, peering and availability. Sure, client DLP is a powerful, necessary tool to protect data when the client is off the network, but that’s a limited use case.”

4. What questions in the network scorecard stood out for you the most and are critical for enterprises to ask? Are there others you feel like are missing?

“I think the scorecard is a terrific guide. The only thing I’d add is to get your business stakeholders involved early so you can understand emerging and evolving business needs. A SASE initiative supports a strategic business transformation. The technology is available but you can’t make the right choices unless you understand the business needs.”

5. How do you foresee the responsibilities of security and networking changing in the coming years? Any predictions on which side of the enterprise will drive SASE adoption, or will it be a CIO-led top-down initiative?

“Early SASE deployments were a tactical response to a business initiative that depended upon access to cloud-based assets from remote locations like branch offices or reimagined retail outlets. Sometimes a direct-to-internet project from branch offices forced an SD-WAN deployment that resulted in the CISO running into the planning meeting with their hair on fire. This resulted in a cloud SWG and branch firewall deployment. Over time things like cloud-delivered CASB and DLP were added and SASE was born.

A little over two years ago a major market transition occurred. SASE deployments became part of strategic business transformation projects driven proactively by the CIO and CISO, in response to plans from senior business leaders. The VP of I&O, chief network architect and security architect were involved as contributors, but the shift to business drivers was unmistakable.  This demonstrates that SASE is no longer seen as the latest in a long list of buzz-word driven technology sales. It’s a key strategic business enabler.”

6. As literally one of the “fathers of SASE”, any final thoughts or recommendations to provide Computer Weekly readers as they embark on their own SASE transformation?

• Involve a broad team when planning your SASE deployment – business leaders, edge computing and IoT teams, application architects and network and security architects. Understand the organization’s business imperatives and how they are driving technology requirements.
• Do the hard work – Most importantly, think about the end-to-end requirements for your users and applications, and that includes end users, devices and distributed applications. Don’t just accept the vendors’ claims that everything will be fine. Understand where SSE compute resources are deployed. Who controls the network including routing, peering, egress identity? How do you support emerging needs like edge computing and IoT devices?

“This sort of planning makes the difference between a wasted opportunity and a successful deployment that can make your organization more competitive while improving security, lowering capital and operational costs and simplifying the day to day lives of your network and security teams.”

JOE SKORUPA is a thought leader in the convergence of networking, security, and applications and the disruptive forces that shape those markets. As a Gartner Distinguished Analyst, along with Neil MacDonald, Joe defined and shaped the SASE market. Joe’s other breakthrough research includes CASCE, SD-WAN, SDN, and WAN optimization, resulting in three Gartner Thought Leader awards. Joe is a graduate of Indiana University, is a Life Member of the IEEE and contributed to multiple Ethernet standards. When he and his wife, Megan, aren’t traveling, Joe is an avid upland bird hunter (along with his Flat-Coated Retriever, Ben), hiker and reader. Joe, Megan and Ben live on California’s beautiful North Coast outside of Fort Bragg, CA.