Sassy Security

For all the impacts the likes of COVID-19 and technological advance have on IT, there are two immovable staples that we can rely on:

  1. Gartner to keep on introducing new acronyms to create new magic quadrants from and:
  2. Vendor press releases claiming the impossible.

So it was with a certain amount of glee that I encountered both in one fell swoop last week, when a release popped into my inbox announcing that Versa Networks (with whom I speak regularly) has “Launched The Industry’s First SASE Solution Delivering Leading Secure SD-WAN Capabilities to Remote and Working from Home Employees”. Apart from combining two key elements – a recently invented Gartner acronym and a COVID-relevant angle – it topped it off with declaring itself to be first to market with a solution that is the staple diet of a company, Cato Networks, I’d been briefed by a few weeks ago -))))

OK, so it’s all one big marketing game at this level, and I will be looking further into the new Versa product (endpoint software) shortly, but there is a (good) serious element here, which really came out during the Cato conversations and that is that we have a Gartner invention that actually does make a lot of sense for once… Let us step back a moment, before we look at SASE (pronounced “Sassy” – surely not IT trying to appear “sexy” again?) in more detail.

Throughout my extended life in IT, one key focus area has been optimisation; making stuff going faster and better. It’s kind of how I chose my hot hatchbacks in the old days, when roads weren’t littered with upmarket Polaroid cameras so, from an IT perspective it held my interest from day one. Oh, and being a Yorkshireman, the idea of saving bandwidth came equally naturally. And then security started to raise its ugly head – getting in the way of all my lovely optimisation scenarios, like the gates with impossible to work locks and latches on my local cliff walks (hand sanitiser moment). I guess the council is assuming the local sheep and wild pony population would get the hang of opening a regular latch?

And the rest, as they say, is history. Security has created its own IT lifeform and spawned a gazillion mutant variants over the past two decades, while optimisation has continued to, er, be optimised, in spite of the might of the security army set against it: AV/EDR, encryption, firewalls, IDS/IPS, UTMAs, SIEMs, content filtering, DLP, IAM… I recall an article from some guy a few years ago that identified – then – 70 different categorisations of security product! So, imagine you’re in the IT engine room for a company that actually produces something – cars, biscuits, beer, bills (I.e. accountants and lawyers): you obviously want your IT to be optimised and therefore manageable, as the two go hand in hand and help you make your products and therefore all important profit. You also need it to be secure, in order to protect your own company, its inner secrets – e.g. grandmother’s special shortbread recipes or unique pearlescent spray finish techniques – and your customers details, in order to avoid being sued and losing all that profit. So, how do you decide exactly what combination of security products you need and how do you then integrate them a) within themselves and b) within your IT delivery architecture? Answer – you can’t, not using the DIY methodology. The general consensus is that only around 20% of the investment in security products and services is actually put into daily use – the rest lies on dusty shelves, real or virtual. The problem is simply that companies don’t know exactly what they need as, every week, there’s another “new” security gizmo launched. That, and/or Gartner invents another new acronym/category. And they already have this room full of stuff they don’t know what to do with anyway…

Meantime, the only common, unified phrase being used to define security in IT in 2020 is that “security has moved to the edge”. What the world has been crying out for, then, is for a hybrid product\service that delivers a SOLUTION combining security with optimisation. Yes, in the DC world, the Load-Balancer/ADC guys have long had web app firewalls (WAFs) as part of their optimisation armoury, but for true end to end delivery, notably via SD-WAN (the artist formerly known as WanOp), there has been no defined area for vendors to play. So, enter “Sassy” – Secure Access Service Edge, I prefer Sassy… Gartner defines SASE as “combining network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e., SD-WAN) to support the dynamic secure access needs of organisations. So, yeah, an acronym based around a whole set of other acronyms but you get the point – these capabilities are delivered primarily “as a service – XaaS – and based upon the identity of the entity, real time context and security/compliance policies”. The latter element is important – as a service basically meaning it is cloud-based, so eliminating another management headache.

So, now back to our starting point and especially the recent-ish Cato briefing, that being – vendors jumping on the SASE bandwagon. That will be every security vendor then… What I particularly appreciated about the Cato angle is that SASE might as well have been invented for them (I double-checked and it wasn’t invented by them!) as it defines what the vendor actually offers – now. And last week, and last year etc… Andrew Lerner of Gartner makes a valid point re: selecting a SASE offering: “Software architecture and implementation really matters. Be wary of vendors that propose to deliver services by linking a large number of features via VM service chaining, especially when the products come from a number of acquisitions or partnerships.” That rules out quite a few already reinvented vendors – you know who you are! – then -)))

I’ll go into more detail about the Cato solution in the next brief and update on the Versa software once I’ve had chance to have a play, but clearly the former IS the definition of “Sassy”. Cato calls its solution “the network for whatever’s next” which might sound glib, but it’s what every IT manager wants to hear. Key to the solution is the sheer number of options available; like a superstore for secure SD-WAN app delivery in the cloud!

Not that the company will be short of alleged competition. As ever, given the Gartner origins, every interested vendor party will be angling for a top right position on the SASE magic quadrant, as and when that finally appears,  but companies actually in need of a secure, optimised end to end delivery solution (who isn’t?) can ignore all the hyperbole and acronyms and just use their common sense – the answer is out there right now.

Data Center
Data Management