When Gartner first came up with the concept of secure access service edge (SASE) in 2019 to describe a suite of networking and security functions that can be consumed through a single cloud service, the analyst firm saw it as a way to address the demands of networking and security as more applications moved to the cloud.
“It was the convergence of SD-WAN [software-defined wide-area networking] with firewall-as-a-service, zero-trust network access [ZTNA], secure web gateway [SWG] and cloud access brokering that started the whole concept,” says Bjarne Munch, senior principal analyst at Gartner’s IT leaders and tech professional research organisation. “And if you look at most enterprises, there’s a strong need to converge just the security services alone.”
Based on Gartner estimates, a large enterprise could be using up to 40 security suppliers, underscoring the need to simplify the security environment and avoid overlaps that could open up security gaps. On the networking side, misconfigurations could also occur from service chaining that automates traffic flow between services.
“For example, for a set of configurations, SD-WAN might do one type of filtering while the secure web gateway might do another filter with no coordination. We see clients having issues just around those two services,” says Munch.
These challenges are enough to spur more enterprises to adopt SASE sooner rather than later, with Gartner expecting up to 80% of enterprises to consolidate network-oriented security into a cloud service from one provider in the next few years, and at least 40% of enterprises charting explicit strategies to adopt SASE.
Steven Scheurmann, regional vice-president of ASEAN at Palo Alto Networks, says the pandemic that forced many businesses to adopt hybrid work models has also accelerated the adoption of SASE. This is because data shifted away from datacentres towards the cloud and edge to internet of things (IoT) devices and remote workers.
Additionally, the adoption of cloud and digital initiatives, precipitated due to the influx of hybrid work models, drove organisations to invest more in software as a service (SaaS) and other public cloud services. This, in turn, delivered a strong push for SASE adoption that brings protection closer to users, so traffic doesn’t have to backhaul to headquarters to reach the cloud, Scheurmann says.
“Branch transformation driven by new hybrid work and digital transformation initiatives leveraged branches as collaboration hubs rather than primary places of work. This trend also fuelled the demand for WAN transformation from legacy MPLS [multiprotocol label switching] to SD-WAN and SASE,” he adds.
Key benefits of SASE
Heng Mok, chief information security officer for Asia-Pacific and Japan at Zscaler, says SASE offers many benefits to organisations that put aside traditional on-premise enterprise network infrastructure and security in favour of cloud services, mobility and other aspects of digital transformation. These include, but are not necessarily limited to, the following.
Reduced IT costs and complexity
As organisations work to enable secure access to cloud services, protect remote users and devices, and close other gaps in their security, most have been forced to adopt a range of security solutions, adding significant costs and management overheads. Despite that, the on-premise network security model is simply not effective in a digital world.
Rather than focusing on a secure perimeter, SASE focuses on entities, such as users. Based on the concept of edge computing – processing of information close to the people and systems that need it – SASE services push security and access close to users. Using an organisation’s security policies, SASE dynamically allows or denies connections to applications and services.
Fast, seamless user experience
When users were on the network, and IT owned and managed the apps and infrastructure, it was easy to control and predict the user experience. Today, even with distributed multicloud environments, many enterprises still use virtual private networks (VPNs) to connect users to their networks for security. However, VPNs deliver a poor user experience, and they broaden an organisation’s attack surface by exposing IP addresses.
Instead of this degradation, SASE provides optimisation – it calls for security to be enforced close to what needs securing.
“Instead of sending the user to the security, it sends security to the user. SASE is cloud secure, intelligently managing connections at internet exchanges in real time as well as optimising connections to cloud applications and services to ensure low latency,” says Mok.
As a cloud-native solution, SASE is designed to address the unique challenges of risk in the new reality of distributed users and applications. By defining security, including threat protection and data loss prevention (DLP), as a core part of the connectivity model, it ensures all connections are inspected and secured, regardless of location, app or encryption. The same security policy follows the user wherever they are located.
A key component of the SASE framework is ZTNA, which provides mobile users, remote workers and branch offices with secure application access while eliminating the attack surface and the risk of lateral movement on the network.
Enterprises often tend to start their SASE journey with security rather than networking use cases, with organisations in Asia-Pacific often prioritising the adoption of zero trust for application access, says Sam Rhea, vice-president of product at Cloudflare.
Rhea says the first step often starts with offloading VPN traffic and transitioning to cloud-delivered ZTNA controls for selected apps (often self-hosted web applications) or users. Some of those starting use cases include securing how third parties – such as contractors, developers, suppliers, partners, or newly acquired teams – access internal resources, while providing a better user experience.
Expanding from this starting point, organisations then begin layering on additional per-app policies based on role, multifactor authentication (MFA), hard key requirements, identity checks, device posture and more. As teams build confidence in this approach, they move to retire their VPN entirely and protect non-web and legacy private networks with zero trust.
Once enterprises gain familiarity with this zero-trust approach to internal access, their focus then shifts to improving visibility and controls for SaaS applications – including mitigating shadow IT, managing tenants and preventing data exfiltration – with tools such as a cloud access security broker. By continuing to implement protections that mitigate the risk of mishandling sensitive data, they can take better steps towards regulatory compliance.
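The staged approach Rhea describes (per-app access decided on role, MFA strength, hardware-key requirements and device posture, with the VPN's network-level trust removed) comes down to a policy engine that evaluates each request against the target application's rules. The following is an added illustration, not code from Cloudflare or any vendor named in this article; the application names, roles, posture attributes and the rule that only WebAuthn counts as a "hard key" are all constructed for the example.

```python
"""Illustrative per-app zero-trust access evaluation (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    email: str
    roles: frozenset[str]
    mfa_method: Optional[str]  # "webauthn", "totp", or None when no MFA was used


@dataclass(frozen=True)
class DevicePosture:
    managed: bool              # enrolled in the organisation's device management
    disk_encrypted: bool
    os_version: tuple[int, int]


@dataclass(frozen=True)
class AppPolicy:
    name: str
    allowed_roles: frozenset[str]
    require_mfa: bool = True
    require_hardware_key: bool = False   # phishing-resistant factor only
    require_managed_device: bool = False
    min_os_version: tuple[int, int] = (0, 0)


# Assumption for this example: WebAuthn is the only factor treated as a "hard key".
HARDWARE_KEY_METHODS = frozenset({"webauthn"})

# Constructed sample policies: a self-hosted wiki opened to contractors, and an
# internal payroll app restricted to finance staff on managed devices with hardware keys.
POLICIES = {
    p.name: p for p in (
        AppPolicy("wiki", frozenset({"employee", "contractor"})),
        AppPolicy("payroll", frozenset({"finance"}), require_hardware_key=True,
                  require_managed_device=True, min_os_version=(14, 0)),
    )
}


def evaluate(policy: AppPolicy, identity: Identity, device: DevicePosture):
    """Return (allowed, reasons). Every failed check appends a reason, so an
    administrator can see exactly why a request was refused."""
    reasons = []
    if not (identity.roles & policy.allowed_roles):
        reasons.append(f"role not permitted for {policy.name}")
    if policy.require_mfa and identity.mfa_method is None:
        reasons.append("multifactor authentication required")
    if policy.require_hardware_key and identity.mfa_method not in HARDWARE_KEY_METHODS:
        reasons.append("phishing-resistant hardware key required")
    if policy.require_managed_device and not device.managed:
        reasons.append("managed device required")
    if policy.require_managed_device and not device.disk_encrypted:
        reasons.append("disk encryption required")
    if device.os_version < policy.min_os_version:
        reasons.append(f"OS version {device.os_version} below minimum {policy.min_os_version}")
    return (not reasons, reasons)


def authorize(app_name: str, identity: Identity, device: DevicePosture):
    """Default-deny entry point: an app with no policy is refused, never passed through."""
    policy = POLICIES.get(app_name)
    if policy is None:
        return (False, [f"no policy defined for {app_name}"])
    return evaluate(policy, identity, device)


# Constructed sample principals and devices.
EMPLOYEE = Identity("pat@example.com", frozenset({"employee", "finance"}), "webauthn")
CONTRACTOR = Identity("sam@partner.example", frozenset({"contractor"}), "totp")
NO_MFA_USER = Identity("lee@example.com", frozenset({"employee"}), None)
MANAGED_LAPTOP = DevicePosture(managed=True, disk_encrypted=True, os_version=(14, 2))
BYOD_LAPTOP = DevicePosture(managed=False, disk_encrypted=False, os_version=(13, 5))

if __name__ == "__main__":
    for app, who, dev in [("payroll", EMPLOYEE, MANAGED_LAPTOP),
                          ("payroll", CONTRACTOR, BYOD_LAPTOP),
                          ("wiki", CONTRACTOR, BYOD_LAPTOP),
                          ("wiki", NO_MFA_USER, BYOD_LAPTOP)]:
        allowed, why = authorize(app, who, dev)
        print(app, who.email, "ALLOW" if allowed else "DENY", why)
```

The point of the structure is that the decision is made per application and per request, from identity and device signals, rather than from the source network a VPN would have vouched for; the accumulated reasons are what feed the access logs a security operations team reviews when a denial needs explaining.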
“From there, organisations extend that visibility and control to broader internet access with services like SWG and remote browser isolation to protect against phishing, ransomware and other online threats,” says Rhea.
Challenges with SASE
With networking and security teams often operating in silos, a key challenge enterprises face with SASE implementations is getting the two teams to work together. “SASE is a collaborative venture where network specialists and security professionals need to weigh in on the components best suited for the company to achieve its overarching goal,” says Scheurmann.
In addition, Scheurmann says a standalone SASE solution may sometimes be insufficient to cater to the company's requirements. In such a situation, a hybrid build-up must be considered to balance on-premise and cloud networking and security in specific situations.
“Further to this, different companies have different needs. While an all-in-one platform has the benefit of a single policy engine, it may deliver some functional limitations compared to a best-of-breed solution. Therefore, each organisation must have components and requirements first to make the right decision,” he adds.
Zscaler’s Mok points out misconceptions about what a SASE architecture looks like and which supplier has the capabilities to truly deliver SASE services.
“With the growing demand for SASE, we are seeing many network and security vendors gluing together their own versions of SASE architectures. Many of these vendors claim to engineer a cloud-delivered product, but the truth is a great number of them are just a ‘cloud platform’ built on legacy hardware. Herein lies the main challenge for companies embarking on their SASE implementation journeys,” he says.
Mok adds that when companies use the services of suppliers that rely on virtual machine-based offerings running in cloud-provider infrastructures, they face several problems, such as less than optimal user experience because of the backhauling required from the cloud to the supplier and then on to the applications users want to access.
“This model relies on a single-tenant architecture using network-based access policies in a SASE model, which should be based on user access. This results in more complex policies that don’t translate well to SASE, and also limits scalability,” he says. “It may also use a patchwork of multiple products or services that are not truly integrated but rather cobbled together through an overlay user interface.”
Therein lies a key decision that enterprises will need to make: whether to choose a single-supplier or a multi-supplier SASE offering. Single-supplier players such as Cato Networks deliver a full platform without stitching together pieces from other suppliers, while multi-supplier offerings tend to fill the security or networking capabilities they lack through acquisitions and partnerships.
Gartner’s Munch notes that among single-supplier SASE players, Cato Networks and Versa Networks are “looking pretty strong now”.
“Palo Alto Networks, Cisco and Juniper have most of the components, but they are not really fully integrated,” he says, adding, however, that no SASE provider has best-of-breed offerings across the board.
“If I had to place the leaders, I’d say Versa, Cato and Palo Alto Networks are probably those that have progressed furthest,” Munch says. “But there are still certain aspects in their portfolios that are lacking.”
Munch also points out a curveball that could change the dynamics of the SASE market – managed SASE services.
“A carrier could work with Zscaler, for example, to provide all the integration and manage the relationship with Zscaler, which will manage the delivery of the service from their platform through API integrations with the carrier or a systems integrator,” says Munch.
“I believe SASE is ultimately going to be part of a managed service in one way or another, enabling an enterprise to subscribe to best-of-breed services from different vendors through an online portal and operational platform that sits across all of the underlying infrastructure,” he adds.
Should managed SASE take off, Munch says enterprises may not gravitate as much towards single-supplier SASE offerings that deliver operationally integrated services, but that also means they would need to pick a managed service provider that has relationships with their preferred suppliers.
“There’s going to be more confusion in the market for those looking at managed services,” says Munch. “You’ve got to find the right carrier that uses the right SD-WAN and has relationships with the right security people and the security credentials to deliver the service.”