Secure Access Service Edge in 2024: A Norm for Cybersecurity

The COVID-19 pandemic dramatically changed how and where we work. Remote and hybrid work models have become the norm, with employees needing secure access to business apps and data from anywhere. This massive shift has fueled rapid enterprise adoption of cloud-based software, infrastructure, and platforms.

According to Flexera's 2021 State of the Cloud Report, 92% of enterprises now have a multi-cloud strategy. However, legacy network and security architectures often struggle to support distributed workforces using cloud apps.

As a result, businesses are increasingly vulnerable to cyber threats. The 2022 Hiscox Cyber Readiness Report found that 61% of firms surveyed experienced a cyber attack in 2021, up from 33% in 2020. The average cost was over $200,000.

To adapt to the new business normal and combat evolving threats, enterprises need an integrated cloud-delivered network and security model. This is where Secure Access Service Edge (SASE) comes in. According to Gartner, adoption of SASE architectures will accelerate, with 50% of enterprises having plans to implement SASE by 2024.

What Exactly is SASE?

SASE (pronounced "sassy") converges wide area networking and network security into a single cloud-native service. Rather than backhauling web traffic through data centers for inspection, as traditional hub-and-spoke architectures do, SASE moves security to the edge alongside endpoints.

This enables organizations to connect any user to any application quickly and securely. Employees gain seamless access to cloud-hosted apps and services from any device or location.

[Figure: SASE architecture diagram. SASE delivers integrated networking and security from the cloud. (Image source: Gartner)]

As shown above, SASE combines a wide range of networking and security functions into a unified cloud service, including:

Networking

  • SD-WAN: Software-defined networking that intelligently routes traffic over any type of connection
  • Edge networking: Distributed points of presence close to users
  • Zero trust network access (ZTNA): Identity-based secure access to apps and resources

Security

  • Cloud access security broker (CASB): Protects cloud app access and data
  • Secure web gateway (SWG): Filters outbound web traffic and protects from web-based threats
  • Firewall-as-a-service: Network perimeter security delivered from the cloud
  • Cloud-based sandboxing: Detects and analyzes advanced threats

Bundling these services improves flexibility, agility, scale, and total cost of ownership compared to buying discrete products.

The Limitations of Legacy Architectures

Before exploring the benefits of SASE in more detail, it's helpful to understand the limitations of traditional network and security architectures.

Many enterprises use multiprotocol label switching (MPLS) circuits to connect regional offices and data centers into a wide area network (WAN). Sensitive traffic is then backhauled via VPNs to centralized security stacks for inspection.

While this hub-and-spoke model worked well in the past, it has some major drawbacks:

  • Latency: Long distances between branch offices and data centers can introduce significant lag when backhauling traffic. This degrades performance, especially for cloud apps.
  • Availability: MPLS and VPN concentrators represent single points of failure. Local outages disrupt connectivity across all sites.
  • Cost: MPLS and leased line charges are expensive, as is scaling VPN concentrators. Ongoing WAN optimization adds complexity.
  • Inflexibility: It's difficult to locally route internet traffic based on context. Granular access controls for users and apps are limited.
  • Complexity: Managing security in different silos is operationally challenging and requires extensive expertise.

As a result, many organizations are now finding their legacy architectures inadequate – introducing risk as workforces, apps, and threats rapidly evolve.

Key Benefits of Adopting SASE

Migrating from legacy network and security stacks to a SASE model provides compelling advantages:

Improved Security

  • Full inline inspection of all web traffic, on or off network
  • Zero trust access to apps and resources based on context
  • Reduced attack surface with cloud-native security services
  • Greater visibility into threats with unified analytics

Increased Agility

  • Rapid deployment of new offices/locations without added hardware
  • Dynamic scaling to support large numbers of remote users
  • Faster adoption of new cloud-hosted apps and services

Enhanced User Experience

  • Low latency access to cloud apps from any location
  • Consistent policies and security for all users and devices
  • Improved performance and availability for distributed teams

Operational Efficiency

  • Converged networking and security reduces tool sprawl
  • Centralized management and automation reduces manual efforts
  • Integrated analytics provide full stack visibility

Cost Savings

  • No more MPLS buildouts and centralized security CapEx
  • Reduced WAN cost by 30% or more by optimizing internet transport
  • Economy of scale versus discrete products and services

Research firm Gartner predicts that "by 2025, at least 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of zero trust network access." SASE accelerates this transition.

Detailed Comparison of SASE Benefits

| Business Driver | Traditional Architecture | SASE Model |
|---|---|---|
| Security | Security tacked on to network perimeter; fragmented view of users, devices, apps; VPN gaps for remote access | Inline security everywhere; unified identity-based policies; zero trust app access |
| Agility | Hardware-defined networking; complex VPN scaling; slow cloud app adoption | Cloud-managed connectivity; dynamic user access; accelerated cloud adoption |
| Experience | MPLS latency and downtime; VPN connectivity issues; backhauled traffic inspection | Local breakout, optimal routing; direct-to-cloud connectivity; decentralized security |
| Operations | Complex multi-vendor environment; separate network and security teams | Converged stack; centralized management |
| Cost | MPLS, security hardware CapEx; separate tools and contracts | Reduced WAN cost; as-a-service economy of scale |

Choosing the Right SASE Architecture

Migrating fully to SASE represents a multiyear journey for most large enterprises. It requires rearchitecting how networking and security services are delivered. There are several deployment options to consider:

DIY SASE

Building your own SASE architecture using discrete products allows the most customization but also demands extensive in-house expertise. Sourcing, integrating, operating, and supporting multi-vendor components is complex.

MSSP-Managed SASE

Many enterprises prefer having a managed security service provider (MSSP) build, monitor, and manage their SASE implementation. This simplifies operations but still involves some integration work.

SASE Platform

End-to-end SASE platforms like Zscaler and Cisco Umbrella converge networking and security into a unified cloud service. This approach reduces the heavy lifting required for enterprise IT teams to piece together discrete products.

Comparing Leading SASE Vendors

| Vendor | Pros | Cons |
|---|---|---|
| Zscaler | Full inline security; large partner ecosystem | Requires third-party network integration |
| Cisco Umbrella | Integrated networking and security | Still maturing as full SASE platform |
| Palo Alto Prisma | Strong app security capabilities | Mostly focused on security versus networking |
| Versa SASE | Unified management console | Smaller customer and partner ecosystem |

The "best" option depends heavily on each organization's existing infrastructure, in-house expertise, and business requirements. A network-focused provider like Versa makes sense for a company looking to replace its MPLS connections with SD-WAN. Meanwhile, a security-led vendor like Zscaler fits if the priority is upgrading web and cloud app controls.

No matter the approach, SASE adoption is accelerating as enterprises transform to support distributed cloud workloads. Gartner forecasts that "by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018."

Key Considerations for Selecting a SASE Vendor

Migrating to SASE is a strategic project that impacts networking, security, operations, and budgets. Key criteria for evaluating providers include:

Integrated Networking and Security

Convergence is the driving force behind SASE. Evaluate how tightly integrated each vendor's offerings are end to end.

Cloud-Native Delivery

SASE services should be delivered entirely from the cloud – not as legacy products simply hosted in the cloud. Multi-tenant architecture is preferred.

Scalability and Performance

Solutions must be able to dynamically scale to thousands of sites and tens of thousands of users. Also assess throughput capacity.

Ecosystem Integration

Review which complementary security/networking vendors are supported. API integration options are also important.

Management and Analytics

Unified configuration, monitoring, and reporting is expected. Evaluate available visibility into users, devices, apps, threats, and performance.

Customer Support and Services

SASE simplifies operations but some enterprise expertise is still required. Review partners' customer support models and professional services.

Pricing and Contracts

Compare monthly subscription costs based on expected usage. Contract flexibility is also beneficial as needs evolve.

By taking the time to thoroughly evaluate prospective SASE providers against these criteria, IT leaders can select the right long-term strategic partner to enable workforce transformation and combat intensifying cyber risks.

The Future of SASE

As covered in this guide, SASE convergence is a necessity for securing today's distributed enterprises. Workforces will only grow more mobile, apps and services will continue migrating to the cloud, and threats will get more sophisticated. Legacy network and security architectures simply can't keep pace.

By adopting SASE models that integrate software-defined networking and cloud-native security, companies can confidently embrace cloud transformation. Users gain seamless and secure access to business apps from anywhere on any device. Operations are streamlined through centralized cloud management versus discrete security and networking products.

It's clear that SASE is becoming the norm for enterprise networking and security.