We’ve seen quite a few vendors claiming to offer secure access service edge (SASE) solutions since Gartner first introduced the architecture to the market last fall. Some vendors have come from the networking space but many of the biggest companies — Netskope, Palo Alto, and Zscaler — have their roots in security.
With SD-WAN firms, we’re often worried about their security capabilities. SD-WAN works best when security is integrated into the network and not just bolted on. Security firms have a similar issue, but in reverse. They’ll talk to you all day about their threat protection, NGFW, and other protection capabilities, so much so that it’s easy to forget that, as a SASE provider, they also need to deliver on the network.
What networking questions should you be asking? Good question — and that’s the first one. Here are five more that we at SASE Experts ask but first, let’s talk SASE.
SASE is Security AND Networking
As we’ve spoken about, SASE is being seen as the successor to SD-WAN. It creates a single network that secures and connects all of your endpoints — mobile devices, offices, IaaS, SaaS, PaaS, and IoT devices — into one global network.
SD-WAN is, after all, a replacement for legacy WANs, and, as such, connects sites. By contrast, SASE connects and secures sites and the new tenants of the enterprise – IoT devices, mobile devices, and the cloud. Remote-access VPNs that for so long have been separate from the WAN (and SD-WAN) go away, and mobile access becomes just another way of accessing the SASE network. So, whether your users sit in offices or on the road, anywhere in the world, SASE is meant to bring them one network that delivers the optimum network experience with just the right degree of security.
SASE is clearly in its infancy and no single vendor today delivers all SASE capabilities. With that said, there are certain core functions that even immature SASE offerings should provide. These four essential attributes are:
- Global SD-WAN Footprint. SASE service providers should be able to provide a low-latency, global SD-WAN service, such as by operating over a global private network, not just the public Internet.
- Distributed Inspection and Policy Enforcement. Security inspection and policy enforcement should occur primarily in the cloud.
- Cloud-native Architecture. A SASE service should use a converged, multi-tenant cloud-native software stack, not discrete networking and security devices service-chained together.
- Identity-driven. Security and network access are delivered based on user identity, not an IP address.
As should be very clear, SASE includes the underlying network as well as the security stack. It’s the ability to deliver both seamlessly that separates SASE from a pile of networking and security appliances service-chained together. Check out our SASE page for a more detailed description of SASE.
Five Network Questions to Ask Your SASE Provider
When evaluating SASE solutions, then, you need to look at both the security and the networking capabilities of the providers. Since SASE starts with “security,” too often networking gets short shrift. What kind of networking capabilities should you be looking for in a SASE solution? Here are the five questions we ask:
#5 Universal Connectivity: Do you offer the “edges” to connect all end-points into your SASE service?
The SASE provider should deliver an SD-WAN appliance or VM for connecting sites; client or clientless access for mobile users; gateways for native cloud connectivity; and the means for connecting IoT devices. SASE providers are supposed to provide all of those connectivity options across any transport, including MPLS services, for hybrid WAN configurations. Relying on third-party SD-WAN appliances opens the way for additional integration or external management services, which is exactly what SASE was meant to eliminate.
#4 Native Cloud Connectivity: How will you connect cloud resources into the SASE platform?
The SASE provider should be offering cloud connectivity as part of their SASE offering. This means that there should be cloud gateways for dropping the SASE traffic right at the cloud provider’s doorstep, as it were. It also means that the routing algorithms should differentiate between cloud applications and route the traffic in the most optimal way. The cloud, whether applications or data centers, should be treated no differently than any other resource on the SASE service.
#3 Overcome Last-Mile Outages: Do you have the QoS, loss correction, and other last-mile technologies needed to overcome connectivity problems to the SASE backbone?
If SASE is to become the network for the complete enterprise, the SASE service must overcome the underlying networking issues that have prevented companies from replacing their MPLS with the Internet. Like any good SD-WAN solution, then, the SASE SD-WAN edge device should offer the basic functions needed to overcome last-mile instability: technologies such as QoS, error correction, active/active links, and dynamic path selection.
#2 Middle-Mile Replacement: What will you do to ensure a consistent middle-mile experience worldwide?
If SASE is going to replace MPLS, and it’s supposed to do that, then the SASE provider should offer a backbone solution that will deliver the predictability, capacity, and latency characteristics needed for enterprise-grade communications. There’s some wiggle room here. The SASE provider might have optimized peering across the public Internet and not necessarily a private network backbone. They might have to rely on the public Internet but have an integration arm that’s ensuring the network meets your requirements. But one way or another the vendor needs to have thought through the latency and transport issues, particularly across the long haul, where the delays of the public Internet are most commonly felt.
#1 Network Management: What sorts of tools do you offer to monitor and manage my network infrastructure?
Configuration is something you do once; management is something you do every day. Integrating security into the network isn’t only meant to make configuration and deployment simpler, it’s also meant to make management easier. The SASE provider must deliver you one dashboard and suite of tools for managing your security and network infrastructure.
You should have deep visibility into and control over your network performance from the application layer and down. You should be able to see the routing tables, the applications across the network, and the underlying latency, jitter, and packet loss metrics down to the individual circuits. And you should have real-time tools for diagnosing networking problems. All tools should let you use the same set of objects and parameters as those in the security domain.
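As an added illustration of questions #3 and #1 (this is example code written for this article, not code from the post or from any SASE vendor): a hypothetical SD-WAN edge derives per-circuit latency, jitter, and packet-loss metrics from constructed probe samples and picks a path per application policy, which is the kind of per-circuit visibility and dynamic path selection the two questions ask about. Circuit names, probe values, and the policy thresholds are all constructed.

```python
"""Per-circuit metrics and dynamic path selection (illustrative, constructed data)."""
from statistics import mean, pstdev

# Constructed probe samples per last-mile circuit toward the SASE PoP:
# each sample is (rtt_ms, lost). Lost probes still carry a timeout value.
SAMPLES = {
    "mpls-1":  [(22, False), (23, False), (21, False), (24, False), (22, False)],
    "fiber-1": [(12, False), (13, False), (40, True), (11, False), (45, True)],
    "lte-1":   [(60, False), (80, False), (55, False), (120, False), (70, False)],
}

# Constructed per-application SLA: maximum acceptable latency, jitter, loss.
POLICIES = {
    "voice": {"latency_ms": 100, "jitter_ms": 30, "loss": 0.01},
    "bulk":  {"latency_ms": 500, "jitter_ms": 200, "loss": 0.05},
}


def circuit_metrics(samples):
    """Latency = mean RTT of delivered probes, jitter approximated as the
    population std dev of those RTTs, loss = fraction of probes lost.
    A circuit that dropped every probe is reported as unusable (inf, inf, 1.0)
    rather than raising on an empty RTT list."""
    rtts = [rtt for rtt, lost in samples if not lost]
    loss = sum(1 for _, lost in samples if lost) / len(samples)
    if not rtts:
        return {"latency_ms": float("inf"), "jitter_ms": float("inf"), "loss": 1.0}
    return {"latency_ms": mean(rtts), "jitter_ms": pstdev(rtts), "loss": loss}


def select_path(app, samples_by_circuit, policies=POLICIES):
    """Return the lowest-latency circuit whose metrics all satisfy the app's
    policy, or None when no circuit currently meets the SLA (so the caller can
    alert rather than silently steer the flow onto a failing link)."""
    policy = policies[app]
    eligible = []
    for name, samples in samples_by_circuit.items():
        m = circuit_metrics(samples)
        if all(m[key] <= policy[key] for key in policy):
            eligible.append((m["latency_ms"], name))
    return min(eligible)[1] if eligible else None


if __name__ == "__main__":
    for app in POLICIES:
        print(app, "->", select_path(app, SAMPLES))
```

The lossy fiber circuit is excluded for both applications despite having the lowest raw RTT, which is exactly the kind of signal a per-circuit dashboard needs to surface.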
SASE is a Network After All
Security specialists often dismiss the network as, well, just the network. But anyone who’s spent time deploying a global network knows that even without the CLIs of a Cisco there remains an awful lot of complexity in building out a global network. A SASE solution must be able to address that complexity — or otherwise, it’s just not very sassy at all.