With so many companies claiming to offer secure access service edge (SASE) solutions, I’m frequently asked, “What exactly is a SASE offering?” We discussed the security part of the answer in our last post, now let’s take a look at the networking capabilities.
As you’ll recall, SASE is intended to be one network for the complete enterprise or, as Gartner put it in The Future of Network Security Is In The Cloud: “SASE offerings will provide policy-based ‘software-defined’ secure access from an infinitely tailorable network fabric in which enterprise security professionals can precisely specify the level of performance, reliability, security, and cost of every network session based on identity and context.”
Let’s take that apart:
The Infinitely Tailorable Network Fabric
SASE is expected to be one network that interconnects the complete enterprise. Yes, you’re still going to have different technologies — SD-WAN to connect sites, clients (or clientless access) to connect mobile or remote users, VPN for third-party devices and IoT, and virtual appliances or native integration for SaaS and IaaS. Different technologies are appropriate for different challenges. But the configuration, management, and reporting are all done from one console.
This also means that SASE must be available wherever your users are based. As such, SASE is conceptualized as a service delivered globally. It’s true that many appliance vendors are claiming to have SASE solutions, but those solutions are often being delivered by providers offering secure SD-WAN services that look an awful lot like a SASE service.
The biggest difference between the two? Putting aside any specific feature differences, the biggest difference is architecture. Appliance-based services require the configuration, deployment, and integration of discrete appliances. There’s a cost involved, whether on the part of the provider or the enterprise.
SASE platforms, ideally, in Gartner’s world are cloud-native. As Gartner puts it in the recent “Hype Cycle for Network Security, 2020”: “True SASE services are cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.” The emphasis on cloud-native is because, historically, cloud-native platforms have led to lower operational costs and greater agility.
Highly Available to Meet Business Critical Needs
As a network fabric for the complete enterprise, SASE platforms must have sufficient uptime and consistency to support all applications and use cases, from the least important (random web browsing) to mission-critical ones. This means not only that the architecture should be resilient, but that the resilience should be adaptable to the given application or environment.
Specifically, the SASE offering should have:
- Hardware redundancy and failover throughout the network to provide sufficient uptime for all use cases. Some sites or applications may not require full redundancy; others will. The option should at least be available to deploy as necessary.
- Path resiliency: the ability to assess multiple paths to a destination, select the optimum path at any given time, and fail over to alternate paths depending on line conditions.
Optimum Performance For Every Application
The other part of an “infinitely tailorable network fabric” is being able to deliver the optimum possible performance for each session. To achieve that goal, organizations first need network connections with the performance characteristics to meet the needs of the most stringent application, regardless of location. For this, SASE should have:
- Low latency global connectivity, typically though not necessarily in the form of a private, global backbone.
- Bandwidth optimization through deduplication and compression to minimize the data that needs to be sent and maximize available bandwidth.
- Latency optimization to minimize the effects of latency on protocol performance through a variety of techniques, such as proxying connections.
- Packet loss mitigation to reduce packet loss, particularly in the first mile where it is so common.
SASE offerings also need to be able to set and implement performance policies for every session. To do so they need a mechanism to deliver necessary performance levels in both the last- and middle-mile:
- Deep Packet Inspection (DPI) to identify the application behind a session.
- QoS and traffic shaping to implement application policy in the last mile.
- A management console to stipulate application policies.
Identity and Context are Key
Ideally, SASE offerings will be able to assess cost, selecting the lowest-cost paths for a given application. In reality, the use of affordable Internet capacity often makes such calculations unnecessary. What isn’t unnecessary, though, is the importance of tying networking and security policies back to the identity and real-time context of the user.
Users today move between the office and the road, and as they move, so does the risk posed to the organization. A user working from a corporate device in the office likely poses far less risk than the same user working on a third-party device in a Starbucks Wi-Fi hotspot. The ability for policy to reflect the user’s identity and real-time context is important in creating an agile, powerful network fabric.
To deliver on those goals, look for SASE to integrate with your directory services, such as LDAP or Active Directory. The identities contained in the corporate directory should be usable throughout the networking and security policies. Policies should also be able to consider the device being used, the user’s location, and the other elements comprising real-time context.
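To make the identity-plus-context idea concrete, here is a small, constructed policy engine (an added example, not code from this post or from any SASE vendor). It takes directory group membership, device type and location as the session’s identity and context, decides the access level, and then picks a path for the DPI-classified application from live paths against a per-application SLA, failing over when line conditions degrade. The group names, application classes and SLA thresholds are hypothetical.

```python
"""Toy SASE policy engine: identity + real-time context decide access,
the DPI-classified application decides the path (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Path:
    name: str
    latency_ms: float
    loss_pct: float
    up: bool = True            # line state reported by path monitoring

@dataclass
class Session:
    user: str
    groups: frozenset          # group memberships pulled from LDAP / Active Directory
    managed_device: bool       # corporate-managed endpoint vs third-party device
    location: str              # "office" or "remote"; hypothetical context attribute
    app: str                   # application class identified by DPI

# Per-application SLA: (max acceptable latency in ms, max acceptable loss in %).
APP_SLA = {"voice": (150.0, 1.0), "erp": (300.0, 2.0), "web": (1000.0, 5.0)}

def risk_score(s: Session) -> int:
    """Same identity, different risk depending on device and location."""
    score = 0
    if not s.managed_device:
        score += 2
    if s.location != "office":
        score += 1
    return score

def access_decision(s: Session) -> str:
    """Combine directory identity with context: 'allow', 'mfa' or 'deny'."""
    if "finance" in s.groups and s.app == "erp":
        # Sensitive app: managed devices only, step-up auth when off-site.
        if not s.managed_device:
            return "deny"
        return "mfa" if risk_score(s) > 0 else "allow"
    return "deny" if risk_score(s) >= 3 else "allow"

def select_path(app: str, paths: List[Path]) -> Optional[str]:
    """Lowest-latency live path that meets the app SLA; if none meets it,
    the lowest-loss live path; None when every path is down."""
    max_lat, max_loss = APP_SLA.get(app, APP_SLA["web"])
    live = [p for p in paths if p.up]
    if not live:
        return None
    ok = [p for p in live if p.latency_ms <= max_lat and p.loss_pct <= max_loss]
    chosen = min(ok, key=lambda p: p.latency_ms) if ok else min(live, key=lambda p: p.loss_pct)
    return chosen.name
```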
SASE continues to be a work in progress. The features we’ve talked about here are still just the tip of this complex new area. To dive deeper and learn more about the other features in SASE, how SASE offerings compare, or to discuss ways of prioritizing SASE features for your deployment, drop us a line or sign up for our free WAN Jumpstart Kit, where we explore these very issues.