For a while now, you’ve heard me sound off about the importance of factoring security into your SD-WAN evaluation. If SD-WAN is to accommodate the cloud, we must evolve our network security models from centralized Internet gateways to secure, direct Internet access at the branch. Only then can we get away from the backhaul and latency that undermined IaaS and SaaS performance across the WAN.
SASE Defined and Described
Gartner seems to agree. The analyst firm recently introduced a new product category in their “Hype Cycle for Networking, 2019” that describes how security and networking will converge. (You can read the full SASE text from the Hype Cycle in this blog from Cato.) The secure access service edge or SASE (pronounced “Sassy”) envisions an architecture where all of the company’s entities — mobile devices, routers (sites), and cloud resources — connect to and are secured by a managed service running in the cloud. “These capabilities are delivered as a service based upon the identity of the entity, real-time context and security/compliance policies. Identities can be associated with people, devices, IoT or edge computing locations,” writes Gartner.
Unlike a traditional managed service built by integrating appliances, Gartner sees the SASE service as running on a cloud-native, single-pass engine incorporating all of the core security and networking capabilities. These are not the discrete virtual or physical appliances that telcos usually integrate to deliver a service, but software, much like you’d see with AWS or any other cloud service.
And those security capabilities are expected to be all-encompassing. “SASE services will converge a number of disparate network and network security services including SD-WAN, secure web gateway, CASB, software-defined perimeter (zero-trust network access), DNS protection and firewall as a service,” writes Gartner.
SASE Hype is Already Here
Already, the industry is rallying around SASE much the way it did around SD-WAN. Cato Networks today announced that it was selected as a “Sample Vendor” by Gartner in the Hype Cycle. That puts them in pretty sharp company. Only a handful of other networking vendors were mentioned as sample vendors.
Of course, the irony is that no vendor has a complete SASE offering today. Zscaler offers a cloud security service but lacks networking — both in terms of an SD-WAN offering and in terms of a private backbone delivering networking services. Barracuda offers security and networking, but in an appliance, not in the cloud. There’s an enormous difference between an appliance and a cloud-native, multitenant stack.
Cato is arguably closest to Gartner’s SASE vision. They’ve been offering security and networking convergence in the cloud serving sites, mobile users, and cloud resources since their inception. Back in July, Cato also added identity-aware routing. (They had identity for security resources.)
What Does SASE Mean for SD-WAN?
The introduction of SASE should not deter you from selecting SD-WAN solutions, but SASE should be part of any conversation around future direction. Ask your SD-WAN suppliers about SASE and what their plan is to accommodate Gartner’s vision. They should be clear about their ability to support mobile clients in particular. And by supporting, I mean delivering networking and security capabilities to mobile clients wherever they are without requiring backhauling to a central location. Need help with them? Give me a call and let’s talk.