SASE Is Only SASE When Deployed in the Cloud
Secure Access Service Edge (SASE) is hailed as the future of network security. However, for organizations and individuals trying to understand what is SASE and how to select a SASE solution, the inappropriate labeling of some solutions as SASE when not deployed in the cloud adds to their confusion and makes it more difficult to select the right solution.
Many SASE Vendors Don’t Understand SASE
SASE is a networking and security solution for the corporate WAN. A true SASE solution combines the networking functionality of SD-WAN with a full security stack in a single, integrated solution. This solution is then deployed in the cloud as a network of virtual SASE appliances called Points of Presence or PoPs. Traffic routed over the corporate WAN enters through the nearest PoP, undergoes security inspection there, and is securely and optimally routed to the PoP nearest its destination where it leaves the corporate WAN and is routed to its target.
The problem with SASE for many traditional vendors is that their core business model is founded on selling physical security appliances. As a result, many of them attempt to sell a physical appliance containing SD-WAN functionality and a security stack as a “SASE appliance”. However, these appliances cannot be deployed virtually in the cloud, meaning that they don’t meet the basic definition of SASE.
Why SASE Needs to Be in the Cloud
The physical vs. virtual appliance debate may seem like a minor detail for SASE. However, SASE must be deployed in the cloud in order to achieve its full potential and fulfill its guarantees. This is true for several different reasons.
SASE is designed to provide optimized routing of traffic over the corporate WAN. Traffic enters and leaves the WAN via SASE PoPs, and the distance from the traffic source or destination to the nearest PoP contributes to network latency. For this reason, SASE PoPs need to be deployed geographically near their users.
As companies increasingly deploy infrastructure in the cloud and support telework, a growing percentage of their IT resources will be located off-site. Attempting to deploy SASE via physical appliances limits the potential deployment locations of the SASE PoPs. As a result, the latency incurred by traffic entering and leaving the corporate WAN becomes significant.
Deploying SASE as a virtualized appliance in the cloud minimizes this latency. For cloud-based infrastructure, SASE PoPs can be deployed in the same data centers, all but eliminating the jump to the nearest PoP. For remote users, PoPs can be geographically distributed in the cloud, minimizing the distance between a user and the nearest PoP.
Organizations’ IT infrastructure is increasingly moving off-premise. SASE must be deployed in the cloud if it is to continue to provide high-performance and low-latency network connectivity.
Patch Management and Maintenance
All software and appliances require updates. Whether these updates are driven by new features or recently-discovered vulnerabilities, applying these patches rapidly is important.
With SASE, patch management can be complex. A well-designed SASE-based WAN will have SASE PoPs that are widely distributed to effectively serve all of an organization’s IT infrastructure. If only SASE PoPs are deployed as physical appliances, sending IT technicians to perform required maintenance and patching for these appliances can be a significant expense. Additionally, “out of sight out of mind” further increases the probability that these appliances will lag behind in required maintenance, making them less usable and more vulnerable to attack.
Deploying SASE as cloud-based virtual appliances dramatically simplifies the patch management process. Assuming that maintenance patching is not managed by the organization’s SASE provider (which it likely will be), it can be automated, enabling an organization to instantaneously deploy patches to all PoPs on the corporate WAN. This not only decreases the overhead for IT and security teams but also minimizes the impact on company productivity due to maintenance-related network outages.
SASE is intended to support an organization’s digital transformation initiatives. This means that it needs to be able to scale to handle all of an organization’s business traffic. The growing use of the Internet of Things (IoT) and the movement of organizations’ infrastructure off-premise means that WAN traffic volumes will continue to increase.
With an appliance-based approach to SASE, the corporate WAN has a set maximum capacity. SASE appliances can only handle so much traffic before they need to be augmented or replaced with additional infrastructure. Taking an appliance-based approach to SASE means that organizations need to choose between over-investing in the short-term or being forced to regularly upgrade and replace appliances in the future.
On the other hand, SASE deployed in the cloud enables an organization to take advantage of the flexibility and scalability of cloud-based infrastructure. This enables an organization to easily scale its SASE infrastructure to meet the expanding needs of the business.
Selecting the Right SASE Solution
SASE is considered quite the buzzword, and many networking and security vendors are attempting to use it to sell products that are not true SASE solutions. When evaluating potential SASE options, look for ones that:
- Contain an integrated security stack. Beware of the use of multiple appliances or the term “service chaining”.
- Are deployed as a cloud-based appliance. Physical appliances cannot meet the needs of SASE. It must be deployed in the cloud.
Any solution that does not meet these two simple criteria is not SASE. Instead, it is an attempt by a vendor to sell a legacy security solution, capitalizing on the SASE buzzword.