Gartner only coined the term SASE (Secure Access Service Edge) two years ago to describe a cloud-based service that combines SD-WAN networking with all the latest security features in a single SaaS product that is easy to manage and deploy.
At the time, SASE, which is pronounced “sassy”, was more of a philosophy or a direction to follow than a real category of products. Few vendors offered a full SASE stack, and when they did, they typically required customers to buy it in chunks, often lots of chunks, with confusing names and overlapping functionality.
Getting to the SASE model would take years, the experts said.
Then COVID-19 hit.
Businesses couldn’t walk into their data centers to install new VPN boxes, and even if they could, hardware shortages and shipping delays meant VPNs were not a practical option.
“Product delivery times have skyrocketed,” said Mike Moore, director of practice development at Insight, a technology consulting company based in Tempe, Arizona.
Some customers haven’t gotten rid of their VPNs completely, he said, but have used SASE to offload much of the traffic. For example, traffic to systems running in on-premises data centers was still handled through traditional VPNs, but traffic to cloud services bypassed the data centers entirely.
“And it gave a better app experience for the users because they weren’t sending traffic through the data center and then to the cloud,” he told Data Center Knowledge.
The SASE model offered an easy alternative. You signed up like any cloud service. Employees downloaded a client to their personal laptop. And you were in business. The process was quick, easy, inexpensive, and scalable.
Adoption has exploded.
A June report from Sapio Research, commissioned by Versa Networks, found that 34% of companies are already using SASE, and 30% plan to do so within the next six to 12 months.
And vendors have started adding missing pieces to fill their SASE technology stacks, either by building new functionality or acquiring other companies.
Product selection has become simpler and easier.
“For early adopters, they had 10, 15, 20 SKUs,” said JJ Safer, manager of security practice development at Insight.
This made it difficult for first-time buyers to adopt the SASE model.
“Now we come down to just two, three or four SKUs,” Safer told Data Center Knowledge. “It’s part consolidation, part consolidation of the technology itself.”
What is the basic SASE stack?
Here are the top five features, according to Gartner:
- SD-WAN: Cloud-based networking is the core functionality of SASE. SASE providers have points of presence around the world, located near corporate data centers, branch offices, devices, and employees, as well as at or near all major cloud service providers. When traffic goes through the public Internet instead of the SASE provider’s secure network, such as the last mile to the user’s home, it goes through an encrypted tunnel. The SASE provider manages the network to optimize delivery of, for example, video conference calls with customers, and blocks malicious traffic and DDoS attacks before they reach data centers or corporate applications.
- Firewall as a service: It is a cloud-based firewall that protects the boundaries of the corporate network, even as those boundaries are increasingly distributed.
- Cloud Access Security Broker (CASB): When employees connect to cloud services like Office 365 from their home computers, CASB ensures that company security policies are always followed.
- Secure Web Gateway: Employees don’t just need access to trusted cloud services like Office 365. They often travel to many other places on the Internet. The secure web gateway ensures that they do not visit malicious sites or try to upload sensitive data to untrusted destinations.
- Zero trust network access: The holy grail of security today, zero trust reorients security around identity rather than location. There is no longer a perimeter of trust, so each connection is considered risky until it is fully authenticated. Zero trust is difficult to achieve in legacy environments, but comes standard with most SASE offerings.
SASE model: new and emerging features
These five key elements were just the start.
Since the start of the pandemic, vendors have innovated at a rapid pace, adding services and tools to their SASE platforms.
- Remote browser isolation: What happens in an employee’s browser window stays in the employee’s browser window. It does not get out to infect their computer or spread to corporate networks.
- Data loss prevention: Is sensitive corporate data leaking to untrusted destinations?
- Automation: SASE vendors have access to huge amounts of data about network issues or cyber attacks, data that can be used to train AI systems to respond automatically. SASE customers also increasingly have access to some of these AI-powered features to customize their own automated responses.
- Observability: SASE providers increasingly make it easier for enterprises to see, at a very granular level, what is happening on their networks, both in terms of network performance and security.
- Endpoint security: Does the employee have malware on their laptop that can infect a network – or a keylogger that can steal their passwords? Is the antivirus up to date? Endpoint security is at the forefront of the war against cyber attacks and is more difficult to achieve when employees are working remotely or on personal devices.
- Direct connections to counterparties: Major SASE vendors are increasingly working with major cloud services like Office 365 and Zoom, AWS and Google Cloud, as well as ISPs and other partners, to improve connectivity speeds and reliability.
Today’s SASE providers have the full stack
As everyone hopped on the SASE train, the vendors stepped up. They built or bought technology to fill in the missing parts, simplified product lines, and made sure all the parts worked together.
At Palo Alto Networks, Prisma SASE billings have grown at a compound annual growth rate of 154%, said Kumar Ramachandran, senior vice president of SASE products at Palo Alto.
Ramachandran was the founder of CloudGenix SD-WAN, which Palo Alto acquired in April 2020. “We were one of the first companies to be sold through a Zoom call,” he told Data Center Knowledge.
Palo Alto itself has grown from less than 100 branches to 10,000 home offices.
Some of its clients have sent tens of thousands of employees, if not more, to work from home.
“The scale is crazy,” he said. “And the vast majority of our customers understood that the new working model was going to be a hybrid, which is the source of one of the biggest acceleration and adoption of SASE.”
Before the start of the pandemic, the transition to the SASE model was expected to take five or 10 years, he said. “SASE was barely a sparkle in most people’s eyes.”
“Then in the last 12 months we’ve seen 10 years of transition,” he said.
At first, he said, users were more forgiving when it came to connectivity issues.
There was a state of emergency and bad connections were tolerated.
“But three to six months later, most people have stopped being patient with it,” Ramachandran said. “This is my job. I am in my office. I expect high quality performance.”
To address this issue, Palo Alto – along with other vendors – added User Experience Management.
If an employee is having trouble signing in to Office 365 or Zoom, where is the problem coming from?
“Is it because their laptop is heating up?” Ramachandran asked. “Is it because they’re sitting in a corner of the house where the Wi-Fi signal isn’t as strong?”
Or the problem could be with the local cable company – or with Zoom itself.
“As part of our SASE solution, we now have this deep visibility and can take steps to automatically adjust,” he said. “Try alternative paths to provide the best user experience.”
SASE installs in on-premise data centers
The initial benefit of the SASE model, and where most companies are deploying it for the first time, is to support new employees remotely.
But, more and more, businesses want to achieve the same usability and manageability features and apply them to their existing wide area networks and on-premises data centers.
“Almost every conversation I’ve had with customers is about SASE,” said Raviv Levi, vice president of cloud security at Cisco. “And the next step that customers are asking us to do is not just remote access.”
They want more of their infrastructure to be connected to SASE, he said, like existing SD-WAN appliances.
“We are constantly working to make this more transparent, consistent and unified,” he told Data Center Knowledge.
“People are looking for simplification,” said Jay Chokshi, director of product management for secure SD-WAN and SASE at Cisco Meraki.
And, like other SASE vendors, Cisco has added features and services, acquired other companies, and forged partnerships to enhance its SASE stack.
For example, Cisco now has more than 2,000 peering relationships with other vendors, Levi said.
It’s no longer enough to have points of presence near corporate data centers and close to customers and employees, he said. “They want to move to Microsoft Office 365 or Salesforce. If you connect directly to these places, the performance is going to be amazing. But it costs money and requires expensive infrastructure to be put in place.”
Transfer staff to the SASE mindset
SASE may be easier to set up and manage than a traditional network, but it still requires specific skills.
But the technology is so new that these skills are not readily available.
To help companies fill this gap, SASE providers offer training and certification programs.
The best known is the free SASE certification from Cato Networks.
The company launched its advanced level 2 version of its SASE certification on September 1, after launching level 1 last November.
As of Sept. 1, more than 1,000 people have achieved Level 1 certification, according to Dave Greenfield, Cato’s director of technology evangelism.
Level 1 certification takes about a day and Level 2 takes about half a day and requires applicants to first complete Level 1. Both are completely free and online.
SASE provider Netskope launched its own SASE accreditation course in June.
The course lasts two days and costs $1,000. It is also online.