The Truth About SASE: Everything You Need to Know

SASE stands for Secure Access Service Edge and it’s the newest buzzword being thrown around the network and IT industry. It’s one of those terms that everyone claims to be, few know what it actually entails, and even fewer truly know if they need it. That’s where this post comes in. We’re going to talk about what exactly SASE is, what it includes, and who needs it.

In short, SASE is the convergence of network edge functions and network security into a single service.

Now, here’s the long version:

The Requirements to be a SASE Provider

The word “SASE” was coined by Gartner and, therefore, they were the organization that decided what SASE is meant to include. According to their 2021 SASE Strategic Roadmap, here’s what SASE solutions should include:

WAN Edge services:

  • SD-WAN (Software-Defined Wide Area Network): A device or software that allows for dynamic path selection, load balancing, greater visibility into the network, and more.
  • WAN Optimization: Techniques to improve the transfer of data across a WAN including deduplication, compression, caching, and more.
  • Quality of Service: The ability to prioritize real-time traffic (e.g., voice, video) over other, non-critical traffic.
  • Routing: Selecting a path for traffic to take within a network or across multiple networks.
  • SaaS Acceleration: Optimizing connections to SaaS-based applications such as O365, Salesforce, and more.
  • Content Delivery/Caching: Minimizing delays in loading web-based content by reducing the physical distance between the end user and the server, or caching that data to avoid it having to load multiple times.

Security Services Edge:

  • SWG (Secure Web Gateway): Proxy that provides holistic traffic visibility (via session termination) to filter internet traffic.
  • CASB (Cloud Access Security Broker): Protects access to cloud applications, including firewall, authentication, and data loss prevention (DLP).
  • ZTNA/VPN (Zero Trust Network Access/Virtual Private Network): Software client that provides secure access for users, ideally only to requisite resources.
  • FWaaS (Firewall as a Service): Device that inspects inbound and outbound traffic (typically by packet) to identify and block threats.
  • Remote Browser Isolation: Removing browsing activity from a user’s computer and executing it in a virtual environment.
  • Encryption/Decryption: Converting information or data into a “secret code” to protect that information in transit and at rest, then converting that “secret code” back to the original data when needed.

Most providers don’t offer every single one of these features, so the “core features” that Gartner says a SASE solution requires are:

  • SD-WAN
  • Secure Web Gateway
  • CASB
  • FWaaS

SASE has unfortunately started to become a term that people throw around like hot cakes! Everyone who has an SD-WAN or security platform is claiming to be SASE and it’s hard to fight through all the noise to get through to the truth. That’s what I’ll help you start to do today.

By 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch, and edge access, up from 10% in 2020.

Gartner’s 2021 Strategic Roadmap for SASE Convergence

No One is 100% There

The number one truth that you should know is that right now (as of May 26, 2021), no “SASE provider” has a 100% SASE solution based on the requirements Gartner outlined above. Almost every provider in the SD-WAN and Security space is working their tail off to try and get there as fast as possible, but it’s just not there yet.

Gartner reiterated this statement in their SASE Roadmap Report that I linked above.

I want to make one thing clear before we move on: Even if a provider isn’t 100% SASE, that doesn’t mean they won’t be a good fit for your network and security needs.

I find that when a term like SASE becomes as popular as it has, sometimes people will look at a specific solution and deem it unfit if it doesn’t meet all of the SASE requirements. However, if a solution isn’t SASE because it doesn’t have Content Delivery and you don’t actually need Content Delivery, then it could very well be a fit for you! What I’m trying to say here is that we can’t just look at this technology at surface level. We need to dig deeper into what your actual requirements are and then compare them to what these providers are offering without all the acronym fluff.

Different Types of SASE Providers

There are a couple of different types of SASE providers that we should talk about:

All-in-one providers

All-in-one providers are those solution providers who are doing everything in-house. They own the SD-WAN portion, they own the security portion, and everything integrates seamlessly together. With this type of setup, the end client would have one portal to log into to make policy changes for the SD-WAN, firewall, or anything else.

An example of a provider in this bucket is Cato Networks. Cato was Gartner’s SASE pioneer. They were the example that Gartner used in order to outline what SASE is and what it will be moving forward. Cato’s POP-based SD-WAN solution paired with their cloud-based next-generation firewall and other security services make them a front-runner for many SASE opportunities.

Combination providers

I like to call the second bucket of SASE providers “combination providers” because they take an SD-WAN platform and a security platform, put them together, and sell them as a SASE solution. Oftentimes, this is a gateway or POP-based SD-WAN solution (e.g., VMware VeloCloud) paired with a cloud-based security platform (e.g., Zscaler or Check Point).

An example of a combination provider is CBTS. CBTS is a managed service provider that offers a VeloCloud SD-WAN solution paired with Check Point’s cloud-based firewall. Together, they meet most of the bullet point requirements above to be a SASE solution. CBTS’ value add on top of the technology is that they will help you manage everything from end-to-end, taking some of the complexity out of having two separate platforms/portals.

By 2024, 30% of enterprises will adopt cloud-delivered SWG, CASB, ZTNA, and branch office firewall as a service (FWaaS) capabilities from the same vendor, up from less than 5% in 2020.

Gartner’s 2021 Strategic Roadmap for SASE Convergence

Types of Companies that Need SASE

Once they understand SASE, some companies will instantly jump to the conclusion that they need it, and they need it now! But let’s take a step back. Since SASE is the convergence of network and security, the most obvious type of company that should be considering SASE is one that is in need of a security refresh as well as an improved network. For example, if your firewalls are outdated or clunky to manage and your end users are complaining about internet connectivity speeds and connecting to mission-critical applications, SASE may be the answer to your problems.

Conversely, if you just recently invested in new next-gen firewalls, there’s no need to throw those out because you want SASE. You can get all the other functions listed above with several SD-WAN providers. In general, SD-WAN platforms will work with most firewalls, so keeping the two platforms separate is an option for a transition phase until it makes sense to deploy a full SASE solution. Most SASE providers allow their clients to only use the SD-WAN portion, or only use the firewall portion if that’s all they need.

For example, if you have firewalls deployed today that you want to keep for now, you can get SD-WAN functionality from a SASE provider without turning on the firewall from them. Then, when your current firewalls go end-of-life, simply take those out, and turn on the firewall option from the SASE provider. This is the transition we see a lot of clients doing today.

Additional use cases that make sense for SASE:

  • Companies with work-from-home or remote users (ZTNA/VPN is part of SASE)
  • Companies that are accessing public cloud services or SaaS-based applications (SD-WAN, CASB, and FWaaS are included with SASE)
  • Companies that are tired of having multiple vendors point fingers at each other when something goes wrong. With SASE, security and network edge functions are all from a single provider.

Alternatives to SASE

Just like the scenario I described above, you may have recently deployed either new firewalls or an SD-WAN environment and you’re not sure that it makes sense to completely scrap it and move to SASE. If that’s you, that’s okay!

If you recently deployed new firewalls, consider adding SD-WAN to your environment to help optimize your application traffic, load balance between two circuits, and simplify your WAN.

If you recently deployed SD-WAN and need a firewall refresh, you can simply deploy new firewalls for now, or consolidate security services from a single cloud security provider. By choosing the right cloud security provider, you’ll be able to get FWaaS, SWG, ZTNA, and CASB all from one provider. At that point, you’re 50% of the way to a SASE solution. If you’re going with just firewalls at this point, make sure you check with your SD-WAN Service Provider. Most of them offer some kind of next-gen firewall option to add onto SD-WAN. If not, still check with them because some SD-WAN platforms work better with certain firewalls over others.

I hope this article started to demystify the term SASE for you and gave you a sense of whether or not you should be considering this technology convergence for your company. As always, if any questions come up, put them in the comments below!
