Evolving software defined networking to be cloud native, secure and cheaper

With the proliferation of cloud-hosted applications, South African enterprises are adjusting their workforce and the design of their branch network to be perimeter-less and more distributed rather than running enterprise applications from within office-bound VPNs. Employees are more frequently working from home or processing regional data at distribution centres or edge-located mega stores.

From a networking perspective, connecting distributed enterprise resources to private, public or hybrid cloud to reach enterprise containers and SaaS applications demands a shift from a hub-and-spoke topology (branches to central DC via a VPN) to a cloud-native approach.

Enterprises also demand greater security at network, LAN and application level. To manage highly distributed enterprises, companies need to deploy a myriad of resource-intensive appliances: on-prem firewalls or cloud access security brokers behind intensive encryption protocols programmed into VPN or SD-WAN routers. Traditional models also force users to authenticate to centralised security that grants access but may also route traffic through that central location.

This model does not scale. Moreover, this legacy architecture was already showing its age before COVID hit, but now in 2023, its complexity and delay undermine competitiveness.

It boils down to a cost, performance and risk trade-off for CIOs: security means more complexity and slower performance, better performance means compromising security and simplicity, and so on. If only the physical hardware could be a distributed, cloud-based resource?

Introducing sass to networking

The challenge is that SD-WAN uses a networking overlay – an “SD-WAN fabric” – that does not include any of the security and access controls enterprises need to protect and defend their network in a cloud environment. Whereas SD-WAN offers greater scalability than traditional WANs, the Gartner-coined secure access service edge (SASE, colloquially named ‘sassy’) is the new hype: it combines SD-WAN and security functions into a cloud-delivered solution. Enterprises gain the advantage of capacity and elasticity at branch level, deploying SASE as a service.

SASE can be deployed as a service, working with any cloud service including public, private and hybrid clouds. A SASE solution provides mobile employees, branch offices and retail locations with secure connectivity and consistent security wherever they are in the world. It does this by offering companies a single, centralised view of their entire network.

This enables enterprises to quickly identify users, devices and endpoints, apply their networking access and security policies, and securely connect users to their applications and data in a cloud or mobile environment, all while ensuring multi-branch and multi-cloud network security. Once authenticated, users have direct access to the resources, reducing latency for mission-critical or client-facing tasks.

SASE offers greater resilience than native SD-WAN for secure connections from any resource, enriching enterprise WANs with security features such as secure web gateway (SWG), DNS, DLP, API protection, cloud access security broker (CASB), firewall as a service (FWaaS) including built-in DDoS and network privacy protection, traffic dispersion and zero trust network access to facilitate secure network access in cloud and mobile environments.

Other optional capabilities include Wi-Fi-hotspot protection, support for legacy VPNs, and protection for offline edge-computing devices or systems.

Among its advantages, SASE:

  • Provides a holistic view of an enterprise’s network so the organisation can better protect it. Enterprises gain centralised control for things that must remain in-house, such as setting user policies.
  • Simplifies network complexity and management by combining SD-WAN and other networking infrastructure into a single cloud-based platform.
  • Lets providers supply varying qualities of service, so each application gets the bandwidth and network responsiveness it needs.
  • Enables companies to consistently apply security to stop cyberattacks.
  • Reduces costs by allowing companies to use a single platform instead of multiple point products. In other words, enterprises deal with fewer vendors, and the amount of hardware required in branch offices and other remote locations declines.
  • Decreases the number of agents on end-user devices, hence improving utilisation and performance at branch level.
  • Allows users to immediately gain secure access to a company’s network, wherever they are and whatever device they use. IT executives can set policies centrally via cloud-based management platforms, and the policies are enforced at distributed PoPs close to end users.

The ultimate goal of bringing all these technologies together under the SASE umbrella is to give enterprises flexible and consistent security, better performance, and less complexity – all at a lower total cost of ownership.

SASE, rather than SD-WAN, is suited to larger enterprises. However, managed SD-WAN solutions do offer mid-size businesses the template-based deployment they need to control their voice and applications over more affordable broadband networks, especially as they cannot always afford senior network staff.

SASE is a major paradigm shift for both networking and security for the modern enterprise. Vendors are clamouring to evolve their range of networking and security appliances, including SD-WAN routers, firewalls, cloud access brokers and web gateways, to claim a share of wallet as enterprises seek true flexibility, simplicity and cost efficiency.

The feature set will vary from vendor to vendor, and the top SASE vendors are investing in advanced capabilities, such as support for 5G for WAN links, advanced behavior- and context-based security capabilities, and integrated AIOps for troubleshooting and automatic remediation.

Gartner says that by 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services and private application access using a SASE/SSE architecture, up from 20% in 2021.

Wide area networking is evolving from hybrid, to quasi, to sass. As-a-service models are inevitable.

Cover image courtesy Freepik
