Navigating the SASE maze
Ciaran Roche
Co-Founder and CTO, Coevolve | SD-WAN, SASE and Multi-Cloud Networking technology specialist
Since the term was first proposed by Andrew Lerner of Gartner in late 2019, SASE has rapidly become one of the hottest enterprise networking technologies. It seems to come up in almost every vendor presentation, and most clients and prospects I meet with are asking about it.
One of the most common questions we're asked at Coevolve is how to choose a SASE solution, and how the many options on the market stack up against each other. This is a valid question - just as we saw in the early days of SD-WAN, each vendor has appropriated the term to some extent as they align its definition to their own product feature set. Understandably this has created some confusion for the enterprise buyer, as it can be challenging to directly compare offerings and identify gaps. Rather than revisiting the definition itself, I thought it would be helpful to look at some of the common SASE use cases and challenges that we've heard from clients that are trying to navigate the rapidly-growing maze of options.
Building on an SD-WAN foundation
One of the most common scenarios we encounter is helping clients identify a plan to evolve from an SD-WAN environment to one that includes SASE components. SD-WAN is primarily a networking technology, and many early deployments depended on legacy firewalls or other security infrastructure. A migration to a SASE architecture can allow these appliances to be phased out, reducing the amount of hardware (and associated maintenance, etc.) in the network and potentially providing a more direct path to the Internet. This works particularly well if the enterprise uses SaaS applications extensively, as backhauling traffic to data centers or other hubs can be very inefficient.
SASE solutions that incorporate strong SD-WAN functionality are particularly important in this use case. SD-WAN provides highly capable link aggregation, traffic steering and policy management, and these functions continue to be important in a SASE environment. By combining the technologies, the enterprise can continue to progress the network architecture from the SD-WAN model, adopting an 'as a service' approach to many of the key security functions like secure web gateway and content filtering.
Supporting a distributed workforce
The drastic changes in network usage patterns that were driven by COVID-19 caused many enterprises to scramble to re-architect their environments to support large-scale remote work. As we move forward into what looks like a longer-term hybrid model for many businesses around the world, it's important to build an environment that is fully optimized for these usage patterns. Again, there are some excellent benefits that SASE solutions can deliver to address this, as remote users can be fully supported without having to aggregate their traffic on appliances inside the network. Cloud-based SASE services can improve performance for the distributed user base, and related technologies like Zero Trust Network Access can allow for secure, identity-driven access to internal applications.
The 'best' model here really depends on the individual enterprise - how many users are there, how widely are they distributed, what applications do they need to access, and so on. Integration with the on-premises environment also needs to be considered. Another complexity that some enterprises need to deal with is whether they will provide small appliances to be deployed at individual user locations - this can add functionality (like a consistent corporate Wi-Fi SSID, better performance management, etc.) but can add significant cost and management overhead.
Integrating network and security functions
This final topic relates to a challenge that many enterprises face when looking at SASE solutions. By definition, the technology consolidates two functions - network and security - that were historically separated. Not just separated from a product perspective, but often within the enterprise environment itself. I've met with many global enterprises where the security and network teams had minimal interaction, and operated with separate budgets, procurement cycles, and leadership teams. The integrated nature of SASE can raise some issues in this type of environment; sometimes the network team wants to move to a next-generation SD-WAN or SASE solution to replace legacy network infrastructure, but the security team just finished implementing next-generation firewalls at key locations. It becomes essential to understand how the functionality (and associated cost) of a SASE solution can be ramped up over time as existing services become eligible for replacement, instead of a 'big bang' approach to implementation.
Very few people I've spoken with think it makes sense for these two functions to remain separate over time - security really is becoming an integral part of the network, and vice versa. But the timing can be problematic in some cases, and does not often perfectly align with how many SASE offerings are intended to be implemented.
Navigating the options
All of these topics are examples of what our team at Coevolve discusses on a daily basis with global clients and prospects. Just as we did in the early days of SD-WAN, we keep an open mind about the pros and cons of the different flavors of offerings in the market, and our clients value the broad expertise we can bring to the table.
This is a key element of the Coevolve approach that we'll continue to focus on - adding our own value over and above the underlying technologies and vendors that make up our solutions. We believe this is a critical role for next-generation managed service providers like Coevolve, and it differentiates us from most of the competitive offerings in the market. As always, if there is anything we can help with in this area or elsewhere, please let me know!