Secure access service edge (SASE) architecture rolls networking and security into a cloud service, making it easier for enterprises to provide simple, secure access to corporate resources, but it’s still in its infancy.
Vendors and service providers sell offerings that they call SASE, but what they actually provide and how they provide it varies widely.
SASE is expected to grow significantly and rapidly, with Dell’Oro Group projecting it to have a compounded annual growth rate of 116 per cent from 2019 to 2024. And the Covid-19 crisis has “absolutely” accelerated that momentum, says Gartner analyst Nat Smith. Gartner projects that 60 per cent of SD-WAN customers will have moved to SASE by 2024, compared with about 35 per cent in 2020.
Potential benefits include easier network and security management, flexibility to scale up or down as business needs require, and lower costs. “SASE is one of those technologies that gives you the ability to be able to better handle disruptions in the future,” Smith says.
Gartner presents a lengthy list of technologies and features that might be included in a SASE service, including latency optimisation, routing, caching, deduplication and geographic restrictions. On the security side, Gartner includes data loss prevention, web application firewalls, threat detection, encryption, and remote browser isolation, among others.
There is no minimum set of these elements that must be included in order for a service to be considered true SASE, says Smith. “It’s more of a framework than an architecture,” he says. “If you’re going through a checklist, then you’re missing what SASE is about. It’s more about evolution.”
Nevertheless, Gartner does name five essential SASE elements: SD-WAN, firewall-as-a-service (FWaaS), secure web gateway, cloud access security broker (CASB), and zero trust network access, also known as software-defined perimeter. “These five segments, as they continue to evolve, are collapsing into one thing, and that becomes SASE,” he says.
Today, offerings marketed as SASE may be driven by service providers that include greater or lesser feature richness as well as by hardware vendors who bundle their gear with cloud services.
SASE vendors may also provide client hardware or software for end users, network appliances for enterprise data centres, distributed network backbones and points of presence (PoP), DDoS protection and CASB platforms.
There are hardware vendors moving in this direction, he says, that qualify as SASE vendors without offering all five features. “I don’t think there’s a clear or obvious vendor that’s doing better than any of the others.”
For hardware vendors, there can be some significant challenges, he says, especially if they are transitioning from a hardware-based product model to one based on service subscriptions.
With hardware sales, for example, the revenues mostly come at the beginning of the relationship, instead of on monthly payment cycles. That means changes to the way sales staff is compensated and to how company cash flow is managed. There will also be disruptions to channel partnerships.
“The vendors are going to have a lot of challenges,” he says. “You might think for the long term it evens out, but it’s a very radical change for most sales teams to go through.”
Right now, though, there are services labeled SASE that are in the cloud, and those that are on-premises. Here are brief descriptions of what some have to offer.
Best known for its global content-delivery network, Akamai has 4,000 PoPs around the world, giving it proximity to end-users and to data centres. Akamai already offered secure web gateway and zero trust network access.
CASB is available through a third-party partner, the company says, and customers have to provide their own FWaaS and SD-WAN. The company is working to add security for all outbound traffic to guard against malicious activity within a couple of quarters.
Aruba, a subsidiary of Hewlett Packard Enterprise, is focused on hardware for the network edge including edge access, but is working to flesh out its SASE offering. It lacks PoPs and security as a service, according to Paul Kaspian, the company’s senior manager of security product and solutions marketing. So the company partners with Zscaler, and with others including McAfee, Symantec and Check Point, for cloud security.
A Barracuda spokesperson says the company offers most of the components necessary for SASE, starting with SD-WAN and including network security services such as FWaaS, IPS, malware scanning, content filtering, advanced threat protection, DDoS protection, and zero trust network access. The only piece missing, the company says, is CASB. There, customers need to bring their own.
Cato is a vendor highlighted in Gartner’s SASE whitepaper, and claims it has more than 600 SASE customers. It says its business was built to be cloud-native from the start. Cato Cloud service includes FWaaS, CASB, secure web gateway, and zero trust network access. Its Cato Socket, a feature of Cato Cloud, can provide SD-WAN services.
During spring 2020, Cisco stitched together its WAN, security, and edge computing services into a single cloud-native SASE package. Gartner called it “a solid roadmap to deliver increasing security capabilities in an integrated fashion, driving toward a SASE architecture.” That package is a combination of Cisco SD-WAN and Cisco Umbrella services plus Cloudlock CASB as well as zero trust security through its acquisition of Duo Security.
Forcepoint offers the complete SASE security stack as a service and has more than 160 PoPs globally, says Ravi Srinivasan, the company’s vice president of solutions and platform marketing. It can provide SD-WAN, but also partners with customers’ existing deployed networking services. Forcepoint partners for remote browser isolation.
Gartner says Fortinet’s SASE includes all the SASE elements, including SD-WAN (Fortinet Secure SD-WAN), FWaaS (FortiGuard Security Services for FortiGate Next-Generation Firewalls), cloud-access security broker (FortiCASB), secure web gateway (FortiGate SWG), and zero trust security via its acquisition of OPAQ Networks in July 2020.
Masergy services are available both in the cloud and on-prem, and it says its Managed SD-WAN Secure platform offers most of the basic SASE security stack including FWaaS, CASB, and a secure web gateway. The company says it is building its own zero trust network-access capability. Masergy offers artificial-intelligence- and machine-learning-based security optimisation.
Netskope claims its business has grown more than 80% year-over-year thanks to its SASE technology and that it meets Gartner SASE requirements for CASB (Netskope CASB), secure web gateway (Netskope Nxt Gen SWG), and zero trust network access (Netskope Private Access). It doesn’t have FWaaS but can provide SD-WAN through partners including Aryaka, VMware VeloCloud, Silver Peak (Aruba), and Versa Networks.
Palo Alto Networks
Palo Alto Networks is building part of its SASE expertise via acquisition, such as its purchase of CloudGenix, which has SD-WAN expertise. Other SASE features are already part of Palo Alto’s Prisma Access, which includes FWaaS, CASB, and zero trust network access. Palo Alto is partnering with Google Cloud or AWS for needed cloud infrastructure.
VMware is drawing on its existing services for the five core capabilities Gartner says SASE should have and bundling them as VMware SASE Platform. The elements are SD-WAN (VMware SD-WAN), zero trust access (VMware Secure Access), CASB and secure web gateway (VMware Cloud Web Security), and FWaaS (NSX Firewall as a Service).
Zscaler was already positioned well to become a SASE provider, according to Gartner’s Smith, with its zero trust networking. It can provide FWaaS (Zscaler Cloud Firewall), secure web gateway (Zscaler Internet Access), zero trust network access (Zscaler Private Access), and CASB (Zscaler Cloud Access Security Broker). It’s missing SD-WAN but provides that via partners, offering “one-click integration” and “integrated onboarding and management.”