Gartner published its seminal report, “The Future of Network Security is in the Cloud" in 2020[1]. Even more hyped than the term “SD-WAN” a few years ago, nearly every SD-WAN vendor and every security vendor is now marketing and messaging about “SASE,” or the Secure Access Service Edge. Gartner coined the term to describe the need for the combination of WAN transformation and security transformation at the edge to enable enterprises to realize all of the benefits – the promises – of moving applications and workloads to the cloud.
To build a SASE architecture, an enterprise might start with just one transformational project, but ultimately, both WAN and security architectures must be addressed. That’s because traditional WAN and security architectures based on routers and next-gen firewalls backhaul cloud-destined application traffic through their data centers or hub sites to keep it secure (see Figure 1). But backhauling adds latency (delay) that negatively impacts cloud application performance.
Figure 1: Traditional network and security architectures backhaul cloud-destined traffic to the data center, adding latency which impairs cloud application performance.
Why not send cloud-destined traffic directly to the cloud and why not do so using the internet together with cloud-delivered security services? That’s what SASE addresses both in terms of transforming networking architecture and security architecture.
Network Transformation
From a network architecture perspective, the SASE model advocates a greatly simplified WAN edge, placing only the network functions required at the edge, ideally within a single platform that unifies the following:
- SD-WAN
- Routing
- Stateful zone-based firewall
- Advanced segmentation
- WAN optimization
- Application visibility and control
SD-WAN offerings are now well-beyond the early adopter stage and continue to be deployed at a breakneck pace.
Security Transformation
When applications are hosted everywhere, and users access them from anywhere and from any device (only exacerbated by the huge increase in remote workers due to the COVID-19 pandemic), the traditional security model must adapt. In the SASE model, Gartner also prescribes that the majority of security services are best served when hosted in the cloud and not on expensive, complex-to-manage next-gen firewalls deployed across branch locations. Keeping the latest threat detection and mitigation capabilities up to date is far easier when centralized in cloud. And just like SD-WAN displaces routers at the branch, cloud-delivered security services eliminate the need for next-gen firewalls at the branch.
Over the course of the past year, a myriad of differing perspectives have been published by vendors and the media alike about SASE including, it’s a replacement for SD-WAN, SD-WAN is dead, and security is the primary function with a sprinkling of SD-WAN features. These misconceptions have led to confusion and a need to clarify the meaning and intent of SASE.
A careful read of the aforementioned Gartner report, as well as follow-on reports from Gartner and other respected analysts, clearly defines SASE as the combination of SD-WAN + cloud-delivered security services; SD-WAN is a foundational component of the SASE architecture. In fact, it’s the synergy between best-of-breed SD-WAN and best-of-breed cloud-delivered security that will ultimately deliver on the vision for a secure access service edge.
Getting Started
So, how should enterprises that have not yet adopted SD-WAN or cloud-delivered security services embark on their journey to implement a secure access service edge?
Aruba recommends starting now with an industry-leading, field-proven, advanced SD-WAN platform such as Aruba EdgeConnect. EdgeConnect fulfills all of the branch wide area network functions as recommended in Gartner’s report as listed above.
And basic SD-WAN functionality falls short; an advanced SD-WAN is required to fully enable SASE. What SD-WAN capabilities are required to implement a robust SASE architecture?
- Identify applications on the first packet and granularly steer them to enforce both QoS and security policies as defined by business intent (see Figure 2)
- Keep cloud application definitions and TCP/IP address ranges up to date, automatically and daily, to always enable accurate and optimal internet breakout
- Automate orchestration between the SD-WAN and cloud-delivered security services from a single console
- Automatically failover to a secondary cloud security enforcement point should the primary become unreachable, avoiding application interruption
- Automate reconfiguration of connections to cloud security enforcement points if a newer, closer location to the branch is deployed to further minimize application latency
- Enable enterprises to adopt cloud security services – and their SASE implementation – at their own pace
- And most importantly, avoid vendor lock-in to provide freedom of choice to adopt new security innovations as they become available
Figure 2: Adaptive internet breakout from the branch delivers the highest cloud application performance and enables granular, consistent security policy enforcement to provide a superior end user quality of experience while protecting the enterprise from security vulnerabilities.
Aruba EdgeConnect is an open WAN edge platform that provides enterprises with the freedom-of-choice to easily evaluate and integrate with any cloud-delivered security service, avoiding vendor lock-in. And Gartner’s “Hype Cycle for Cloud Security, 2020” [2] affirms that most of today’s SASE implementations include two vendors’ network and security solutions.
“By 2023, 20% of enterprises will have adopted SWG, CASB, ZTNA and branch FWaaS capabilities from the same vendor, up from less than 5% in 2019. However, today most implementations involve two vendors (SD-WAN + Network Security), although single-vendor solutions are appearing. Dual-vendor deployments that have deep cross-vendor integration are highly functional and largely eliminate the need to deploy anything more than a L4 stateful firewall in the branch office.”
Aruba proven best-of-breed security vendor integrations include Zscaler Internet Access, Netskope Security Cloud, Check Point Harmony Connect, and Palo Alto Prisma Access.
As interest in SASE increases and SD-WAN solutions mature, cloud-first enterprises can confidently begin their SASE journey today with Aruba. Please contact your Aruba sales partner to schedule a deeper dive and demonstration.
-------------------
[1] “The Future of Network Security is in the Cloud,” Gartner ID G00441737, September 13, 2019
[2] “Hype Cycle for Cloud Security, 2020,” Gartner ID G00448014, August 26, 2020
This blog was published in September 2020 by Silver Peak, which was acquired by Aruba.
