When we go shopping for new clothes, we often select different brands for shoes, shirts/blouses, or pants/dresses. We rarely select a single brand for all these clothing items simply because we want the best brand quality for each of those three categories. Similarly, when it comes to technology, why would we not want the best choice for networking and security technology platforms when it comes to SASE? Does one size fit all?
SASE is the term Gartner coined to describe the Secure Access Service Edge framework that has emerged to define the convergence of WAN and network security functions into a single, cloud-delivered model that will support enterprise digital transformation initiatives. SASE consists of a number of key components as we have highlighted in earlier SASE blogs and videos.
One of the key foundations of a SASE framework is a robust SD-WAN component. So how will enterprises and service providers evaluate and assess the networking and security technology components of a multi-vendor or single vendor SASE technology vendor solution?
For most enterprises, software-defined wide area networks (SD-WAN) have emerged as the technology of choice to evolve existing legacy WANs to a network connectivity architecture that is focused on supporting a cloud-first environment – where the majority of business applications are hosted in the cloud rather than the data center. Advanced SD-WAN solutions like the Aruba EdgeConnect SD-WAN edge platform can reduce networking complexity, improve application performance, and enable more efficient connectivity between users and applications residing in the cloud. Aruba EdgeConnect can be deployed by organizations either as DIY (do it yourself) or as part of a managed SD-WAN service from a managed service provider.
The promise of SASE for service providers is to make it easier to deliver a converged or bundled managed networking and security service. As I wrote in a previous SASE blog, service providers will likely need to revamp their existing siloed (separate security and separate networking) organizational structures to be able to deliver integrated managed networking and security services to enterprise customers, which is really what SASE is all about.
By adopting a SASE architecture on top of their existing transport services, service providers strive to create a managed networking and security practice that can support their customers’ requirements. This enables service providers to accelerate time-to-market with new differentiated services. By owning the transport providing the connectivity to the SASE framework, service providers add value to the end-to-end service. Ultimately, the goal of SASE is to deliver a better end user quality of experience and security for cloud-hosted applications.
Because SASE deployments are in the early stage of the adoption lifecycle, the market will likely see a clear split in approaches. For example, small and medium size enterprises are more likely to be attracted to the all-in-one managed SASE offerings, where simplicity and “one-stop shopping” take priority over advanced capabilities.
On the other hand, large regional or global enterprises will remain unwilling to compromise on security, reliability, or the quality of user experience. They will adopt a dual-vendor approach, pairing a best of breed SD-WAN technology supporting multi-cloud on-ramp access and advanced WAN-facing capabilities, with a fully-fledged, best of breed cloud-delivered security partner delivering secure web gateway (SWG), cloud access security broker (CASB) and zero trust network access (ZTNA) services. When it comes to SASE, there is no “one size fits all” for all enterprises and service providers.
Fig 1. SASE Deployment Options. Check mark = managed; DIY = Do-it-yourself
SASE services may be consumed in a variety of deployment options as shown in Figure 1. These five deployment scenarios highlight how service providers may also be able to offer either managed SD-WAN or managed cloud security services and also support enterprises who implement their own (DIY) SD-WAN or cloud security solution. In a recent Ponemon survey, as shown in Fig 2, 71% of enterprise respondents would select a best of breed vendor when deploying both SD-WAN and cloud-delivered security for a SASE architecture.
Fig 2. Source: Ponemon Institute. The State of SD-WAN, SASE and Zero Trust Security Architectures. April 2021
Service providers must consider offering multiple managed options to enterprises who may be at different stages of their SASE journey. Do they offer the best of breed SD-WAN and best of breed cloud security and hope that the integration between the chosen technology vendors works? How easy is it to integrate SD-WAN and cloud security solutions?
An Aruba EdgeConnect is a best-of-breed SD-WAN platform that has been integrated and proven with the leading network cloud security vendors, including Zscaler, Netskope, Check Point, iBoss, and Palo Alto Networks Prisma Access. This enables service providers to configure, deploy, and offer a SASE service providing their customers the flexibility of cloud-delivered security options without compromising on best of breed technologies. It also enables service providers to offer a solution for the SASE hybrid scenarios (rows three and four in the table above) and potentially offer an existing DIY enterprise a migration to a fully managed SASE service.
SASE is a journey that is just beginning for most organizations, and service providers have been an integral part of the evolution of networking and security connectivity technology throughout history. Service providers should carefully consider the benefits of leveraging the integration of a best of breed SD-WAN platform together with a best of breed cloud security. Taking this approach for SASE will help service providers mitigate the risk of depending on a single technology vendor to supply all the components of their managed SASE service, and it will continue their role as a trusted advisor to their customers.
