Why is SASE necessary?
SASE converges all networking and security capabilities into a single-service, cloud-native, globally distributed architecture that shifts the security focus from traffic-flow-centric to identity-centric.
SASE encompasses a package of technologies that embeds security into the global network fabric so it is always available no matter where the user is, where the application or resource being accessed is, or what combination of transport technologies connects the user and the resource.
Modern enterprises conduct business in the client-to-cloud era. Gartner writes: “Network and network security architectures were designed for an era that is waning, and they are unable to effectively serve the dynamic secure access requirements of digital business.”
Gone is the time when employees all worked in a physical building and all corporate resources were resident in private data centers that were both physically and digitally secured.
CIOs of modern enterprises need exemplary client-to-cloud experiences that are secure, reliable, scalable, and simple. These are the requirements that necessitate the capabilities that SASE delivers.
Cloud Adoption
Gartner points out that more traditional enterprise data-center functions are now hosted outside the enterprise data center than in it—IaaS clouds, SaaS applications, cloud storage. The data center is no longer the focal point of access for users and applications. Digital transformation initiatives and cloud adoption have completely changed the enterprise network. In today’s IT world:
- More user work is performed, and more sensitive data is located, outside the traditional enterprise perimeter than inside it.
- More workloads are running in the cloud than in the enterprise data center.
- SaaS applications are used more frequently than locally installed ones.
- More traffic is destined to public cloud services than to the enterprise data center.
- More traffic from branch offices is heading to public clouds than to the enterprise data center.
Consistent Client-to-Cloud Performance for WFA and Mobile Users
Users are connecting from everywhere. After the exigencies of the COVID-19 pandemic there is now widespread acceptance of work-from-anywhere (WFA). Remote users traditionally connected via VPNs, which required VPN aggregation and firewalls at hub locations and data centers. These authenticated users and applied security policies only once, and then granted wide or full access inside the enterprise network. This legacy architecture is hampered by scalability limits, complexity, latency and security threats.
SASE architecture authenticates and applies security policies per transaction, and grants least-privilege access only. This significantly improves performance and reduces the attack surface.
Consistent Policy Enforcement for WFA Users
SASE has cloud-native flexibility to apply consistent policies, at consistent performance, for all users and assets regardless of location—whether resident in a data center, cloud platform, or at a SaaS provider.
Network Perimeter Expansion
The mandate is to secure the edge of the network, as we have long done, but with increasing WFA and SaaS access the edge has become amorphous and blurred. Security policies can no longer succeed by protecting a fixed perimeter. Instead they must follow the user: they must be enforceable wherever the user is, on whatever device is used, and wherever the accessed asset is, and they must protect traffic over Internet access as well as they used to on MPLS. In short, the perimeter has become software-defined, and SASE is the flexible technology to protect an SD-perimeter.
Unmanaged Devices
The WFA trend has exacerbated a parallel trend in workers using their personal devices for business purposes. Today’s personal devices are as powerful and flexible as IT-managed devices and users keep them up to date themselves. IT-managed devices have long been a burdensome IT-team responsibility.
The proliferation of IoT devices adds to the strain of unmanaged devices. Business communications from all devices must be secured at scale and without delay. Traditional WAN security architecture is unfit to achieve this, but SASE can, especially the SASE implementations that require no client software agent.
Sophisticated, Always-Changing Threat Landscape
Threat actors and the tools they use are rapidly increasing in sophistication and ease of use. Just like enterprises, bad actors also leverage the flexibility of the cloud. SaaS architectures significantly lower the bar for relatively inexperienced hackers to launch highly sophisticated and damaging attacks.
With traditional VPN access, a threat actor needs to gain access to the enterprise network only once and can then move laterally, with little or no further security enforcement, to all data and assets. Network segmentation helps mitigate this threat, but SASE protects assets much better because it is transaction-oriented (identity-based authentication per transaction) and grants only least-privilege access.
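The difference between authenticate-once VPN access and per-transaction, least-privilege evaluation described above can be made concrete by comparing what a single identity can reach under each model. The following is an added example, not part of the original page or any vendor's product; the policy table, role names and resource names are constructed, and both access models are deliberately simplified.

```python
from dataclasses import dataclass

# Constructed sample policy: only listed (role, resource) pairs are allowed.
# Anything not listed is denied by default (least privilege).
POLICY = {
    ("finance", "erp"): {"managed_only": True},
    ("finance", "mail"): {"managed_only": False},
    ("engineer", "git"): {"managed_only": True},
    ("engineer", "mail"): {"managed_only": False},
}
# Every internal resource, including one ("hr-db") that no role above may use.
RESOURCES = sorted({res for _, res in POLICY} | {"hr-db"})

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_managed: bool
    authenticated: bool  # does this request carry a valid identity assertion?
    resource: str

def vpn_allows(req, sessions):
    """Legacy model: authenticate once, then every internal resource is reachable."""
    if req.authenticated:
        sessions.add(req.user)
    return req.user in sessions  # resource, role and device are never consulted

def sase_allows(req):
    """Per-transaction model: identity, device and resource checked on every request."""
    if not req.authenticated:
        return False
    rule = POLICY.get((req.role, req.resource))
    if rule is None:  # default deny
        return False
    return req.device_managed or not rule["managed_only"]

def reachable(role, device_managed, model):
    """Resources one authenticated identity can reach under model 'vpn' or 'sase'."""
    sessions, out = set(), []
    for res in RESOURCES:
        req = Request("alice", role, device_managed, True, res)
        ok = vpn_allows(req, sessions) if model == "vpn" else sase_allows(req)
        if ok:
            out.append(res)
    return out

if __name__ == "__main__":
    for model in ("vpn", "sase"):
        print(model, reachable("finance", device_managed=False, model=model))
```

The gap between the two result lists is the exposure that a single compromised credential carries under each model.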
Enterprise Digital Transformation Trends
Digital innovation efforts have side effects, namely dynamically changing network configurations and a dramatic expansion of the attack surface. As a result, traditional security solutions no longer provide the level of speed, performance, security, and access control that organizations and users require.
IT Management Complexity
Installing disparate point products in branch locations is costly, results in sprawl, is complex to manage, and neither enables WFA nor optimizes cloud access. A SASE architecture—with all network and security capabilities embedded in a single software stack—reduces capital investment, frees IT staff to focus on strategic work, enables a coherent security policy deployment, reduces hardware complexity and cost, and moves the enterprise towards the on-demand, pay-as-you-go model that is increasingly prevalent.