Is SASE mere vendor hype? It’s more nuanced than that
There’s no doubt that SASE is being overhyped, but nevertheless the concept holds value that security teams should not discount, according to PA Consulting's analysts.
A common question when discussing secure access service edge (SASE) is whether this is just the latest marketing hype from security vendors. The short answer is yes.
Yet a more nuanced answer is that while SASE is still more hype than reality, it does try to tackle deep-rooted problems that firms encounter when securing their IT estate. So, what exactly is SASE, how might it help organisations and, in the short term, what is likely to hold back its adoption?
What is SASE?
Firstly, SASE is not yet a formally defined concept with an agreed definition or backed by credible standards. Vendors providing SASE products tend to converge on a set definition that closely corresponds to the technologies they already work with.
Most suppliers do agree that SASE is a convergence of network and security services such as SD-WAN (software-defined wide area network), firewalls, threat detection and network access controls. The central idea is that networking and security capabilities will evolve into a single service that can be consumed across both cloud and on-premise. The exact composition of network and security capabilities that constitute SASE will vary between vendors.
What problems does SASE address?
Many firms have responded to a constant evolution of threats by putting point technical solutions in place. This has been accompanied by a trend towards software-defined networking (SDN) and a move from on-premise IT to cloud services and has produced a fragmented set of security and networking technologies. This has increased the cost and complexity of managing an IT estate.
Interoperability between these products is often poor, making it difficult to roll out consistent policies across an organisation or to unify logging and event correlation activities. Disparate sets of technologies also make it more difficult for organisations to assess whether they have a complete set of controls and make compliance activities more challenging.
SASE as a concept addresses many of these challenges, but the question then is: why has it not made greater inroads into the market?
What holds back SASE adoption?
SASE adoption will very much be driven by each organisation’s existing security investment as well as their transformation vision.
We know there is a need for many of the security capabilities covered by SASE in their own right. However, unless you are starting from a greenfield, there will be legacy security implementations to accommodate. These include potential changes to operating models and workforce capabilities to cater for the combined network and security services.
Where there is a cloud transformation, SASE can potentially cover many compliance requirements. Yet buyers need to ensure they are happy to procure all this capability from one supplier and not get caught up in vendor lock-in. Also, using only one provider may mean buyers are forced to adopt less than “best-in-class” security capabilities across the SASE stack, despite the benefits of tight integration.
Given the level of maturity of these products, adopting SASE may not be straightforward for anyone except greenfield organisations. Looking ahead, by understanding and working with these challenges, organisations can lower the barriers to SASE adoption.
What does the future hold for SASE?
The complexity of the challenges facing organisations means there is a case for the simplification of network and security management, and SASE appears to be a strong solution. That said, with the “cloud-first” mindset and the move away from managing large enterprise networks, the convergence of technologies provided by SASE may be competing to fill a gap that organisations are increasingly trying to close in other ways.
We also tend to see organisations that have shifted a significant amount of their environment to the cloud outsourcing the management of SD-WAN while maintaining control of security services internally. This means that the convergence of SD-WAN and security services within a single service offering is not necessarily beneficial, because managing these services in a unified way is not a problem they currently have to deal with.
All this means that unless there is a sudden shift in this mindset, it is unlikely SASE will be adopted in the short term.
In the longer term, as more vendors combine their zero-trust network access (ZTNA) solutions with SD-WAN-type services, providing secure, optimised access to a range of cloud services, there is potential for increased SASE adoption.
This could be as a broker service between cloud providers – offering the network guarantees that traditionally organisations would have looked for in MPLS, and maintaining legacy hybrid environments where these exist. There is also the possibility that major cloud suppliers will offer SASE-type services as part of their licensing model, leading SASE to be absorbed into existing service offerings.