SASE is gaining steam. A global study found that 34 per cent of security and IT decision makers have already adopted SASE (secure access service edge) and another 30 per cent plan to do so by the middle of next year.
I also noticed a bigger buzz about SASE at this year’s SecTOR cybersecurity conference in Toronto. There were three sessions on SASE this year (up from just one in 2020), so I attended one to get a handle on why it’s gathering momentum right now, potential challenges to adoption and guidance for organizations considering a SASE strategy.
SASE is getting a major boost from the pandemic-related shift toward hybrid work, according to Cisco’s Najib Hatahet. In his presentation at this year’s SecTOR, Hatahet said 82 per cent of workers will perform their jobs in a hybrid model after 2020, which makes connecting enterprise users to applications a lot more complex.
The era of having “everything in a single data centre to enforce (security) policies” is over, said Hatahet, global SASE go-to-market lead at Cisco.
By moving access control to the edge, SASE helps deliver secure access anywhere, anytime, which seems ideal in a hybrid work situation, Hatahet said. He added that the increased popularity of cloud during the pandemic is also sparking interest in SASE, which helps integrate cloud-delivered networking and security — which he believes have been operating as silos.
“SASE is about network ops and security working together,” Hatahet said. Sounds like IT bliss. But as with any emerging tech, SASE is bound to encounter some growing pains in its infancy.
Obstacles to adoption
Since the whole concept has only been around for two years, it’s worth revisiting how it was originally defined by Gartner.
“SASE is a new package of technologies including SD-WAN, SWG, CASB, ZTMA and FWaaS as core abilities, with the ability to identify sensitive data or malware and the ability to decrypt content at line speed, with continuous monitoring of session for risk and trust levels,” Gartner’s Andrew Lerner explained in a 2019 blog post.
“These capabilities are delivered primarily as-a-service and based upon the identity of the entity, real time context and security/compliance policies … shifting the focal point to the identity of the user and/or device — not the data centre,” Lerner wrote.
One obstacle to adoption, however, could be a lack of understanding about what the heck it really is. In the same survey we mentioned earlier, only 31 per cent correctly identified SASE from a list of possible definitions. That led the researchers to conclude that “despite rapid uptake of SASE, the majority of IT and security professionals surveyed remain confused about its true meaning.”
Even if you do know what it is, other barriers may get in the way of implementing it. As analysts from PA Consulting recently pointed out in Computer Weekly, that old nemesis legacy IT is just one of them.
Integration is another stumbling block when adopting new technologies like SASE. At SecTOR, Hatahet suggested a way to tackle that: look for a complete, integrated SASE architecture, ideally by avoiding products from multiple vendors.
Sounds like just the thing a major vendor like Cisco would recommend, right? Perhaps. Yet Gartner also cautioned against a patchwork approach to SASE two years ago.
“Be wary of vendors that propose to deliver (SASE) services by linking a large number of features via VM service chaining, especially when the products come from a number of acquisitions or partnerships. This approach may speed time to market but will result in inconsistent services, poor manageability and high latency,” Lerner warned in his original 2019 blog post.
Which brings us to the conundrum all enterprises face when adopting emerging tech: missing the boat vs. vendor lock-in.
The lock-in debate
The idea is that if your organization waits too long to get in on the Next Big Thing, it risks being left behind. If you jump in way too fast, however, you risk getting locked into a long-term contract with just one vendor.
Quickly opting for one vendor eases some integration headaches in the short term. But will it quash your chance to add on new features as they’re introduced to the market by other vendors?
It’s a catch-22 sized up this way by analyst Martin Kuppinger in another Computer Weekly piece: “If SASE is a one-stop shop, then the risk of being locked into the approach of one supplier — sometimes with a few selected partners — is big. SASE needs to evolve to become an open, flexible, standards-based architecture, where different providers can be easily combined. This is still a long way off.”
While you’re waiting for that day to come, how can you get started on your SASE journey while maintaining flexibility for your future needs?
The way forward
Hatahet closed his SecTOR presentation by advising enterprises to pose three questions to themselves while assessing any SASE solution:
- Does it address the top use cases you’ve identified for your organization?
- Does it include critical capabilities you need?
- What’s your future vision?
That third question may prove the most helpful in addressing vendor lock-in concerns. Your current needs may change in the future; SASE offerings will definitely change in the future. Perhaps that’s what Lerner had in mind when he penned this advice in his 2019 blog post:
“We recommend short-term SASE contracts of one to two years maximum as licensing models are in flux. Favour SASE vendors that offer the simplicity of identity/entity-based subscription licensing (not based on bandwidth) across all offerings.”
In his SecTOR talk, Hatahet also recommended subscription as a flexible consumption model for SASE that can be scaled up or down as business needs fluctuate. According to the aforementioned article by analysts at PA Consulting, the market itself may ultimately end up fluctuating in a very similar way.
“(There’s) the possibility,” they predicted, “that major cloud suppliers will offer SASE-type services as part of their licensing model, leading SASE to be absorbed into existing service offerings.”
That’s the thing about adopting new IT. It’s like filling an urgent prescription to ‘hurry up’ mixed with a healthy dose of ‘wait and see.’ Every enterprise must decide how much of each it can stomach.