SASE Sounds Seductive but Takeup Will Take Time

It’s been a year since Gartner published a paper called The Future of Network Security is in the Cloud. It was the company’s introduction to a new security model called Secure Access Service Edge (SASE). Since then, the pandemic has sharpened many companies’ focus on just the thing that SASE was invented to address: the need for secure access to resources any time from anywhere. So what is it, exactly, and where are we at with it now?

Traditional computing models focus on accessing resources at a company’s data center. Increasingly, though, those resources are in the cloud and people are accessing them remotely, especially when so many of us are working from home. Instead of using on-premises equipment for secure access and other services like content filtering, SASE pulls it all into the cloud. Employees get access to these security services wherever they are.

So far, so good, but we have had managed firewalls, malware scanners and remote access gateways in the cloud for a while now. What’s different is that security and network connectivity services combine to create access and network service profiles for different users. They change based on factors like the user’s identity, where they’re accessing from, what device they’re using, and what they’re doing on the network.

That means one employee might get enhanced quality of service, extra authentication steps and restricted access to corporate applications. Another might be able to get online without the extra hoop-jumping and might have access to more applications, but might not get the same low latency priority. An IoT device might get access to data directly via an API, with extremely high priority to support a real-time analytics app.

All of these sessions run through the same network architecture without having to set up custom appliances to support them, and when admins need to change the rules, they can configure the whole thing from that mythical ‘single pane of glass.’

Talking about mythology, it’s worth looking at SASE’s journey through the Gartner hype cycle, a measure of technology relevance that sounds more like a Tolkien novel the further through it you get. A year ago, SASE sat at the far left of the cloud security hype cycle, at an innocuous-sounding stage known as the innovation trigger. This is the coming-out stage of the technology, where it debuts as a concept and everyone gets to grips with it.

A year later, SASE has climbed to the fancifully-named peak of inflated expectation. This is the second stage of the cycle, where people talk it up so much that they think it can do everything.

From this point, according to Gartner’s research model, SASE must continue its quest through the trough of disillusionment, where people decide that it can’t do anything, emerging triumphant but chastened to climb the more modest slope of enlightenment, when people realize that it can do some things well enough, but not everything. Anywhere between five and 10 years from now, it should reach the plateau of productivity, where people get comfortable with it, and it gains widespread adoption.

What stands in its way? People have to get comfortable with a lot of things. One of the first is SD-WAN, which applies the same principles that we saw in software-defined networking (SDN) to wide-area networks, enabling you to define services in software that can be applied anywhere rather than configuring them manually on proprietary network hardware. That gives people more control over their networks, enabling them to flex capacity up and down and configure connectivity and security services from within the cloud infrastructure.

Another thing that people will have to grapple with is their legacy security technology stack. Many companies have spent years building complex security frameworks with solutions from different vendors, most of which sit on their own premises.

It might make sense to replace these ‘Frankenstacks’ with single-vendor solutions hosted in the cloud, making the whole thing more manageable for a set monthly fee, but that doesn’t mean everyone will do it right away.

For one thing, those devices represent a lot of sunk investment that accountants still need to depreciate. For another, it’s a big strategic move with broad implications – one doesn’t just dismantle a kingdom overnight, and anyway, there’s this whole pandemic thing on, which is making companies a bit nervous.

So yes, the coronavirus has definitely shone a light on SASE, but don’t expect a mass migration yet. Many companies are still working out how to clean up the mess that people made when they took their PCs home in taxicabs six months ago. There’s a long way to go before we reach cloud security nirvana.
