As we get ready to wish the term SASE a happy 4th birthday, it seems odd that there is still a great deal of confusion in the market about what SASE really is and how it relates to a ‘Zero Trust’ architecture. For many, SASE is a framework for secure network design; for others, it’s seen more as an architectural approach to delivering Zero Trust.
So why do we have this confusion when Gartner defined SASE back in 2019? From my perspective, vendor marketing has caused some of this confusion. Many vendors have adapted their messaging to leverage the hype created around the term SASE and, moreover, how their solutions deliver Zero Trust.
So what is SASE? And can it help deliver a Zero Trust model for your organization? The answer, like so many things in life, is – it depends.
If we break it down, SASE is just a set of technologies you can put together to secure your network and deliver a Zero Trust approach to network security. As your network topology, security policy, and application delivery requirements are unique, how you leverage so-called SASE technologies must be unique to you. Therefore, before embarking on any SASE project or considering the move to a Zero Trust architecture, it is imperative that you know your network and have clearly identified your technical, operational, regulatory, and commercial objectives.
In my experience, most firms have a really good idea about what their requirements are and, often, what they don’t want. However, as Donald Rumsfeld once said: “As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know.”
This is where it helps to work with a partner, and I emphasize a partner, not a vendor here, to create a detailed Solution Requirements Document (SRD), ensuring that the unknown unknowns are addressed and accounted for when selecting technology vendor(s) and architecting a solution.
When selecting technology vendor(s), one key consideration is the importance of consolidation. I have seen some organizations trying to deliver Zero Trust by using Next Generation Firewalls from ‘Vendor A’ in critical locations, layer 4 Firewalls in small offices from ‘Vendor B’, cloud-based proxy services for remote users from ‘Vendor C’, and native security from Cloud and SaaS providers.
The cost and complexity of creating and deploying consistent least-privilege access policies for a hybrid workforce in that type of environment do not bear thinking about. Even Gartner now recommends keeping to one or possibly two vendors and predicts that 80% of enterprises will have adopted a strategy to unify web, cloud services, and private application access using a SASE/security service edge (SSE) architecture by 2025.
However, choosing and using a technology are two very different things, and while SASE solutions from ‘Vendor A’ and ‘Vendor B’ might tick all the boxes on paper, how they deliver in the real world is often very different. For example, some solutions use a proxy, while others provide inline security functionality. This impacts how least-privilege access can be maintained once a session is running. The best approach is to run a Proof of Concept with clearly defined success criteria based on your Solution Requirements Document.
In summary, I cannot stress enough the importance of working with a partner that will help you to understand your network and requirements, work with you to navigate the marketing claims, and engage in a detailed Proof of Concept to verify that you can trust the SASE solution you have chosen.
Author: Brett Ayres, VP of Product, Teneo