Ingredients for a True Cloud First & Customer First SASE

Gokul Thrivikraman Nair
Feb 18, 2021

In less than 18 months from when Gartner coined the term, ‘SASE’ (Secure Access Service Edge) has become the central talking point of every WAN transformation discussion. We have seen every networking and security vendor in the market aggressively investing in its SASE portfolio, organically or through M&A. Last week, Aryaka announced its acquisition of the Germany-based security start-up Secucloud, underlining the fact that SASE convergence is not a myth anymore. Aryaka will be integrating Secucloud security technologies into Aryaka’s Cloud-First WAN architecture to provide a seamless managed SASE experience for our customers.

In the wake of this development, one of the important questions that I have been answering is: Do the SASE convergence and consolidation happening in the market mean that vendor partnerships are dying out?

Breaking the suspense right away, I would state that partnerships in the SASE space will continue to be key to any vendor’s success. While everyone understands SASE as the convergence of Networking, Security and Cloud, there is an additional magic ingredient that forms the fourth pillar of a successful SASE solution, which is to be Customer First. And there is a great correlation between vendor partnerships and their Customer First value proposition too!

In this blog, I would like to throw some light on the ‘four’ key pillars of SASE and how critical the ‘partnership’ dimensions of SASE are for every SASE vendor in the landscape.

What is Secure Access Service Edge (SASE)? Gartner describes SASE as the convergence of Network as a Service and Network Security as a Cloud Service.

Have we seen a convergence of Networking and Security in the past? Yes, as far back as 2004–2005, when the UTM (Unified Threat Management) segment was created. UTM stood for the convergence of networking and security in a single on-premise appliance.

So which dynamics of the UTM landscape would you expect to repeat in the world of SASE? Clearly, it will be the consolidation of several functional capabilities from the networking and security domains into a single vendor solution. Just as web security, IPS, antimalware, firewall and routing functions were consolidated in a UTM appliance, SASE calls for the consolidation of capabilities such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB) and Firewall as a Service (FWaaS), along with SD-WAN and ZTNA (Zero Trust Network Access). Today you will see that leading market players in the SWG category are adding native CASB and ZTNA capabilities, while CASB leaders are adding SWG and ZTNA. We also see that most Firewall vendors have started hosting their Virtual Next Gen Firewall offerings in public cloud and provide a combined FWaaS + SWG + VPNaaS offering as SASE, while acquiring smaller CASB/ZTNA assets to beef up their SASE portfolio.

So, how is SASE convergence different from UTM?

UTM convergence meant the integration of routing capabilities into a multi-layered security appliance. It was more or less a ‘porting’ of routing capabilities, and of interfaces supporting different WAN connectivity options (MPLS/Internet/Cellular), into a unified security appliance.

So what does a UTM/NGFW vendor need to transition to SASE? The simple answer is ‘Cloud’, but it is anything but simple. To be fair, Cloud is a ‘domain expertise’ just like networking and security.

On the WAN side, cloud adoption was the major trigger that led to the birth of SD-WAN a few years back. Today, SD-WAN is undoubtedly the primary networking ingredient needed for completing SASE core capabilities.

As you know, traditional WAN deployments leveraged MPLS transport to connect users in branch offices to the data center where the applications typically resided. MPLS transport ensured guaranteed application performance between users in branch offices and the applications hosted in the data center. In this traditional architecture, internet traffic from branch offices was also backhauled to the data center for a secure internet breakout through the firewalls there.

With applications moving to public cloud, customers needed to access their apps optimally and securely anywhere, whether on-prem or in the cloud, while ensuring the best application experience. This brought ‘SD-WAN’ technology into prime time. With the massive growth of internet-hosted apps for entertainment and Unified Communications, local internet breakout from the branch offices became the norm in traditional SD-WAN deployments. This necessitated a distributed security model for providing Secure Internet Access from branch offices, bringing in the class of ‘secure SD-WAN’ offerings. Moreover, experience with SaaS apps has led customers to expect a ‘cloud hosted Management Portal’ delivered as a SaaS service alongside SD-WAN services too.

Thus, vendors started adding the ‘Cloud and Security ingredients’ to their SD-WAN and networking architecture, involving:

  1. Cloud Management Portal as a ‘ready to consume’ service, without needing DIY installation by customers
  2. Extending the SD-WAN fabric into Public cloud using Virtual Form factors
  3. Optimizing the connectivity into SaaS Apps from Branch offices
  4. Integrating SD-WAN with distributed security offerings to achieve ‘Secure SD-WAN’. This was achieved through either (1) a single appliance providing SD-WAN + UTM capabilities (referred to as a ‘Branch heavy’ security architecture), or (2) service chaining the SD-WAN branch platform with a Cloud Secure Internet Gateway offering (referred to as a thin-branch, heavy-cloud security architecture).

So what’s new for SASE, compared to Secure SD-WAN?

First and foremost, SASE believes in the shift from a Branch Centric to a User Centric view. And this is a big shift. Rather than optimizing connectivity and security only for branch site environments, SASE calls for providing the best app experience and pervasive security for the ‘User Anywhere’. It is precisely this user angle that has fast-tracked the evolution of SASE, with the pandemic locking down most office spaces and the world starting to adopt ‘Hybrid Workplaces’ as the new normal.

The second key differentiator for SASE is being Cloud-Native. Born in the cloud, SASE provides customers with the true benefits of agility, scalability and high availability expected of a ‘Cloud-First WAN’.

So, what would a Cloud Native architecture for user anywhere SASE look like?

Yes, a SASE architecture will have a globally distributed footprint of Points of Presence (POPs) in close proximity to users anywhere, providing the best application experience and pervasive security capabilities!

So let’s understand how a SASE architecture would provide the best application experience for users anywhere.

Most SD-WAN solutions are optimized for branch connectivity, leveraging MPLS for applications that need performance guarantees. First of all, MPLS is anything but agile. Waiting 120 days to bring up a circuit is not what a ‘Cloud-First WAN’ experience is expected to be. But more importantly, you cannot extend the benefits of MPLS to remote users to achieve SASE. Sorry, an on-prem VPN concentrator connected to an MPLS circuit is definitely not scalable or distributed and hence not SASE: this legacy architecture cannot grow elastically with customer needs without a rip and replace.

A SASE architecture typically addresses the application experience challenges by providing a private backbone core, with WAN optimization capabilities, connecting its POPs across the globe. The private core will provide MPLS-like or better-than-MPLS SLAs for carrying application traffic from one part of the globe to another. Users anywhere can connect to the nearest POP over the direct internet. SASE POPs also offer ‘VPN as a Service’ for onboarding remote users in a secure way. Yes, that means your global deployment is up in a matter of hours or days, instead of months. Please note that the private core should provide not only an uptime SLA, but also a guaranteed performance SLA in terms of packet loss, latency and jitter, as you are attempting to replace the need for MPLS.

Today, there are only a few vendors in the market, such as Aryaka Networks, who offer a global high-performance private core with a performance SLA as part of their SD-WAN capabilities. Most of the SD-WAN vendors in the market are still partnering with Cloud Service Providers (CSPs) to use the CSP backbone as the private core, which is a key component of a complete SASE solution.

Now, looking from the angle of security, the cloud-based Secure Web Gateway (SWG) vendors of the world have already been providing ‘User Centric’ security with a POP-based architecture for Secure Internet Access, as an integral part of the ‘Secure SD-WAN’ partnerships, for the last 5 years. The primary challenge for SWG vendors in providing a complete SASE is figuring out how they can provide the best application experience for users anywhere, considering that most SWG vendors do not have a branch footprint device in their own portfolio today. Without the branch edge device, there is no way for the SWG vendors to provide last-mile SD-WAN capabilities such as dynamic path selection for applications. For this reason, all SWG vendors are partnering heavily with SD-WAN vendors even today.

Firewall vendors, on the other hand, enjoy a branch footprint, which is an advantage over Cloud Security vendors. But the cloud exposure of Firewall vendors is mostly limited to having a Virtual Machine (VM) form factor of their firewalls that can be hosted in public cloud. As a result, these vendors typically host their virtual firewalls with a public Cloud Service Provider in order to gain the POP footprint. They also leverage the public Cloud Service Provider backbone for providing global application experience. So in short, Cloud Service Provider partnerships are key and integral components of the ‘native’ SASE strategy of most Firewall vendors as well.

Thus you can see that while SASE is bringing convergence of some technology elements of SD-WAN and security, it is also adding more technology elements into the mix, necessitating more vendor partnerships.

Now, coming to the last (but not the least) pillar of SASE: Customer First! It is very clear that with the convergence of the 3 technology domains in a SASE solution, the complexity of consuming a SASE solution is not going to be trivial. With multiple touch points, technology domains, and vendor solution integrations, the operational overhead for a customer doing it all by themselves is going to be daunting. This is clearly an invitation for Managed Service Providers into the SASE game, as undoubtedly all industry projections are validating unprecedented growth for Managed SASE services with the ongoing convergence.

It is also worth noting that SASE brings together multiple customer personas, i.e. customers’ network buying centers and their security buying centers. A change in vendor preference (security or network) does not happen overnight for our customers. This means we will continue to see customers demanding multi-vendor SASE integrations from the networking and security sides! Yes, the customer is still the decision maker and the forcing factor! Customers are looking to their trusted service providers to deliver SASE in a truly SaaS-like consumption model, while providing flexibility and choice. That is indeed the ‘Cloud First, Customer First’ SASE model!

That’s why I would say Aryaka is the true ‘Cloud First & Customer First’ WAN company for you, uniquely positioned for success in this market with a true POP-centric SASE architecture that provides the best application experience and pervasive security for users anywhere, delivered as a fully managed ‘ready to consume’ offering for customers. Yes, we continue to believe in providing customers with the utmost choice and flexibility in their security deployments, and are committed to continuing our technology and managed service provider partnerships for market-leading security vendor offerings such as Check Point and Palo Alto Networks, simply because Aryaka is ‘Customer first’!

Visit our website to learn more about Aryaka SASE offerings:
