
SASE: A New Frontier in Secure Enterprise Connectivity


    You’ve almost certainly heard about secure access service edge (SASE) if you’ve been looking into upgrading your enterprise’s networking solution — or if you’re simply interested in the latest telecommunications trends and developments. But if you’ve asked what exactly SASE is … you may have gotten a number of confusing or even conflicting answers. If you’re trying to decide whether the technology is right for your organization, that’s not helpful.

    Never fear - that's why you're in GTT's Techtorials library. For this entry, we aim to explain the essential tenets of SASE, how it emerged on the scene, its relationship with software-defined wide area networking (SD-WAN), the ironclad cybersecurity capabilities it offers and its potential for widespread adoption in the years to come.

    The fundamentals of SASE

    The simplest way to think of SASE is as something similar to a wide area network (WAN), but one lacking a centralized architecture with a data center at its root. Instead, SASE architecture is based in the cloud. A branch office or individual device would connect to the SASE service edge through various distributed points of presence (PoPs).

    As such, SASE does not have to deal very much with the public internet, aside from its occasional leveraging of public clouds like Amazon Web Services (AWS) and Google Cloud Platform (GCP). It also distinguishes itself from other WAN options through its native advanced network security functions, which are similar to the most cutting-edge cloud security features. (We will discuss these in much more detail below; they include highly advanced encryption and firewalling techniques, among other methods.)

    SASE and SD-WAN are sometimes spoken about together, in part because there is still some murkiness about SASE: It is sometimes touted as an ideal replacement for SD-WAN, which — for reasons we’ll explore later in this Techtorial — is not necessarily true, at least not yet. SD-WAN can sometimes work alongside SASE, or it can function as a core element of a SASE service. The fundamental difference between the two lies in SD-WAN’s leveraging of the public internet (to create the virtualized overlay that serves as its connective tissue), which SASE largely avoids.

    History of the SASE network model

    SASE originated with Gartner: first in the research firm’s mid-2019 Hype Cycle report, and later (in considerably more detail) within the context of a now-famous white paper, “The Future of Network Security is in the Cloud.”

    The latter, written by Neil MacDonald, Lawrence Orans and Joe Skorupa, posited that modern enterprises' security needs and "dynamic access requirements" demanded that they break their dependence on the data center and focus on the cloud. Gartner's analysts dictated many of the core tenets of SASE: the use of a worldwide network of PoPs to connect disparate branch offices and users via the cloud, convergence of high-end security features in a software stack at the edge and heavy emphasis on low latency.

    In some ways, you can look at SASE as a culmination of - or a turning point in - the development of enterprise-scale wide area network (WAN) systems. You can certainly say the technology's evolution is logical given the direction in which global business and communications have trended: Organizations have been thoroughly digitally transformed, their workforces distributed across a mixture of offices, homes and other locations. They are also heavily reliant on numerous software-as-a-service (SaaS) cloud applications, so it makes sense that a networking method so hyper-focused on the cloud would catch on quickly.

    That said, SASE in some ways is still more of a concept than a specific technology. Aside from the conditions MacDonald, Orans and Skorupa set in their Gartner whitepaper, it has not been formally codified or standardized. As such, there is debate about certain aspects of the model: For example, some are adamant that Gartner's focus on the cloud edge means the public cloud cannot be part of a SASE enterprise network, whereas others think hybrid and public clouds are just as useful for SASE as their private counterparts.

    The lack of clarity also means that any major vendor in telecom can say that they are a SASE vendor, when what more than a few of them actually offer are solutions that can best be described as "almost-SASE." Perhaps they observe the SASE network model but have higher-than-optimal latency, or aren't as secure as Gartner's concept would dictate. In other cases, vendors like Fortinet and Palo Alto Networks have taken their security backgrounds to devise SASE platforms that meet or exceed Gartner's (somewhat non-specific) threshold, with Fortinet offering its native SD-WAN solution as part of the package. It will likely be some time before there is a definitive standard beyond Gartner for what is and isn't SASE.

    Security advantages of SASE

    The key features in the security arsenal of any SASE solution worth its salt are as follows:

    • Secure web gateways (SWGs): These portals scan incoming traffic for malicious code, suspicious URLs, malware and other cybersecurity threats, based on parameters established in the network administrator’s security policies. SWGs can help ensure users only have the exact level of access they need for their individual work responsibilities.
    • Cloud access security broker (CASB): Because of CASBs, any gaps in security that might exist in the path between an end user at a SASE access point and a cloud service provider will not threaten confidential data while SaaS apps and other cloud-based tools are in use.
    • Next-generation firewalls (NGFWs): SASE’s reliance on the cloud necessitates firewalls that offer integrated security across both cloud-based and physical environments, which is where NGFWs come in. Depending on the provider, these may be virtualized or hardware-based.
    • Advanced threat protection (ATP): As cyberattackers grow more brazen, the malware they develop becomes more complex and harder to combat. ATP systems combine endpoint security tools, email gateways, anti-malware technologies and other methods to take on cyberthreats from all sources.
    • Zero trust network access (ZTNA): This security solution allows SASE networks to restrict access by identifying users, devices and applications, rather than locations or IP addresses. In an era of remote working, ZTNA has become extremely valuable.
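To make the ZTNA bullet concrete, the following added example (not GTT's or any vendor's code) contrasts a location-based allow rule with a decision based on user, device and application. The policy table, the posture fields and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed legacy rule: anything inside the office range is trusted.
TRUSTED_NET = ip_network("10.20.0.0/16")

# Constructed ZTNA policy: application -> groups entitled to reach it.
APP_POLICY = {
    "payroll": {"finance"},
    "wiki": {"finance", "engineering"},
}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_passed: bool
    device_managed: bool
    device_patched: bool
    app: str
    source_ip: str


def ip_based_allow(req):
    """Perimeter model: network location is the only signal."""
    return ip_address(req.source_ip) in TRUSTED_NET


def ztna_decide(req):
    """Decide on user, device and application; source IP is never consulted."""
    allowed_groups = APP_POLICY.get(req.app)
    if allowed_groups is None:
        return (False, "unknown application")  # default deny
    if not req.mfa_passed:
        return (False, "user not strongly authenticated")
    if not (req.device_managed and req.device_patched):
        return (False, "device posture check failed")
    if not (req.groups & allowed_groups):
        return (False, "user not entitled to application")
    return (True, "allowed")


# Constructed requests: a remote finance user on a managed laptop, and an
# unmanaged device plugged into the office network.
REMOTE_FINANCE = Request("alice", frozenset({"finance"}), True, True, True,
                         "payroll", "203.0.113.7")
OFFICE_UNMANAGED = Request("bob", frozenset({"engineering"}), True, False, False,
                           "payroll", "10.20.5.9")

if __name__ == "__main__":
    for req in (REMOTE_FINANCE, OFFICE_UNMANAGED):
        print(req.user, "ip-based:", ip_based_allow(req), "ztna:", ztna_decide(req))
```

The two models disagree on both requests: the IP rule blocks the legitimate remote user and admits the unmanaged office device, while the identity-based decision does the opposite.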

    Only the most secure SD-WAN solutions stack up to what a fully realized SASE platform can offer. Legacy WANs, including many MPLS networks, don't even come close.

    The cloud access and performance potential of SASE

    Opinions vary on just how much operational capacity and data enterprises have put into the cloud: Estimates made in the late 2010s and early 2020s projected that figure reaching above 80%; available data on public cloud utilization suggests something closer to 50% as of mid-2020. But there’s no denying which way the wind is blowing: toward steadily increasing cloud use.

    This, in turn, necessitates always-on availability for enterprise users, regardless of location - which is exactly what SASE provides in terms of cloud access and performance. Rerouting traffic according to real-time app needs increases performance when end users need it most, and creating PoPs using a combination of colocation facilities, public cloud and private data centers guarantees secure access to the network regardless of location or device.

    SASE is still in its early stages, but with the way things move in telecom, it’s only a matter of time before adoption becomes fairly common. If your enterprise wants to get in on the proverbial ground floor of the technology, get in touch with GTT: Through the underlying strength of our Tier 1 backbone and partnerships with reliably security-focused vendors like Fortinet, Aruba (Silver Peak) and VMware (VeloCloud), we can help you realize truly robust network performance in a world that grows more cloud-centric each day.


      FAQs ABOUT SD-WAN


      Below are some common mistakes organisations make when deciding whether SD-WAN is for them and when choosing a provider:

       

      Overestimating cost savings: It is common for organisations to compare SD-WAN to what they perceive to be alternative options, particularly MPLS, and to look at this from a pure cost perspective. While there are potential cost savings that can result from SD-WAN deployment, the main benefit is that it improves the performance of networks. There is of course an advantage to using MPLS as an underlay for SD-WAN, as this gives both the performance advantages of SD-WAN and the isolation from Internet-based threats offered by MPLS.

      Forgetting about security: SD-WAN may result in data being carried across the public internet, meaning security is imperative. While there are data security features included, such as strong encryption, it is important that SD-WAN is deployed in tandem with a robust security solution to meet your business needs and mitigate potential threats.

      Not giving enough thought to the integration of SD-WAN with legacy systems: SD-WAN needs to be able to work with your existing network and systems. It is important that your implementation strategy takes into consideration any difficulties that may be caused by legacy systems to avoid integration challenges.

      Choosing between DIY options and managed service providers: It can be tempting for organisations to opt for the cost savings that come with a DIY service. While this might work for some, particularly large enterprises with an experienced and highly skilled IT team, this may not be the right choice for the majority. A managed service provider will be able to help develop an SD-WAN strategy and deploy the solution to meet your requirements. There are also options that fall between DIY and fully managed solutions where certain aspects of management may be opened up to you.

      Choosing between the range of choices: Many new SD-WAN providers have come into the market in recent years. It is therefore important to consider exactly what your requirements are before you start engaging with providers.

      With an SD-WAN solution, data can travel across a range of network connections, some of which will be more secure than others. As this will include the use of public internet connections, organisations naturally have questions about the security implications.

       

      With SD-WAN there is a perceived security concern compared to legacy private networks due to the introduction of Internet as transport. In reality this risk is neither more nor less with SD-WAN, and as has always been the case the assessed risk to data in transit should be determined by the underlying access type used. SD-WAN offers a level of built-in security, including strong encryption, but it is important that an SD-WAN solution is complemented by a robust security solution.

       

      For those with security concerns, a managed service provider, with a security product portfolio, might be the best option. These providers can assist in designing a full solution that incorporates SD-WAN and security.

       

      Examples of security products that may be used in conjunction with SD-WAN are:

      –  Next Generation Firewall (NGFW)
      –  Advanced Detection and Response (ADR)
      –  Managed Detection and Response (MDR)
      –  Security Information and Event Management (SIEM)
      –  Cyber Security Risk Assessment (SRA)
      –  SOC Services
      –  Web Application Firewall (WAF)
      –  Endpoint Protection
      –  Proxy Servers

      The primary goal of an SD-WAN deployment shouldn't be to save money, but to provide an enhanced user experience across your network. Whether costs are (or should be) reduced depends on a wide range of factors.

       

      SD-WAN does not replace wide area networks, meaning budget is still required for MPLS, for example. However, there are potential cost savings, as well as productivity improvements, that can be achieved with an SD-WAN deployment. These include the following examples:

       

      Network costs: While SD-WAN won’t replace MPLS, it can result in less reliance on it, therefore reducing outlay.

      Network management: As SD-WAN uses software to make intelligent decisions on traffic routing, it can lead to savings on the physical time it takes to manage networks.

      Faster network speeds: Via fuller use of what were previously backup connections, leading to increased employee productivity.

      Downtime avoidance: SD-WAN can optimise networks to reduce downtime, again increasing employee productivity.

      Latency reduction: With SD-WAN making decisions on the best way of routing data, it can lead to data travelling an alternative route to reduce latency where possible.

      Flexibility: The flexibility on offer means updates can be made quicker.

      There are various steps that should be taken when deploying your SD-WAN solution. Obviously if you're planning to go down the 'Managed Service Provider' route, you should opt for a provider with multiple technology options and they will help you to navigate their different offerings to determine the most appropriate technology. The below is an example of a deployment process:

       

      Planning
      –  Think about integration with legacy systems
      –  Assess your current setup and your expectations of the improvements SD-WAN will provide
      –  Put together a clear statement of your requirements before you start talking to providers

      Initial search for providers
      –  Consider at least three providers based on your requirements
      –  With each provider discuss the problems you are looking to solve and the enhancements you expect to achieve. This will provide them with an opportunity to explain how they can help you meet these objectives
      –  Ensure you choose a provider with access to multiple technology vendors who can talk you through the different options and help you to choose a vendor solution that is right for your specific needs

      Design phase
      –  Once you have decided on a provider, involve them in the design of your SD-WAN solution. They are experts in their field so you can benefit from their experience
      –  Discuss security concerns and required security solutions with your chosen provider
      –  Discuss your plan with internal stakeholders and consider feedback

      Deployment
      –  Consider deploying your SD-WAN solution on some parts of your network first so you can test it and become familiar with it before full deployment
      –  Ensure thorough training is provided to anyone who will be hands-on with the SD-WAN solution
      –  Roll out further only once you are ready

      People often ask what the differences are between SD-WAN and MPLS. However, SD-WAN is not an alternative to MPLS, but it may use MPLS, as well as other connections such as the public internet, as a way of delivering traffic over the most efficient route. To a degree, therefore, SD-WAN and MPLS should be seen as complementary technologies.

       

      An SD-WAN solution will make decisions on the most appropriate connection for data transfer in any particular scenario. In some instances, for example for sensitive data, MPLS will be the preferred route, but in other instances a public internet connection will be suitable. As opposed to exclusively routing data across MPLS connections, this can result in less reliance, and therefore lower spend, on MPLS.
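The path decision described above, sketched as an added example (not GTT's or any SD-WAN vendor's logic). The link names, the measurements and the loss threshold are constructed, and refusing to move sensitive traffic onto an internet link when MPLS is unavailable is an assumption of this sketch, not something the page specifies.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Link:
    name: str
    transport: str      # "mpls" or "internet"
    up: bool
    latency_ms: float
    loss_pct: float


def select_link(links, sensitive, max_loss_pct=2.0):
    """Return the Link to use, or None when policy forbids every available path."""
    # Only links that are up and within the loss budget are candidates.
    usable = [l for l in links if l.up and l.loss_pct <= max_loss_pct]
    if sensitive:
        # Assumption: sensitive flows are pinned to MPLS and fail closed
        # instead of silently falling back to the public internet.
        usable = [l for l in usable if l.transport == "mpls"]
    if not usable:
        return None
    # Among permitted links, prefer the lowest latency, then the lowest loss.
    return min(usable, key=lambda l: (l.latency_ms, l.loss_pct))


def with_link_down(links, name):
    """Copy of the link table with one named link marked as down."""
    return [replace(l, up=False) if l.name == name else l for l in links]


# Constructed sample measurements for one branch site.
SAMPLE_LINKS = [
    Link("mpls-1", "mpls", True, 38.0, 0.0),
    Link("broadband-1", "internet", True, 21.0, 0.4),
    Link("lte-1", "internet", True, 55.0, 3.5),
]

if __name__ == "__main__":
    for label, links in (("normal", SAMPLE_LINKS),
                         ("mpls down", with_link_down(SAMPLE_LINKS, "mpls-1"))):
        for sensitive in (False, True):
            choice = select_link(links, sensitive)
            print(label, "sensitive" if sensitive else "general",
                  "->", choice.name if choice else "no permitted path")
```

With MPLS down, general traffic keeps flowing over broadband while the sensitive flow gets no path, which is the condition an operator would want surfaced as an alert.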

      With an increasing number of providers having entered the SD-WAN market in recent years, choosing the right one for you is not an easy task. Things to consider include:

       

      Geographic reach: For multinational organisations it is important that the solution you choose is able to cope with your international reach, as well as the range of connections (e.g. leased lines, Ethernet, broadband/xDSL, 4G/LTE/5G, etc.) you use to carry your data.

      DIY vs. managed service offerings: Do you wish to implement and manage your SD-WAN solution in-house or do you need the support of a managed service provider? If the former, you need to be confident you have the required expertise and resources (proactive monitoring, troubleshooting, 24/7 support, etc.) in-house. A managed service will be the preferred choice for many, but it is still important to make sure your provider is able to offer all the support you need.

      Flexibility: For some organisations, flexibility is important. For example, you might want the flexibility to re-configure your setup due to changing priorities or changes to your network in future.

      SLA & performance: Having a service level agreement in place can provide you with the confidence that you will receive the level of performance you require.

      Price: While making a choice simply based on cost is rarely the best strategy, it is important that you are getting good value for money. You need to get the right balance between a solution that meets all your business requirements, while avoiding paying for things you don’t need.

      Related Services

      SD-WAN

      Transform your WAN with dynamic network traffic management.

      Firewall as a Service (FWaaS)

      Leverage anti-virus, firewall and anti-malware services all in one scalable solution.

      Secure Web Gateway (SWG)

      Defend against cyberthreats and block access to malicious sites.

      Cloud Access Security Broker (CASB)

      Monitor your cloud environment, enforce policies and mitigate shadow IT.

      OUR GARTNER RATING

      Gartner Peer Insights Reviews
       
       
      As of 20 September, 2024