What is SASE? The Future of Hybrid Security or Just the Latest Fad?

Heads up, folks, there’s a new acronym in town: SASE (pronounced “sassy”, apparently).

SASE, or Secure Access Service Edge, has recently been pioneered by well-renowned consulting and research firm Gartner (of Magic Quadrant fame) and it’s being touted as “the future of network security”. This has left many cybersecurity vendors and suppliers clamouring to bring their own SASE solutions to market.

With such high acclaim, you’d think that we’d be fully on board the SASE hype train. But we’re actually quite critical of SASE as cybersecurity trends go.

In order to critique the idea of SASE, we need to understand it. And in order to understand SASE, we need to understand the thing it’s designed to protect: WANs and SD-WANs.



What is a WAN?

A WAN, or Wide Area Network, is a network that operates across a wide geographic area, usually using for-purpose, hard-wired, leased connections that span an organisation’s numerous premises, campuses, and branches. This enables those at other premises to use networked software, servers, and resources exactly as if they were on the same local network.

WANs are incredibly useful, though there are a few reasons why “vanilla” WAN networks have started falling out of favour recently. Firstly, you can most easily connect to a WAN if you are at one of the physical locations where the WAN connection is present. But if you are working remotely, you would need to dial in to a server at one of your premises using a remote VPN connection in order to access the network.

This wasn’t really a problem when everyone was in the office. But now that whole teams are starting to embrace remote working, it puts a lot of strain on remote VPN functions that were only designed to serve a handful of connections at a time.

Secondly, managing network routing (managing how traffic flows through a network) can be problematic on a WAN. If an organisation wants to manage how traffic flows through their WAN, they may need to make changes across multiple devices in order for those changes to take effect.

Even pre-pandemic, businesses have increasingly favoured cloud solutions like Microsoft 365 that are accessed through the internet, rather than static software installed on a central network. But… there’s little point in VPN-ing into a WAN through the internet if you’re only going to use an internet-based cloud tool anyway!

This is where SD-WAN comes in. (Don’t worry, we’ll get to the SASE critique soon!)


What is SD-WAN?

An SD-WAN, or Software Defined WAN, is a Wide Area Network where traffic is intelligently routed across different connection types, including leased lines, broadband internet, and even 4G/5G connections. The “software defined” part of Software Defined WAN refers to software installed on each networked device which takes complete control over how that device routes traffic. This software can intelligently decide how best to reach a given destination – be that networked or online – through a regular WAN connection or securely over the internet.

Where “traditional” WAN networks rely on expensive leased lines between concrete geographic areas, SD-WAN infrastructure allows users to access their company WAN securely from anywhere in the world, so long as they have a broadband or cellular connection.

The SD-WAN software that is installed on each device also connects to a central (often cloud-based) panel which provides control and visibility over the whole network. From this panel, administrators can oversee network use, tweak routing logic, block certain kinds of traffic, and apply security measures, then push those changes out to all users in one go. This level of central visibility and control is virtually impossible on traditional WAN.

This makes SD-WANs a much more future-focused solution. Yet they do present one massive network security problem. Any network needs to secure its “perimeter” – effectively all of the places it “touches” the internet. On a traditional WAN, this is limited to internal routers at each hardwired premises and the routers along their leased connections. But on an SD-WAN, the perimeter consists of all networked devices, wherever in the world they may be!

We therefore need a standardised way of defending this new, nebulous perimeter – and one approach that’s rising through the ranks is SASE. (Phew, we got there in the end.)



What is SASE?

SASE, pronounced “sassy” and short for Secure Access Service Edge, is a network security idea put forward by Gartner in 2019. SASE refers to a centralised, cloud-first cybersecurity WAN concept that builds on SD-WAN by incorporating a number of other cloud-first technologies into a melting pot that maximises both security and functionality. Some vendors have started to sell their own cloud-based SASE solutions.

As we’ll discover shortly, nailing down an absolute definition of SASE is like trying to securely nail a jelly to another jelly. But the term generally refers to WAN security measures that tick the following (rather vague) boxes.

  • Use a single, centralised, cloud-native WAN security and management service that provides flexible, scalable oversight into the network’s usage, security controls, and policy management.
  • This security platform should let you administer local and wide area network security through a shared “single pane of glass” view, providing the same levels of security and control to both types of network.
  • Apply strong identity- and context-led security policies that are “zero-trust” by default, yet informed by defined user groups, offices, locations, risk/trust posture, time of day, etc.
  • Provide each member of a network with high performance security equally, regardless of how they connect to your network.
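
To make the identity- and context-led, “zero-trust by default” box concrete, here is an added example (not code from this article or from any SASE vendor) of a default-deny access decision driven by group, location, device risk and time of day. The rule fields, group names, locations and risk scores are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    groups: frozenset   # identity: groups asserted by the identity provider
    location: str       # context: office name or "remote"
    device_risk: int    # context: posture score, 0 (healthy) to 100 (high risk)
    at: time            # context: local time of the request
    resource: str

@dataclass(frozen=True)
class Rule:
    resource: str
    group: str
    locations: frozenset
    max_risk: int
    start: time
    end: time

def in_window(start, end, t):
    # A window such as 22:00-06:00 wraps past midnight.
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end

def failed_checks(rule, req):
    """Return the names of the conditions this rule does not satisfy."""
    checks = {
        "resource": req.resource == rule.resource,
        "group": rule.group in req.groups,
        "location": req.location in rule.locations,
        "risk": req.device_risk <= rule.max_risk,
        "time": in_window(rule.start, rule.end, req.at),
    }
    return [name for name, ok in checks.items() if not ok]

def decide(rules, req):
    """Default deny: access is granted only if one rule passes every check."""
    return any(not failed_checks(rule, req) for rule in rules)

# Constructed sample policy (hypothetical names and thresholds).
RULES = [
    Rule("finance-app", "finance", frozenset({"london-office", "remote"}), 30, time(7), time(19)),
    Rule("noc-console", "noc", frozenset({"london-office"}), 10, time(22), time(6)),
]
```

Logging the output of `failed_checks` for every denied request gives an audit trail of which context signal blocked access, whichever product ends up enforcing the policy.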

SASE therefore lends itself well to a number of existing – and effective – network security concepts, including next-generation firewalls, firewalling as a service, and software defined perimeters (as per SD-WANs), alongside cloud defence tools like cloud access security brokers (CASB), and secure web gateways (SWGs).

Noble aims indeed, but as we’ll learn, SASE isn’t all it’s cracked up to be – at least in our opinion.


Getting Sassy About SASE

Don’t get us wrong, these measures all make a great deal of practical, cybersecurity sense. However, as a concept – and as the latest buzzword on the block – we feel that SASE has a number of failings…

Everyone’s Definition is Different

One of our main gripes with SASE is that there doesn’t seem to be a single, concrete definition that we can all agree on. When you look at SASE definitions from three mainstream SASE providers – Palo Alto, Cato Networks, and Infoblox – you see slightly different approaches draped around similar, sound network security concepts. All of their suggestions are sensible, of course, but as a concept, it’s all a bit fuzzy and open to interpretation.

The real problem comes when someone who is unaware of this fuzziness suddenly wants to “buy SASE”. SASE refers to a loose umbrella of network security concepts which may not be applicable, practical, or useful to every organisation with a WAN. It makes much more sense to untether yourself from the concept of SASE and consider your organisation’s security needs individually.

Yet alas, we have a number of vendors already advertising SASE solutions – each with their own definition of SASE. Hanging a sale on such a vague concept can lead to buyers expecting something totally different to what they eventually receive – a customer service nightmare!


“Just What We Need – Another Acronym”

SASE does raise a number of very important security considerations for any organisation that uses a WAN. However, it somewhat lazily bundles a number of useful concepts together under an indistinct, buzzword-y umbrella. We feel this haphazard grouping only serves to obfuscate understanding of the separate concepts within.

As industries go, IT is rather acronym-happy. This isn’t a problem when the acronym refers to something with a firm definition and a sensible name like WAN/Wide Area Network and MFA/Multi-Factor Authentication. However, you can’t really make head nor tail of “Secure Access Service Edge” at first glance – we certainly couldn’t. It’s not imbued with any sort of recognisable meaning. It’s just… words.

And herein lies the rub. It’s essential that directors, managers, and those in charge of the purse strings understand precisely what IT security measures they are investing in. Yet SASE doesn’t refer to one specific solution or approach; and once you scratch the surface, you quickly get hit with a barrage of yet more tech-speak. Acronyms are supposed to simplify communication, yet SASE simplifies precious little. It just raises more questions.


Too Much Centralisation is Bad

One of the core tenets of SASE is to use a centralised, cloud-native portal to manage security across the entirety of your WANs and LANs. Though this may sound incredibly convenient on the surface, too much centralisation can set you up for a nasty fall.

We regularly warn clients and prospects against sourcing too much of their network from one manufacturer. Yes, staying true to one manufacturer can make your network easier to centrally manage, but what happens if that manufacturer suffers a crippling supply chain attack designed to compromise their user base? Your entire network could be affected.

But if you use a blend of different manufacturers across your network, the fallout of any one attack will be limited only to its corresponding hardware. As with a lot of things, not having all of your eggs in one basket makes for great damage control. There are tools that you can use to centrally administer your network across vendors, so don’t feel like you have to go all in on one manufacturer!


SASE is Literally Nothing New

SASE is an odd addition to any business’s security arsenal because it doesn’t exactly bring anything new to the table. IDC and IHS Markit criticise SASE because it’s a strictly Gartner-coined term that presents “neither a new market, technology, nor product”. IHS Markit further drub SASE, highlighting a lack of focus on analytics and machine learning. They share our concerns about over-centralisation, too.


Not Enough Focus on Endpoints & Data

SASE is focused on centrally managing hybrid network security environments and it’s based on a lot of sound cybersecurity practices. However, we feel that its trending status may lead some to believe that it’s the latest security panacea to solve all of your remote working security ills. This is not the case.

We’re concerned that some interpretations of SASE won’t go far enough to protect endpoints and data – you know, the two most sensitive parts of any network. Where’s the Advanced Threat Protection? Where’s the Data Loss Prevention? SASE may include some sound security concepts but they’re far from enough on their own.


The SASE Bandwagon is in Motion

SASE is arguably the latest network security buzzword, and an irritatingly marketable one at that. Yet it isn’t a single, “silver bullet” solution; rather, it’s a collection of established, sensible WAN practices which can (and should) be chopped and changed depending on your network needs.

As the term gets around to business owners, some without a technical grounding may feel that they suddenly “need SASE” – even if they don’t have a WAN! The whole confusion around SASE could lead to less scrupulous providers over-selling SASE-related services to firms that don’t really need it, especially suppliers who don’t take a consultative approach. Beware of bandwagons – never jump on them blindly!


Our team are focused on pairing you with the network and cyber security solutions that you really need – not just what’s trending.

If your business relies on a WAN and you want to make sure it’s as secure as it can be, or if you are concerned about network perimeter security in the era of #WorkingFromHome, get in touch!

Our expert team are here to guide you – book a discovery session today!