By: Renuka Nadkarni
With digital transformation, users and applications are everywhere, and the traditional network and location-based design architecture is obsolete. Users need flexibility with a hybrid workforce and applications delivered as a service or across multiple clouds. The technology around access control, threat protection, and authorization must evolve into this new paradigm. At the same time, enterprises are looking for agility, meaning rapid application provisioning along with the corresponding network, security, and observability. While IaaS can instantiate a workload in minutes, end-to-end provisioning can take days or even months.
As an example, one of our enterprise customers shared that the service level agreement to provision applications was 24 hours, while the network and security team required two weeks. These disconnects in the deployment of network and security services slow down the business and its ability to operate at the speed of change.
As a lifeline, about three years ago Gartner proposed the Secure Access Service Edge, or SASE, with the promise of built-in cloud networking and security capabilities that can be easily orchestrated with application provisioning. The underlying concept of SASE is based on the twin pillars of Network as a Service and Network Security as a Service. The former includes SD-WAN, optimization, CDNs, and other connectivity features. The latter includes a combination of security features, including Secure Web Gateway (SWG), Firewall, Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). More recently, Gartner defined this security pillar as the Security Service Edge, or SSE, to include SWG, CASB, and ZTNA. But what’s key is the as-a-service aspect of SASE, aligned with the movement to the cloud.
Figure 1: An overview of the architecture
Within the market, the main focus is on the technology underpinnings of SASE – the various networking and security capabilities, and who offers what. Ultimately, to ensure SASE’s success, we need to step back and look at the bigger picture. Delivering the true flexibility promised by SASE and offering choice when needed requires an underlying architecture equipped for this evolution. This requirement has several important dimensions, including technology, operations, sustainability, and cost.
Distributed data plane
With users and applications anywhere, security enforcement must be closer to the source. Security controls should be easily applicable in multiple locations and wherever needed. This approach requires a combination of security applied at the customer site, closer to where the users are, in the cloud, and closer to the destination where the applications are. It must be truly distributed, cloud-native data