The software-defined wide area network (SD-WAN) has become the de facto standard for connecting dispersed offices so they can communicate with each other. Businesses with field offices, retailers or restaurants with multiple locations, and enterprises have come to rely on SD-WAN for network connections. However, a newer option has emerged: secure access service edge (SASE).
How SD-WAN Works
SD-WAN has two primary elements: an underlay network and an overlay network. The underlay network may consist of only a single connection to the public internet, but in the majority of cases it leverages different combinations of public and private WAN connections. Most often, companies use at least two different connections at each location to create redundancy – if one connection is interrupted or fails, users can still access the network via the other.
The overlay network is created on top of the underlay network. This overlay creates a private, encrypted WAN that connects multiple sites, prioritizes and routes traffic, measures the network’s health, tracks analytics, etc. In the event that a part of the underlay network fails, the overlay has the intelligence to reroute traffic over an alternative path.
One of the reasons that SD-WAN has been the go-to network architecture is that, overall, it makes building a reliable, flexible and intelligent network easy. Models are available that enable businesses and organizations to set up and manage an SD-WAN on their own or contract a third party for this service.
Taking SD-WAN to a New Level with SASE
In the last few years, a new cloud- and security-focused networking option has grown in popularity. In 2019, Gartner named it “secure access service edge” and used the acronym SASE (pronounced “sassy”) for the new approach to network architecture. At its most basic level, SASE is SD-WAN and network security elements rolled up into a single solution. In light of the current cybersecurity landscape, it’s easy to see the appeal of security-centric SASE. Verizon’s 2020 Data Breach Investigations Report states that external attacks on network applications made up 43 percent of all cyberattacks in 2019. In addition, with more people working remotely in 2020 due to COVID-19, hackers targeted newly distributed organizations, betting that they didn’t have adequate security deployed. With SASE, which can include secure web gateway (SWG), cloud access security broker (CASB), firewall, and even zero-trust network access (ZTNA), attacks on the network can be more easily detected and mitigated without the added burden of deploying and managing multiple solutions.
Moreover, users can manage SASE, both WAN traffic and security, from a single pane of glass. Since SD-WAN requires an appliance at each branch office to aggregate multiple ISP/WAN links, SASE can just be a matter of layering network firewall capabilities into the same box to accomplish basic firewalling. However, it can also go well beyond this by delivering analytics, unified threat management and even application layer policies. This is particularly valuable for companies with multiple branch offices or locations with different security solutions deployed at various sites. In addition to reducing the complexity of the network, bundling all of these solutions into one offering reduces the number of vendors the business has to manage.
As a primarily cloud-based offering, SASE requires less infrastructure onsite—which also means less investment in hardware, networking and physical appliances plus lower maintenance costs and less of a burden on in-house IT teams. Also, like other cloud-based solutions, it enables users to deploy a network more quickly and be more agile when making changes or scaling. In addition, users can connect via SASE using a variety of devices, securely accessing the business network from any location.
Points to Consider Before Choosing SASE Architecture
While all elements of IT are important, security has become mission critical and top of mind for most organizations. Because SASE is relatively new in the networking world, you need to ensure that the people designing and implementing the network and security policies have the expertise and experience required. Although many skilled IT professionals are more than capable of setting up an SD-WAN, they may not have the skills or knowledge (or resources) to optimize all of the security elements that will provide an organization with the best defenses. If you choose to outsource SASE to a systems integrator (SI) or managed services provider (MSP), ask about other networks they’ve built and how they manage them. Those with experience in SD-WAN alone may not be the best partners for this project. Also, be aware that some providers offer a SASE bundle of hardware, network deployment, and ongoing services – make sure that the offering they’ve built is a proven, integrated solution and that it will meet your business’s specific needs. The good news is that there are several very strong offerings in the market. Recent M&A activity has seen companies that truly understand both wide area networking and enterprise security come together; Palo Alto Networks acquiring CloudGenix is a great example, as is Cato Networks, which has both strong security and networking pedigrees.
SASE may not be for everyone. For example, large enterprises that may have separate teams managing security and infrastructure may not be ready to merge the two. Other examples where SASE may not be a natural fit are larger organizations that have unique security demands that cannot be satisfied by existing SASE technologies. Additionally, organizations that have made recent investments in edge security infrastructure will likely want to consider SASE a bit further down the road.
However, if you are looking for a simpler way to manage your network, address security, and decrease costs and the burden on your IT team, SASE may be the solution you’re looking for.