Looking to adopt SASE? Here's what you should consider first.
15th April 2020
In the first part of my blog series, I provided some background on what Secure Access Service Edge (SASE) is – effectively, IT leadership teams are looking to provide their clients (IT end users) with ultimate mobility to work from home, coffee shops or a traditional office environment and to do so in a completely secure fashion. This has accelerated the melding of the traditional Network and Security teams into a single entity.
In this blog entry, I will look more into the traditional elements to consider, from a network perspective, as an organisation adopts SASE.
The majority of organisations I speak to day-to-day are looking to transform their traditional, expensive, dedicated network infrastructure into a blended model. Many have already adopted a Cloud-First strategy where their end users can access cloud-based applications straight from where they reside, rather than transporting all traffic to a traditional hub and spoke MPLS architecture to reach the internet. Applications, like O365, Salesforce.com, Oracle Cloud can be accessed by the end user at the edge.
This allows IT organisations to “right-size” their expensive MPLS networks and eliminate the latency introduced to the end user by backhauling that traffic across the country/globe.
When going through a network transformation, it is imperative to understand the applications that are paramount to the end user’s success. For those organisations that are still heavily voice dependent – choosing an underlying SD-WAN partner with dynamic path selection, path conditioning and WAN acceleration capabilities is extremely important. We have seen this need accentuated now more than ever with the recent COVID-19 pandemic. Organisations are requiring their employees to work from home and tools like Skype for Business and Teams meetings are now more than ever the norm. Choosing the underpinning technology to support these requirements is paramount for an IT organisation.
It is also important to consider; does the technology have inherent next generation firewall (NGFW) capabilities? And can an IT organisation’s policies be easily applied to the SD-WAN environment, via a central orchestration management interface that provides full visibility into the network?
Lastly, it is important to consider scale. Many SD-WAN technologies are sufficient and certainly less costly dependent upon the number of locations that makeup the transformation. Once the number grows above 10-15 locations, the underlying SD-WAN technology needs to be able to scale. It’s within this scalability, or lack thereof, where a network transformation typically fails. The SD-WAN infrastructure must be able to grow and support the number of tunnels required for branch mesh tunnel configurations.
One of the most elementary considerations in a SASE enabled environment is the ability to leverage the most prevalent and often least expensive network links at the edge where an IT organisation’s clients reside.
Partnering with a traditional network carrier flies in the face of the basic SD-WAN premise of leveraging network links (broadband, ADSL, DIA, 4G, 5G) provided by the local cable company, LEC, or wireless carrier provides ultimate flexibility. Choosing a traditional MSP to provide this flexibility can result in the carrier looking to minimise their revenue write-downs by providing solutions that do not always meet the end client’s requirements. By maintaining a carrier agnostic approach, an IT organisation can meet the bandwidth requirements for their users at the Edge, with SLA backed network links that are orders of magnitude less expensive than a traditional MPLS network.
Typically, I have found that application performance for the end user improves significantly provided you are using the right SD-WAN technology over these less expensive network links.
Many prospects or clients are looking to outsource their network transformations. This ranges from SD-WAN management, SD-WAN and carrier management via letter of authorisation, or a fully managed environment that includes carrier selection and management in addition to the SD-WAN.
It is important for an IT organisation to look for a partner that understands each IT organisations business drivers, applications, and existing capabilities to help define the managed service. It’s also important to partner with someone who understands the business drivers, as well as the different underlying technologies, and is able to marry the two together to help achieve the desired outcomes. Understanding the business drivers, how much involvement your IT staff want to take on and can your preferred partner support the current means of running your business (ITSM integration).
Finally, I would recommend choosing an SD-WAN managed service provider who has a proven track record with global deployments, to meet any future international growth requirements.
In the next blog entry, I will look at the Security elements that when combined with the network elements above, provide a robust SASE environment that provides a Secure experience for your IT end users over a “right-sized” network infrastructure.