In the first part of my blog series, I provided some background on what Secure Access Service Edge (SASE) is – effectively, IT leadership teams are looking to provide their clients (IT end users) with ultimate mobility to work from home, coffee shops or a traditional office environment and to do so in a completely secure fashion. This has accelerated the melding of the traditional Network and Security teams into a single entity.
In this blog entry, I will look more into the traditional elements to consider, from a network perspective, as an organisation adopts SASE.
The majority of organisations I speak to day-to-day are looking to transform their traditional, expensive, dedicated network infrastructure into a blended model. Many have already adopted a Cloud-First strategy where their end users can access cloud-based applications straight from where they reside, rather than transporting all traffic to a traditional hub and spoke MPLS architecture to reach the internet. Applications, like O365, Salesforce.com, Oracle Cloud can be accessed by the end user at the edge.
This allows IT organisations to “right-size” their expensive MPLS networks and eliminate the latency introduced to the end user by backhauling that traffic across the country/globe.
When going through a network transformation, it is imperative to understand the applications that are paramount to the end user’s success. For those organisations that are still heavily voice dependent – choosing an underlying SD-WAN partner with dynamic path selection, path conditioning and WAN acceleration capabilities is extremely important. We have seen this need accentuated now more than ever with the recent COVID-19 pandemic. Organisations are requiring their employees to work from home and tools like Skype for Business and Teams meetings are now more than ever the norm. Choosing the underpinning technology to support these requirements is paramount for an IT organisation.
It is also important to consider; does the technology have inherent next generation firewall (NGFW) capabilities? And can an IT organisation’s policies be easily applied to the SD-WAN environment, via a central orchestration management interface that provides full visibility into the network?
Lastly, it is important to consider scale. Many SD-WAN technologies are sufficient and certainly less costly dependent upon the number of locations that makeup the transformation. Once the number grows above 10-15 locations, the underlying SD-WAN technology needs to be able to scale. It’s within this scalability, or lack thereof, where a network transformation typically fails. The SD-WAN infrastructure must be able to grow and support the number of tunnels required for branch mesh tunnel configurations.
One of the most elementary considerations in a SASE enabled environment is the ability to leverage the most prevalent and often least expensive network links at the edge where an IT organisation’s clients reside.
Partnering with a traditional network carrier flies in the face of the basic SD-WAN premise of leveraging network links (broadband, ADSL, DIA, 4G, 5G) provided by the local cable company, LEC, or wireless carrier provides ultimate flexibility. Choosing a traditional MSP to provide this flexibility can result in the carrier looking to minimise their revenue write-downs by providing solutions that do not always meet the end client’s requirements. By maintaining a carrier agnostic approach, an IT organisation can meet the bandwidth requirements for their users at the Edge, with SLA backed network links that are orders of magnitude less expensive than a traditional MPLS network.
Typically, I have found that application performance for the end user improves significantly provided you are using the right SD-WAN technology over these less expensive network links.
Many prospects or clients are looking to outsource their network transformations. This ranges from SD-WAN management, SD-WAN and carrier management via letter of authorisation, or a fully managed environment that includes carrier selection and management in addition to the SD-WAN.
It is important for an IT organisation to look for a partner that understands each IT organisations business drivers, applications, and existing capabilities to help define the managed service. It’s also important to partner with someone who understands the business drivers, as well as the different underlying technologies, and is able to marry the two together to help achieve the desired outcomes. Understanding the business drivers, how much involvement your IT staff want to take on and can your preferred partner support the current means of running your business (ITSM integration).
Finally, I would recommend choosing an SD-WAN managed service provider who has a proven track record with global deployments, to meet any future international growth requirements.
In the next blog entry, I will look at the Security elements that when combined with the network elements above, provide a robust SASE environment that provides a Secure experience for your IT end users over a “right-sized” network infrastructure.
Many in IT are familiar with Software-Defined – Wide Area Networks (SD-WAN) or have significant investments in digital transformation. Originally coined by Gartner, SASE: Secure Access Service Edge is the simplification and convergence of wide area networking and security. Delivering both as a cloud service directly to where the end user resides, rather than bringing that traffic back and centralising everything at a corporate data centre level.
The convergence of Network and Security groups that is driving this newfound SASE requirement. SASE is driven by the need for mobility and flexibility for the end user. It must however, equally secure the legacy hub and spoke architectures of a traditional MPLS network. Enabling the end user at the edge also improves application performance. The end user accesses the nearest point of presence for the application. This means that application latency is minimised vs a traditional, centralised, MPLS network where all of the traffic is brought back to a single point (many times across the globe) before traversing out to the internet.
With many enterprises embracing Cloud-First solutions (SaaS applications, Hyperscale infrastructure, Office365 etc.) there isn’t the need to have traffic route back to the Corporate datacenter over expensive, traditional MPLS networks. Rather, enterprises are looking to enable those end users to directly access the internet at the edge. Reaching those applications and using their more expensive network circuits for internal self-managed applications. This means that many clients can “right size” their MPLS environments. And in many cases replace expensive, dedicated circuits with much less expensive broadband or internet circuits. But how do you ensure that those edge locations and the end users are secure?
Cloud-based next generation Firewalls (NGFW), or inexpensive but feature rich embedded NGFWs into the SD-WAN appliances can offer the same level of enterprise security as traditional premise-based FW technologies. Identity Access, Zero Trust, Cloud Access Services Broker (CASB), and Software-Defined Perimeters are additional security solutions which can be layered onto those edge circuits/end user devices to ensure that enterprises maintain an aggressive security posture. These technologies are cloud-based and can easily scale; important considerations for companies heavily vested in mergers & acquisitions or dynamic application requirements.
SASE is a new acronym to many folks. As digital transformation and secure SD-WAN network transformations continue to take place the convergence of IT’s network and security teams will meld. Expect SASE to become an industry-accepted acronym.
In the next two blog articles, I will look more at the intricacies of the network and then the elements around Security in greater detail.