Cisco’s SASE Vision – Is it the best approach for enterprises?

SASE Secure Access Service Edge

If there was ever a question about enterprise networking and security moving to the cloud, it was answered last month at the Cisco Live conference. Here you had Cisco, the preeminent proponent of appliance-based architectures, talking about how the future of IT infrastructure lies in the cloud.

Through slick slides, Cisco laid out a compelling vision for SASE and why enterprise IT leaders are and will be going to the cloud with SASE. But beneath the Cisco glitz, I picked up on another story. It’s a story about what wasn’t said at Cisco. And what wasn’t said, I believe, underscores why enterprises should be skeptical about Cisco’s vision.

The Cisco SASE Story 

The macro trends propelling SASE were well summed up by David Gromley, a leader in Cisco product marketing, in his session, “Cisco Umbrella: The SASE convergence of Cloud Security and Networking.”

On the security side, he shared research that showed how the vast majority of organizations (93%) agree that moving security to the cloud has increased their efficiency. He also pointed to how 76% of organizations say they’re looking for multifunction cloud security services.

On the networking side, he noted that 50% of respondents say their workforce will be remote. Another 60% expect most of their apps to become SaaS by this year. Overall, 79% say they’re shifting to some kind of direct Internet access.

Put those stats together and it is easy to see the argument for the cloud. Cisco sees security functions progressing from standalone security functions to consolidated Security Internet Gateway and finally combining with access and networking in the cloud. 

Gromley aligned those core areas — networking, security, and identity and access — with the Cisco products. For networking, there’s Cisco SD-WAN. For security, there’s Cisco Umbrella. And for identity and access, Gromley points to ZTNA and remote access with Duo and AnyConnect. All of it runs on a highly available global cloud architecture, driven by programmable APIs, and protected by the security and threat intelligence of Cisco Talos.

SASE: The Answer to the Problems Created By Cisco’s Appliance Strategy

But SASE is as much of an evolution of enterprise networking as it is a reaction to everything that’s been wrong with legacy enterprise networks.

For years, enterprises built their networks from carrier services and appliances, often sold by Cisco. And as our networks grew, we threw more and more specialized solutions — appliances in our offices, network services between them — at our problems. Our networks have become hyper-rich in capabilities but incredibly complex to maintain and run. We had to invest in additional products to manage those solutions and still others to enrich them further, and still we lacked visibility and insight. Even then, with networking and security kept separate, cracks remained in our security infrastructure for attackers to creep through.

SASE comes to solve these very problems directly. Converging technologies and moving them into the cloud obliterates the deployment complexity and the headaches of updating and maintaining appliances, and gives us the visibility we’ve been missing by creating a single data repository. It turns the network into a utility that can be consumed anywhere, anytime. In short, SASE solves the problems created by appliances like those sold for years by Cisco.

Leading from Behind

So to hear Cisco talk about embracing SASE is a ringing endorsement for this cloud technology. But what’s even more surreal is to hear Cisco present itself as a SASE leader.

Throughout the presentations from Gromley and from Gee Rittenhouse, senior vice president and general manager of Cisco’s Security Business Group, in his session, “SASE, Network as a Service and Onramp to the Cloud,” we kept hearing one small word, a word that tells the true state of Cisco’s SASE offering — “will” — as in:

“Cisco will deliver…”

“We’re going to have API abilities…”

“Will be available...”

Over and over, Cisco executives spoke about SASE in the future tense. For Cisco, SASE isn’t something that’s fully here today; it’s a future state that Cisco will deliver, not one they offer today.

Which is fine, actually. Many SASE solutions are still evolving. But Cisco’s so-called SASE vision is one that’s already being delivered today by its competitors. That hardly makes Cisco any kind of SASE leader.

Claiming SASE leadership would also be okay if Cisco’s vision of SASE was somehow different from, or more complete than, the rest of the market, but that’s also not the case. Cisco’s SASE vision fails to include a global private backbone but instead relies on third-party, hyperscale infrastructure. As I’ve said before, relying on a Google or AWS for global transit is fine for near-term market penetration but over the long term. Gartner themselves are quite critical of not owning the underlying network for many reasons, not the least of which is the lack of geographic coverage. And without a predictable, global backbone for site-to-site traffic, enterprises find themselves forever chained to legacy MPLS services. A long-term SASE solution must include global infrastructure.

Cisco’s SASE “leadership” also continues to be predicated on selling you many products. Cisco refers to “Cisco SD-WAN” but that can mean Cisco Meraki, Cisco Viptela, Cisco DM-VPN, or the discontinued Cisco iWAN. You still need Cisco AnyConnect for remote access, and you still have to select from four products for security — Cisco Meraki for basic firewalling, Cisco Umbrella for a Secure Web Gateway (SWG), Cisco ASA for your NGFW, and Cisco AnyConnect. This says nothing about the individual network management or security management platforms.

Is it any wonder that the SASE features pointed to by Gromley were about easing deployment between devices through automated connection setup? Of course, that’s critical. With so many products and configurations, simplifying deployment is a must. But that’s just putting a bandaid on the real problem: the complexity of building networks from dozens of appliances. A true SASE solution would inherently solve this problem without the need for automated connection setup by replacing the various components with a single cloud solution.

The really ironic thing is that deployment is the smallest part of the SASE vision. Convergence into a single cloud-native software stack leads to deeper insights into network trends. It helps with planning and means greater visibility across networking and security domains to spot risks, lurking malware, and potential security cracks —  all without having to buy more equipment and software. It also leads to parallel processing where security functions happen in parallel, improving performance. 

None of this was promised in Cisco’s vision. SASE leadership? I don’t think so. 

Wolf Guarding the Sheep

So would I trust Cisco to lead us to this promised land of SASE? About as much as I trust carriers to sell us managed SD-WAN services, which is to say, not very much. Carrier managed MPLS services created the problems that led us to find a technology to leave MPLS, a technology we call SD-WAN. Relying on their SD-WAN services just so they can continue to lock us into their MPLS services strikes me as a strategic mistake.

The same is true with Cisco. For years, Cisco profited from and pushed appliances and point-solutions that created the problems leading to SASE. Only now, after much industry outcry and startup innovation, Cisco has stepped in to lead SASE. Trusting that they’ll get it right this time seems to me to be the height of folly. 

Interested in learning more about SASE and what SASE vendors would be right for you? Sign up for your free WAN Jumpstart and let’s chat about your deployment challenges.
