How to Integrate SASE with Your Existing WAN and SD-WAN

We’ve spoken a lot about the emergence of Gartner’s Secure Access Service Edge (SASE). Gartner might not have been the first consultancy to describe how security and networking are converging together into a global cloud service, but its definition has certainly become popular. Already, we’ve seen several of our clients requesting SASE elements in their RFPs and several vendors responding with SASE pitches. Here’s why there’s such interest in SASE and how some of my customers are thinking about incorporating the technology into their networks.  

SASE Provides A Networking Platform For The Future 

As we’ve explained, SASE connects and secures all enterprise “edges” — sites, mobile users, cloud datacenters, SaaS, and IoT devices – with one service. Relying on one service for networking and security eliminates the multiplicity of appliances and point-solutions that have raised costs by requiring custom integration, obscured network visibility, and meant juggling management consoles to troubleshoot problems.

As radical as SASE sounds, it’s part of the natural WAN transformation process that’s begun with SD-WAN. Displacing MPLS with SD-WAN is the first step most enterprises who come to us take in evolving their networks. In parallel, we encourage our customers to reevaluate their security architectures as they transition from MPLS to SD-WAN. Failure to adapt legacy security architectures limits the value organizations realize from SD-WAN. And then, depending on the organization, additional network changes occur over time from expanding their global footprint and connecting IoT devices to delivering large-scale, remote access (particularly relevant today with COVID-19). 

SASE makes this broader transformation much more straightforward. Organizations no longer spend weeks and months evaluating, testing, deploying and integrating the individual point solutions that would compete with a SASE platform. Instead they can activate those features in minutes from a console — at least that’s the theory. With the convenience, you’ll also give up a degree of flexibility as we explain below. 

But the ability to rapidly adapt to new requirements through a simple click on a console cannot be underestimated. Consider the recent need for large-scale remote access, for example. No pure SD-WAN play that I know of includes a remote access client or provides clientless access. Up until COVID-19, this was a minor curiosity that many companies assumed could be solved with existing mobile VPN solutions. 

With COVID-19, we’ve seen the inability of mobile VPN servers to accommodate large scale remote access. IT managers simply never imagined needing the number of remote users they are seeing today. It’s not just about providing large-scale connectivity, though that is a challenge. It’s about providing that connectivity with the performance levels users accustomed to working in the office expect, with the content inspection and advanced security needed to protect them from Internet threats, and with the visibility needed to provide them with the same service levels as always. All of which is beyond the scope of most VPN solutions.  

Meeting enterprise needs for remote access has led SD-WAN vendors to take drastic measures to meet client requirements. For example, Silver Peak, to its credit, delivered 400 of EC-S, their small, SD-WAN devices, in two weeks to one customer. As they point out in their blog, “TrialCard literally extended its SD-WAN deployment to 400+ remote call agents and went live in less than two weeks, without disruption to their business.”

Impressive…for a hardware company. 

But consider how quickly it takes to deliver mobile VPN licenses, or even better, clientless access. Hundreds, even thousands, of users can be equipped in minutes. And by building remote access into the underlying networking platform, not only do SASE platforms deliver remote access but also the necessary security inspection and network optimization needed to provide remote users the experience of working in the office.

Networking And Security Deployment Considerations

Any network transition should be able to be done gradually, and SASE is no different. In terms of networking, SASE platforms rely on SD-WAN edge devices to connect sites. As with any SD-WAN device, SASE implementations support gradual migrations, supporting hybrid deployment models where legacy and Internet-based networks coexist. Sites can be connected to a SASE platform without the provider’s SD-WAN appliances by establishing IPsec tunnels from legacy devices, such as firewalls or third-party SD-WAN devices, to the SASE provider’s premises. Cloud connectivity and remote access capabilities should be optional.

As for network security, SASE offerings replace a wide range of security functions including, NGFW, SWG, CASB, and ZTNA. For the most part, SASE is about packaging those capabilities together so you can expect to lose some vendor choice. Once you buy into a SASE platform plan to use the company’s suite of services. 

If you provide a hybrid security deployment, there are two approaches to consider. For one, consider first protecting less critical sites with SASE security services while maintaining legacy firewalls and security appliances. You can also consider “firewall bursting” where you use SASE’s security capabilities to extend the life of legacy security appliances that might have limited throughput. They can “burst” the excess traffic to the security provider for processing. 

Since security features might be licensed differently, if an enterprise has a security investment that has not been fully depreciated, there’s a decision that has to be made around activating security features — or not. Many are surprised to learn how much SASE can save on their security costs. Power, rack space, the network (MPLS in particular, hardware, appliance maintenance and licensing fees, and let’s not forget the appliance upgrade and replacement costs add up to be quite significant. This says nothing about the urgency under which security infrastructure must be maintained. With each new attack or vulnerability, security teams must react quickly to update the infrastructure. All of which are addressed by SASE. 

In many cases, security investments can be maintained through the end of their contract to save the cost of such a feature in the SASE solution. In most cases, though, my experience has been that companies prefer to write off such investments due to the operating efficiencies that the new solution introduces.

SASE Platforms Provide A Network For Today —  And A Migration Path for Tomorrow 

The cloud and remote (or mobile) access are too essential to be thought of separately from facility locations. Security has become inseparable from connectivity. You can’t possibly give users access to anything if those connections are not secured. SASE adoption then is less of a question of “if” but “when.” Most companies, I believe, will find themselves adopting SASE in the next five years. The value proposition is just too compelling. 

Share this post