Making sense of SASE: a review of Gartner’s Strategic Roadmap
Expereo’s take on the latest Secure Access Service Edge thinking
About 12,000 years ago, human beings started farming instead of hunting. This “agricultural revolution” lasted thousands of years. By contrast, the first Industrial Revolution—steel and steam—lasted all of 200. And the one we’re experiencing now—computing and telecoms—is just a few decades old. Everything’s changing faster.
It’s understandable. As the world joins up and ideas are traded globally, it leads to faster innovation, new methods for solving problems, more enablement via technology. But it also means that to stay competitive, businesses have to change the way they work much more often.
Take networking. The team at Expereo remembers circuits giving way to packets, dial-up to fiber optics, fixed-line to mobile. And—today—fast but inflexible MPLS hardware to software-defined approaches like SASE, Secure Access Service Edge.
What’s important to note is that these changes aren’t happening in isolation: they’re driven by market conditions. Software-defined networking suits a fast-changing world well: it’s weightless, frictionless, faster to implement. But caveats remain.
Research experts Gartner Group have just released their 2021 Strategic Roadmap for SASE—so here’s our summary of their thoughts.
SASE: a threefold challenge
Everyone’s aware of how Covid-19 changed the world of work—but it’s far from the only driver. The trend towards home-based working started hockey sticking years ago, as home broadband speeds rose, cloud computing made applications and data available anywhere, and owned devices became the preferred means of accessing them. It’s a three-legged challenge. Let’s look at each leg.
- Finding a place-independent architecture
The first part: any solution needs to be independent of place. The situation of the digital nomad in Bali, the executive in Business Class, and the remote employee at his kitchen table are all different, but their needs are the same, despite the underlay—the leased line at the office, broadband at home, public Wi-Fi—being as different as their surroundings.
Gartner believes the rise of software-defined, cloud-delivered services is inexorable: giving remote workers a different level of service from office-based workers just isn’t acceptable. The business case for change is so strong that any company not addressing it is at a huge disadvantage.
Hence SASE. Like SD-WAN, it hardens the corporate network by extending it to its vulnerable perimeter: the device in the user’s hands. But unlike SD-WAN, with its view of “secure the network first”, the SASE approach of ZTNA (Zero Trust Network Access) secures the application first—authenticating and authorizing individual users, irrespective of which device they’re on. That is completely separate from network-level security.
With ZTNA, a compromised device on the network won’t compromise the application; in fact, with outbound-only connections and IP cloaking common in ZTNA, malware on a compromised device doesn’t even “know” about the application infrastructure its user is accessing. It’s an approach that secures the link between user and application—not just the network as a whole. According to Gartner, ZTNA provides the place-independence our changing world needs.
- The complexity beneath the simplicity
But there’s trouble ahead. Most corporate networks are a patchwork of systems from different vendors. To users, many organizations already offer anywhere, any time, any device access to corporate data and applications—but beneath the surface, with a competing web of platforms and policies, it’s a different story.
That’s Gartner’s second noted challenge: harmonizing corporate IT migrations across branch offices on the same timescale. It’s not just a hardware issue. “Doing it right” means taking account of different skill sets around the world, different equipment lifecycles, even the availability of like-minded vendors. Without harmony, vulnerabilities will remain.
Here, the research group’s prediction is that a winning strategy needs to treat all these factors—employee skills, vendor approaches, hardware upgrades, internet access methods—as parts of one SASE strategy. In other words, Secure Access Service Edge isn’t about access to applications anymore: it covers every aspect of IT investment. Gartner thinks this approach can cut SASE adoption time by half.
- Only as strong as the foundation
The third challenge: SASE needs underlay. The whole promise of SD-WAN was to liberate distant branch offices from high-cost solutions like MPLS: in general, good bandwidth meant good access, equalizing opportunity for all employees.
But the mix of security approaches—Secure Web Gateways, Cloud Access Security Brokers, Firewall as a Service, and Virtual Private Networks—can slow ZTNA adoption when moving to a SASE model; each treats edge security in a different way. And while local managers may be happy with network-level security, wherever there’s a weak point on the perimeter, the whole network is at risk.
That’s why Gartner sees these different approaches converging, into a single generally understood approach to SASE centered on ZTNA. Ultimately, the shift is from network-level security to application-level, valuing user identity more than device authentication. The model is no longer “once you’re in, you’re in.”
The solution: a series of actions in logical sequence
So: a trio of challenges. What’s Gartner’s suggestion for maintaining place-independent access to applications and data while overcoming legacy complexities and making the best use of an irregular underlay? Their roadmap includes both short-term and long-term approaches.
SASE in the short term …
As you’d expect, the emphasis is on ZTNA. Gartner recommends accelerating your ZTNA rollout to all your VPN users, starting with the high-risk use cases like senior managers and those accessing sensitive data while working from home.
In parallel, conduct a review of hardware, software, and IT contracts across your organization—starting today. Know their scope and when they expire—because the most effective approach to implementing SASE is with cloud-based delivery. As these agreements end, plan to phase out physical infrastructure in favor of cloud services, consolidating vendors along the way. The goal? To create a level playing field for SASE rollout.
… and on longer timescales
Your goal in the short term is to reduce complexity. In the longer term, it’s to leverage the simplicity that replaces it. The fewer vendors you partner with, the better—because they’ll give you a consistent platform for ZTNA.
The objective here is to roll out ZTNA-based security to all users, not just your high-risk cases. And with a smaller number of vendors, you can implement network-wide policies for it—how traffic gets routed, where inspection and authentication take place, even (in a privacy-obsessed legal environment) where logs and identifying data are stored.
Gartner’s final suggestion is to break down barriers within your IT security team, and treat them as a unified whole—sharing responsibility for all use cases: remote branches, work-from-home, on-the-road, applying to all users and all devices.
By the numbers
As always, Gartner supports its case with statistics—and the numbers are big ones. Within three years, nearly a third of corporations (30%) will get their SWG, CASB, FWaaS, and ZTNA solutions from a single vendor. (In 2020, barely 5% did.) There’s a consolidation coming; be ready for it.
After all, your competitors will be. By 2025, there will be more enterprises with an explicit SASE strategy than without: 60%. That’s an even steeper growth curve: at present, it’s just 10%.
And the cloud will win. Before 2024, 30% of all corporate locations will get their connectivity solely from internet WAN—outsourcing in-house infrastructure entirely to the cloud. This change is clearly in progress: 15% are already there.
Our SASE future, according to Gartner
The famous research group is in no doubt: the future is SASE, with its focus on application-level security and authentication at the perimeter, beyond just network-level. And it means simpler infrastructure, reliance on cloud services, and a consolidated vendor list.
Of course, Expereo would like to be on your vendor list. With decades of experience spanning over 600 global enterprises, we’re ready for SASE—in fact, we’re there now.