
SASE = SD-WAN + SSE … Or Is It, Really?

This is the second article in a four-part series by Stephane Monboisset, Director of SASE and Data Protection at Fortinet, demystifying the concept of SASE.  

ARTICLES IN THIS SERIES
SASE – Why Do We Care?
SASE = SD-WAN + SSE … Or Is It, Really?
On-Premise vs. Cloud-Delivered Security, Which One is Best?

The cybersecurity industry is a complex and fragmented market (some of the major players offer over 50 cybersecurity products to choose from), so simplification is needed to get a message across. But simplification can create more confusion than clarity, and the over-simplified definition of SASE is a perfect example of this.

If you ask 100 security experts what SASE means to them, you will probably get 50 different answers because the value of SASE can be very different from one user to another. However, if you ask them what SASE is and what it is composed of, 90+ will unanimously answer that SASE is the combination of SD-WAN and Security Service Edge (SSE, which is Cloud-delivered Security – Cloud being a means to bring security to the users wherever they are).

While this is not very far from the truth, we need to understand that it is an oversimplification that misses a very important and fundamental reality: the infrastructure of most companies is hybrid and will remain so for many years to come.

What is the issue with this simplified representation of SASE (= SD-WAN + SSE)?

When I outline the above definition of SASE to prospective customers, I usually pause and ask them if they see a fundamental problem with it. Often some of them answer “we have not implemented SD-WAN yet and do not see a need for SD-WAN, so SASE is not something that we can implement yet”. While this is one issue with this simplified definition of SASE, there is actually a much more fundamental problem with it: what this definition implies is that security lies solely in the SSE component and as such is only delivered through the Cloud.

If we consider that this is how most security decision makers see SASE, then we can easily understand the fundamental questions that come with this.

“How does this adapt to my existing infrastructure and specific needs?”
In other words, “I have and need security on-premise, so if security in SASE is only cloud delivered, then the SASE framework is of no use to me!” Security infrastructures of companies are largely on-premise nowadays, and even if many companies are looking to benefit from the flexibility of the Cloud to secure some part of their networks and users, it is a giant leap for most companies to move everything there. Also, as we will see in a subsequent article, there are still very good reasons for companies to keep some elements of security processing on-premise rather than moving everything to the cloud.

“If I go with a cloud-delivered only security solution, how do I avoid compromising my overall network security?”
In other words, it is one thing to trust one particular cloud security vendor to secure remote sites or users that constitute a small section of the corporate network. However, would that vendor be capable of properly defending the entire corporate network? Decision makers need to ask themselves, “who do I trust to secure my entire network?”

Several SSE vendors got great traction during the pandemic when they were the only ones to offer a way to secure all the employees that were forced to work from home when the companies’ infrastructure was unable to accept the load. Companies were extremely grateful for these cloud-delivered solutions as some security was far better than no security, but if this solution deployed during the pandemic is to be expanded to the whole network, then that becomes a different ball game.

Companies are likely to be more diligent and will review more carefully which vendor they select to secure their whole infrastructure. This is where traditional firewall companies, as long as they have a solid cloud-delivered solution, have a strong advantage, as the efficacy of their solutions has been proven over the years by multiple independent research firms.

“How do I leverage my existing investment?”
Rarely will we have a company looking at a SASE solution which is ready to move everything all at once. Many still have active on-premise equipment that has not yet reached end of life and is not amortized yet. Any vendor pushing a SASE solution needs to take into account that no one will throw out perfectly operational security equipment because they are told that “cloud is the right way to do things”. Also, the effort taken to put in place an organization’s security policies is a long term investment that cannot be discounted just because Cloud is more elegant.

“What about reversibility?”
As we all know, there are two types of companies in this world: those going to the cloud, and those coming back from the cloud. Many modern companies that had moved towards a full public cloud computing architecture are now actively bringing some computing elements back to a private-cloud solution, having discovered that the public cloud is not optimal for all workloads and applications.

There is no reason why security would be any different. Moving towards a cloud-delivered-only security solution may be the right choice for a company at a given point in time, but the speed at which this market evolves, and at which modern companies develop, pivot and expand, calls for caution about non-reversible changes.

Therefore, any move towards a cloud-delivered security solution needs to provide a clear reversibility path, should it ever be needed. Only once these four questions are clearly answered can a sound, constructive conversation about the SASE journey take place between the vendor and the end-user organization.

Going back to the definition of SASE = SD-WAN + SSE, we clearly see that this simplification cannot be accepted by most companies and that any SASE framework needs to have some element of on-premise security built in, or at least the ability to integrate it, should a customer need it.

In the third article of this series, I will look at the differences between on-premise and cloud-delivered security, and we will see why, while some vendors try to discount the use of on-premise security appliances, organizations still have strong reasons for implementing a hybrid (cloud and on-premise) architecture.
