Expert Speak

On-Premise vs. Cloud-Delivered Security, Which One is Best?

This is the third article in a four-part series by Stephane Monboisset, Director of SASE and Data Protection at Fortinet, demystifying the concept of SASE.  

ARTICLES IN THIS SERIES
SASE – Why Do We Care?
SASE = SD-WAN + SSE … Or Is It, Really?
On-Premise vs. Cloud-Delivered Security, Which One is Best?

As we saw in article 2, “SASE = SD-WAN + SSE … or is it, really?”, the idea that every security element will be cloud-delivered is flawed for most architectures. SASE/SSE vendors who try to convince their customers that cloud-delivered security is the only way forward completely underestimate one reality: current and future network and security architectures are, and will continue to be, hybrid for most companies.

Every customer I have engaged with who has seriously considered the benefits of the SASE framework, and how it would map to their existing infrastructure, also had to assess which elements of the cloud-delivered and on-premise security options were the most appropriate for their network architecture. While the following is not an exhaustive list, it presents a number of key use cases and the value each of the two options brings to them.

For remote users, the industry generally agrees that cloud-delivered security is the more sensible way to bring security to users wherever they are: it is a more reliable and scalable way to deliver security to them than backhauling all of the remote users’ traffic into the network for inspection. For large or crowded branches, I would argue that having the right firewall on-premise is going to be more economical than leveraging the cloud, which will end up being more costly in the long run.

For smaller branches, cloud-delivered security is generally better, as its extra cost is easily offset by the savings in the operational cost of managing on-premise security at each of these small branches. When it comes to performance and latency, I would also argue that on-premise security is the better choice, as inspection can happen right on-site for traffic leaving the premises (rather than being forwarded to a cloud instance somewhere). This is especially true where east-west inspection is needed: sending traffic to a cloud instance and back for inspection makes little to no sense at all.

Cloud does provide a great advantage when it comes to simplified management, as all operational actions such as patching and firmware updates are handled by the cloud security vendor. One last element I’d like to add is the fail-over path. This comes from a discussion I had with a large bank in Africa that explained to me how they got in trouble during one of the lockdowns, when their cloud-delivered security provider had a 36h outage and no one at the bank could work.

They mentioned this story as a justification for requiring that their future SASE vendor also provide on-premise security that they can activate in case something goes wrong with the cloud instance. Taking all these factors into consideration, a single implementation is unlikely to satisfy the needs of most companies, so the question that needs to be asked in return is: Why choose?

Most of the world is hybrid, so why would your secured networking be any different?

On-premise security and cloud-delivered security each come with their own merits, and each addresses specific use cases better than the other. Forcing your secured networking architecture to be purely one or the other would not only be inefficient but would likely put you on a path where you surrender some level of control.

The ideal SASE solution should not force you to choose between these two implementations and instead give you the ability to:

  1. Leverage cloud-delivered security for remote users, so they have fast, reliable access wherever they are and you have the assurance of a scalable solution regardless of how many remote users are connected at once.
  2. Keep your large branches on the right powerful on-premise firewalls for maximum performance and the most optimized cost.
  3. Connect whatever IoT device you have with a simple “dumb” hardware appliance and leverage the cloud to secure them.
  4. Assess for any other branch/location whether it makes more sense to have a hardware security appliance on-premise or leverage the cloud. In essence, you should be able to decide at any point of time which location you move to cloud-delivered security and which you want to bring back to on-premise security based on what makes the most sense.

This ideal SASE solution should also allow you to control all security elements from a single pane of glass and allow you to do so with the same security policies, regardless of whether the security inspection is performed on-premise or in the cloud. And if that SASE solution also has a tightly integrated SD-WAN offering that can be controlled from the same management tool, this is the icing on the cake.

In the fourth and final article of this series, I will introduce the concept of Sovereign SASE and explain why, beyond the obvious, it is an important concept that every organization needs to be familiar with.


Chris Fernando

Chris N. Fernando is an experienced media professional with over two decades of journalistic experience. He is the Editor of Arabian Reseller magazine, the authoritative guide to the regional IT industry. Follow him on Twitter (@chris508) and Instagram (@chris2508).
