Private SASE and the Need for Sovereignty

This is the fourth article in a four-part series by Stephane Monboisset, Director of SASE and Data Protection at Fortinet, demystifying the concept of SASE.
ARTICLES IN THIS SERIES
SASE – Why Do We Care?
SASE = SD-WAN + SSE … Or Is It, Really?
On-Premise vs. Cloud-Delivered Security, Which One is Best?
Private SASE and the Need for Sovereignty
Several industries are already tightly regulated, and organizations operating within them cannot take the use of cloud-delivered solutions for granted. But beyond these industries, with the pace of geopolitical change and the need of countries to better regulate, certify and control, no SASE vendor can avoid the question of sovereignty as a whole, and specifically how sovereign their SASE solution is.
Most SASE vendors are addressing the sovereignty question around their SASE offering through local Points of Presence (PoPs) and local certifications. It is essential for SASE vendors to play the transparency card so that companies can assess where the PoPs are, what is processed in these local PoPs vs. what is sent away for processing (not all PoPs are born equal), and which certifications they have been awarded.
Moreover, for a growing number of organizations (and especially governmental agencies), the in-country location of the security inspection and log retention is just not enough. More than just “where is this, geographically?”, the question is “who hosts it?”. For many organizations, leveraging a third-party service such as SASE is not an option because of data sovereignty rules and sensitivity around the data that is being processed.
While they can’t just outsource that security to a SASE vendor, building their own SASE service from scratch is also out of the question, as this is far too complex a project to undertake. SASE is not just a matter of bolting the framework elements together; it requires developing complex orchestrators, managing redundancy, provisioning users and tracking usage, among other things. Even large organizations with deep pockets would find it challenging to recruit and retain the right individuals to build and manage the system at a time when the World Economic Forum estimates that we are missing over four million security experts worldwide.
To address this requirement, the concept of Sovereign SASE has been emerging over the last few months, where organizations can purchase and host all the security inspection and log retention equipment on their premises and rely on a SASE vendor for the management, orchestration and provisioning of the SASE instances and users. This split of responsibilities has proven to address the largest objections related to SASE solutions and data sovereignty needs from organizations.
Obviously, this requires more effort from the company purchasing and implementing a Sovereign SASE solution than just outsourcing to a SASE vendor, but it is far simpler to undertake than trying to build a SASE architecture from single security building blocks. Over the last 3 years, I have met multiple companies that were so advanced, and so far at the forefront of cybersecurity technologies, that they had implemented their own SASE-like architecture by deploying a CASB, FWaaS, SWG, ZTNA, … before SASE was even a thing, and all of them reported that managing it and keeping up with its pace of evolution no longer made any business sense for them.
Most were actually turning to a SASE vendor to replace what they had built over the years with a simple, easy-to-manage solution. Clearly, the availability of a sovereign SASE solution is at the top of their minds: it allows them to address their security concerns, reduce their overall operational complexity and maintain a high level of sovereignty to comply with the most stringent regulations.
Telcos and MSSPs (Managed Security Service Providers) in particular have expressed strong interest in Sovereign SASE solutions. The Sovereign aspect of the offering is seen as a way for them to gain a form of independence and be in full control of what they are offering and delivering. Such an approach allows them to build a Private SASE offering that leverages their existing infrastructure (datacenters, servers, telco lines, …), differentiates them from security vendors and their local competitors, and addresses the part of the local market that is highly sensitive and needs locally-hosted and locally-managed security solutions.
Telcos and MSSPs can take sovereign SASE and not only productize it as their own, but also build their own Private SASE services on top of it, adapting their solution to local market needs and greatly increasing the value they bring to the local market. Any reliable SASE vendor needs to take the Sovereignty conversation beyond the list of PoPs and their location (in-country or not).
It needs to have a clear Sovereign SASE offering for organizations which have stringent sovereignty mandates, as well as those that may require a sovereign SASE solution in future. A sovereign SASE offering is not only a strong sovereign solution for today’s needs but also offers insurance that, should the regulation or geopolitical landscape change, customers can achieve sovereignty if needed.
To conclude this 4-article series, if I were to give you one piece of advice when selecting your SASE vendor, I would say: don’t rush into your decision, take a step back, look at the long-term implications of your choice and select whoever’s vision and capabilities are best aligned with what you expect your future needs will be. Doing so is critical, since ripping and replacing a SASE solution from one vendor to another is a complex task that involves not only adapting/changing your core security policies but also touching every branch and every endpoint. The right vendor for you may not necessarily be the one which has the shiniest product today (the Hare), but probably the one that is developing a strong, reliable and future-proof SASE platform (the Tortoise).