SASE – Why Do We Care?

This is the first article in a four-part series by Stephane Monboisset, Director of SASE and Data Protection at Fortinet, demystifying the concept of SASE
Secure Access Service Edge (SASE) is probably the biggest buzzword in the cybersecurity industry today; every security vendor talks about it and there is a multitude of articles about the benefits of it. However, when I talk to customers, prospects and partners around the globe, there remains major confusion around what it is and what it can actually do. The question I get most often is “why should I even care about SASE?”
The reason for this global confusion is fairly simple: SASE is not your traditional cybersecurity product. In fact, it’s not actually a product but a framework/architecture composed of multiple products, which has led to the situation where any vendor which has one of the elements of the SASE framework positions their product/solution as “SASE”, making it hard for companies and cybersecurity professionals to grasp its true nature and value.
The other complexifying element comes from the fact that it is difficult for any vendor to approach a company and say, “This is where SASE is going to bring value to you”. Given the nature of SASE, many companies will find immediate value in SASE from specific use cases that other companies might not. This is why I have been borrowing the following quote from Oscar Wilde when I talk about SASE: “Beauty is in the eye of the beholder”.
What is clear to me is that every company will tend to, over time, extract most of the value that the SASE framework can provide to them. It is therefore critical for companies embarking on the SASE journey to not only look at the shiny elements that the SASE vendors are presenting to them but to thoroughly study where the vendor is today in terms of development and where the vendor plans to be in the coming years, as the selection of a SASE vendor will have long lasting implications to the company.
Why does SASE even exist?
While most vendors spend a good amount of time talking about the HOW (“how we are delivering the SASE benefits”), there is a strong need from the industry to talk about the WHAT (“what value SASE brings, what beauty is there in SASE for you”) and most vendors do a good job at it. However, I would argue that we need to take an additional step back and look at the WHY (“why does SASE even exist?”).
Multiple challenges have called for this new framework to be developed. First, securing remote users has become one of the biggest challenges of modern life, especially since the pandemic. When users are inside the network, they are protected by a series of products and solutions that make them safe from external attacks. However, when they go out (when they get home, when they travel, etc.) they are outside of the network and no longer protected by the security infrastructure that the company has put in place.
The industry has been dealing with this challenge through the use of VPN (the ability to virtually bring back the user inside the company’s network). However, VPN’s have been proven to be unreliable, non-scalable, and most users do not use them reliably (meaning they don’t use the VPN unless they need to access specific company resources within the company’s network).
Another growing challenge faced by modern organizations is the ability to manage on-premise security (especially for smaller remote branches) or just bringing security to IoT devices where the use of specific hardware security appliances comes with multiple operational challenges and sizable operational cost.
If you add to that the exploding complexity of securing a company’s infrastructure, users, data, and applications in a world where new threats are emerging every day and the security skills shortage is greater than ever before, you understand that a framework such as SASE can only be valuable if it aims to simplify cybersecurity to the users and the operational teams, rather than just being one extra tool to add to an already very large toolbox.
Lastly, most companies are embarking on a Zero Trust Journey, and it is essential for a framework such as SASE to have Zero Trust as a guiding principle throughout. And of course, such a framework needs to be future-proof and be able to adapt to future needs in an evolutive manner.
To SASE and Beyond!
What strikes me is how we (cybersecurity vendors) have made the SASE framework sound so complex to everyone, when in essence its objective is crystal clear: wherever the user is (remote or on-premise in large or small branches, in factories, and so on), and wherever the data/application is (Internet, SaaS application, Public Cloud or private datacenters), SASE is the framework that allows the transaction to happen between them in a secure, efficient, simple, and consistent way.
The nature of the SASE framework as well as its objective means that SASE is not a 100m race, but more like an ultra-trail where decisions taken now will have long lasting implications. When planned properly, the SASE journey can be a sequence of small implementations (for example, starting with 200 remote users then expanding, migrating 1 small branch at a time, starting with contractors and BYOD users, …), and this is a safe approach that reduces the risk along the way.
In the second article of this series, I will be diving into the important questions an organization needs to answer before embarking on a SASE journey.