Secure Access Service Edge. Gartner's new category

Organizations are progressing from traditional networking and security models to cloud-based platforms, and there are multiple delivery models for securing the WAN and edge. Vendors tend to address part of the puzzle and rely on integration, either with other vendors or by combining many new and traditional technologies. The SASE category considers a broader landscape of network and security technologies and the convergence of these networks. The real aim of SASE is the convergence of WAN capabilities with network security functions (such as firewall, secure web gateway, CASB and SDP).


Gartner has recently released the Hype Cycle for Enterprise Networking, which includes the category of Secure Access Service Edge (SASE), and has indicated that a SASE service should meet the following requirements:


  1. The convergence of WAN edge and network security models

  2. Cloud-native, cloud-based service delivery

  3. A network designed for all edges

  4. Identity and network location


Network and Security Convergence

The technologies at the edge each tend to address a specific mode of access and function, and are typically different products and services spanning multiple vendors. SASE, on the other hand, requires that the service edge address all modes of access, especially with the growing need for mobility and flexibility in work arrangements. The service edge therefore needs to consider the identity of a user, application or service, and the location of those users and resources. With the ability to determine these, the edge can securely and efficiently route users to applications and services at the closest on-ramp based on their access policy, so the experience of mobile users who travel is not limited by geography. To deliver on these points, a vendor may look to provide geographically distributed points of access for an efficient on-ramp. These on-ramps should ideally provide a common access method and distributed security policy control. This will push the traditional firewall and security platform vendors to rethink their approach to secure cloud networks, but it opens up an opportunity for those vendors as they try to align themselves with SDWAN. The SDWAN vendors will need to expand their architectures to encompass points of presence and level up the security components of the platform. SASE will also blur the access methods and vendors approaching the software defined perimeter (SDP) architecture, which means the access method will also look to integrate/expand on SDWAN connectivity.


SDWAN is solving many challenges organizations have in relation to visibility and policy-based steering for flexible, reliable and efficient connectivity to both cloud and on-premise delivered applications. SDWAN is not solving all the challenges: for example, mobile workers and security often rely on combining vendor solutions or chaining multiple virtualized or cloud-delivered services. SDP, which is expected to replace the traditional VPN, is meeting the needs of identity and "Zero Trust" security architecture by limiting the visibility of applications and systems on the Internet, but it does not necessarily address WAN access controls or protect users as they egress to the Internet. Secure Web Gateways do, however, address the traffic destined for the Internet, inspecting, filtering and protecting users, but not WAN access or mobile users. Next generation firewalls provide the tools to define policy at an application level and combine threat management intelligence. There are also a number of vendors addressing access to cloud providers and applications with CASB services. All these are perimeter functions, and with cloud-scale performance the prospect of converging these functions into a SASE from a single vendor is a reality.


Some vendors that I believe are closer to the SASE category than others are Zscaler and Cato Networks. Both vendors provide globally distributed POPs that present users or sites with access to services regardless of geography. Zscaler does require partnering with other vendors to address the SDWAN component of their architecture but will provide location-based access to their platform using standard IPsec connectivity from any vendor. Cato, on the other hand, has an SDWAN platform that is fully unified with the security for WAN and Internet. The SDP part of the equation is where Cato probably requires development rather than standard VPN access methods for mobile users.


I am sure there are other vendors that will argue they have a platform that addresses some of the SASE requirements, for example Forcepoint, who has evolved the SDWAN access in addition to their CASB solution. Other vendors tend to address network and security with a suite of products and services managed and operated separately. I am interested to hear from individuals and vendors on meeting the SASE requirements now and as part of their product roadmap.