SASE – The new SD-WAN?
Legacy unencrypted and implicitly open networks have in recent times been migrated to SD-WAN solutions, but does this really modernise a business’s WAN technology sufficiently?
At Systal we pride ourselves on innovating and finding a better way for our clients. While we believe SD-WAN is an effective WAN transport replacement strategy, we see it as another point solution for organisations to have to integrate and manage. We strongly believe that SASE is the new SD-WAN, and that it is the future of overall enterprise connectivity and not purely WAN. This post will explain why we are so excited to offer SASE as a strategic solution for our clients.
So what is SASE?
SASE (Secure Access Service Edge), pronounced “sassy”, is a networking and security architecture that combines the intelligent transport element of SD-WAN with security functions delivered as a cloud service. We believe it has taken SD-WAN to a new level where it can add significant value. We see SASE as a framework and not a product: a cloud-based holistic strategy to connect any device or user to any resource within an enterprise, based on a single central security policy rather than a policy per appliance.
SASE addresses the changing requirements of modern businesses with a scalable cloud architecture that provides secure access to applications and services from anywhere. We’ve seen first-hand how SASE simplifies network management and reduces costs with fast and secure connectivity to the cloud for a distributed workforce. SASE combines the following key technologies to create a secure framework:
1. SD-WAN – A technology that uses SDN (Software-Defined Networking) to create a virtual overlay network on top of existing MPLS WAN or internet connections. This allows dynamic and intelligent traffic routing and optimisation, as well as improved application performance, reduced latency, better bandwidth utilisation and cost savings from using internet transport in place of MPLS.
By integrating SD-WAN into a SASE framework, organisations can provide optimised connectivity to cloud applications and services while the overlay traffic is encrypted in transit (typically with IPsec) and steered to the cloud security stack for inspection according to policy. One caveat a practitioner should keep in mind: SD-WAN encryption protects traffic between edges, but it does not by itself inspect or filter what flows inside the tunnels; that is the job of the services below. We have used SD-WAN previously to improve application performance, reduce latency and increase overall network efficiency, while applying a consistent security policy at every endpoint regardless of location or connection type.
2. SWG (Secure Web Gateway) – A service which provides secure access to the internet and cloud-based applications. A SWG filters and blocks web traffic based on policies and rules to protect against web-based threats such as malware, phishing and other cyberattacks. Note that a SWG can only apply content policy to HTTPS traffic if it performs TLS inspection, which in turn requires the gateway’s issuing CA to be trusted on managed endpoints; this is a deployment dependency to plan for early. We have seen numerous issues enterprises experience with on-premises proxy appliances, including lack of scale, manual updates and managing the hardware lifecycle. A cloud-native service removes most of that burden.
3. CASB (Cloud Access Security Broker) – A service that provides security controls for cloud-based applications and services. A CASB sits between cloud service users and cloud service providers, either inline as a proxy or out of band through the providers’ APIs, and acts as a gatekeeper to enforce security policies and protect against cloud-related threats such as data leakage, unauthorised access, shadow IT and compliance violations. We see CASB as the glue that holds the SASE framework together.
4. DLP (Data Loss Prevention) – A technology that provides security controls for preventing the unauthorised exposure or leakage of sensitive data. DLP refers to the practices and technologies used to identify, monitor and protect sensitive data so that it is not disclosed to unauthorised parties. We have typically seen clients use a multitude of providers and appliances, which can be complex to administer and manage; in a SASE framework the same DLP rules apply to web, SaaS and remote-access traffic from one policy.
5. IPS (Intrusion Prevention System) – A technology that provides real-time threat prevention and detection for network traffic. An IPS is a network security solution that monitors and analyses network traffic for signs of malicious activity and takes action to prevent attacks in real-time. Typically, our clients use IPS at the perimeter of their networks so moving this functionality into the cloud is a natural step to take when adopting SASE.
6. NGAM (Next-Generation Access Management) – NGAM provides secure access controls for users, devices and applications across a variety of network and cloud environments (the function most vendors market as ZTNA, Zero Trust Network Access). NGAM refers to the next generation of access management solutions, designed to meet the challenges of modern cloud-based and mobile-first IT environments, where access decisions are based on user identity and device posture rather than on which network segment the request came from. With our comprehensive state-of-the-art toolset, integration of NGAM into SASE is seamless.
7. Remote Access – This enables users to securely access network resources from any device, any location and any network, using a variety of security and connectivity technologies (agent-based and agentless) which terminate in the cloud, so that remote users benefit from the same cloud security services and central security policy as everyone else rather than a traditional on-premises RAS stack. We have seen clients adopt Remote Access at varying stages of their SASE journey; typically it is enabled when the existing RAS licences come up for renewal, so that earlier investment is not written off.
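As an added example (not code from the original post or from any SASE vendor), the Python sketch below shows the converged-policy idea behind items 2 to 6: one decision point evaluates threat category, device posture, upload content and cloud-app sanctioning for each request, instead of a proxy, a CASB and a DLP appliance each holding its own rule set. All hostnames, categories, group names and sample requests are constructed. The DLP part also shows why a bare regex is not enough: a Luhn check discards 16-digit strings that merely look like card numbers.

```python
"""Converged SASE-style policy decision for one request.

Added example only; not the original post's or any vendor's code. Hostnames,
categories, groups and sample traffic are constructed for illustration.
"""
import re
from dataclasses import dataclass

# --- DLP -------------------------------------------------------------------
# 13-19 digits with optional single space/dash separators. The regex alone also
# matches order numbers and timestamps, so every hit is filtered with Luhn.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, separators removed."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


# --- Policy decision point -------------------------------------------------
THREAT_CATEGORIES = {"malware", "phishing"}
SANCTIONED_SAAS = "saas-sanctioned"
UNSANCTIONED_SAAS = "saas-unsanctioned"
PAN_ALLOWED_DESTS = {"payments.example.com"}   # constructed: the one processor


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_managed: bool
    device_patched: bool
    dest: str          # destination hostname
    category: str      # SWG/CASB category looked up for dest
    payload: str = ""  # decrypted upload body; empty for plain browsing


@dataclass(frozen=True)
class Decision:
    action: str        # "allow" or "block"
    reason: str


def evaluate(req: Request) -> Decision:
    """One ordered policy for every request; the first matching rule decides."""
    # 1. SWG: known-bad categories are blocked for every identity and device.
    if req.category in THREAT_CATEGORIES:
        return Decision("block", f"SWG: {req.dest} categorised as {req.category}")
    # 2. Access management: a device that is not managed and patched gets
    #    read-only access to sanctioned SaaS and nothing else.
    if not (req.device_managed and req.device_patched):
        if req.category == SANCTIONED_SAAS and not req.payload:
            return Decision("allow", "posture: read-only sanctioned SaaS only")
        return Decision("block", "posture: device not managed and patched")
    # 3. DLP on the decrypted upload: card numbers may leave only from finance
    #    users and only to the sanctioned payment processor.
    pans = find_pans(req.payload)
    if pans and ("finance" not in req.groups or req.dest not in PAN_ALLOWED_DESTS):
        return Decision("block", f"DLP: {len(pans)} card number(s) in upload to {req.dest}")
    # 4. CASB: uploads to unsanctioned cloud apps are blocked; browsing them is
    #    allowed (and would be logged as shadow IT).
    if req.category == UNSANCTIONED_SAAS and req.payload:
        return Decision("block", "CASB: upload to unsanctioned cloud service")
    return Decision("allow", "policy default")


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    Request("alice", frozenset({"finance"}), True, True, "payments.example.com",
            SANCTIONED_SAAS, "card 4111 1111 1111 1111 exp 12/29"),
    Request("alice", frozenset({"finance"}), True, True, "share.example.net",
            UNSANCTIONED_SAAS, "card 4111 1111 1111 1111"),
    Request("bob", frozenset({"eng"}), True, True, "tracker.example.org",
            "web", "order 1234567890123456"),   # 16 digits, fails Luhn
    Request("bob", frozenset({"eng"}), False, True, "intranet.example.com",
            "internal", ""),
    Request("carol", frozenset({"sales"}), True, True, "bad.example.org",
            "malware", ""),
]


def run_samples() -> list[tuple[str, str, str]]:
    """Evaluate the sample requests; returns (user, dest, action) triples."""
    return [(r.user, r.dest, evaluate(r).action) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d = evaluate(r)
        print(f"{r.user:6} {r.dest:22} {d.action:6} {d.reason}")
```

The rule order matters: threat category is checked before identity so a compromised but well-posted device still cannot reach known-bad destinations, and DLP runs only on traffic that has already passed posture, which mirrors how a single cloud policy replaces the chain of separate appliances described above.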
What’s the difference between SASE and SD-WAN?
Systal typically recommends SASE to our customers rather than SD-WAN alone; the comparison chart below identifies the main differences between the two technologies:
Overall, SASE and SD-WAN serve different purposes and address different networking and security requirements. SASE is a converged security and networking service with built-in security functions delivered from the cloud, while SD-WAN focuses on WAN connectivity optimisation and can be deployed on-premises or in the cloud. SD-WAN encrypts and steers traffic; it does not inspect it, so on its own it leaves the security functions to separate point solutions.
What could SASE bring to my enterprise?
Systal sees SASE as a framework so it’s going to bring multiple benefits to your enterprise including:
✓ Additional network capacity and resiliency at or below the cost of MPLS – Migration from MPLS to ADSL/SDSL last-mile links and SD-WAN transport for more usable capacity and resilience, with the option of 5G cellular gateways with native resilience for “pop up” locations or “office in a box” scenarios.
✓ Secure Direct / Cloud Internet Access without appliance sprawl – There is no longer a requirement to backhaul internet-destined traffic through a central DC or HQ when a branch has a local internet circuit, because inspection happens in the SASE cloud rather than on a central firewall. SASE vendors also typically use simple edge hardware without proprietary chipset constraints, giving both lower cost and a much quicker time to deploy. This eliminates the wasteful MPLS backhaul of internet traffic that typically overloads central firewalls, proxies and internet circuits, and removes point solutions and their associated appliances.
✓ Reduction in global latency – Affordable and predictable connectivity from remote global locations to DC locations through the vendor’s private backbone. Rather than relying on the ‘vanilla’ internet between point A and point B, SASE providers typically optimise the connections with TCP acceleration and data deduplication to provide a faster and more reliable service.
✓ Optimised and Secure Cloud Access – Optimally connect cloud data centres and cloud applications to the WAN. Optimise branch-to-cloud and user-to-cloud access based on a Zero Trust policy.
✓ Optimised and secure remote access – Improve connectivity for mobile users’ access across regions. Apply full network security without costly VPN point solutions and VPN traffic backhaul to DC locations. Our clients often want to provide the same level of security to their users, branches, campus sites and Data Centres without the complications and expense of putting a full security stack everywhere. SASE can provide this – with the same security policy applied for users connecting to the enterprise and cloud.
✓ Simplified network operations – Faster site deployments based on zero-touch principles, and self-service network changes. Consolidation of network and security management into a single converged policy. Traditional network and security vendors like to talk about their “single pane of glass”, which often ends up being many panes of glass to handle the multiple point solutions within their architecture. Single-vendor SASE solutions truly can provide configuration, oversight and analytics for all elements of the solution from a single portal.
Risk Analysis: reviewing existing WAN technology
Systal recommends reviewing or allowing us to assist you in reviewing your enterprise’s existing WAN/connectivity technology and principles. A risk analysis can be created to determine your current exposures and whether SASE could be a good fit for your enterprise.
For example, can you answer the following 13 questions with confidence?
1. Are your existing security point solutions capable of effectively mitigating threats within their varying life cycles, multiple policies and operating systems?
2. Do you believe your current MPLS service and backhauled internet access is cost-effective, are you willing to extend contracts for an additional 3-5 years of service?
3. Are you aware which resources your users are accessing within corporate and external networks and the associated risks this entails?
4. Do you know who or what is accessing your resources?
5. Is your WAN traffic encrypted?
6. Do you have Zero Trust networking deployed within your network?
7. Are your IT support staff fully trained and certified on every vendor appliance, technology and Cyber Security?
8. Do you have a network and cyber security strategy?
9. Is the number of vendor point network and security solutions you maintain manageable?
10. Is the amount of time your IT staff are spending on making changes, troubleshooting issues and applying security patches acceptable?
11. Is your Remote Access Service scaled correctly, cost-effective, providing maximum performance and MFA security?
12. Do you have a cost-effective and secure multi-cloud strategy?
13. Are your IT costs spiralling?
If a weakness has been identified it’s time to talk to Systal.
How can Systal help me on my SASE journey?
Firstly, at Systal we’re vendor agnostic; we’re not going to stipulate that our clients use a particular vendor. This allows us to provide the optimal solution to our clients every time.
We collaborate very closely with our clients to understand their business and technical requirements. Our aim is to innovate from the “inside out” rather than a more traditional “outside-in” approach to ensure we provide our clients with an optimal solution which allows their business to succeed.
Systal offers an industry-leading API integration service into our best-of-breed tooling to support multiple vendors. Whichever SASE solution is selected, you can be safe in the knowledge that network management and telemetry are covered from the outset.
We’re passionate about SASE because we understand the value the technology can provide. Beyond what we’ve detailed in this post, we see SASE as an enabler for our Hyper Convergence solutions, ranging from NFV through to our compute / storage systems offering scale and affordability in a “pay as you grow” model. We are in discussions as to how we can simplify and offer wider network management solutions to our clients as part of a SASE solution, which we aim to make a zero-cost bolt-on.
Find Out More
At Systal we’re keen to help businesses move away from disjointed point solutions and provide strategic, simple and secure solutions. SASE fits this model and our clients extremely well. Talk to Systal about integrating SASE into your enterprise’s digital transformation journey to significantly improve IT performance and future-proof your network security.
Martin J. Duggan, CCDE#2016::6 and CCIE#7942, is a Principal Network Architect designing network solutions for global financial accounts at Systal Technology Solutions. He is one of Systal’s key technical leadership resources, helping Systal to be a dynamic and innovative services integrator and provider that offers fast, agile, and tailored support to meet business aspirations and challenges. Martin draws on 20+ years of experience designing global networks, mentoring colleagues at world-class networking organisations and personally contributing to Cisco CCIE & CCDE exam updates. Martin has authored the CCIE & CCDE Practice Labs series for Cisco Press and creates content for multiple Cisco exam tracks.
Phil Guerin, CCIE#17416, is a Technical Sales Consultant at Systal Technology Solutions. He has worked with a range of clients across key industry verticals to discuss their pain points and identify the right mix of technologies and solution for their needs. Phil has over 25 years of experience in networking, ranging from network management, network design and architecture right the way through to consultative selling.