Secure Access Service Edge (SASE) was very popular last year. SASE, a term and category created by Gartner in 2019, holds that the future of networking and security lies in the convergence of these categories into a single cloud platform.
The features offered by SASE are not new and include SD-WAN, threat prevention, remote access and other features offered by different vendors over the years.
So, what about SASE? This was the main topic of our conversation with Yishay Yovel, Marketing Director at Cato Networks, one of the first companies to enter the SASE market.
THN: Cato was a great supporter of SASE. Why is SASE important for end users?
Yishay: SASE is a wake-up call for our industry and IT organisations. The IT infrastructure is fragmented by numerous ad hoc solutions, resulting in complexity, inflexibility, high costs and increased risks. This is a systemic problem. Each individual product does its own work, but together they are very difficult to handle. Something had to change.
Cato was founded in 2015 to tackle this problem. The solution we have created is a new converged network and security platform offered as a global cloud computing service. The same great features, but with a single platform, a single management, self-service and self-healing. In 2019 Gartner invented SASE, which fits very well with our vision.
SASE is thus a way for customers to simplify their infrastructure, to use it as a service and to provide secure and optimal access to all users and applications, regardless of their location.
THN: Seems like a very big promise. What is the relationship between SASE and customers during a pandemic?
Yishay: SASE is a very good example of how an appropriate architecture is the key to a rapid response to a changing business environment. Imagine if you had invested in a ton of industrial equipment – firewalls, SD-WAN devices and even MPLS. All these investments are not registered when everyone works from home. SASE, on the other hand, is a cloud-centric architecture.
According to Gartner, SASE comes from points of presence in the cloud (PoPs) that offer users a variety of security and optimization options. This is important because a user can leave the office and go home, connect to the SASE service in the cloud with a lightweight device agent, and get almost as much protection and optimization as in the office.
In short, with SASE you can work anywhere. We have had remote VPN solutions for 20 years now, but they are built for road warriors, a small part of the organisation and for short meetings. We need a completely different scalability and distribution than what the VPN can offer.
For example, SASE with integrated ZTNA (Zero Trust Network Access) eliminates the need for VPN point solutions and provides a better overall service. In the case of Cato, we saw a 300% increase in remote hiccups in the first two months of the pandemic.
THN: You mention that SASE is the first architecture for the cloud, but not all providers seem to agree. Why?
Yishay: SASE is very difficult for former box manufacturers. If your business is based on selling cheap boxes that try to bundle all the functionalities of SASE, you are not solving the real architecture problems that SASE is trying to solve.
First of all, dimensioning and scaling – you need to make sure that the device you install can support all the different functionalities today and in the years to come. This is not a trivial task – security and networking functions have very different processing requirements, and it is difficult to determine the size you need (multiplied by the number of sites and their specific requirements).
Secondly, you need to practically manage the corrections and updates per box. Thirdly, these boxes must be distributed worldwide, either in your shops or in colocation centres. Fourth, you need to work with scripts that allow remote users secure access to applications in the cloud when the device is not in direct view. Finally, you make investments based on location – users leave the office and they can’t keep track of the functions they need.
SASE solves all these problems. This is cloud scale, so you don’t have to worry about the scale. It is supported by the cloud service provider, so no patching is required. It is scattered around the world at different points of presence (PoPs), i.e. without colocation or concentrators. It can see and protect all traffic, so a return journey is not necessary. And because it’s not stuck in the office, it can serve users anywhere.
In fact, these instrument-oriented SASE solutions try to convince you that you don’t need SASE at all. What they offer as SASE is the same approach that they have been selling for decades. Cloud First architecture is not an optional feature of SASE, but the essence of SASE – without the cloud service, there can be no SASE.
THN: Let me make it a little harder. What about scenarios in which the traffic within the data centre must be protected?
Yishay: SASE focuses on the wide area network (WAN). It is the traffic that flows between branches, data centers, users and clouds. It’s the traffic the company runs today. The cloud is the best place to secure and optimize this traffic. If you are unable to use the online services or if you have certain requirements in the data centre, SASE is of course not designed to solve this problem.
If I have 1,000 sites and 20,000 users who can use SASE, and a data center that can’t, wouldn’t I prefer a device-based SASE architecture? I think it makes sense to treat the exception as such instead of enslaving the entire infrastructure with poor architecture.
THN: We see security companies such as Zscaler, Palo Alto Networks and Netskope taking part in the SASE race. Doesn’t SASE care more about security than the network?
Yishay: SASE means the convergence of a network (especially a WAN) with cloud security. When functions are counted, there are more security functions in SASE than network functions. But for our customers, it is the need to change the network architecture to make it cloudier and more mobile that triggers the necessary changes in the security architecture.
As a result, some security vendors are adding SD-WAN capabilities to their offerings to better align with SASE. Other suppliers work with SD-WAN providers, but this clearly weakens their only platform.
Customers will have to choose between a single architecture that allows for full optimization and control and a form of integration of multiple products based on the ‘do it yourself’ principle. We believe that the main trend for the coming years is the simplicity of a single converged platform delivered as a service.
THN: Thank you for your understanding. Where can readers learn more about SASE?
Yishay: We recently made a book, SASE for Dummies, which can be downloaded for free from our website. I encourage readers to think critically about the different SASE architectures when considering their next network and security upgrade. We see huge benefits for customers through the implementation of SASE, and we believe it will really change the IT landscape in the coming years, as Gartner predicts.