How SASE Architectures Can Reach Beyond Cybersecurity

There’s something not quite right about the secure access service edge (SASE) model. It’s not that there’s a problem from a technical perspective -- but more so that the concept felt painfully shortsighted. When you break down the core components, SASE should be less about cybersecurity and more about an efficient delivery architecture that can be used to deliver any type of network function. Fortunately, many within the industry are coming to this same conclusion.

According to Gartner Research, who coined the term SASE, the model "combines network security functions (such as SWG, CASB, FWaaS, and ZTNA), with WAN capabilities (i.e., SDWAN) to support the dynamic, secure access needs of organizations." While there is certainly a need for flexible, secure access, the architecture can do so much more.

SASE isn’t just about cybersecurity and SD-WAN

From my and a growing number of others' perspectives, there are two glaring issues with how this architecture model was formulated. First, it needlessly focuses on network security functions as opposed to all network functions. Second, the concept outlines the importance of an intelligent WAN as opposed to the entirety of modern enterprise networks. Missing network segments include the wired and wireless LAN, private data center, traditional cloud, and metropolitan edge deployments.

SASE can and likely will be much bigger than Gartner made it out to be. Because SASE uses a flexible software-as-a-service (SaaS) model, cybersecurity services can be positioned in the cloud, at a metro edge, or inside a private edge. The physical location where services reside depends on where end-users are located and the level of network performance they require. This means that cybersecurity services are delivered in a manner that can dynamically shift delivery points based on user location and need and fully abstracts the delivery of those services.  

If you think about it, there are plenty of non-cybersecurity network functions and services that could benefit from dynamic delivery with the purpose of improving application performance. In fact, virtually any application or service could take advantage of such a model. Thus, the true benefit of SASE is the “service edge” portion of the acronym -- not the secure access part.

The other major aspect of the SASE model that is often glossed over is that network transport to and from services can be completely streamlined and abstracted. Because of the desegregation of applications, data, and users in recent years, traditional routing and switching technologies are being stretched well beyond what they’re capable of achieving. This leaves network architects with little choice other than to configure elaborate and complex routing policies to ensure the efficient and semi-predictable transport of business-critical and/or latency-sensitive data streams.

Where SASE can come into play is that the model is intended to place network services where data flows can be the most efficient. Much like how major cloud providers can route globally distributed users to the closest cloud data center region based on geolocation, a business’s corporate network could route user traffic to an application located inside a public cloud, private data center, or metro edge depending on geographic location and network performance need. If a network were intelligent enough to understand the network performance intent for a particular service combined with the physical location of the user or device attempting to access the service, the network could route traffic to the service edge that provides the most optimal experience at any given moment in time.

The tech industry is taking SASE to a whole new level

Apparently, I’m not the only one that thinks the SASE model can be much bigger than it was originally thought to be. For example, some enterprise managed service providers (MSP), including Verizon, prefer to use more general terms such as "dynamic enterprise edge services" to describe the combination of SASE, SD-WAN, and other network functions that they sell to their customers on a single unified platform. The reason for this calculated shift in marketing terminology is simple: while the delivery of these network services uses the exact same distribution architecture that is described in the SASE model, what Verizon offers goes well beyond just secure access.

Enterprise technology vendors are also jumping onto the idea that SASE can be extended further into the enterprise. Celona Inc. is one such company exploring how they can combine the superior network intelligence capabilities found in modern 5G network slicing policies with the concept of a "flexible edge." The company’s plan is to create a network that understands optimal network paths on a per-application or device level and route the traffic to the service edge that offers the necessary and guaranteed levels of performance.

Core SASE concepts will remain, but the acronym will likely disappear

I’m a huge proponent of SASE. I just hate the fact that it was too narrowly scoped. But I believe that eventually, the core aspects of what makes SASE such a fantastic architecture will remain while non-cybersecurity network functions and next-generation flexible edge network technologies will be allowed to join and thrive. Ultimately, what I see in SASE is a dynamic service edge architecture that has the potential to become the next-generation foundation for enterprise networks of the future.