SASE: This Time It’s Personal

Secure Access Service Edge (SASE) is a useful way to describe the integration of networking and security. Unfortunately, that’s where its usefulness ends. No one would dispute that SASE is a good idea or that it describes real issues for the CIO. The problem is with delivery.

As applications and users have become more widely distributed, it no longer makes sense to send traffic back to the data center for inspection. Backhauling traffic to a remote firewall, which could be on the other side of the world, severely impacts application performance.

As Gartner, the company that first coined the term SASE in 2019, described it, networking and security controls were expected to move to the cloud. Cloud-based firewalls and Internet gateways would reduce the round-trip time from user to security checkpoint to application and back, resulting in lower latency and higher application performance.   

Performance was not the only rationale for SASE. System architects recognized that building security into networks rather than bolting it on would make for better security. A single networking and security stack, governed by a single set of policies, would also reduce complexity, resulting in lower IT management and support overheads.

Problems with ‘traditional’ SASE

Related:SASE Explained: Definition, Benefits, and Best Practice

There are several reasons why SASE remains more aspirational than practical.

Firstly, SASE vendors pay lip service to users that are not inside the office. These are a significant part of the current hybrid workforce, yet their systems were never designed with this style of working in mind.

SD-WAN – the network architecture at the heart of SASE – is a hardware centric, hub and spoke branch office architecture. The fundamental assumption behind most of today’s SD-WAN platforms and the SASE paraphernalia bolted on to them, is that most of the users would be in the same location or concentrated in a few locations.

Secondly, unlike an office set-up, where IT directly controls the local and wide area networking environment, work-from-anywhere (WFA) users might be connected to unreliable Wi-Fi or consumer broadband. Furthermore, parameters you previously relied on for security – such as their location/IP address – go out the window. When you add enterprise-grade security to a remote connection – forcing Internet traffic through a secure web gateway (SWG), for example – you compromise performance.

This is why most SASE solutions still involve uprated network connections and additional hardware at the user premises. This adds massive expense and operational complexity (rolling out and maintaining thousands of hardware routers) and only works for users who work from home or another fixed location.

Thirdly, SASE vendors have not sprung up fully formed but have evolved from existing networking and security vendors – typically SD-WAN or enterprise firewall suppliers. That means they have had to assemble all the components of their SASE solution – in most cases through acquisition – and then make them work together. The goal of SASE is supposed to be reduced complexity, but the price of all this legacy debt for customers is multiple dashboards, disparate policy islands, and much more complexity. 

Former F100 CIO Karl Gouverneur characterizes the problem this way: "CIOs want the SASE promise of integrated networking and security, but they're looking for the 'easy button.' Legacy single-vendor SASE offerings are often an expensive, overly complex patchwork of acquired products while multi-vendor solutions also bring complexity into the environment, rely on constant finger-pointing, and need further integration."

Taking location out of the equation

Working patterns are changing fast. Millennials and GenZs – the first true digital generation – no longer expect to go to the same place every day. Just as the web broke the link between bricks and mortar and shopping, we are now seeing the disintermediation of the workplace, which is anywhere and everywhere. The trend was accelerated by the pandemic, but it’s a mistake to believe that the pandemic created hybrid working.

So, while SASE makes the right assumptions about the need to integrate networking and security, it doesn't go far enough. The networking and security stack is still office-bound and centralized. If you were designing this from the ground up, you wouldn't start from here.

A more radical approach, what we call personal SASE, is to left-shift the networking and security stack all the way to the user edge. Think of it like the transition from the mainframe to the minicomputer to the PC in the early 1980s, a rapid migration of compute power to the end user. Personal SASE involves a similar architectural shift with commensurate productivity gains for the modern hybrid workforce, who expect but rarely get the same level of network performance and seamless security that they currently experience when they step into the office.

Personal SASE involves putting all the key networking and security functions, including the firewall, Internet security, routing, and zero trust access controls at the user edge – where most data is created and consumed – while retaining necessary IT controls over security policy and network observability.

The other vital element in liberating the hybrid/remote worker from second-class user experience is the end-to-end delivery of personal SASE as a service. Any WFA solution that involves more hardware appliances feels like a backward step.

We’ll know it when we get there

As Mauricio Sanchez, senior research director, enterprise networking and security at Dell’Oro Group, said: “In many SASE solutions for WFA users, security often overshadows the networking. Yet, for remote users to enjoy a positive experience and robust security, equal emphasis on high-performance networking and stringent security is essential. A truly effective SASE solution integrates these elements seamlessly, supporting the hybrid workforce's demands."

Gartner’s original vision for SASE was right, but as often happens in the IT industry, the destination was easier to imagine than the journey. We won’t realise the vision until we can shape the vision not around the IT of the last decade, but around the needs of the current and future workforce.

Related articles: