SASE is all the rage, promising things IT leaders have long dreamed about, but a purist approach may create consequences.

Jay Barbour, Director of Security Product Management at Masergy

May 31, 2021

4 Min Read

Secure Access Service Edge (SASE) has been a hot topic since Gartner defined it as a new category of offerings combining wireless area network (WAN) capabilities with network security functions. Everyone agrees SASE makes sense conceptually, but when it comes to turning idealistic frameworks into realistic IT approaches, misconceptions abound. Here's where SASE principles can be taken too far and where IT buyers may get a bit too starry-eyed.

Misconception #1: SASE Mandates Zero Daisy Chains
Gartner's 2019 Hype Cycle for Enterprise Networking included this warning statement about virtual machine service chains (also known as daisy chains) that can sometimes lead people astray:

"Software architecture and implementation matters. Be wary of vendors that propose to deliver services by linking a large number of features via [virtual machine] service chaining, especially when the products come from a number of acquisitions or partnerships. This approach may speed time to market but will result in inconsistent services, poor manageability, and high latency."

Solution architecture is important, and yes, you want to minimize the number of daisy chains to reduce complexity. However, it doesn't mean you cannot have any daisy chains in your solution. In fact, dictating zero daisy chains can have consequences — not for performance, but for security.

SASE consolidates a wide array of security technologies into one service, yet each of those technologies is a standalone segment today — with its own industry leaders and laggards. Any buyer who dictates "no daisy chains" is trusting that one single SASE provider can (all by itself) build the best technologies across a constellation of capabilities that is only growing larger. Being beholden to one company is not pragmatic given that the occasional daisy chain greatly increases the ability to unite best-of-breed technologies under one service provider's umbrella. Here are a few more reasons why daisy chains are needed:

  • No single vendor, particularly a startup, can effectively deliver on all areas of SASE security with a level of product maturity, mastery, and best practices that businesses need and expect in today's landscape of relentless attackers. SASE capabilities should be proven on the harsh cyber battlefield, and most startups don't survive.

  • Any incremental complexity stemming from a strategically placed daisy chain or two should be managed by the provider and should not impact the customer. If a SASE platform performs above expectations, then why should the number of daisy chains matter?

  • "No daisy chains" implies technology acquisitions and large market consolidation, meaning a small number of very large SASE providers may have too much market power, stifling innovation and raising prices. That's not always good for IT buyers.

Misconception #2: You Must Take an All-Cloud Approach With SASE
SASE revolves around the cloud and is undoubtedly about speed and agility achieved through cloud-deployed security. But SASE doesn't mean the cloud is the only way to go and you should ignore everything else. Instead, IT leaders must take a more practical position, using the best technology given the situation and problem. For example, on-premises next-gen firewall appliances are usually still the best option for large offices where performance and total cost of ownership are the key goals. If your SASE approach is cloud-first but not cloud-only, make sure your solution follows suit. 

sase.jpeg

Credit: Momius via Adobe Stock

Misconception #3: SASE Will Solve All Your Security Problems
Don't assume SASE is a total solution. SASE covers a lot of ground, but it does not cover all the technologies a company needs to secure a remote-work and multicloud environment. For example, cloud workload protection (CWP) and endpoint detection and response (EDR) are critical in securing user and cloud computing environments but are not part of the SASE framework. Although EDR is a primary technology for addressing ransomware, a skyrocketing threat vector, it is excluded from SASE because it does not require network traffic inspection to function. Rather, it's an agent-based solution that monitors operating system activity and integrity.

Moreover, SASE addresses only the technology components of an effective security program, leaving out the experts required for 24/7 security monitoring and mature incident response. Without a dedicated team of security analysts, security technologies are ineffective — whether they are included in SASE or not. Professional skills are necessary to investigate threats and stop them before major damage is done.

Purity vs. Pragmatism
SASE is all the rage, promising the ideologies that IT leaders have dreamed about for years, but taking a purist approach may have consequences. Hardline expectations around daisy chains and the cloud should be softened in favor of maximizing security excellence and business outcomes. Likewise, SASE solutions need to be compared against the broader security and network strategy, seeing where it adds value and where it may still fall short. By taking a pragmatic approach, companies can make ideologies tangible, achieving agility and productivity with ready-made security.

About the Author(s)

Jay Barbour

Director of Security Product Management at Masergy

Jay brings more than 20 years of security experience to Masergy as Director of Security Product Management. He is responsible for the product vision of Masergy's managed security services and leads the product team on execution. Previously, Jay was Director of Security Advisory Services for BlackBerry, where he advised large enterprises and government agencies on mobile security.

Other positions he has held include Vice President of Marketing at Intrusion and Vice President of Product Management at Scansafe (now Cisco). Jay holds a degree in Engineering Physics from Queen's University, Canada, an MBA from INSEAD, France, and is a Certified Information Systems Security Professional (CISSP).

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights