Implementing SASE: One Company's Story
This is what Andrew Thomson, vice president of innovation and technology at BioIVT, was looking for when he was revamping network security two years ago. He wasn't specifically seeking SASE but wanted to find a more secure way to manage the network in the cloud. At the time, BioIVT was running on a network with several Cisco point-to-point connections, which connected sites together into a WAN. There were multiple points of entry through various Internet provider connections, and he wasn't sure how to support its growth.
"We were kind of at a crossroads," Thomson says. "How do we manage this growing network and how do we manage our security game?" The search turned to SD-WAN providers, which were focused on this type of service.
He found disparate tools but wasn't enthusiastic about working with several partners. "I didn't want to have to go find different vendors … didn't want a network monitoring vendor, and a new firewall vendor. Being able to select a SASE model, [we have] one vendor handling all that for us."
BioIVT needed to maintain connectivity throughout the implementation process and was able to structure the integration as it ran in parallel alongside its existing network. Since then, he's noticed some unexpected benefits to the new approach. The company has been able to stick with the same vendor (Cato Networks) without additional monitoring or staffing, a perk because it hasn't required a learning curve for security employees. Since its implementation, BioIVT has grown from eight locations to 17, and a preconfigured device can be shipped to each new site.
To SASE or Not to SASE?
There are several reasons why an organization might adopt a SASE model and many reasons why they might hold back. Companies that choose SASE are driven by a set of factors: They don't want to run their own hardware anymore; they don't want traffic backhauled to the data center before it goes to the Internet; they don't want end users unsecured when not on a VPN.
If your firewall is about to expire, for example, you might consider a SASE-based approach rather than investing in new hardware, Cross notes. Perhaps you're opening a new office and it would be easier to connect using a service-based security model. Or maybe you're in the M&A process and need stronger control over a new company's security processes and infrastructure. Distributed workforces, branch offices, and retail stores are also scenarios where SASE fits in.
When Cato Networks started, only the smallest businesses were looking for a SASE model, says Greenfield. Mid- to low-end enterprise users often didn't have the staff to manage a lot of complex infrastructure. Now, even the largest enterprises are adding SASE to 50–70 sites. Security has grown so complicated that most organizations don't have the resources to manage it.
"It doesn't matter how big you are but how old you are and how your IT works," Cross says. Businesses born in the cloud will have an easier time adopting SASE, but the reality is that most are not starting from scratch. And there are some industries that will always need on-premises IT infrastructure: manufacturing facilities, hospitals, and retail sites all need hardware on-site.
The Future of Cloud Security?
There has been a "significant uptick" in interest in solving this problem over recent months, says Cross, and as a result, multiple vendors are tackling the issue from different directions. Vendors like Cato Networks, Zscaler, Forcepoint, OPAQ, and Symantec for a while had a managed WAN or proxy type of service they're starting to extend, says Rothman. Meta Networks, another, was acquired by Proofpoint — an early sign of consolidation in the space.
While adoption has grown, it's unclear if or when SASE will reach the widespread popularity of cloud storage and apps. Some organizations remain hesitant, a common mentality when cloud computing started to emerge. "When IaaS began, a lot of people were like, 'We're not going to move our workloads to the cloud — we're not going to trust cloud providers,'" says Cross.
Consider the millions of workloads in platforms like Amazon Web Services and Microsoft Azure, he continues, and think about how much weaker their security would be if each organization had handled their security on their own. It's the same situation with security-as-a-service: Outsource to people who can securely manage the infrastructure — they will be more successful.
"This will be proven out over time, just as with the cloud," Cross says.