Regardless of your role in cybersecurity or IT, if you're reading this article, there is a good chance you may already have heard mutterings of a tech trend called SASE.
Secure access service edge is a somewhat cumbersome assemblage of words dreamed up by Gartner, which frequently plays the John the Baptist of IT, anointing new and emerging trends and technologies with monikers, which are then rapidly taken up by vendors that have largely failed to describe themselves. Convenient hooks on which to hang their marketing hats, you might say.
SASE's Component Parts
Be that as it may, kudos to Gartner for identifying and naming a trend in the market (for SASE is most definitely not a new technology but, rather, an emerging delivery mechanism for several important technologies in networking and security, most of which already existed). In the case of networking, these are:
- Software-defined wide area networking (SD-WAN) and
- 5G mobile connectivity.
Meanwhile, in network security, they are:
- Next-generation firewall (NGFW),
- Secure Web gateway (SWG), and
- Cloud access security broker (CASB).
In secure remote access, the technology in question is the nearest thing to a new kid on the block, namely:
- Zero-trust access (ZTA), which is a cloud proxy-based replacement for virtual private network (VPN) technology that provides both tighter security and more efficient use of bandwidth.
SASE brings all these technologies together and delivers them as a managed service, preferably (though not exclusively) from the cloud. For this reason, a further essential element of SASE is the network itself, which enables the SASE provider to offer service-level agreements to its customers.
The SASE Gold Rush
In the past 12 to 18 months, there has been a veritable SASE gold rush, with tech vendors from all the segments listed above working feverishly to don the SASE mantle and become service providers in their own right. Palo Alto Networks, Fortinet, and Check Point have all launched SASEs, as have companies that were already in the “as-a-service” business, such as content delivery specialists Akamai and Cloudflare, cloud-delivered SWG and ZTA provider Zscaler, and network-as-a-service pioneer Cato Networks.
Traditional telecoms operators, whose lunch the tech vendors now threaten to consume, have responded to this existential challenge with SASE offerings of their own: AT&T was first out of the gate in early 2020, but Verizon has since entered the fray, trumpeting the fact that it has had its own ZTA technology since its 2018 acquisition of Vidder.
The coronavirus pandemic has, of course, supercharged interest in SASE: With millions of knowledge workers suddenly forced to work from home, ZTA was a more convenient alternative to provisioning multiple new VPNs. And as some of these workers trickle back into offices where possible, branch connectivity delivered as a cloud-managed service, whether via SD-WAN, 5G, broadband, or any combination thereof, is an attractive, cost-effective alternative to MPLS WANs.
Just When You Were Getting Used to SASE…
Meanwhile, now that it has taught the world to talk SASE, Gartner has moved on to launch yet another acronym: SSE, which stands for secure service edge (i.e., SASE without the "A"). In essence, an SSE has all the elements of a SASE minus the networking, and Omdia suspects that it may have been created at the request of vendors that play in this market but don't have any SD-WAN technology. Zscaler is a case in point.
IBM, which launched its Security Service for SASE offering in September this year, delivers it via a partnership with Zscaler, making a virtue of the latter's SSE status by arguing that it will therefore work with whichever SD-WAN vendor the customer has in place.
Will a Cloud Titan Throw its Hat into the Ring?
Frivolity aside, the question Omdia ponders is this: Will the SASE market grow to a point where one of the big players in cloud (Amazon Web Services, Microsoft Azure, Google Cloud, or even Salesforce) decides to launch a SASE of its own? They all have extensive networks with huge bandwidth between their multiple data centers. Indeed, Google's network already underpins Palo Alto Networks' SASE offering. Furthermore, GCP was a pioneer in ZTA with its BeyondCorp technology.
One might argue that SASEs are designed to facilitate multicloud access and thus work against the interests of the cloud heavyweights, which would love to be their customers’ sole providers. That said, multicloud is coming, if not already here in some form, and there are signs that some cloud service providers are actually embracing this heterogeneous world as a competitive advantage: Both Azure and GCP have cloud-based security information and event management (SIEM) platforms that can work across their rivals' clouds, while Oracle has endowed its OCI Web Application Firewall (WAF) with the ability to protect apps in third-party clouds as well as on customers' premises.
Omdia has long considered heterogeneous cloud security a canny competitive tool for all cloud providers that want to convince the customers of market leader AWS to adopt a more promiscuous approach to cloud procurement. As such, a SASE could provide such vendors with a useful means of delivering secure cloud connectivity, with all the visibility into their customers’ cloud usage that would come with such a service offering.