SASE- Yet Another Gartner Acronym, But Does This One Have Real-World Validity And Who Is Providing It?

By Steve Broadhead, Broadband-Testing.

  • 4 years ago Posted in

IT thoughts may have turned towards the “new normal” and what company policies and IT strategies and technologies are now required, but one “old norm” in IT is Gartner Group’s ability to create new acronyms and matching IT categories.

So it is, that with, one of its more recent inventions, Gartner has ironically created a blueprint for that new normal, in the form of SASE (pronounced “Sassy”) or Secure Access Service Edge. So, it’s a mouthful but it is relevant to both IT security in general and the need for the secure, end to end communications that are fundamental to the successful deployment of mass WFH (Work From Home) brigades and remote users. It ticks two key boxes – security and optimisation. The most common phrase being used to define security in IT in 2020 is that “security has moved to the edge”. What the world has surely been crying out for, then, is a hybrid product\service that delivers a true solution (rather than an amalgam of products) combining security with optimisation and that’s SASE in a proverbial nutshell.

While in the Data Centre world, the Load-Balancer/Application Delivery Controller vendors have long had web application firewalls (WAFs) as part of their optimisation armoury, in the world of true, end to end delivery, notably via SD-WAN (the artist formerly known as WanOp), there has been no defined area for vendors to play that combines traffic delivery with security as a single solution. But now there is. Gartner defines SASE as “combining network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e., SD-WAN) to support the dynamic secure access needs of organisations. So, and typically, we have an acronym based around a whole set of other acronyms, but there is logic behind the “marketese” in this case. Key again, is that these capabilities are delivered primarily “as a service and based upon the identity of the entity, real time context and security/compliance policies”. The XaaS element here is important – as a service basically meaning it is cloud-based, so eliminating another management headache – and validating the “solution” rather than “bunch of products” requirement.

Unsurprisingly, the emergence of Gartner’s latest and greatest category towards the end of last year, combined with the fallout of COVID-19, has led to many vendors seemingly jumping on the SASE bandwagon, all coming from a number of partially related technology areas and laying claim to being the first SASE vendor. However, there is one that effectively defined SASE before Gartner did, and that is Cato Networks. So, if any vendor owns the rights to stake its claim as “the first SASE platform”, then it most certainly does. Of course, from a vendor perspective, the reality is that it takes many of them playing the same game in order to create a significant marketplace, so the more the merrier is no bad thing. What Gartner has done here is also provide some focus on an area – IT security – that was becoming ever more complex and confused. Over the past two decades, security has created its own IT lifeform and spawned a gazillion mutant variants, most of which even the vendors themselves struggle to differentiate between: AV/EDR, encryption, firewalls, IDS/IPS, UTMAs, SIEMs, content filtering, DLP, IAM… The list is near endless. I recall reading an article from some years ago that – then - identified 70 different categorisations of security product!

In the meantime, several thousand new start-ups have been introduced into the world of IT security. Imagine, then, being that IT professional within a company, tasked with both securing and optimising the network. How do you decide exactly what combination of security products you need and how you then integrate them a) within themselves and b) as part of your IT delivery architecture? Here’s a quick answer: you can’t, at least not using the DIY methodology.

The general consensus is that only around 20% of the investment in security products and services is actually put into daily use – the rest lies on dusty shelves, real or virtual. The problem is simply that companies don’t know exactly what they need as, every week, there’s another “new” security gizmo launched. That, and/or Gartner invents another new acronym/category suggesting more investment for an IT team with a room full of stuff they already don’t know what to do with anyway… Gartner itself, allowing for the reality that is digital transformation is not an option for companies, it’s been forced on them, notes: “digital transformation and adoption of mobile, cloud and edge deployment models fundamentally change network traffic patterns, rendering existing network and security models obsolete.”

Hence, the emergence of SASE, Gartner’s underlying philosophy here being a result of: “customer demands for simplicity, scalability, flexibility, low latency and pervasive security force convergence of the WAN edge and network security markets” – that’ll be SASE in one then. Which, in turn, brings us back to the aforementioned Cato Networks. So, Cato predates SASE by a few years, but Gartner might as well have invented the category for the vendor (it didn’t!) so close is the connection in terms of what SASE defines and what Cato has offered from day one. Andrew Lerner of Gartner makes a valid point re: selecting a SASE offering: “Software architecture and implementation really matters. Be wary of vendors that propose to deliver services by linking a large number of features via VM service chaining, especially when the products come from a number of acquisitions or partnerships.” In contrast, every SASE element is delivered from within the Cato portfolio – kind of like a superstore for secure SD-WAN application delivery in the cloud… The vendor calls its solution “the network for whatever’s next” which might sound somewhat glib, but it’s what every IT manager wants to hear since anyone who swears they can map out the future of IT is being somewhat disingenuous...

Key to the solution is the sheer number of options available and the ability to cherry pick from those, as not every company needs everything, or even the same subset of features. Regardless, the Cato delivery mechanism is fully cloud-based, designed around a global private backbone of over 50 POPs (Points Of Presence), so all traffic is managed in the same way, on the same network and with no reliance on backhaul traffic. So, back to the “new normal” and the WFH brigade: how does the Cato solution work from a user perspective? For starters, you can go down the client or clientless (web browser) routes, including mobile. The solution integrates with a number of identity management providers, to enable a single sign-on, for example using something like Microsoft 365, which can be multi-factor for hardened security. All the remote user’s traffic is inspected en route by Cato; the security stack includes a next generation firewall (NGFW), a secure web gateway, IPS, anti-malware and a managed threat detection and response (MDR) service.

So that covers off the basics of the “security” element of SASE, what about the optimisation side from a WFH perspective? While not offering a unified communications (UC) product – key to the EFH initiative – the Cato solution is designed to optimise all the elements of UC, such as by minimising packet loss and latency, both of which are killers for real-time applications such as voice and video. Equally, the Cato solution has been designed to overcome problems at the sharp end of the delivery mechanism – the last mile, using a combination of bidirectional QoS (Quality of Service) and policy-based routing/real-time optimum path selection – again all designed to minimise latency and packet loss. Moreover, it uses multiple last-mile links in order to ensure traffic availability, with multiple redundancy options available.

Naturally, there is far more to the Cato solution than I’ve touched upon here but, from a “new normal” perspective, the point is that it ticks all the boxes while effectively defining SASE at the same time. For more information related directly to the overview here, follow: https://www.catonetworks.com/sase.

Gartner noted in a recent report that: “after decades of focusing on network performance and features, future network innovation will target operational simplicity, automation, reliability and flexible business models” and this appears to be both the SASE and Cato Networks mantra. Not that the company will be short of alleged competition. As ever, given the Gartner origins, every interested vendor party will be angling for a top right position on the SASE magic quadrant, as and when that finally appears, but companies actually in need of a secure, optimised end to end delivery solution (who isn’t?) can ignore all the hyperbole and acronyms and just use their common sense – the answer is out there right now.

 

By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.