SASE: Reimagining the traditional security and networking model
Even before the pandemic began, IT teams were reimagining the design of their networks so they could better secure, and improve the performance of, the apps and devices that connected to them. While the pandemic and the shift to remote work that came with it certainly accelerated this redesign, many trends were already converging to put the wheels in motion.
1. Apps have evolved. Applications are not just hosted in the data center anymore. Today, an organization's app mix may include web and SaaS apps that are running in an on-prem, cloud or edge compute environment — or combination of all three. And the makeup of an app is more dynamic than ever. Not only can a single app run in multiple environments, but the adoption of microservices allows IT teams to run certain app functions in different environments simultaneously.
2. Remote work is here to stay. Employees now access these apps from the network edge, in remote work sites and home offices, and their network needs vary drastically. A radiologist reading patient charts in graphics-heavy applications requires a different kind of network than, say, a writer who may only use a handful of productivity apps every day. The volume of remote workers and the variance of their performance needs put unprecedented pressure on traditional networks.
3. Security threats are increasingly complex. With apps and users everywhere, the traditional "trusted" security perimeter has completely dissolved. It is getting harder to detect threats across the network, and attacks are getting more sophisticated.
Considering these factors, the traditional network and security model — serving up an app, over a server, to a headquarters or branch location, behind a security firewall — is obsolete. A new model that is emerging as a viable solution is Secure Access Service Edge, or SASE. This is an architecture conceptualized by Gartner that brings together networking and security — both delivered as a service.
But first… a word about SD-WAN
To understand the significance of SASE, we must first understand the shift from legacy, hardware-based networks to software-defined networks that has been underway for some time.
In the past, enterprises would deliver an application by connecting users to a data center where the app resided, typically located at headquarters and behind a security stack. Think of this as the "hub-and-spoke" model. As the cloud came into the picture, IT needed a way to keep the app behind the security stack while deploying it outside of its data center. IT was forced into one of two inefficient models:
1. Hairpin traffic back to the cloud. This means application traffic takes a roundabout route from a data center to the cloud and then back to the data center before getting to the user. Performance suffers.
2. Connect every branch to every cloud — also known as mesh. Every branch-to-cloud link must be provisioned and maintained separately, so IT operations are a nightmare.
With SD-WAN, or Software-Defined Wide Area Network, we created a WAN overlay that connects branch locations with the application — no matter where the app is located. The WAN overlay takes care of all the connectivity and automation on the back end to provide the optimal app experience and performance. Think of this as the "application traffic cop" model.
The shift from SD-WAN to SASE: Why now?
The saying "what got us here won't get us there" applies in this situation. While SD-WAN made significant strides in how apps are delivered to users, it's optimized for connecting branches and certain home workers. When it comes to the growing number of remote users (and devices and services) outside the branch, businesses once again must route everything through the data center. Today, the industry is taking SD-WAN to the next level with SASE.
As originally defined by Gartner, SASE brings together network and cloud security services. It pairs the network performance benefits of SD-WAN with a simpler way to deliver security services on demand, wherever they are needed, like other cloud services.
Today, SASE providers, including VMware, are building a global fabric of points of presence (PoPs) that serve as an onramp to SaaS applications and other cloud services. When users, devices or applications connect, either in a branch or via remote access, each PoP can apply the full suite of enterprise security functions.
VMware SASE, for example, combines industry-leading SD-WAN capabilities with cloud-delivered security functions, including cloud web security, zero-trust network access and firewalling, among others. These capabilities are delivered as a service from a global network of over 150 PoPs.
Our SASE platform delivers these cloud-based security functions on demand, and customers can apply the full suite of security protections anywhere, without having to maintain hundreds of point products distributed around the globe.
Going beyond security
SASE is the future of networking and security. And while the focus up to this point has been on "secure access," the "service edge" component of SASE is just as critical. Security services are only one of the many capabilities that can be delivered to the edge from a SASE platform. The true potential of SASE lies in creating an extensible service edge platform where you can deliver capabilities like edge computing on demand in a subscription-based model.
While the SASE space is white-hot, we are just at the beginning of this journey. With an eye on the horizon, I see limitless possibilities as to the variety of services that can be delivered over our SASE platform, ultimately unlocking new potential for customers and partners.