As SASE Evolves, Organizations Can Choose the Best Model to Meet Their Needs

An increasing number of organizations are adopting the secure access service edge (SASE) approach to remote security to address two issues facing many IT teams today: hybrid work and hybrid cloud. SASE is intended to connect users to and from anywhere without forcing them into a centralized IT environment.

Some organizations move to a SASE architecture to improve the effectiveness of their security efforts, since they can run more advanced security controls at a cloud scale than on-premises resources would allow. Others adopt SASE to improve performance, because it directly connects users with security tools. No matter why an organization starts its SASE journey, it ultimately experiences multiple benefits through improving security efficacy and increasing performance. With SASE, it doesn’t matter whether applications are internal or external; SASE converges data flows to protect end users wherever their destinations are.

Let’s look at several ways SASE models have begun to evolve.

Historically, SASE required organizations to deploy a multisolution or multi-vendor approach. An organization might purchase software-defined WAN (SD-WAN) from one vendor, a secure web gateway from another, a cloud access security broker (CASB) from another, and use VPN or zero-trust network access from another. Now, platforms are merging, so organizations can choose a single-vendor solution. Organizations may want a more modular approach or a fully integrated model, depending on their needs.

Larger, more complex organizations are likely have separate, dedicated teams for networking and security. Typically, they want these teams to work together more closely while maintaining a clear separation of duties. The platforms they select may be independently chosen yet need to support direct integrations. Here, a modular approach may work best due to its flexibility and varied deployment and purchasing models. Conversely, smaller organizations with IT teams handling both networking and security may need a unified SASE solution that’s easy to deploy, manage and troubleshoot, with simplified licensing models and back-end support.

Cisco supports both scenarios — delivering the same routing and security capabilities with different approaches to management. Larger organizations might opt for individual SASE components. They may start with a Cisco SD-WAN project, and subsequently purchase Umbrella several months later once the security team is ready to shift branch inspection to the cloud.

Smaller organizations might choose to unify those solutions through Cisco+ Secure Connect, which bridges SD-WAN and cloud security to create a single management point. Cisco+ Secure Connect adds the cloud security element of SASE to the networking management capabilities of the Meraki dashboard. This simplifies management so IT staffers can see network operations as well as the correlation of insights and events against their security policy. Both models use the same routing and security innovations delivered by SD-WAN and cloud security but provide flexible consumption options for licensing, management and support.

The adoption of SASE is being driven by three key objectives: WAN modernization, outbound security and inbound private access.

For organizations looking to enhance their networking via a SASE deployment, SD-WAN is generally a robust option. SD-WAN delivers capabilities such as a cloud-based controller system, intent-based networking and a centralized policy distributed to all edge environments. When outbound security is the driver, organizations prioritize SASE components such as secure web gateway, CASB, Firewall as a Service and data loss prevention — elements that protect organizations from external environments and let them apply a unified security policy. The third driver is facilitating secure, inbound access to private applications using zero-trust methodologies by limiting lateral movement within the network and providing end users with least privilege access to sensitive applications.

Today, we’re seeing SASE projects that started with SD-WAN, moved into outbound cloud security and are now moving into secure private access. That last driver is becoming more common as organizations seek to move away from traditional VPNs while providing remote users with secure access to private applications. However, there is no right or wrong answer as to where to start your SASE journey. What’s important is to take an inventory of your current networking and security capabilities and map them to your hybrid work and hybrid cloud initiatives. If the current architecture does not provide flexibility for onboarding applications or delivering mature security practices, it’s time to get started with a SASE project.

For the most recent Cisco Cybersecurity Readiness Index, Cisco surveyed 6,700 private-sector security leaders in global markets. We found that only 15 percent of organizations are considered mature from a security perspective, and 60 percent experienced a cybersecurity event in the past 12 months. These findings affirm the need for an evolution in how organizations approach security. SASE is an excellent way to achieve this goal while increasing business agility and user productivity.

Story by Dave Abbott, a secure hybrid work architect with Cisco Systems who has primarily focused on zero trust and secure access service edge architectures. Over the past seven years at Cisco, he has helped customers migrate away from traditional networking and security models and into agile deployments that enable hybrid work and hybrid cloud adoption.