Apcela’s Head of Solutions Engineering, Kunal Thakkar, outlines three key trends you don’t want to miss when considering adoption of the Secure Access Service Edge (SASE). 

Tech Reads Series

By Kunal Thakkar

Head of Solutions Engineering at Apcela

While most network and security engineers are likely familiar with the Secure Access Service Edge, or SASE, not all are aware of the differences in solutions offered by the multitude of SASE vendors. Below I will outline three things to keep in mind when considering a SASE strategy. 

First, a definition. SASE is Gartner’s name for a combination of SD-WAN capabilities with a number of security services that are primarily delivered through a cloud-based delivery model. Gartner introduced this new category late in 2019 in a research note titled “The Future of Network Security Is in the Cloud.”

In short, a SASE offering helps simplify network management by offering highly customizable policy-based control for performance and security – and it’s delivered from the cloud.

Still on board with SASE? Here is what you should remember:

1. What is best for you? Single-pass solution vs. Best of Breed offering

Gartner’s SASE framework defines various network and security functions (some crucial, others optional) that should be considered for an organization’s SASE architecture. These functions often include traffic shaping, latency optimization, Firewall as a Service (FWaaS), Zero-Trust Network Architecture (ZTNA), Secure Web Gateway (SWG), and more. See image 1. 

Image 1: Components of a Secure Access Solution “The Future of Network Security Is in the Cloud

Many of the large, industry-recognized vendors you may have heard of in SASE conversations provide a large set of these SASE functions in a ‘single-pass’ solution, meaning the SD-WAN and Security solutions are provided by the same vendor. Vendor X for SD-WAN, Vendor X for security, and so on.

However, while this offering may sound convenient, it doesn’t mean that you will receive the best solution out there. You may instead want to consider a ‘best of breed’ platform that enables integration with Network and Security providers by leveraging proximity to their PoPs.  

During countless discovery calls, design & engineering sessions, and technical discussions with customers and prospects, my team of engineers and architects have discovered that a majority of customers would like to have a select group of vendors provide various functional stacks for SASE. For example, a set of customers would like to use Cisco SD-WAN along with Palo Alto-based security (IDS/IPS, DLP, Threat Prevention, Sandbox) at the edge, Infoblox for the DDI, F5 for load balancing, and Aviatrix Gateway appliances for multi-cloud orchestration. You can pick your choice of vendor for each feature, and have it managed under one SASE platform, rather than defaulting to Vendor X for everything. This is how we at Apcela approach our plug and play SASE offering on our Arcus platform

2. SASE exists at the Edge

Many organizations are choosing to trade in their hardware for virtual options, such as Network Function Virtualization (NFVs) within their Virtual Private Cloud (VPCs). While this solves for protecting workloads within a VPC or a given cloud provider’s multi VPC architecture, the setup has to be duplicated for every Cloud Service Provider (CSP). If you utilize both AWS and Azure clouds, you will have to learn all providers’ disparate methods, pricing, etc. In theory, you can virtualize all network functions in a public cloud, but if you are a multi-cloud subscribing agency you will have to replicate deployments across multiple environments. Not only is this cost prohibitive, but it will require unnecessary engineering training just to deploy once. 

A hardware-based approach provides more robust architecture and throughput as opposed to virtualized appliances. If you deploy at the edge of the Cloud, in a CloudHub or AppHub, instead of natively in each cloud, a single set up would benefit all clouds and hybrid IT and will extend to any users and office locations. Plus, we recently validated with one of our security partners that throughput in virtual environments is more restrictive than in physical environments. Big telcos are attempting to virtualize and are not succeeding due to the multiple functions that need to be combined across environments.

So, when you consider whether you want to deploy natively in public cloud or at the edge of the cloud – we suggest at the edge.

3. Proximity is Key

When it comes to application performance, proximity is the key. That is, you want to have the execution of an application and delivery of data as close to the end user as possible. This is the fundamental premise of content delivery networks that are designed to minimize the time it takes to deliver web content to users.

Networks belonging to large enterprises with multi-cloud and hybrid-IT initiatives have distributed footprints of office locations, data centers, operations and manufacturing facilities, sales offices, extranet connections, and users and applications. An argument can be made that each enterprise essentially needs to create and optimize its own version of a content delivery network for the efficient delivery of data and applications.

The key components of this optimization equation are Applications, Data, and Users, and the interactions among them. One thing they all have in common is that they are all more distributed now than they ever have been, and the trend is growing. After all, distribution of network architectures is what led to the creation of SASE in the first place. 

Conclusion

Being a technology company which takes pride in its engineering excellence, Apcela has strong preference for platforms and vendor technologies for various SASE functions that we’d recommend to our customers seeking guidance or a fully managed solution. At the same time, we are sensitive to the needs and preferences of the customers who have existing investments in various vendors’ technologies as well as preference for a specific platform for rightful reasons. Hence, Apcela’s Arcus platform is built from the ground-up to integrate various solutions in a modular manner.

Learn more about SASE and how we at Apcela differentiate ourselves from other network and security vendors in our upcoming eBook. In the meantime, check out these resources – SASE: A How-To GuideMulticloud and your WAN: The Apcela Arcus Platform, and more on our website.

How can we help? 

We love talking about software-defined networks and the cloud! Let us know if we can help by filling out the form. Cheers!