Secure Access Service Edge (SASE) is a term that has been flying around for the past couple of years but is only just coming into mainstream usage.
SASE is pronounced SASSEE. Before we can understand it, we need to understand how web traffic previously flowed within a corporation.
Traditional networks
In traditional network environments, almost everything was stored on-premise in the data centre that was owned by the company. This in turn connected to the internet and traffic was routed through the internal network to get to the respective user. Branch offices were connected to the head office and traffic was routed through that head office and onto the wider internet.
In previous times, the traffic of a corporation was 80% internal and 20% external, with the majority of traffic coming from self-hosted apps such as CRMs, ERPs, file servers, internal SharePoint sites / intranets etc. If a user from a branch office wanted something that was hosted on the world wide web, that resource would come via the head office gateway.
This was perfectly fine as the web traffic was at a minimum and security could be handled easily on premise by having a firewall, anti virus, anti malware and security policies at the server which would block and filter what could get through.
This has recently switched to 80% of traffic being external and 20% being internal, and it looks like it will push closer to the 100% mark, with IaaS and SaaS apps being the way that corporations manage their setups.
Software defined wide area networks and direct connections
The software defined WAN didn’t really help with this increase in traffic from external because everything was still coming in through one point in the company where they had a router and a firewall and everything else connected after this point.
To ease load on the network, some companies resorted to a mixture of WAN and direct internet access at some locations, which created a hybrid type of environment. The issue with mixing the infrastructures like this is the lack of security across all endpoints on the network. Some are protected on-premise from the WAN, some are connected directly to the cloud data centre in the form of a thin client, for example, and others are just connecting on their local machine.
83% of organisations around the globe are now moving to a direct internet access setup as opposed to the central hub that is the gateway to the outside world for the network.
It makes sense to do this as most of the business critical services that are consumed by companies are coming from the world wide web in the form of SaaS applications. This has greatly increased the amount of bandwidth that is running through the corporate network. Video streaming and online meetings have also created bandwidth issues for companies running on the traditional networking model.
In the traditional model, the security was the responsibility of the corporation who would have firewalls, web application firewalls and security policies on the local servers to restrict access. They were in full control of their networks due to the ratio of internal traffic vs external.
With the shared responsibility model coming in over recent years, more companies have moved to cloud-based services for their security posture. This comes from a mixture of managed firewalls, DNS security and cloud access security brokers, among others.
The problem with this model is that companies are struggling with the management of multiple cloud security services that are completely independent of each other, with separate configurations and a lack of integration with each other. Each company could have in excess of 100 vendors that they work with for their security.
93% of organisations have said that moving their security to the cloud has increased their efficiency as a company. 76% of organisations are looking to adopt multifunction cloud security services.
The single pane of glass for security
Multifunction cloud security services are effectively a single platform for managing all of a company's security tools: a single pane of glass for security services in the cloud. Set it up once, and everyone that connects to the corporate network from outside needs to go through the SASE layer.
Cloud security isn’t a new thing but what SASE proposes to do is bring together all of the required services into a converged service, thus making it simpler for security teams to manage their infrastructure and security from one place.
It is said that a true SASE provider will take care of both infrastructure and security in a unified control panel. Effectively a single vendor providing all of these services.
Services that make up SASE
- Software defined wide area network
- DNS layer security
- Secure Web Gateway
- Firewall as a service
- Cloud Access Security Broker
- Zero Trust Network Access
Where is the opportunity in the channel?
It seems that there are plenty of opportunities for new style vendors to come on the market that are simply orchestrators of multiple vendors. End users are no longer going to be supplied with single vendors; instead they are going to be supplied with a stack of products that can be controlled via one interface.
Are new vendors going to appear with a dashboard that connects to multiple vendor services?
The complication of vendors switching to provide the entire SASE requirements themselves comes with the lack of expertise in all solution areas. The offerings need to be made up from separate vendors and unified into one dashboard. A firewall vendor isn’t going to be able to provide infrastructure, in the same way that an infrastructure vendor isn’t going to be able to provide firewalls. This is being done to a certain extent in AWS and Azure, where services can be purchased individually and managed from the dashboard of the cloud provider, but they are still separately managed products.
What comes to mind straight away is that the likes of AWS, Azure, Google Cloud, Alibaba Cloud etc are going to monopolise the new style networking/security model by being able to provide the interface for the stack within their current services. The customer doesn’t even need to know which services they are using as it can be mixed in with the consumption billing from their IaaS bill.
New style vendors that focus on the integration of security products and IaaS platforms could come to light. All offering different stacks that can be mixed together in a single pane of glass for the end customer / MSP.
Is this going to make it even more difficult for early stage cyber vendors to come to market?
If the leading cloud providers are going to select the stacks and say which vendors’ solutions are able to be managed from the dashboard, it takes away the choice of the end customer. Granted, it makes it easier for them to manage, but it also pushes out the smaller vendors who won’t be able to enter into the alliance and get themselves into the stack – unless we have a super SASE provider who aims to integrate all solutions in the market (which will be a massive challenge).
Partners are no longer going to sell individual vendors to their customers like before but instead sell them a dashboard which is connected to the individual services that they sold to them previously. If a specific security vendor is incompatible with the dashboard that the partner provides them with, the end user would have to move away from the original vendor they were using and be forced to use one that is compatible with the SASE solution provided to them.
With 83% of companies stating that they would move towards a unified approach to security and infrastructure, it begs the question of what is going to happen to the vendors that don’t make it into the stack?
Cutting out the complexity but also the resale potential
With on-premise still being favorable in some locations around the globe, there will still be these markets available to the emerging vendors. If the unified dashboards give a choice of which vendor is being used for a particular service then it becomes fair, but from what I’ve seen so far, there isn’t much choice of the service that you get to use at the moment.
Maybe an idea is to have all vendors be available within the unified dashboard but wouldn’t that add to the complexity and revert back to being hard to manage?
The opportunity is massive for the MSSPs, who can be given a multi-tenant dashboard for managing multiple customers on the same security stack at the click of a button: automated roll outs for multiple security solutions in one go and the ability to provide one bill to each customer for all services.
Even the traditional MSPs should be able to easily manage security solutions for their customers if it’s as easy as clicking a button and products being deployed.
Is this another way to cut out the VARs though? How are the VARs going to sell products if they are all managed and provided from one place?
Is the VAR going to sell the dashboard and make margin on consumption from the one SASE provider based on the total usage of the vendors in the stack?
This can become massively complex when there are 100 vendors in one solution that are all being billed at different rates to the orchestrator of the vendors.
Or is it going to be done the traditional way by the VAR working out which products are best for the customer and if the SASE dashboard provider doesn’t work with one of the vendors, it gets requested to be integrated or sold as a single service?
Cisco are offering a SASE solution, which utilises their own products within the stack. All of the products in the Cisco offering are their own solutions or products that have been acquired by Cisco.
It looks like the big players are going to continue acquiring the solutions required to make up the stack and make it more difficult for the early stage vendors to come to market... as usual.
The best way I can think of is that all of the solutions that are used in the market today move towards integrating with a SASE provider, so that as many solutions as possible can be chosen by the customer / partner / MSP and the sale of products remains the same... just unified into one dashboard.
The partner makes margin on the dashboard as well as all of the products that they incorporate into it.
A marketplace on steroids?
Could the major SASE providers become a super marketplace with the ability to not only purchase but also configure from the same place with a consistent look throughout?
The vendor that wins this race is going to be the one that offers the most vendor possibilities in the same dashboard with the correct route to market for the products they integrate with.
Time will tell on what will happen with the sale of these solutions and how the partner community position them.