SASE is coming, but adoption will be slow (especially for large enterprises)

Smaller organizations eye SASE to provide secure access to applications. Lack of maturity, existing security and digital transformation investments give large enterprises pause on SASE.


The adoption of edge computing and cloud infrastructure over the past decade, combined with the recent surge in remote work, has seriously challenged traditional network architectures and security models. Large enterprises have been better able to adapt to this new reality, having access to larger IT budgets and skilled employees, but small and medium-sized businesses are struggling to keep up with the access control, monitoring and threat detection technologies needed to defend their local and remote assets.

In response to this trend, security vendors, as well as cloud and networking vendors, have been launching new software-defined and cloud-delivered solutions that combine network-as-a-service with network-security-as-a-service functionality. The goal of this new concept, which Gartner has dubbed secure access service edge (SASE), is to allow companies to easily provide secure access to any of their applications, whether hosted in the cloud or locally, for any user, from any device, and from any location without relying on locally deployed security appliances through which traffic would need to be routed and inspected.

According to a recent Gartner report, interest in this new model of network security, which is built around the principles of zero-trust networking, has exploded over the past year. By 2024 the analyst firm expects that 30% of enterprises will adopt cloud-delivered secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA) and branch office firewall as a service (FWaaS) capabilities from the same vendor. By 2025, over 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch, and edge access.

SASE adoption drivers and challenges

An important driver for the adoption of cloud-based network security services is the reduced management complexity and cost savings because IT teams will no longer have to manage different hardware boxes from different vendors to get different security capabilities. The SASE offering of one vendor is supposed to handle multiple security functions and will be managed from the same console.

This is not a new concept and is what unified threat management (UTM) appliances already do to some extent. Doing it as a service in the cloud, however, could reduce the scalability and performance issues that UTM-type solutions sometimes introduce, since cloud services can easily scale.

The downside, however, is that choosing all security solutions from the same vendor does not guarantee you're getting the best possible protection because no single vendor is the best choice for all types of network security features an organization might need.

Another big adoption driver is that with the addition of software-defined wide-area networks (SD-WAN) and networking-as-a-service, SASE offerings solve the problem where remote employees and contractors need to have their traffic routed through a company's existing branch office or VPN gateway for the security functions of the existing hardware boxes to be used. Instead, with SASE, remote workers could connect directly to a vendor's globally distributed network that was built for performant routing and low latency.

For now, one challenge to adoption is the maturity of the SASE market. The vendors building SASE solutions come from different backgrounds or might specialize in one area of security. Some are security vendors who are now building their SD-WAN and cloud capabilities, while others are networking or content delivery network (CDN) vendors who are building their security capabilities. Even among the security vendors, some might, for example, have strong SWG technology but are still developing data loss prevention (DLP), or might be strong in DLP and working on adding some other security capability. This is something that will likely improve and accelerate with partnerships and ultimately acquisitions and market consolidation.

"Some vendors have more pieces than others, and some are more mature in the capabilities than others, no doubt, but there are several vendors today that have nearly every capability that we're talking about, and some that are very, very close," Gartner analyst Neil MacDonald tells CSO. "I would tell an organization: Well, let's see what your priorities are. What are you going to weigh more heavily—is it the sensitive data, the secure gateway, the SD-WAN from the branches—and what are your existing vendors? I would look for which vendors does it make the most sense to start consolidating around and ultimately, with the goal of getting to one or two."

Other big hurdles to adoption for many organizations are the long hardware refresh cycles and existing software contracts. Large enterprises have existing investments in hardware that need to be amortized or digital transformation plans in progress that span a long time. Many companies have already trained or hired personnel with the skills required to manage or use existing security solutions from certain vendors or have dedicated teams that only handle the networking operations side, which will be significantly reduced with the adoption of SASE. Retraining and reassigning those employees to roles that are more focused on policy creation will take time.

Large enterprises slower to adopt SASE

"You'll see adoption faster in a midsize enterprise, because they just don't have the siloed approach: security versus networking," MacDonald says. "They may not even have a dedicated security team and they tend to favor simpler, easier-to-consume solutions in the form of cloud-based services. The larger enterprises are moving in this direction as well. It will take longer, but it will happen."

IDC analyst Christopher Rodriguez agrees that SMBs are likely to be interested in such cloud-delivered security capabilities and they could be the low-hanging fruit for the SASE vendors building such services. Getting the large enterprise customers on board might be more challenging. Some companies might not want to lose their choice of best-of-breed solutions and might view getting all security capabilities from a single vendor as too much of a risk. On the networking side they might not be satisfied with the current capabilities that SASE vendors provide. Some security features have been traditionally hard to move to the cloud, like network firewalls, which might take another five-plus years because of performance and other reasons, he says.

While it's hard to know how many of the existing network security functions will eventually become cloud-based or when, Rodriguez agrees that is the direction where things are headed because the cloud is more elastic, more scalable, and can help reduce costs. "Once you go to the cloud, the trend there is toward convergence, because it's a performance thing. When you go to the cloud, you don't want a chain of 20 different services because each one is inevitably 150 milliseconds or 100 milliseconds away [...] We're not going to switch over to SASE tomorrow, but it will get better. I'm not going to say this is not real."


Copyright © 2021 IDG Communications, Inc.
