In the wake of COVID-19, enterprises are racing to adopt Secure Access Service Edge, or SASE.
The concept, not even a year old, wasn't expected to take root until 2024 at the earliest, according to forecasts, but that timeline has all but evaporated as companies address the security needs of an increasingly remote workforce.
Gartner coined the term in August 2019, describing SASE as a way for enterprises to protect their data, wherever it may be located, through a combination of software-defined WAN (SD-WAN), secure web gateways, cloud access security brokers (CASBs) and zero-trust network access. Neil MacDonald, vice president and distinguished analyst for Gartner, based in Stamford, Conn., originally projected about 40% of enterprises would adopt SASE by 2024, but he told SearchSecurity that companies are deploying the model today.
"You're likely to see an acceleration of adoption, in the name of reduced costs and reduced complexity, later this year and throughout 2021 and 2022," MacDonald said.
In terms of the revised forecast, Johna Till Johnson, CEO of Nemertes Research, based in New York City, said she is also seeing more companies interested in SASE. Rather than SASE, however, Nemertes uses the acronym SCAPE -- secure cloud access and policy enforcement -- to define the new model. Johnson said the acronym SASE was too "telecom-centric and obscure" and ignored how companies do business today, which she defined as being "cloud-friendly and cloud-modeled, providing secure access to both cloud and on-prem resources and enabling comprehensive policy enforcement and protection across those resources."
This article is part of
MacDonald, who gave SASE its name in a 2019 research note, agreed with Johnson's assessment. He said SASE reflects how networking and network security have shifted away from the data center and toward the cloud, where data is distributed across multiple service and hosting providers.
"Everything's being turned inside out," MacDonald told reporters during a webinar in April. "Instead of the data center being our focal point, it's identity; it's the user; it's the data."
As a result, he said, network security is no longer about location because users are everywhere and connecting to services that are equally distributed.
Johnson said integrating individual security tools into a centralized, policy-driven service is inevitable as more networking and security components become virtual. Based on Nemertes' internal metrics, organizations that implemented SASE are 80% more successful than those that haven't, Johnson said.
Security vendors building toward SASE
SASE's building blocks have been in the works for years as security vendors ramped up efforts to add capabilities related to cloud security. Many vendors, such as Oracle, Cisco, Symantec, Palo Alto Networks and Microsoft, made CASB acquisitions. That buying spree culminated in November 2017 when McAfee purchased Skyhigh Networks, one of the last stand-alone CASBs on the market. Zscaler added CASB support to its SASE offering in 2019.
McAfee also bolstered its SASE capabilities by acquiring Light Point Security, a browser isolation pioneer, in February 2020. Additionally, Cato Networks has secured more than $200 million in funding to support its SASE offering.
Some security vendors are basing their SASE products on partnerships with SD-WAN vendors, but MacDonald said that strategy will "work until it doesn't." SASE will be dominated by a few larger suppliers because a SASE implementation that relies on multiple vendors is inherently less secure, he said.
"One of the drivers is encrypted traffic, so it doesn't make sense if one vendor is going to decrypt the session and inspect it for sensitive data and another will open it up and inspect for malware. You're putting your data at risk every time you decrypt, inspect and reencrypt," MacDonald told SearchSecurity. "The more vendors that have access to your certificates in order to even enable what I just described, the less secure you are. Better to open it once and do what you need to do -- inspect the content, the packets, look for attacks and sensitive data -- then apply the policies based on what the user is doing."
SASE adoption accelerating
The COVID-19 pandemic has ignited interest in SASE, MacDonald said. He expects a sharp uptick in adoption in the next two years. Nemertes, in its recent Cloud and Cybersecurity Research Study, said 62% of organizations had either rolled out or planned to deploy SASE by the end of 2020.
"Since COVID-19, our enterprise clients have uniformly told us they're accelerating the move to SCAPE," Johnson said. "Enterprise technologists have been quick to recognize that the shift from inside-to-inside (branch offices to an internal data center) to outside-to-outside (remote workers to cloud) is a fundamental sea change. Cloud-based and off-prem resources aren't going away after the pandemic ends, and it's time for a new way to think about both networking and protecting networked resources."
For companies assessing SASE, MacDonald suggested enterprises take advantage of expiring security contracts in order to make any migration easier. If a contract is expiring for a secure web gateway or CASB or if enterprises are undertaking SD-WAN projects or looking at redesigning the network architecture, "why don't we redesign the network security architecture at the same time?" he said.
"Why should customers care?" MacDonald asked. "That's what's drives it: reduction of complexity, reduction of cost, reduction of the number of consoles, reduction in the number of policies, the ability to handle those managed and unmanaged devices on a workforce that now is entirely remote and will be for the foreseeable future. That's going to create the demand for the market."