Alex -

How enterprises can close 5 major SASE gaps

Despite five major gaps that hamper SASE implementation, Gartner recommended enterprises should plan their migration timeline and aim to consolidate to a single vendor.

Sometime in the foreseeable future, Secure Access Service Edge, or SASE, will change how networking and security teams provide services to end users. Before that change can happen, enterprises must work with vendors to close gaps within current SASE deployments.

In a recent report, Gartner identified five major gaps with how enterprises deploy SASE. Authors Neil MacDonald, Nat Smith, Lawrence Orans and Joe Skorupa provided recommendations on how these gaps can be closed over the next few years. According to the report, SASE is rapidly gaining popularity in the industry, so enterprises must streamline their SASE deployment approach to keep in line with their refresh cycles and migration timelines.

SASE is picking up steam

SASE is a software-defined cloud architecture that merges network and security functionalities into a single platform. Fusing these services together is a cost-effective way to deliver network and security capabilities from the cloud.

SASE expands on software-defined WAN (SD-WAN) to grant users safe and secure access to networks, regardless of device location. Unlike SD-WAN, SASE is location-independent; users can connect to resources via points of presence (PoPs) from the office, branch location, mobile device or home.

Gartner estimated that 30% of enterprises will adopt SASE-related capabilities -- such as secure web gateways (SWGs), cloud access security brokers (CASBs), zero-trust network access (ZTNA) and firewall as a service -- by 2024. It also estimated that, by 2025, 60% of enterprises will have strategies and timelines outlined for SASE adoption.

Despite these trends indicating the upward trajectory of SASE adoption, Gartner reported that SASE in its current model is largely inconsistent.

SASE gaps that impede migration

Gartner recommended that enterprises prioritize steps to implement SASE that are most conducive toward saving costs, reducing complexity and deploying ZTNA. It also encouraged enterprises to switch to single-vendor SASE providers, if possible, as a means of developing cohesion in their networking and security teams.

The five major gaps between current SASE deployment and its ideal future model are the following:

  1. organizational silos, existing investments and limited skills;
  2. inconsistent architecture;
  3. weak visibility into sensitive data;
  4. undeveloped security services; and
  5. minimal complete SASE offerings.

1. Organizational silos, existing investments and limited skills

Silos, legacy environments and skill sets create some of the biggest gaps when migrating to SASE. One of SASE's biggest benefits is its ability to manage network and security features in a single framework. However, this benefit is also one of SASE's greatest challenges because many enterprises have separate networking and security teams.

In a fully implemented SASE model, networking and security teams should be unified into a single IT team, Gartner said. While this consolidation process varies among SMBs and larger enterprises, employees should ultimately share the responsibility of operating a secure network accessible to users working remotely, on premises, at branch offices or in edge locations.

Beyond the logistics of combining network and security teams, it will be some time before most enterprises can begin the early stages of vendor consolidation. Several organizations currently have software deals or binding relationships with vendors with at least five to seven years remaining in their contracts, Gartner said.

According to Gartner, current contracts and vendor agreements have delayed enterprise migration from multivendor SASE to single-vendor SASE, creating gaps in how teams manage cloud architecture. To address these challenges, Gartner recommended midsize enterprises consider purchasing their SD-WAN and cloud-based security edge services from a single vendor. Larger enterprises can also take this approach or consider explicit partnerships between a security vendor and an SD-WAN vendor to ensure cohesiveness.

To make the shift toward a cloud-networking model, organizations of all sizes should consider how to integrate their security and networking teams, evaluate vendor agreements and reduce complexity. Gartner noted enterprises that account for these factors can fully implement SASE capabilities twice as quickly.

2. Inconsistent architecture

Current SASE offerings are inconsistent in both policy enforcement and policy management, Gartner said. One of the most compelling features of SASE is its cloud architecture, which is essentially what facilitates organizations operating network and security functions together.

Most SASE offerings don't operate with the ideal cloud-based architecture, however, primarily because vendors have built their platforms from existing technology portfolios. Some vendors continue to provide virtual and legacy appliance architectures to enterprises, offering SASE through public cloud and IaaS platforms, via PoPs using colocation centers or offering both alternatives.

If vendors can't offer certain SASE capabilities, many service chain to partners or use network functions virtualization to deliver the missing pieces. Gartner urged enterprises to shift toward cloud architecture as soon as possible because those substitutes are not suitable replacements for fully integrated SASE.

These alternatives also create complexities in policy administration, especially for enterprises that use vendors with legacy architecture. Because legacy applications use older, outmoded software, their capabilities may not be compatible with newer technologies used to operate more advanced networks. Legacy apps use different approaches to manage cloud networks versus on-premises networks, leaving network admins with no standardized technique of implementing SASE.

To be fully functional, SASE must be enforced in the cloud and operated at a centralized location, Gartner said. Teams can more easily apply consistent policy across the entire network and also capitalize on AI, machine learning and automated APIs in the shift toward cloud management.

End users frustrated with SASE deployments
Current SASE offerings are inadequate and frustrating for end users.

3. Weak visibility into sensitive data

One of the most pressing and difficult challenges with SASE deployment vendors need to address relates to data visibility. SASE, in its fully realized form, must be able to protect networks and users from malicious attacks.

Current SASE vendors offer little to no data protection, Gartner said. Some offer data loss prevention and malware protection, while a few provide protection for data stored on premises or data stored at endpoints.

Vendors also typically do not own their protection software. Their systems are licensed from third parties, which can be costly or pose data risks. Developed cloud architecture, on the other hand, would enable vendors to use APIs to monitor and inspect traffic. Vendors would also be able to operate their own protection services, which gives them more management options.

This gap should be a top priority when searching for SASE vendors, Gartner said. Specifically, enterprises should consider vendors with SASE architectures that inspect traffic for malware and other harmful forms of data.

Gartner also emphasized the need for SASE vendors to implement ZTNA, as several don't offer the capability even though it is a critical component of SASE architecture. Without ZTNA, enterprises don't have the capability to manage their data or inspect their networks for malware.

4. Undeveloped security services

Just as with the other gaps, SASE security capabilities vary widely. Some vendors offer SWGs, CASBs and ZTNA or a combination of the services. This results in an uneven range of capabilities; some may be largely developed, while other areas remain underdeveloped.

Gartner recommended vendors use SASE to combine all these services, including SD-WAN, into one single-vendor, cloud-based system. Additionally, with developed data protection, enterprises will be able to simultaneously manage their security and data policies.

Security services, in particular, take longer to mature and deploy. It will take at least another few years for full implementation of adequate security services, Gartner said, but in the meantime, enterprises should consider how to move toward SASE.

5. Minimal complete SASE offerings

Currently, fewer than 10 vendors meet Gartner's definition of a complete SASE platform, the report said. With disparate ways to adopt SASE, end users have experienced many complexities. Some vendors offer cloud-based services but do so at the expense of their SD-WAN operations. Other vendors that have mature SD-WAN offerings provide limited security features. This lack of consistency is frustrating for end users, Gartner said.

To close these gaps, enterprises can aim to consolidate their networking and security functions into a single team, operated by a single vendor that offers the necessary SASE functionalities for their business. Over time, they can phase out legacy hardware and vendors and migrate to their preferred model. While the migration process will occur over the next few years, enterprises should begin outlining their timelines for SASE adoption as soon as possible.

Next Steps

A deep dive into Fortinet's SASE platform

Dig Deeper on Network infrastructure

Unified Communications
Mobile Computing
Data Center