Industry outlook on MEF's new zero-trust, SASE standards
MEF recently released new zero-trust and SASE standards. Standardizations can help with interoperability, but are they necessary for vendors and service providers to follow?
Technology standards define how vendors and service providers deliver platforms to customers. Take Secure Access Service Edge for example. SASE combines software-defined WAN, networking and security functions into a single platform, which can support secure remote network connectivity.
Secure remote access was an essential capability during the peak of the COVID-19 pandemic and remains a relevant enterprise requirement. Even with 35% of workers back in the office full-time, 65% are still hybrid or fully remote, an April 2022 study on employee experience from Future Forum Pulse found, based on a survey of 10,818 users. Many enterprises are using SASE and zero-trust initiatives to connect those users.
Experts predict the SASE market will increase to $13 billion by 2026, per Dell'Oro Group. But the market is rife with varying definitions and offerings. With different vendors offering so many options, MEF recently announced MEF 117, the first SASE standard, to unify SASE vendor offerings. Along with the SASE standard, MEF also released MEF 118, its new standard for zero-trust frameworks.
The release of the SASE standard indicates how SASE will become important in networking as enterprises continue to embrace it, said Bob Laliberte, senior networking analyst at Enterprise Strategy Group, a division of TechTarget.
"An industry forum taking the time to dedicate and create standards and common definitions is because they believe [SASE] has legs and it'll be around for a while," Laliberte said. "That's a good sign for the industry overall."
The release of MEF's new SASE standard might serve as a positive indication that enterprises will continue to embrace SASE in the future. But that doesn't mean SASE vendors and service providers are gearing up to follow MEF's new specifications -- at least, not anytime soon.
Confusion over SASE prompts release of new standards
MEF cited minimal customer education and a lack of defined standards as the biggest problems SASE providers currently face. The organization released these standards to promote customer awareness around SASE architectures.
MEF said in a statement that its SASE standard defines the following:
- what a SASE standard is;
- key terminology related to SASE; and
- SASE service attributes, such as security functions, connectivity options and policies.
MEF 117 SASE standard
In December 2021, almost 80% of 613 respondents told Enterprise Strategy Group their organization had already implemented SASE or was actively planning to implement SASE within the next two years. Even with mounting interest in SASE and a projected increase by 2024, confusion remains about how to implement a SASE architecture, said John Grady, senior security analyst at Enterprise Strategy Group.
"A lot of users don't know where to start," Grady said. "It can be difficult to compare and contrast offerings across different vendors because they're different. [SASE] is such a broad initiative that you have to focus on use cases, which require different technologies."
The use of different technologies also adds to the confusion. Organizations typically use multiple services from different vendors to complete their SASE offerings. MEF claims that without defined standards, organizations find it difficult to enable multivendor interoperability. Because SASE is so broad, it can also be challenging for network and security professionals to understand how to best operate a SASE architecture.
"Any time there's something new, there's confusion," Laliberte said. "Everyone's trying to define what SASE means. Is it only cloud based? Can you have it hybrid and have some things on premises? Does it all have to be from a single vendor? Can it be multi-vendor, and does it have to be fully integrated?"
Some experts claim that when it comes to SASE deployment options, enterprises should prefer a unified SASE approach. Some vendors have released single-vendor SASE services. While the development of unified SASE architecture is accelerating, its slice in the market is still narrow.
Few enterprises have single-vendor SASE services, Laliberte said. Even when more unified SASE approaches hit the market, enterprises will likely continue to use their pre-existing platforms.
MEF 118 zero-trust framework
When MEF announced its SASE standard, the organization also released MEF 118, its zero-trust standard. Similar to the SASE standard, MEF's zero-trust standard creates clear definitions for what zero-trust frameworks are, requirements and service attributes.
While not the first of its kind, the release of a zero-trust standard with a SASE standard indicates a close connection between the two technologies, Grady said. Studies from Enterprise Strategy Group reported enterprises use zero trust to facilitate SASE deployment. For example, an April 2022 study from Enterprise Strategy Group found that 45% of 589 respondents reported they consider implementing zero-trust network access (ZTNA) as a starting point to build a SASE architecture.
Organizations with ZTNA in place aren't likely to rip-and-replace the platform to deploy a unified SASE service, opting instead to use ZTNA to implement SASE. As organizations use these technologies together, Laliberte said standards can help eliminate some of the confusion around the network environment and zero trust and SASE.
Is SASE standardization necessary?
Standardization can create clear definitions and uniformity about specific technologies. But that doesn't mean standards are necessary for service providers to ensure quality of service (QoS). MEF supports the idea that defined standards are necessary for service providers to offer services to customers, but standardization might not be essential for proper deployment.
According to Laliberte, standardization is necessary regarding interoperability concerns, especially for emerging technologies. But in some cases, strict standards can impede QoS and make it difficult for service providers to modernize.
"You don't want to hamper vendors' ability to deliver next-generation capabilities by having to adhere to a standard," Laliberte said. "We don't want to have everything so standardized that it inhibits innovation."
SASE is still nascent, but its two major components -- security and SD-WAN -- predate the architecture, and other standards for security and networking functions are available. Alternative zero-trust frameworks also exist, so zero-trust providers have more options if they choose to follow a defined standard. Because of the variety of zero-trust frameworks available, Grady said he doesn't believe organizations will be at a disadvantage if they choose not to follow MEF's standard.
"I don't think they have the reach to say, 'If you don't follow this, you're going to be left behind,'" he said. "It's great to put some thought leadership out there to put a stake in the ground. But it's a big market, and there are a lot of voices out there."
Grady added that while there's more opportunity for MEF's SASE standard to gain ground because it's the first available standard for the technology, it won't happen overnight. It will likely take some time before service providers decide to follow a standard. But things could change in the next year or two.
Regardless of if the industry accepts a defined version of a SASE standard or zero-trust framework, the release of any standard, in general, gives industry players an opportunity to convene, drive clarity around technologies, eliminate confusion around interoperability and increase adoption rates.