A lot has been written about Secure Access Service Edge architecture since Gartner first described it in 2019, but the critical functions of SASE management and troubleshooting are rarely mentioned. Let's look at some requirements teams can keep in mind prior to jumping into an implementation.
SASE is the latest architectural model for integrating WAN connectivity with security to simplify the management of remote workers. Vendor implementations must incorporate multiple technologies that were previously separate functions; as a result, each vendor has a slightly different approach.
Below, we examine the functionality teams need to manage and troubleshoot in a SASE implementation, which will help during SASE product evaluations.
The SASE management system must make it easy to switch among different functions, while also providing a useful dashboard into system operation. An organization's best network management, troubleshooting and security staff should agree about the system's usability, as they will be the ones using it. Staff won't use a system if it is difficult to monitor, manage and perform troubleshooting, thereby eroding the system's value.
This article is part of
As part of the usability evaluation, teams should verify that they can create groups of sites to which policies are applied. This is particularly important for organizations that have many sites, such as consumer retail or work-from-home (WFH) staff.
The SASE control system should self-monitor and create alerts for any critical resources before they reach full utilization. Trend analysis of critical resources should provide enough advanced notice that teams can proactively make adjustments.
Network management controls include path selection, monitoring network utilization, establishing quality of service (QoS) policies and site-to-site connectivity. Teams should ensure they can control the paths of specific application flows. This is where networking and security merge. An organization's security policies may require that some applications use only software-defined WAN paths via direct connects to key providers, while other applications may rely on Transport Layer Security tunneling across the public internet. It will be important for staff to understand the ease with which flow policies can be created, applied and modified to match changing business needs.
A closely related management item is QoS. For example, is the correct WAN path being used for a specific type of traffic? Centralized policy definitions that are applied across many sites can make this a manageable problem.
Business today moves faster than the refresh cycle of firewalls, proxy servers, and intrusion prevention system and intrusion detection system products. The move to WFH accelerated this movement and created an environment in which remote employee access needed protection. SASE architecture makes it easy to keep such security systems up to date.
SASE is more attractive than refreshing the big hardware-based firewalls in organizations' data centers. It also reduces the need to backhaul end-user traffic to centralized security systems. Teams will want to verify that potential offerings are sufficient for current needs and flexible enough to adapt to future changes.
Basic security functions in a SASE offering should include secure DNS, next-generation firewalls with allowlist functionality, secure web gateways, zero-trust network access, cloud access security brokers and data loss prevention. Network segmentation is required to keep any successful breaches from spreading laterally site to site.
Who manages SASE?
Many organizations have historically separated networking from security. SASE, however, integrates the two, which raises the issue of who manages the SASE implementation. The best offering integrates networking and security together, but this may not be possible in some organizations without accompanying organizational and cultural changes.
A strong SASE system will incorporate good troubleshooting and analysis tools. Teams don't want to be left in the dark when an application doesn't work well. It is important to be able to track flows from source to destination. Is an application flow taking the desired path? Staff will need visibility into flows that can use multiple paths. Are the right firewalls being traversed? Does staff have visibility into firewall rule processing for specific flows? Imagine tracing a flow that can take either of two paths, one of which has a different firewall rule that causes a problem.
For detailed troubleshooting, organizations may need packet capture and analysis functions. Teams should determine whether such tools are built into the SASE product or whether they must provide them separately. What the staff needs is the ability to determine if a slow application is due to client processing, remote site infrastructure, path components across the internet or application services infrastructure, such as for SaaS or an enterprise application.
Set reasonable expectations
A viable alternative to the above monitoring and troubleshooting functions is to use a digital experience monitoring product to identify those nagging network performance problems. While it won't provide the level of detail described above, digital experience monitoring can identify problems at a high level, enabling teams to identify the general area of the network in which a problem is occurring.
Finally, teams should temper their expectations. Don't expect SASE implementation to provide a full monitoring and troubleshooting tool suite -- that's the realm of full-blown network and security management tools. But an implementation should provide basic visibility into the infrastructure over which applications are running. Don't be surprised if monitoring, management and troubleshooting take a back seat to the breadth of completeness in SASE offerings.