Digital Transformation with SD-WAN, SASE, and SSE
By: Nav Chander, Head of Service Provider SD-WAN/SASE Product Marketing.
Since the early days of the global COVID-19 pandemic, enterprise IT staff have been working hard to keep corporate networks on pace with the changing requirements of the business, as most application resources would no longer be serving centralized groups. This meant updating cloud, networking, and security infrastructure to adapt to the new realities of hybrid work. To achieve these aims, enterprise IT teams have reexamined technology pillars that start with the letter S: SD-WAN, SASE, and now Security Service Edge (SSE), to support the cloud-first digital transformations that enterprises demand.
The elder “S” technology pillar, SD-WAN, arose in 2015 as a disruptive networking technology to empower enterprises to modernize WAN. In time, advanced SD-WAN platforms, including Aruba EdgeConnect Enterprise, emerged to further reduce networking complexity, improve application performance, and enable more efficient connectivity between users and applications, whether those applications reside in the cloud or data center.
However, as cloud and multi-cloud grew in prominence, enterprise IT teams needed a new way of thinking about network security. Gartner® defines the term Secure Access Service Edge (SASE) as follows: “SASE combines network security functions (such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), firewall-as-a-service (FWaaS) and Zero Trust Network Access (ZTNA)), with WAN capabilities (i.e., SDWAN) to support the dynamic secure access needs of organizations.(1)” This framework defines the convergence of WAN and network security functions into a single, cloud-delivered model that better supports digital transformation initiatives beyond legacy models.
The third and youngest “S” pillar is SSE, which Gartner mentioned in February 2022 within the Magic Quadrant™ for Security Service Edge (2), defined as “a set of security services that enable a successful SASE architecture, securing people and data in the cloud without degrading user experience. (2)” Aruba views SSE within SASE as the key to unifying all security services, including SWG, CASB, and ZTNA, to better secure access to web, cloud services, and private applications. SSE functions provide both data protection and threat protection, as displayed in Fig 1.
Fig 1. SASE Pillars
Does this mean enterprise organizations can simply embrace SASE to achieve a comprehensive security and networking framework for their digital transformation?
Unfortunately, it’s not that simple. In reality, enterprise IT executives are tasked with providing secure network-layer connectivity across ALL devices and locations with all the requisite and relevant business applications. To get there, executives must first ask two questions:
- How does one secure access to applications spread across multiple clouds, data centers, and software-as-a-service applications?
- How does one also secure the growing number of IoT devices that can’t run an endpoint agent?
In response to question one, SSE functionality delivered by cloud security vendors such as Zscaler, Netskope, and Check Point, together with API or service orchestration integrations with SD-WAN platforms like EdgeConnect, fulfills this need. It can provide secure connectivity to applications, including across cloud providers, data centers, and branch sites.
However, for the second question, the prevailing SASE framework falls short. For many deployed IoT devices, it is either impractical or impossible to run an SSE ZTNA agent on the device. This is despite the fact that IoT devices are often major points of vulnerability. For enterprise organizations, which often deploy hundreds if not thousands of IoT devices per location from many different vendors, eventually one of those devices is going to suffer a security breach.
To remedy the IoT vulnerability, enterprises need advanced SD-WAN. IT can leverage identity-based role access control solutions, such as Aruba ClearPass or the recently announced Aruba Central NetConductor, which offers micro-segmentation and security policies that extend across Aruba’s entire product stack, including the ability to automatically segment user and IoT traffic integrated with an advanced SD-WAN.
In short, SSE solutions AND an advanced SD-WAN platform can address the twin security and networking requirements of secure access and IoT connectivity, completing the SASE framework necessary to provide for all devices and locations.
Multi-Vendor or Single Vendor SASE?
With the roadmap determined for secure connectivity across the entire organization, executives must decide on deploying a multivendor or single-vendor platform for SASE.
As a starting point, the Gartner report “How to Align SD-WAN Projects with SASE Initiatives(3)” offers the following recommendations:
- “Choosing a single-vendor SASE solution is challenged by the lack of solutions that offer best of breed, and for many enterprises, not-even-good-enough functionality across all of SASE’s functional domains.(3)”
- “After assessing which SD-WAN providers are best-suited for the organization, assess available options for SSE that can integrate operationally with the preferred SD-WAN. In particular, assess the level of console and API integration.(3)”
For enterprises, the choice is clear: A multivendor best-of-breed SSE and best-of-breed SD-WAN provides the flexibility to choose the best technologies available for SASE migration that is based on business requirements, not convenience.
Take an acquisition environment. An enterprise may be purchasing another organization that inconveniently employs a different cloud security vendor solution. The next question to ask is how the acquiring company will integrate the existing SD-WAN platform with the two different security vendor solutions. Going further, does the prevailing SD-WAN platform support API, service orchestration, and automations to enable a smoother integration of both SD-WAN and cloud security?
If the answer is no, expect a more cumbersome and expensive integration. Fortunately, for those with advanced SD-WAN capabilities, such as Aruba EdgeConnect Enterprise, this best-of-breed SD-WAN platform can be integrated with the leading network cloud security vendors, including Zscaler, Netskope, Check Point, McAfee, iBoss, Palo Alto Networks Prisma Access, and more. This platform enables enterprises to configure, deploy, and develop a SASE framework with the flexibility of cloud-delivered security options without compromising on best-of-breed technologies. This more robust approach for SASE will help reduce the risk associated with depending on a single technology vendor to supply all the necessary components while enabling a secure cloud-first digital transformation.
For more about the “S” pillars of technology: SASE, SD-WAN, and SSE, check out the podcast “SASE isn’t revolutionary, it’s evolutionary”.
Related Resources:
1 – Gartner, SASE Will Improve Your Distributed Security Everywhere, Richard Bartley, 8 December 2020
2 – Gartner, Magic Quadrant for Security Service Edge, Published 15 February 2022 – ID G00757036, By John Watts, Craig Lawson, Charlie Winckless, Aaron McQuaid
3 – Gartner, How to Align SD-WAN Projects With SASE Initiatives, Published 18 April 2022 – ID G00767529, By Bjarne Munch, Lisa Pierce, Craig Lawson
GARTNER and MAGIC QUADRANT are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.
Copyright © 2022 IDG Communications, Inc.