We’re very excited to announce that we recently completed a survey that aimed to help us understand where organizations are in their journey to adopting a SASE framework. The survey, conducted in January 2021, included 750 participants representing utilities, legal and finance firms, public sector organizations and more, was carried out in the U.K., the U.S., Japan, Germany and Australia in January 2021. After crunching the numbers, the survey has resulted in a new, interactive SASE report that provides a fascinating snapshot comparing countries, industries and trends around SASE implementation. And if you’re interested in a fun quiz based on the survey findings, you can check that out here.
Hype vs. Reality
An interesting result that popped up in our survey was that although IT experts claim to know what SASE is, its global adoption is lagging among organizations, particularly in the public sector (which is perhaps understandable given the disparity in budgets allocated to IT innovation in most government bodies).
As you can see, when asked whether SASE had been adopted throughout the organization’s technology stack, only 12% had fully embraced the philosophy, while more than a quarter (26%) did not embrace SASE at all. This result was slightly surprising, but does perhaps highlight the very real issue of timing.
If not now, when?
If most IT teams are now aware of SASE and starting to think seriously about how to implement the framework into their network infrastructure strategy, it’s likely that many are trying to figure out exactly what that will entail. So, in addition to asking what SASE is and how to implement it, one glaring question that often gets ignored is when.
There’s no doubt that organizations are facing far more pressure to modernize than they would have encountered if not for the pandemic. The term SASE (Secure Access Service Edge) had already been around since 2019, so the enormous and unexpected ramp up of our distributed workforce put immediate pressure on IT organizations everywhere to look for more practical remote access alternatives.
Why do we need SASE?
The timing was perfect for SASE to make a grand entrance. As Gartner describes it, SASE is the convergence of a number of existing network and security solutions that organizations may already have in place. These include SD-WAN, zero trust network access or software defined perimeter solutions, CASB, and FWaaS, but all blended into a single, cloud-delivered fabric.
And it’s not just Gartner talking about transitioning to a more robust model for security and networking. Forrester coined the term Zero Trust Edge (ZTE), which is basically the same concept as the SASE philosophy, but with a great emphasis on zero trust.
Regardless of its name, there are big reasons why organizations are sitting up and taking notice. Consider this. Most organizations today still host at least a minimal amount of data and a few applications on their own. But when you look at the actual workflow of an employee, much of the day is spent using various internet and cloud-based services, without the need to access HQ or dedicated corporate data centers very often.
So, if only 20% of an employee’s needs are ‘internal,’ it makes no sense to force that data through the organization’s network infrastructure. This outdated arrangement leads to an unnecessary burden and creates more potential bottlenecks, not to mention the additional cost of keeping up with capacity needs and maintenance.
SASE building blocks
A typical SASE framework includes three key building blocks – networking, security and identity. No single vendor out there is an expert in all three areas, so finding solutions that complement one another will be key to a successful deployment. Here are just a few examples:
- Networking: SD-WAN
- Security: Secure Web Gateway (SWG), Firewall as a Service (FWaaS)
- Identity & Access: Zero Trust, SDP, Remote access enterprise VPN
Practical Steps
What might a SASE deployment look like for your organization? As you can see in the illustration below, going fully SASE may take up to five years. There are several steps along the way as each organization moves from outdated or legacy equipment, so here’s just one possibility.
In the first year, your organization may simply optimize the existing VPN so that it’s better able to handle mobility and cope with a highly distributed workforce. The next step may be to think about adopting a cloud strategy, so in year two the organization may consider integrating a cloud-based VPN.
Slowly, as the IT organization becomes more comfortable with the concept of zero trust, additional solutions such as SDP can be adopted and deployed to take care of more applications and more people, while the VPNs are still present but only occasionally needed (and can be turned on or off purely based on policies).
It’s okay to be different
The key with any of this is to avoid the knee-jerk reactions of the past year and spend time designing an architecture that truly suits the organization’s current and future needs, and balances costs with agility and resilience – both clear and very desirable business outcomes. If that ends up taking just two or three years, great. By the same token, don’t be surprised if that journey actually takes closer to four or even five years.
Check out the full NetMotion SASE report here.
