NetMotion presents

The journey to SASE

An introduction to Secure Access Service Edge technologies

About this report

Seemingly from nowhere, the concept of Secure Access Service Edge (SASE) has gone from a fairly obscure term – first coined by Gartner in late 2019 – to a philosophy dominating the conversation in 2021. Undoubtedly accelerated by the huge shifts brought on by the 2020 global lockdown, SASE has caught the attention of professionals working across the IT, network and security landscape as they prepare their post-pandemic strategies.

This report aims to explain the core concepts behind SASE, and the wider movements taking place to contextualize it. It draws upon the latest research from Gartner, as well as original and previously unpublished data from an extensive January 2021 study on the subject. This research surveyed 750 professionals working across five geographic markets (USA, UK, Australia, Germany and Japan) to better understand their perspectives and experiences with SASE. Participants held job titles at either the CXO, director or manager level, and worked in the IT, network or security departments. This report refers to the findings of this research extensively, segmenting by vertical and region to intimately analyze the nature of SASE in 2021.

Understanding SASE

33% of IT leaders surveyed could not confidently describe what “SASE” is. Let’s change that.

Secure Access Service Edge or “SASE” is a term that was coined by Gartner in The Future of Network Security Is in the Cloud, published at the end of Summer 2019. Although it’s tempting to think of it as a product category, like a firewall or a CASB, it’s more accurate to consider it a framework or philosophy. SASE encompasses a package of technologies, delivered as a service, that are designed to support the secure access needs of modern organizations.

There is no fixed list of technologies that are or are not included within SASE, though many are frequently cited as examples of tools matching the philosophy. Andrew Lerner, a VP Analyst at Gartner, suggests that SD-WAN, SWG, CASB, ZTNA and FWaaS comprise the core abilities. IT leaders, however, may select any number of SASE technologies and begin implementing the most relevant solutions for their organization – there are no rigid criteria for the term.

Diagram: SASE component categories
Network: NaaS, SD-WAN, WAN optimization, Bandwidth aggregation, Experience monitoring, Carrier, CDN
Security: CASB, FWaaS, WAAPaaS, Cloud-based VPN, Cloud SWG, ZTNA, DNS

Network security trends

Network security has evolved a lot over the past two decades, but had largely settled on a fixed set of tools needed to secure the organization. Traditional technologies were focused on either securing or enhancing the corporate network. That meant using fixed solutions like firewalls, secure web gateways (SWGs) and on-premise based software to safeguard the enterprise. For workers operating outside the physical office, remote access products like VPNs, VDI and NAC were used to try and bridge the gap, helping distributed workforces behave as if they were located on-site. The relatively small volume of remote employees and limited number of use-cases for this meant that most organizations were willing to compromise on the user experience and latency that these technologies typically deliver.

The explosion in remote working has changed the requirements for network security forever. With more – if not most – employees working outside the fortified center of the enterprise, the trade-offs made for distributed workers pose a much bigger problem. Why should employees need to constantly authenticate and connect to the company network just to satisfy security requirements? The migration of applications to the cloud has compounded this, with legacy network security products performing complex and unnecessary network gymnastics to secure the connections – often needlessly routed through the corporate perimeter.

Gartner has published several research papers on this problem, out of which SASE emerges. In Emerging Technology Analysis: SASE Poised to Cause Evolution of Network Security, the paper’s authors talk about how appliance-based network security models are being replaced to ensure a better end user experience. More specifically, it states that ‘the traditional-data-center-focused hub-and-spoke model, optimal for data residing in a single location, is no longer relevant’. The legacy model for securing workers complicates design and puts strain on network performance in a world where employees can work from anywhere at any time – on any network.

Core concepts

SASE places a heavy focus at the edge, securing users locally when possible and routing traffic in the most efficient way possible. It also embraces the idea of zero trust, using context-aware policy conditions to grant access on a ‘deny by default’ basis. SASE, at the highest level, concerns itself with five core principles.

1. Cloud-Based Service Architecture
SASE solutions must be delivered in the cloud

2. Policy Decision Points
SASE solutions enforce policy dynamically and locally

3. Central Visibility and Logging
SASE solutions provide detailed insights into activity

4. Network Security for Mobile and IoT
SASE solutions need to support far beyond the desktop

5. Latency-Sensitive Security Computer
SASE solutions should embrace the edge and minimize latency

Awareness of SASE

Although the concept was only established in 2019, it has not taken long to capture the attention of IT leaders around the world. In the January 2021 NetMotion study, two thirds of IT leaders claimed to be confident of their ability to describe the core concepts of SASE.

Those working in the UK and Australia are the most familiar with the framework – or at least claim to be – while those in non-English speaking markets were much less likely to be. Only around half of German and Japanese professionals are fully aware of what SASE is. There are stark differences between sectors in the awareness of SASE. Scarcely a third of government IT workers know what SASE is, an indicator that the public sector is significantly behind the private sector in general. Healthcare (a blend of private and public in the markets studied) ranks much higher, but still lags behind other verticals. IT leaders at law firms are the most engaged with the Gartner concept, with more than 4 in 5 of those surveyed comfortable explaining SASE, with individuals from the utilities/energy, public safety and finance sectors close behind.

Chart: Share of IT leaders that can confidently describe what Secure Access Service Edge (SASE) is

“Hairpinning or tromboning of network traffic for inspection works against organizational agility and often encourages organizations to bypass security in the name of performance. Instead of the traditional hub-and-spoke model, the network traffic and application of security must invert, becoming more endpoint- or identity-centric. This model is known as SASE.”
Emerging Technology Analysis: SASE Poised to Cause Evolution of Network Security, by Nat Smith, Neil MacDonald, Lawrence Orans, Joe Skorupa (Gartner)

Adopting SASE

In order to abide by the SASE framework, every networking and security solution that once lived in a box in the data center needs instead to be delivered as a service to the distributed workforce (at the edge). The traditional bottleneck of tunnelling everything through one central on-premise ‘hub’ is therefore alleviated. SASE in practice means delivering identity-centric network security, as a service, in the cloud. SASE sits between agile users and corporate resources.

There are a number of reasons that organizations are attracted to SASE, which offers a wide range of advantages when compared with traditional approaches to network security.

Reduced complexity
Fewer appliances to maintain and agents to deploy, equating to fewer dollars spent

Performance improvements
Latency is reduced and connectivity is optimized, without network gymnastics

Ease of use & transparency
Simple solutions that are invisible to the end-user, with minimal intrusions

Improved security
Adoption of zero trust risk posture and reduced attack surface

Low operational overhead
Provides the ability to scale without infrastructure administration

Centralized policy & local enforcement
Decision-making at the edge without traffic hairpinning

Survey: To what extent does your organization currently embrace the SASE framework?
Response options: Not at all; In less than half of our technology stack; In more than half of our technology stack; We fully embrace SASE

Chart: Share of companies that are fully embracing SASE across their organization (by sector)
Sectors shown: Utilities, Legal, Finance, Healthcare, Public safety, Government

Organizations have been embracing the sentiment of SASE by varying degrees across verticals and geographies. Around 12% of organizations claim to be embracing SASE entirely in 2021, up from just 1% in 2018 (Gartner), but over a quarter (26%) have no SASE operations in their IT stack today. Utilities, legal and finance (12-17%) are the industries most likely to be adopting a full SASE strategy, while once again government bodies are by far the least likely (3%).

“The enterprise perimeter is no longer a location; it is a set of dynamic edge capabilities delivered when needed as a service from the cloud.”
The Future of Network Security Is in the Cloud, by Neil MacDonald, Lawrence Orans, Joe Skorupa

A marathon, not a sprint

Getting to a full SASE approach to network security is not something that happens overnight. It’s also not something that can be delivered by one vendor, despite the hype, vendor claims and rampant marketecture. This is underlined in the Gartner research ‘Emerging Technology Analysis: SASE Poised to Cause Evolution of Network Security’ by Nat Smith, Neil MacDonald, Lawrence Orans and Joe Skorupa, which discusses the topic extensively: “no vendor has a single, complete, integrated end-to-end solution based upon this architecture, nor is any likely to deliver one over the next three years”.

This slow march to SASE, much like the migration to the cloud, is likely to take place over the next decade – and may not ever reach full realization. Selecting which parts of the network security stack to upgrade and when is a core strategic consideration for organizations planning their transition.

Strategic direction

The shift to SASE is a movement generally coming from IT, though in some organizations security, network or even management teams are the departments pushing the SASE agenda. NetMotion research shows that IT is overwhelmingly the most influential role, a pattern that is consistent across industries. Companies in the UK have a stronger influence from the security team than other markets, while Germany is more likely to have a network team influence. Another major cultural difference can be seen in Japan, where management (or a non-technical team) is significantly more likely to be pushing for adoption of SASE than in other regions.

Survey: Which internal team within your organization is responsible for your SASE strategy?
Response options: IT; Security; Network; Other

52% of organizations report that the IT team is primarily responsible for their SASE strategy.

The SASE maturity model

Gartner projects that by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE.

Timeline points: Year 0, Year 1, Year 2, Year 3, Year 4, Year 5

Migration to the cloud

SASE is inextricably linked with several other market trends, such as the growth in remote working or the proliferation of networks, but the biggest is the gradual enterprise shift to the cloud. More applications and resources than ever before are now being accessed in the cloud, whether it be on the public web or hosted in hybrid cloud/IaaS environments like AWS or Microsoft Azure.

Much like SASE itself, transitioning to cloud-first working has been a decades-long process. Many organizations may have started implementation of SaaS applications like Salesforce twenty years ago, yet very few businesses operate entirely in the cloud today. Different teams, departments, use-cases and apps are slowly migrated or added to the broader productivity suite, from vast enterprise Office365 rollouts to more nimble self-provisioned marketing tools. Understanding the success rate of cloud adoption is key to contextualizing the status of SASE inside the average organization. The 2021 NetMotion study revealed that only 4% of organizations have migrated fully to the cloud, with just over half (51%) having most of their apps and services available via SaaS.

Survey: What percentage of your core work applications/services are in the cloud?
0-24%: 15%
25-49%: 35%
50-74%: 37%
75-99%: 10%
100%: 4%

A surprisingly large 15% of organizations still have at least three quarters of their resources hosted on-premise, a proportion that grows to 39% for government entities. Financial and legal firms are the most likely sectors to have at least three quarters in the cloud.

Weighting the responses within each range allows an estimate to be created for the average migration rate across different organizations. This average migration rate is broadly similar across the five geographical markets studied, suggesting that most organizations are over the halfway point in their cloud migration journey. A simple cohort analysis, separating the most advanced quartile from the least advanced quartile, also reveals the leading and lagging segments of the market.

The bottom quartile of US firms are major laggards, migrating a weighted average of just 12% of core applications to the cloud. Although laggards in Japan also sit far behind those in Western markets, the leaders (upper quartile) among Japanese firms are the fastest globally at moving to the cloud. In contrast, Australia has the smallest disparity between leading and lagging cohorts of any market studied.

Chart: Weighted cloud adoption rates (legend: Over 3/4 in cloud; Over 3/4 on prem)

Embracing zero trust

In a pre-SASE world, remote workers have relied on a VPN to provide a safe, encrypted connection to corporate resources. But as the number of users has grown and the types of assets they access have changed, these legacy VPNs have become a liability. Even with multi-factor authentication (MFA) in place, older generation VPNs lack the ability to understand context, opening the door to anyone holding the correct credentials. The answer, according to security experts, is to remove trust from the process. The concept of ‘zero trust’ was first coined in 2010 by John Kindervag, a former Forrester Research analyst. This is the idea that, by default, users are denied access until they can prove they are a legitimate user for that resource. It also embraces the concept of ‘least privilege’, meaning users only get access to the application they requested and nothing more – preventing any kind of lateral movement, because connections are to the resource, not the entire network.

As the concept of zero trust has gained popularity, it has become the basis for many of the solutions included in the SASE framework, especially ZTNA (otherwise known as SDP).

Survey: Has your organization begun adopting a zero trust posture when determining access to company resources?

Australian and British organizations were the most likely to have started using zero trust, while Japanese were the least likely. Given the relative maturity level of organizations and the limited investment in ZTNA products (15% - see following section), these results indicate either a pessimistic or optimistic conclusion. Cynically viewed, these findings demonstrate that IT leaders do not understand zero trust as well as they claim, or that they are over-estimating their own capabilities. Seen more positively, it can be concluded that organizations have just started adopting zero trust in very limited ways as an entry point to a much longer journey towards SASE (through per-app VPNs or policies implemented with SWGs, for example).

ZTNA solutions vary in their architecture, but they will all make use of some kind of controller. This controller acts a bit like a context-aware decision maker. It gathers a variety of data, such as the application being used, the location of the device, the network it is connected to and much more. It then uses this real-time data to build a risk profile of each request, determining whether the user can access the resource based on the context of the moment. If that changes, access can be revoked. It’s an elegant way of ensuring users get what they need while reducing the attack surface of an organization.  
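The controller behaviour described above, sketched as an added example (not part of the original report and not any vendor's implementation): each request is scored from its context, access is granted to one application only, anything without a matching rule is denied, and a session is revoked when its context changes. The signal names, risk weights, thresholds and policy entries are assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace

# Every name, weight and threshold here is an assumption made for this
# illustration; none of it is taken from a real ZTNA product.

@dataclass(frozen=True)
class Context:
    user: str
    app: str               # the single resource being requested
    device_managed: bool
    network: str           # e.g. "corporate", "home", "public_wifi"
    country: str
    mfa_age_minutes: int   # time since the user last completed MFA

@dataclass(frozen=True)
class Rule:
    allowed_users: frozenset
    allowed_countries: frozenset
    max_risk: int          # highest risk score still granted access

# Constructed sample policy: one rule per application, nothing network-wide.
POLICY = {
    "payroll": Rule(frozenset({"alice"}), frozenset({"US", "GB"}), 30),
    "wiki": Rule(frozenset({"alice", "bob"}), frozenset({"US", "GB", "DE"}), 60),
}

NETWORK_RISK = {"corporate": 0, "home": 10, "public_wifi": 35}

def risk_score(ctx):
    """Build a risk profile for one request from its real-time context."""
    score = NETWORK_RISK.get(ctx.network, 50)   # unknown network: high risk
    if not ctx.device_managed:
        score += 30
    if ctx.mfa_age_minutes > 480:
        score += 20
    return score

def decide(ctx, policy=POLICY):
    """Return (allowed, reason). No explicit matching rule means denial."""
    rule = policy.get(ctx.app)
    if rule is None:
        return False, "no rule for application (deny by default)"
    if ctx.user not in rule.allowed_users:
        return False, "user not entitled to this application"
    if ctx.country not in rule.allowed_countries:
        return False, "location outside policy"
    score = risk_score(ctx)
    if score > rule.max_risk:
        return False, f"risk {score} exceeds limit {rule.max_risk}"
    return True, f"risk {score} within limit {rule.max_risk}"

class Controller:
    """Tracks per-application sessions and re-checks them as context changes."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.sessions = {}   # (user, app) -> last accepted Context

    def request(self, ctx):
        allowed, reason = decide(ctx, self.policy)
        if allowed:
            self.sessions[(ctx.user, ctx.app)] = ctx
        return allowed, reason

    def update_context(self, ctx):
        """Re-evaluate an active session with fresh signals; revoke on failure."""
        key = (ctx.user, ctx.app)
        if key not in self.sessions:
            return False, "no active session"
        allowed, reason = decide(ctx, self.policy)
        if allowed:
            self.sessions[key] = ctx
            return True, reason
        del self.sessions[key]
        return False, "revoked: " + reason

    def can_reach(self, user, app):
        # Least privilege: a session covers one application, not the network.
        return (user, app) in self.sessions

def demo():
    """Grant, check for lateral access, then revoke after a network change."""
    controller = Controller()
    office = Context("alice", "payroll", True, "corporate", "US", 15)
    steps = [controller.request(office)]
    steps.append((controller.can_reach("alice", "wiki"), "wiki needs its own request"))
    cafe = replace(office, network="public_wifi")   # same session, new network
    steps.append(controller.update_context(cafe))
    return steps

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```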

The compelling driver for adoption is that it allows organizations to treat all of their resources equally, even for those resources hosted in the public cloud.  

According to the NetMotion study, over half of all IT leaders claim to have started their journey to zero trust, implementing at least one zero trust policy – though the research shows that this is being enabled in a limited capacity. Dedicated zero trust solutions like ZTNA and CASBs are still nascent in their adoption rates, suggesting IT leaders are finding ways to experiment with zero trust using other technologies in a narrower capacity. 

Survey response options (zero trust adoption): Yes; No; No, but plan to

“With SDPs, a user is not required to figure out the method of access based on the context of where they are, what time of day it is, or what type of device they are using — the network takes care of this.”
William O’Hern, Chief Security Officer, AT&T

Chart: Share of international organizations adopting zero trust
United States: 70% of US organizations are adopting or have already adopted zero trust technologies.

The SASE technology stack

Mapping the entire suite of technologies that organizations might choose to implement to power their SASE strategies is almost impossible, due to the sheer scale of different options available to IT leaders. Some diagrams feature almost 100 distinct product categories that comprise the full SASE stack. Experience monitoring, for example, is a crucial means of ensuring a high-quality working environment for distributed workforces and meeting SASE visibility requirements for off-network employees. It is rarely seen in diagrams, however, as these are typically produced by more security-oriented entities. More typically, there is a small handful of network and security products that make up the backbone of most SASE strategies. Ultimately, IT leaders will need to approach multiple different vendors to meet SASE requirements across their broader technology stack.

The 2021 NetMotion study showed that VPNs and SWGs are the most popular forms of cloud security products inside most organizations, perhaps as a result of their relative maturity. It appears that modernizing existing technologies (VPN, Firewall, SWG) is more attractive to IT leaders than the adoption of new categories (CASB, ZTNA, edge content filtering).

Adoption of CASB (16%) and ZTNA (15%) is still low. These nascent markets are growing fast but are today mostly used by innovative companies rather than the mainstream. ZTNA adoption is consistent across verticals and markets, at 12-18% in all five markets included in this study. Filtering content at the edge is most prevalent in the US (23%), perhaps driven by the need to ensure compliance and security amidst the growth in remote working. This is compared to a global average across other markets of just 13%.

SASE networking solutions are less likely to have been implemented than security solutions, on average. Research showed that there is no network technology category present in over half of organizations surveyed.

Over a quarter of organizations are now taking advantage of SD-WAN, a fast-growing category of network solutions. German companies are using SD-WAN products more than those in other markets, with 38% of respondents including it in their network stack, compared with a global average of 25%; only 19% of Japanese firms are currently using it.

Australian companies are overwhelmingly the most likely to be using WAN optimization solutions at 70%, with other markets averaging at just 44%. This is perhaps the result of poor network quality and performance in Australia.

Survey: Which of these cloud security solutions does your organization currently employ?

“It is highly unlikely that a single vendor will be able to deliver the complete set of required products; hence, cooperation and consistency are essential.”
Emerging Technologies: Applying SASE’s Architectural Model to Secure Distributed Composite Apps, by Joe Skorupa, Neil MacDonald, Anne Thomas

Considering NetMotion

The pathway to SASE is a long and non-linear one. It will require patience, heavy customization and agility to truly achieve. Managing traditional network security alongside SASE will be key to its success, just as the migration from on-premise to cloud did not happen instantaneously.

NetMotion is uniquely positioned to help organizations begin their SASE journey without compromising on the requirements of today. It can be a struggle to support existing remote access needs alongside zero trust solutions, with multiple agents, clients, orchestration engines, dashboards, gateways and infrastructure to manage. NetMotion allows IT teams to modernize their network security with no sacrifices or painful overheads to manage.

Get market-leading capabilities in cloud VPN, ZTNA, WAN optimization and experience monitoring (DEM) categories, while also benefitting from additional functionality in other segments. Whether you are just starting out with SASE or are much further in your journey, NetMotion is the perfect partner to deliver edge-based security and a world-class user experience for the modern, distributed workforce. 

introbackground-01.png
layer1-01.png
layer2-01.png
layer3-01.png
layer4-01.png
layer5-01.png

NetMotion presents

Seemingly from nowhere, the concept of Secure Access Service Edge (SASE) has gone from a fairly obscure term – first coined by Gartner in late 2019 - to a philosophy dominating the conversation in 2021. Undoubtedly accelerated by the huge shifts brought on by the 2020 global lockdown, SASE has caught the attention of professionals working across the IT, network and security landscape as they prepare their post-pandemic strategies.  

This report aims to explain the core concepts behind SASE, and the wider movements taking place to contextualize it. It draws upon the latest research from Gartner, as well as original and previously unpublished data from an extensive January 2021 study on the subject. This research surveyed 750 professionals working across five geographic markets (USA, UK, Australia, Germany and Japan) to better understand their perspectives and experiences with SASE. Participants held job titles at either the CXO, director or manager level, and worked in the IT, network or security departments. This report refers to the findings of this research extensively, segmenting by vertical and region to intimately analyze the nature of SASE in 2021.

PLEASE NOTE:

We strongly recommend viewing this report on desktop rather than mobile.

The journey to SASE

An introduction to Secure Access Service Edge technologies

mountain1-01.png

Understanding
SASE

Secure Access Service Edge or “SASE” is a term that was coined by Gartner in The Future of Network Security Is in the Cloud, published at the end of Summer 2019. Although it’s tempting to think of it as a product category, like a firewall or a CASB, it’s more accurate to consider it more like a framework or philosophy. SASE encompasses a package of technologies, delivered as a service, that are designed to support the secure access needs of modern organizations.

There is no fixed list of technologies that are or are not included within SASE, though many are frequently cited as examples of tools matching the philosophy. Andrew Lerner, a VP Analyst at Gartner, suggests that SD-WAN, SWG, CASB, ZTNA and FWaaS comprise the core abilities. IT leaders, however, may select any number of SASE technologies and begin implementing the most relevant solutions for their organization – there is not a rigid criteria for the term.

Network security trends

Network security has evolved a lot over the past two decades, but in general had largely settled on a fixed set of tools needed to secure the organization. Traditional technologies were focused on either securing or enhancing the corporate network. That meant using fixed solutions like firewalls, secure web gateways (SWGs) and on-premise based software to safeguard the enterprise. For workers operating outside the physical office, remote access products like VPNs, VDI and NAC were used to try and bridge the gap, helping distributed workforces behave as if they were located on-site. The relatively small volume of remote employees and limited number of use-cases for this meant that most organizations were willing to compromise on the user experience and latency that these technologies typically deliver.

The explosion in remote working has changed the requirements for network security forever. With more – if not most – employees working outside the fortified center of the enterprise, the trade-offs made for distributed workers pose a much bigger problem. Why should employees need constantly authenticate and connect to the company network just to satisfy security requirements? The migration of applications to the cloud has compounded this, with legacy network security products performing complex and unnecessary network gymnastics to secure the connections – often needlessly routed through the corporate perimeter.

Gartner has published several research papers on this problem, out of which SASE emerges. In Emerging Technology Analysis: SASE Poised to Cause Evolution of Network Security, the paper’s authors talk about how appliance-based network security models are being replaced to ensure a better end user experience. More specifically, it states that ‘the traditional-data-center-focused hub-and-spoke model, optimal for data residing in a single location, is no longer relevant’. The legacy model for securing workers complicates design and puts strain on network performance in a world where employees can work from anywhere at any time – on any network.

quote-background-sm-01.png

Core concepts

SASE places a heavy focus at the edge, securing users locally when possible and routing traffic in the most efficient way possible. It also embraces the idea of zero trust, using context-aware policy conditions to grant access on a ‘deny by default’ basis. SASE, at the highest level, concerns itself with five core principles.

1. Cloud-Based Service Architecture
SASE solutions must be delivered in the cloud

3. Central Visibility and Logging
SASE solutions provide detailed insights
into activity

2. Policy Decision Points
SASE solutions enforce policy dynamically
and locally

4. Network Security for Mobile and IoT
SASE solutions need to support far beyond
the desktop

5. Latency-Sensitive Security Computer
SASE solutions should embrace the edge and
minimize latency

Awareness of SASE

Although the concept was only established in 2019, it has not taken long to capture the attention of IT leaders around the world. In the January 2021 NetMotion study, two thirds of IT leaders claimed to be confident of their ability to describe the core concepts of SASE.

Those working in the UK and Australia are the most familiar with the framework – or at least claim to be – while those in non-English speaking markets were much less likely to be. Only around half of German and Japanese professionals are fully aware of what SASE is. There are stark differences between sectors in the awareness of SASE. Scarcely a third of government IT workers know what SASE is, an indicator that the public sector is significantly behind the private sector in general. Healthcare (a blend of private and public in the markets studied) ranks much higher, but still lags behind other verticals. IT leaders at law firms are the most engaged with the Gartner concept, with more than 4 in 5 of those surveyed comfortable at explaining SASE, with individuals from the utilities/energy, public safety and finance sectors close behind. 

graph-background-blue-01.png

Share of IT leaders that can confidently describe what Secure Access Service Edge (SASE) is

Emerging Technology Analysis: SASE Poised to Cause Evolution of Network Security  
By Nat Smith, Neil MacDonald, Lawrence Orans, Joe Skorup  (Gartner)

Hairpinning or tromboning of network traffic for inspection works against organizational agility and often encourages organizations to bypass security in the name of performance. Instead of the traditional hub-and spoke model, the network traffic and application of security must invert, becoming more endpoint- or identity-centric. This model is known as SASE.
Quotation mark
mountain1-01.png

Adopting
SASE

In order to abide by the SASE framework, every networking and security solution that once lived in a box in the data center needs to instead to be delivered as a service to the distributed workforce (at the edge). The traditional bottleneck of tunnelling everything through one central on-premise ‘hub’ is therefore alleviated. SASE in practice means delivering identity-centric network security, as a service, in the cloud. SASE sits between agile users and corporate resources.

There are a number of reasons that organizations are attracted to SASE, which offers a wide range of advantages when compared with traditional approaches to network security.

icon-complexity.png

Reduced complexity

Fewer appliances to
maintain and agents to deploy, equating to fewer dollars spent

icon-latency.png

Performance improvements

Latency is reduced and connectivity is optimized, without network gymnastics

icon-visibility.png

Ease of use & transparency

Simple solutions that are invisible to the end-user, with minimal intrusions

icon-security.png

Improved security

Adoption of zero trust risk posture and reduced attack surface

icon-growth.png

Low operational overhead

 Provides the ability to scale without infrastructure administration

icon-policy.png

Centralized policy &
Local enforcement

Decision-making at the edge without traffic hairpinning

quote-background-sm-01.png

Survey: To what extent does your organization currently embrace the SASE framework?

Not at all

In less than half of our technology stack

In more than half of our technology stack

We fully embrace SASE

Share of companies that are fully embracing SASE across their organization (by sector)

Utilities

Legal

Finance

Healthcare

Public safety

Government

Organizations have been embracing the sentiment of SASE by varying degrees across verticals and geographies. Around 12% of organizations claim to be embracing SASE entirely in 2021, up from just 1% in 2018 (Gartner) but over a quarter (26%) have no SASE operations in their IT stack today. Utilities, legal and finance (12-17%) are the industries most likely to be adopting a full SASE strategy, while once again government bodies are by far the least likely (3%).

The enterprise perimeter is no longer a location; it is a set of dynamic edge capabilities delivered when needed as a service from the cloud.

The Future of Network Security Is in the Cloud
Neil MacDonald, Lawrence Orans, Joe Skorupa

A marathon, not a sprint

Getting to a full SASE approach to network security is not something that happens overnight. It’s also not something that can be delivered by one vendor, despite the hype, vendor claims and rampant marketecture. This is underlined in the Gartner research ‘Emerging Technology Analysis: SASE Poised to Cause Evolution of Network Security’ by Nat Smith, Neil MacDonald, Lawrence Orans and Joe Skorupa, which discusses the topic extensively: “no vendor has a single, complete, integrated end-to-end solution based upon this architecture, nor is any likely to deliver one over the next three years”.

This slow march to SASE, much like the migration to the cloud, is likely to take place over the next decade – and may not ever reach full realization. Selecting which parts of the network security stack to upgrade and when is a core strategic consideration for organizations planning their transition.

Strategic direction

The shift to SASE is a movement generally coming from IT, though in some organizations security, network or even management teams are the departments pushing the SASE agenda. NetMotion research shows that IT is overwhelmingly the most influential role, a pattern that is consistent across industries. Companies in the UK have a stronger influence from the security team than other markets, while Germany is more likely to have a network team influence. Another major cultural difference can be seen in Japan, where management (or a non-technical team) is significantly more likely to be pushing for adoption of SASE than in other regions.

Survey: Which internal team within your organization is responsible for your SASE strategy? (Global average)

Migration to the cloud

SASE is entirely linked with several other market trends, such as the growth in remote working or the proliferation of networks, but the biggest is the gradual enterprise shift to the cloud. More applications and resources than ever before are now being accessed in the cloud, whether it be on the public web or hosted in hybrid cloud/IaaS environments like AWS or Microsoft Azure.

Much like SASE itself, transitioning to cloud-first working has been a decades-long process. Many organizations may have started implementation of SaaS applications like Salesforce twenty years ago, yet very few businesses operate entirely in the cloud today. Different teams, departments, use-cases and apps are slowly migrated or added to the broader productivity suite, from vast enterprise Office365 rollouts to more nimble self-provisioned marketing tools. Understanding the success rate of cloud adoption is key to contextualizing the status of SASE inside the average organization. The 2021 NetMotion study revealed that only 4% of organizations have migrated fully to the cloud, with just over half (51%) having most of their apps and services available via SaaS.

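Survey: What percentage of your core work applications/services are in the cloud?

0-24% of applications in the cloud: 15% of organizations
25-49% of applications in the cloud: 35% of organizations
50-74% of applications in the cloud: 37% of organizations
75-99% of applications in the cloud: 10% of organizations
100% of applications in the cloud: 4% of organizations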

A surprisingly large 15% of organizations still have at least three quarters of their resources hosted on-premise, a proportion that grows to 39% for government entities. Financial and legal firms are the most likely sectors to have at least three quarters in the cloud.

Weighting the responses within each range allows an estimate to be created for the average migration rate across different organizations. This average migration rate is broadly similar across the five geographical markets studied, suggesting that most organizations are past the halfway point in their cloud migration journey. A simple cohort analysis, separating the most advanced quartile from the least advanced quartile, also reveals the leading and lagging segments of the market.

The bottom quartile of US firms are major laggards, migrating a weighted average of just 12% of core applications to the cloud. Although laggards in Japan also sit far behind those in Western markets, the leaders (upper quartile) among Japanese firms are the fastest globally at moving to the cloud. In contrast, Australia is the closest market studied, meaning the country has the smallest disparity between leading and lagging cohorts.  

Chart: Weighted cloud adoption rates (cohorts: Over 3/4 in cloud; Over 3/4 on prem)

Embracing zero trust

In a pre-SASE world, remote workers have relied on a VPN to provide a safe, encrypted connection to corporate resources. But as the number of users has grown and the types of assets they access have changed, these legacy VPNs have become a liability. Even with multi-factor authentication (MFA) in place, older generation VPNs lack the ability to understand context, opening the door to anyone holding the correct credentials. The answer, according to security experts, is to remove trust from the process. The concept of ‘zero trust’ was first coined in 2010 by John Kindervag, a former Forrester Research analyst. This is the idea that, by default, users are denied access until they can prove they are a legitimate user for that resource. It also embraces the concept of ‘least privilege’, meaning users only get access to the application they requested and nothing more – preventing any kind of lateral movement, because connections are to the resource, not the entire network.

As the concept of zero trust has gained popularity, it has become the basis for many of the solutions included in the SASE framework, especially ZTNA (otherwise known as SDP).


ZTNA solutions vary in their architecture, but they will all make use of some kind of controller. This controller acts a bit like a context-aware decision maker. It gathers a variety of data, such as the application being used, the location of the device, the network it is connected to and much more. It then uses this real-time data to build a risk profile of each request, determining whether the user can access the resource based on the context of the moment. If that changes, access can be revoked. It’s an elegant way of ensuring users get what they need while reducing the attack surface of an organization.  

The compelling driver for adoption is that it allows organizations to treat all of their resources equally, even for those resources hosted in the public cloud.  
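The controller behaviour described above, sketched as an added example that is not part of the original report or any vendor's product: a default-deny decision with per-application entitlements, context-based risk scoring, and revocation when the context of a live session changes. The users, applications, risk weights and limits are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy, for illustration only.
ENTITLEMENTS = {"alice": {"crm"}, "bob": {"crm", "payroll"}}  # least privilege: per-app grants
RISK_WEIGHTS = {"unmanaged_device": 50, "public_wifi": 20, "unusual_location": 30}
RISK_LIMIT = {"crm": 60, "payroll": 25}  # more sensitive apps tolerate less risk

@dataclass(frozen=True)
class Context:
    user: str
    app: str
    managed_device: bool
    network: str          # "corporate", "home" or "public_wifi"
    usual_location: bool

def risk_score(ctx):
    """Sum the weights of every risky signal present in this request."""
    signals = {"unmanaged_device": not ctx.managed_device,
               "public_wifi": ctx.network == "public_wifi",
               "unusual_location": not ctx.usual_location}
    return sum(RISK_WEIGHTS[name] for name, present in signals.items() if present)

def decide(ctx):
    """Default deny: access needs an explicit entitlement and acceptable risk."""
    if ctx.app not in ENTITLEMENTS.get(ctx.user, set()):
        return False, "not entitled to this application"
    limit = RISK_LIMIT.get(ctx.app)
    score = risk_score(ctx)
    if limit is None or score > limit:
        return False, f"risk {score} not acceptable for {ctx.app}"
    return True, f"risk {score} within limit {limit}"

class Controller:
    def __init__(self):
        self.sessions = {}  # (user, app) -> context the session was last approved under

    def evaluate(self, ctx):
        """Handle a new request or a context change on a live session."""
        key = (ctx.user, ctx.app)
        allowed, reason = decide(ctx)
        if allowed:
            self.sessions[key] = ctx
        elif self.sessions.pop(key, None) is not None:
            reason = "session revoked: " + reason
        return allowed, reason
```

Because sessions are keyed by user and application, a grant for one application never implies reachability of another, which is the property that limits lateral movement.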

According to the NetMotion study, over half of all IT leaders claim to have started their journey to zero trust, implementing at least one zero trust policy – though the research shows that this is being enabled in a limited capacity. Dedicated zero trust solutions like ZTNA and CASBs are still nascent in their adoption rates, suggesting IT leaders are finding ways to experiment with zero trust using other technologies in a narrower capacity. 

Share of international organizations adopting zero trust*

United States: 70%
Japan: 65%
Germany: 76%
United Kingdom: 84%
Australia: 86%

*Organizations are adopting, or have already adopted a zero trust architecture

Australian and British organizations were the most likely to have started using zero trust, while Japanese were the least likely. Given the relative maturity level of organizations and the limited investment in ZTNA products (15% - see following section), these results indicate either a pessimistic or optimistic conclusion. Cynically viewed, these findings demonstrate that IT leaders do not understand zero trust as well as they claim, or that they are over-estimating their own capabilities. Seen more positively, it can be concluded that organizations have just started adopting zero trust in very limited ways as an entry point to a much longer journey towards SASE (through per-app VPNs or policies implemented with SWGs, for example).

With SDPs, a user is not required to figure out the method of access based on the context of where they are, what time of day it is, or what type of device they are using — the network takes care of this.

William O’Hern, Chief Security Officer
AT&T

The SASE technology stack

Mapping the entire suite of technologies that organizations might choose to implement to power their SASE strategies is almost impossible, due to the sheer scale of different options available to IT leaders. Some diagrams feature almost 100 distinct product categories that comprise the full SASE stack. Experience monitoring, for example, is a crucial means of ensuring a high-quality working environment for distributed workforces and meeting SASE visibility requirements for off-network employees. It is rarely seen in diagrams, however, as these are typically produced by more security-oriented entities. More typically, there are a small handful of network and security products that make up the backbone of most SASE strategies. Ultimately, IT leaders will need to approach multiple different vendors to meet SASE requirements across their broader technology stack.


Survey: Which of these cloud security solutions does your organization currently employ?

The 2021 NetMotion study showed that VPNs and SWGs are the most popular forms of cloud security products inside most organizations, perhaps as a result of their relative maturity. It appears that modernizing existing technologies (VPN, Firewall, SWG) is more attractive to IT leaders than the adoption of new categories (CASB, ZTNA, edge content filtering).  

Adoption of CASB (16%) and ZTNA (15%) is still low. These nascent markets are growing fast but are today mostly used by innovative companies rather than the mainstream. ZTNA adoption is consistent across verticals and markets, at 12-18% in all five markets included in this study. Filtering content at the edge is most prevalent in the US (23%), perhaps driven by the need to ensure compliance and security amidst the growth in remote working. This is compared to a global average across other markets of just 13%. 

SASE networking solutions are less likely to have been implemented than security solutions, on average. Research showed that there is no network technology category present in over half of organizations surveyed.

Over a quarter of organizations are now taking advantage of SD-WAN, a fast-growing category of network solutions. German companies are using SD-WAN products more than those in other markets, with 38% of respondents including it in their network stack, compared with a global average of 25% - only 19% of Japanese firms are currently using it.  

Australian companies are overwhelmingly the most likely to be using WAN optimization solutions at 70%, with other markets averaging at just 44%. This is perhaps the result of poor network quality and performance in Australia.

It is highly unlikely that a single vendor will be able to deliver the complete set of required products; hence, cooperation and consistency are essential.

Emerging Technologies: Applying SASE’s Architectural Model to Secure Distributed Composite Apps
Joe Skorupa, Neil MacDonald, Anne Thomas

Considering NetMotion

The pathway to SASE is a long and non-linear one. It will require patience, heavy customization and agility to truly achieve. Managing traditional network security alongside SASE will be key to its success, just as the migration from on-premise to cloud did not happen instantaneously.

NetMotion is uniquely positioned to help organizations begin their SASE journey without compromising on the requirements of today. It can be a struggle to support existing remote access needs alongside zero trust solutions, with multiple agents, clients, orchestration engines, dashboards, gateways and infrastructure to manage. NetMotion allows IT teams to modernize their network security with no sacrifices or painful overheads to manage.

Get market-leading capabilities in cloud VPN, ZTNA, WAN optimization and experience monitoring (DEM) categories, while also benefitting from additional functionality in other segments. Whether you are just starting out with SASE or are much further in your journey, NetMotion is the perfect partner to deliver edge-based security and a world-class user experience for the modern, distributed workforce. 
