SASE - The Importance Of Spelling It Out In Full

First to note that in these financially – and politically – challenging times, it’s good to see serious investment still in the security area of IT.

Let’s face it – we need it more than ever. In this case, it’s Swimlane – who I carried out a very successful test project with at the beginning of the year – that has received a $70m growth funding round to move forward with its low code automation of security infrastructures. This is an essential ingredient in an otherwise impossible scenario, as we touched upon a couple of blogs ago – that of creating a multi-vendor “DIY” security deployment, rather than using a single platform.

For me, if there is an option, the single platform has to make sense nowadays, but for those companies who have gone too far down the multi-vendor path, then there is always Swimlane to help. What is interesting here is that – in relative terms – Swimlane has very little competition, so is kind of creating its own (increasingly large) niche, unlike other areas of security I’ve written about, such as SASE. The problem for vendors in Gartner-defined markets, such as SASE is that, for every genuine – true to the cause – vendor, there are nine others who simply jump on the analyst bandwagon. But the other – equally serious – problem with this type of market definition, is that it regularly is misunderstood or misinterpreted.

That much definitely applies to SASE, in that the “Secure Access” element of the definition (ending in “Service Edge”) is forever highlighted as often the be all and end all, forgetting that there is a second (but not secondary) aspect to SASE solutions – the service element. In this case, that most hyper of hype cards played by so many security vendors, namely “zero-trust” network access, is interchanged with the “Secure Access” element and there the story ends. But that is – literally – only half of the SASE meaning. Yes, converging networking and security (as it always should have been from day one – or zero? – as I recall writing about in the 90s!) is an important function of a SASE solution but without service delivery in tandem, it’s not SASE – just AN Other partial security solution.

In a domestic environment, we take services for granted; think electricity, gas, water, t’Interweb, TV…. We don’t have to go out and buy electrickery – unless you have a PAYG stick – you simply get it delivered (or in the case of water, “on tap”) and typically pay – an increasingly large amount – monthly. The only things you need to worry/focus about “buying” are the devices wot you plug into the mains, and even then, you can buy endless bundled “solutions” if you don’t want to make the effort to decide yourself. And you don’t consider a second, redundant power supplier just in case the first one fails because they handle all that themselves, accepting that – yes – there are still occasional power outages, for example when Orkney Islands weather hits the south of England…

Point being, you subscribe to a service and that service is delivered to you. Whereas, if you spend a gazillion bucks on procuring racks of security equipment, you are not buying a service delivery – you have to deliver it yourself. That’s the “SA” of SASE, but “Sassy” is supposed to be a service delivery platform – the clue is indeed in the “SE” bit. So, the fundamental infrastructure is delivered as a service, with a number of additional bells and whistles options on the menu, depending on what you think you need, just like on a restaurant – or indeed takeaway – menu. You don’t have to go prepare and cook it yourself.  This is what identifies SASE as something above and beyond previous levels and forms of outsourcing, which were typically just a part of the total solution. SASE IS supposed to be THE solution, meaning you – the customer – can focus on running your business securely.

The problem is, many “SASE players” are not delivering on the full definition, primarily just the first element, which is about as new and radical as the bicycle. I’ve featured a few vendors in these pages and one I’ve defined before as fitting the true SASE picture – you can work it out – but many of the alleged players are simply seasoned networking/security vendors with new hashtags and matching story. That’s to say, a story without an ending – yet. Sure, these guys can – and surely will – write an ending to their SASE story, but those already ahead of the game can be even further down the line. Being a front runner is often a great strategy…