Work From Home - providing enterprise features, security to network connections

As individuals and IT organizations learn from experience and adapt to new remote working conditions, the mounting consequences of closed offices span both work and home life.

Early in the pandemic-caused lockdown, I discussed tactical challenges to making remote work productive and secure and how IT should react to such a rapid change. In my most recent column, I detailed the interest in permanent work-from-home (WFH) status by a majority of surveyed employees and the implications on recruiting, salary, HR policies and choice of domicile.

Now that we are three months into the WFH experience and video conferences have morphed from being an exciting novelty to an annoying nuisance, it’s time to consider more strategic, long-term changes to enterprise infrastructure and operations to accommodate a permanent class of highly distributed workers.

As I mentioned early on, most of the WFH challenges facing IT arise from the need to redesign services built for an office-bound workforce to accommodate a WFH environment. The change in physical location means that the most-affected IT capabilities are network services since these are built upon the physical interconnect between workers and their employer.

Initially, WFH accommodations were reactionary, such as providing additional capacity for VPN, VDI and digital communication platforms. However, these necessary bandaids don’t address fundamental gaps in network performance, manageability and security between a home broadband link and an on-premises Wi-Fi connection. An emerging collection of technologies dubbed SASE (Secure Access Service Edge or “sassy”) is the most promising option for delivering enterprise network service and security to remote employees.

SD-WAN meets virtual network security

SD-WAN has been one of the hottest product segments for networking vendors, leading to a race by large, integrated IT vendors to acquire SD-WAN products and expertise from the smaller specialty companies that pioneered the technology. SD-WAN was initially used to replace expensive circuits from traditional carriers used to link central sites with branch offices, remote facilities and retail locations with cheaper, more widely available broadband and cellular service. Several companies have recently extended the technology to accommodate branch offices and WFH situations via software-based products that are suitable for endpoint appliances or individual laptops. However, once you have deployed an SD-WAN software network overlay to optimize routing paths and bandwidth usage, it’s easy enough to add other software-based network services and, presto, you have SASE.

The acronym minters at Gartner are generally blamed for coining the term SASE, which it naturally describes via an amalgam of other inscrutable acronyms (that I will unravel below):

SASE combines network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e., SDWAN) to support the dynamic secure access needs of organizations. These capabilities are delivered primarily aaS and based upon the identity of the entity, real time context and security/compliance policies.

As mentioned, SASE starts with SD-WAN, namely a secure, encrypted software network overlay that works atop any physical network technology to control traffic routing, prioritization and security and can dynamically adapt to changing conditions on one or more physical circuits, like cable broadband and telco DSL, that make up a logical SD-WAN connection. By encrypting all virtual connections, SD-WANs effectively creates a smart VPN.

To that, SASE adds various virtual (software-defined) security services:

• SWG:  Secure Web Gateway that mediates web connections to provide content filtering and malware inspection, enforce enterprise access and content policies and detailed web usage data.
• CASB: Cloud Access Security Broker to provide central management of an organization’s security policies, including user and device authentication, SSO, encryption and malware prevention, for its entire fleet of cloud services.
• FWaaS: Firewall-as-a-service that replaces the traditional network appliance with a virtual next-generation (L3-7) firewall that is inserted in a software-defined network like an SD-WAN and that can be deployed at any point on the network, such as the branch office or WFH edge or even a client device.
• ZTNA: Zero-trust network access replaces traditional moat-and-castle network based security controls such as those extended remotely via a VPN with granular encrypted, authenticated access to all IT resources, regardless of the source. For more details on and an example of zero-trust, see my recent column describing its application to container infrastructure. 

In sum, SASE unites software-based network and security features in a single product or service.

SASE at home

Traditional methods of securing remote network access via VPNs to a central data center have become problematic now that enterprises rely on an array of cloud infrastructure (IaaS) and application (SaaS) products. Wide-scale adoption of WFH has further broken the moat-and-castle security model demarcating networks into secure and insecure zones since workers must access applications and data hosted on both internal systems and by third-party service providers.

WFH has also spread an organization's edge locations across a wider geographic area. Thus, traditional hub-and-spoke SD-WAN deployments between edge locations and a central office or data center are no longer viable.  Instead, SASE products are typically delivered as cloud services.

Describing the SASE “market” is premature since the concept and technology are nascent and dynamic. Indeed, Gartner estimates that the adoption rate for SASE products “is as low as 1 percent.” I can only find a handful of vendors with products or services that meet the criteria described.

• Aryaka doesn’t use the SASE label, but its portfolio of services built on an extensible Smart Services Platform covers most of the bases, namely SD-WAN via a cloud service, connectivity using globally-distributed POP on-ramps, security add-ons and central management.
• Cato Networks Is a cloud-hosted SD-WAN service, Cato Cloud, that like Aryaka added several security services to its base network-optimization product. Cato most directly embraces Gartner’s SASE acronym soup for its next-generation firewall, Web gateway, managed IPS and anti malware security modules.
• Silver Peak and Zscaler: Silver Peak is an SD-WAN pioneer, with products tailored to both enterprises and service providers, that partners with Zscaler to deliver cloud-hosted security services. The SASE-like system is assembled from Silver Peak’s Unity Edge Connect and Orchestrator SD-WAN products and Zscaler’s Cloud Security Platform.
• Versa Networks hasn’t officially announced a SASE product, but has teased its interest in a blog post and is expected to introduce a software-based product that extends its existing FlexVNF and TItan SD-WAN  products.

My take

SASE is just a new label for a trend that has already been underway. I agree with one Aryaka’s Paul Liesenberg who wrote in a blog that (emphasis added):

SASE puts a label on something that was clearly already in flow. So, while some out there already claim SASE leadership, it’s important to establish that no company delivers on all SASE vision elements yet. Also, we shall learn lessons as we move towards that goal of a seamlessly orchestrated, cloud-first network and full-security stack. The architectural model will evolve as we learn those lessons collectively as an industry.

SD-WAN is a mature technology that is evolving by adding higher-level network services, software appliances suitable for any endpoint and managed cloud core services with globally distributed POPs. While the combination of SD-WAN and cloud security services started in the last year or two, as Liesenberg notes, current products fall far short of the SASE ideal of a tightly integrated system delivered by a single service provider. Gartner’s lead network analyst, Andrew Learner cautioned potential SASE buyers about vendors overselling their capabilities when introducing the concept (emphasis added):

Be wary of vendors that propose to deliver services by linking a large number of features via VM service chaining, especially when the products come from a number of acquisitions or partnerships. This approach may speed time to market but will result in inconsistent services, poor manageability and high latency.

While SASE currently entails cobbling together SD-WAN and security, the situation should rapidly improve now that broad WFH adoption has significantly expanded the need for secure edge networking at virtually every organization. Interest in hosted SD-WAN will explode once more IT and executive leaders hear stories, like this one from Versa, about users that experienced no degradation in network service when working remotely. Adding cloud-based security services is just the cherry on top of a superb WFH network environment.