Making Sense of SASE

I’m really curious to see how many exhibitors at this year’s RSAC are touting a SASE strategy and/or solution.

Wait. You don’t know what SASE is? Then permit me to fill you in by liberally borrowing from its conceptual creators (see Gartner, “The Future of Network Security Is in the Cloud” – published August 30, 2019) while sprinkling in some color commentary of my own.

SASE: Why

People, the computing devices they use, and new-age endpoints (think IoT) are everywhere. So too are the apps/services/data they access to get their jobs done. In other words, it’s no longer the case that users are in an office, on a desktop, and connecting to an enterprise app running in an enterprise datacenter. Check. That’s just user mobility, cloud computing, and digital transformation at work.

As a result, however, the traditional datacenter-centric architecture for networking and network security – which essentially boils down to a hub-and-spoke design – is no longer appropriate. It requires too much creative routing of traffic, too many enforcement points, and too many agents to account for all of an organization’s access scenarios while also delivering all of the required layers of protection.

SASE: What

According to Gartner, what’s needed instead is the secure access service edge, or SASE. At its core, SASE is an amalgamation of essential networking (such as SD-WAN, WAN optimization, and bandwidth aggregation) and network security capabilities (such as SWG, CASB, ZTNA, FW, IDS/IPS, and Browser Isolation), primarily delivered as a cloud-based service.

In HIGHLY simplified terms, you can think of SASE as a cloud-based “blob” of accessibility and security functions that your communications traffic passes through on its way to wherever the app or service you need resides (e.g., SaaS, IaaS, on-prem datacenter). Integral to this concept, too, is a cloud-delivered facility for unified policy management.

Voila! You now have a software-defined mesh of capabilities that can be dynamically applied where needed to optimally and securely connect users to the networked resources they require to succeed.

SASE: How

Being cloud based and incorporating unified policy management are two high-level “how” details I already mentioned. Digging deeper reveals some other “interesting” facets, such as:

  • The likely need for an endpoint agent (to provide true end-to-end coverage of certain functions)
  • The likely need for an on-prem network component (to fully support branch/physical offices)
  • The need for a single-pass inspection architecture (to keep inspection latency under control)
  • Numerous POPs (points of presence) and peering relationships (again, to ensure adequate performance)

Hmm. Is it just me or does bringing agents and network components into the mix sound eerily similar to what we already have today? Add the other details on top, and now I’m also starting to wonder who, if anyone, has the ability to deliver a “complete” solution – one that doesn’t fall short in one or more areas!

SASE: Who

Best positioned will be those players with strong chops across all of these key areas: security, WAN/networking, cloud, and endpoint. By definition, that’s a pretty short list. Cisco. Perhaps Akamai and Palo Alto Networks. Who else do you think?

Starting from a clean slate also has some advantages. So, I wouldn’t be surprised to see a couple of strong contenders emerge from the startup camp, too. Privafy is one I recently stumbled across that looks pretty interesting.

SASE: When

Gartner’s prediction that 40% of enterprises will, by 2024, have an explicit strategy to adopt SASE suggests a lumbering freight train. Given the scope and complexity of the technologies involved, I’m mostly inclined to agree. But I’m also reminded that’s old-school thinking, as “everything technology” now happens seemingly 10 times as fast as it did just five years ago.

Which brings me back to where we started. How much SASE are we going to see at RSAC 2020? Let me know what you think. Hope to see you there!