I don’t know about you, but this whole SASE and SD-WAN thing has got me pretty confused. What is it? What does it do? Don’t we do this already? And what’s it got to do with End User Computing?
It seems like everyone has got an SD-WAN story and a SASE story, but either there’s an issue with marketing or I’m not listening hard enough to actually work out what the benefit is to the enterprise.
What is SASE, and why should I care?
Well, first off, I read Brian Madden’s great blog post here: https://blogs.vmware.com/euc/2021/11/what-is-sase.html. This is a great summary, but just to break it down further:
Enterprises have been moving a lot of their core infrastructure to the cloud over the past 5 years or so. Leading the charge has been VDI, rapidly transforming EUC into a cloud-delivered service. So, now all of an organisation’s ‘stuff’ is in the cloud, what then? Well, the interesting thing is that even though an end user (who may be working anywhere in the world now btw – thanks covid) is accessing a cloud service, they have still needed to access that cloud service via the same Datacentre that all the core services have been migrated out of.
The network seems to have been the last anchor into the Datacentre for a lot of organisations. And think about that network. For most organisations, the network is the focal point for all Security services, such as firewalls, intrusion protection and detection systems, web proxies etc. Migrating all of that is very difficult, and that’s before you even think about making any of the capabilities geographically distributed.
Well, luckily for you, dear reader, SASE is coming to the rescue. Imagine if you had unlimited time and budget to build a truly globally distributed secure network from scratch. You’d probably build yourself a private SASE solution. So, let’s define SASE now:
Secure Access Service Edge is a service that allows an organisation to distribute its network and security across the world without actually having to build it or own any of it.
Once using this service, a user has simple, transparent access to their cloud services from anywhere in the world. From a network and security perspective, that user is connecting into their local SASE Point of Presence (POP), with all of their network access then routed through the SASE service into their requested cloud service. For instance, if a user is accessing a DaaS service on Azure, they simply launch their client and are then routed to the DaaS service in the most efficient way possible through the provider’s network. In the world of WFA, this is an essential service.
Let’s bolt on some security goodness
It goes deeper than that though. A SASE solution should also be extensible, allowing additional features to be added as required. One of those features could be, wait for it, a CASB service. It seems like we’re now in the era of four-letter acronyms. CASB stands for Cloud Access Security Broker. This particular feature allows a SASE solution to actually start to control access to services in the organisation AND across the SaaS services. This, EUC fans, is where the integration with the broader, and generally awesomer EUC field is.
For a long time, the Digital Workspace has been focused on making it easy to consume apps, especially SaaS apps. Securing that access has been a bit trickier though, as the demarcation of the security boundary hasn’t been well defined. Identity aggregation tools such as VMware Access or Okta go a long way towards controlling access based on identity, but SASE and CASB go a step further. In fact, CASB as part of SASE can stop a user accessing a SaaS service in the first place, and even limit which individual services within a SaaS app a user can access.
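To make those two levels of control concrete, here is an added sketch (not from the original post, and not any vendor's policy format) of a CASB-style decision: one rule blocks a SaaS app outright, others limit an individual service inside an app by identity group. The app, group and feature names are made up, and first-match-wins with default deny is an assumed evaluation model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    group: str    # identity group from the IdP; "*" matches any user
    app: str      # SaaS application (hypothetical names below)
    feature: str  # individual service inside the app; "*" = the whole app
    allow: bool

# Constructed sample policy, evaluated top to bottom.
POLICY = [
    Rule("*", "filedrop", "*", False),       # unsanctioned app: blocked outright
    Rule("finance", "crm", "export", True),  # only finance may bulk-export
    Rule("*", "crm", "export", False),
    Rule("*", "crm", "*", True),             # rest of the CRM is open to all
]

def matches(rule, groups, app, feature):
    return (rule.app == app
            and rule.feature in ("*", feature)
            and (rule.group == "*" or rule.group in groups))

def decide(groups, app, feature, policy=POLICY):
    """Return (allowed, reason). First match wins; no match means deny."""
    for i, rule in enumerate(policy):
        if matches(rule, groups, app, feature):
            return rule.allow, f"rule {i}"
    return False, "default deny"

def shadowed_rules(policy):
    """Indexes of rules that can never fire because an earlier rule
    already matches everything they match (a common ordering mistake)."""
    dead = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if (earlier.app == later.app
                    and earlier.feature in ("*", later.feature)
                    and earlier.group in ("*", later.group)):
                dead.append(j)
                break
    return dead

if __name__ == "__main__":
    for who, app, feat in [({"sales"}, "filedrop", "upload"),
                           ({"finance"}, "crm", "export"),
                           ({"sales"}, "crm", "export"),
                           ({"sales"}, "crm", "view")]:
        print(sorted(who), app, feat, decide(who, app, feat))
```

Running `shadowed_rules` over a policy before deploying it catches the case where a broad allow placed above a specific deny silently disables the restriction.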
What about SD-WAN? Well, it’s pretty much the whole SASE story, just instead of one-to-one user mapping, it uses a physical device, like the VPN endpoints of old.
There you go. That’s the SASE story. It should be pretty evident why everyone is shouting about it now, and why it ties in so closely to the whole EUC story.