Not every provider can offer a full SASE, and that’s fine too. Not every company wants, needs or can implement this at all. […]
Secure Access Service Edge (SASE) has attracted a lot of attention in recent years, especially in view of the pandemic and the associated increase in remote employees. But SASE hasn’t evolved quite as Gartner – which first coined the term in a 2019 white paper – originally expected. Above all, the idea that SASE should be provided by a single provider as an integrated cloud service at the network edge met with resistance.
The SASE model combines network security features with WAN features, where the security elements are deployed in the cloud and SD-WAN is used at the edge or in the cloud. Key security features include Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), Firewall as a Service (FWaaS), and a Cloud Access Security Broker (CASB).
Some vendors in the SASE market, notably Cato Networks and Versa Networks, claim to offer the closest thing to a one-supplier, one-platform model. This is the purist view of SASE. Other vendors market what they do as SASE while relying on partnerships, company acquisitions, and the development of separate solution components that combine to create a complete portfolio offering.
Recently, however, there has been a rethinking of the bundling of security and networks.
Gartner itself was instrumental in moving away from the idea of the SASE bundle to the less broad SSE (Security Service Edge) bundle, which includes CASB, SWG and ZTNA. Gartner introduced the SSE bundling option in its 2021 Strategic Roadmap for SASE Convergence.
SSE is basically the security part of the combined security and network services that should be maintained simultaneously under the SASE model. Gartner’s reversion to SSE is actually just a recognition of what is happening in the market, and perhaps gives a little more credibility to the value of a best-of-breed approach.
I see SSE as the acceptance of market forces and the realization that trying to provide a number of different services in an integrated way when requirements are constantly changing is very complex. Not every vendor wants to or can deliver the idealized SASE vision. And that’s fine. That’s not really important.
Helping everyone design the components of a credible network and security environment to deliver robust services while protecting your business is immensely valuable; kudos to Gartner. But the speed with which providers are adopting SSE shows how far many providers have been from true SASE. It also shows that trying to shape an industry with a conceptual model is ambitious at best and can lead to inappropriate hype at worst.
Choosing what works best for your own company is easier said than done. One of the challenges in the SASE/SSE area is that the solutions can have subtle or not so subtle differences in what they offer. A solid technical and commercial analysis is crucial when trying to identify the most suitable features at the best price and with as few nasty surprises or cost risks as possible.
To help you get started, here are five points to consider:
Licensing, which features are included and which are not, as well as the basis for payment are of crucial importance.
For example, how long a term are you committing to? What flexibility is there for changes in volume (e.g. in the number of users)? Unlike with the hardware you used to buy, with software you are much more exposed to price fluctuations and price increases. It is important that you take full account of the licensing costs when reviewing the plans and negotiating with the providers, and that you make comparative assessments of different providers.
What is the degree of contractual flexibility?
Or, perhaps more importantly, what are the main contractual restrictions that could harm your business? Be sure to consider the “what-if” scenarios regarding important contract components and conditions. For example: how will the obligations work? What price verification is provided? What happens if my demand changes drastically? What do we do if the service does not match the invoice?
A good lawyer who is knowledgeable in this area can be invaluable; there is no substitute for rigorous legal, commercial, service-related and technical examination to ensure that you are making the best arrangements. At the same time, you should be pragmatic about what you ask for. A classic example that can unnecessarily delay the conclusion of a contract is the demand for limitations of liability, which no supplier would agree to in a world of constantly changing security threats.
Implementation deadlines and supplier obligations are often overlooked or at least not fully taken into account.
This can be a real problem for the careless. If the time, cost and scope of activities to implement your solution are underestimated, you will need to explain to managers why you cannot meet the time and cost framework for the project. Even worse, your company may then be exposed to service and security problems.
Working out supplier obligations and the process for implementation, add-ons and optional components can avoid a lot of unrest and even conflicts in the business relationship when introducing solutions. It is best to actively include the implementation details from the very beginning, starting with the request for proposal (RFP) or request for information (RFI).
Support and administrative arrangements for day 2 must be at the forefront of every procurement from the very beginning.
If you want to avoid painful (i.e. costly or service-affecting) gaps in ownership or scope, a well-structured service description (statement of work, SOW) is essential. It must include overhead costs and mechanisms for establishing obligations and clear responsibilities for both the enterprise and the supplier. Again, the definition of requirements at the beginning of procurement efforts is the basis for obtaining the necessary SOW results.
In the further course of the process, it is then about the hard work that is required to translate the requirements into documented obligations of the supplier. Test the pledges, understand the gaps, negotiate shortcomings, and then document the results.
The evaluation of the business requirements compared to the technical/solution-related skills is the basis for everything else.
Involving all relevant parties in the validation of the project requirements can be of great benefit. The early involvement of the end consumers (your business customers) in the procurement process is important. It can provide useful insights, help to set priorities and at least create a better awareness of the task ahead. However, it is not always easy to find the right balance between the various stakeholders.
Try to find stakeholders who want to get involved in the right way. If the dialogue takes place at too high a level, it can lead to “helicopter” insights from managers that are not necessarily translated into practical contributions. Too much dialogue at the working level, or with too many people involved, can lead to inertia due to overanalysis or distractions. There is no simple answer. It requires a balance: as a rule, a core group of specialists with selected stakeholders at different levels is the most successful approach.
One tip is to determine what effort all parties can put in (usually less than ideal) and plan accordingly so that you can prioritize what is important.
Mark Sheard is Managing Director of TC2(UK). Based in London but operating globally, he has a stake in TechCaliber Consulting, LLC, a global IT and telecommunications consulting firm headquartered in Washington, D.C. that advises the world’s largest companies on transformation strategies to reduce their costs for telecommunications and IT products and services.
TC2 assumes no responsibility for the use of the providers mentioned in this article, unless they are part of a professional assessment for the specific requirements of customers.