The secure access service edge (SASE, pronounced sassy) is a networking model first described by Gartner in 2019. It marks the necessary merger of traditional WAN management and security capabilities into a unified whole, one that is built, implemented and managed using cloud-native architectures.
The Gartner SASE model is a response to the limitations of conventional networking and security architectures in keeping pace with emerging edge-centric trends in mobility, cloud, SD-WAN and the Internet of Things (IoT). Conventional networking architectures are often over-reliant on physical infrastructure and suffer from tool proliferation, solution silos, manual processes and lack of automation. Their rigid hub-and-spoke arrangements route all endpoints through a central data center (Fig. 1), which results in performance issues at the network edge. Together, these shortcomings can hinder an organization’s flexibility, agility and ability to scale up its network.
Figure 1. Conventional hub-and-spoke architectures cannot keep pace with the escalating demands of edge-centric computing.
Benefits of SASE Networks
Increasingly, business applications and workloads are moving to the cloud. In addition, with the rise of BYOD and cloud connectivity, the traditional network security perimeter has vanished. The Gartner SASE framework reflects this rapidly changing network landscape.
In a SASE network, the burden of managing and securing a network moves from labor-intensive, server-based appliances in the data center to virtual and containerized applications in the cloud. As a result, SASE networks enable organizations to:
- Simplify management
- Scale elastically
- Dynamically deploy networking and security capabilities as needed
- Consume versatile network and security capabilities as cloud-based applications
Characteristics of the Gartner SASE Model
Gartner SASE requires technology and service providers to bring to market new platforms and architectures that enable organizations to deliver and manage network and security services with more agility and at ever-increasing scale. Primary elements of SASE networks include:
- Cloud-native architectures with containerized micro-services—use of cloud-native design principles and containerization for superior agility, flexibility, speed and scalability
- Integrated network and security services—simplified management of diverse WAN networking and security services available through a common platform
- Cloud-managed on-demand services—combining the cloud with consumption-based usage in delivering elastically scalable networking and security services to globally distributed, edge-centric enterprises
- Centralized policy control—a unified framework for deploying and enforcing security policies to all devices and endpoints across the network
- Local survivability—maintaining local access to essential network services such as DNS at the branch level should a disruption in WAN connectivity to headquarters occur
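To make the local-survivability element concrete, here is an added example (not Infoblox code or anything from the Gartner model) of a hypothetical branch-site caching resolver that keeps answering from a bounded stale cache when the WAN path to headquarters is lost; the `BranchResolver`, `hq_resolver`, `WAN_UP`/`CLOCK` simulation and the `printer.branch.example` record are all constructed for the illustration.

```python
class UpstreamUnreachable(Exception):
    """Raised by the upstream callable when the WAN path to headquarters is down."""
class BranchResolver:
    """Caching DNS forwarder for a branch site (hypothetical, not Infoblox code)."""
    def __init__(self, upstream, clock, stale_grace=3600.0):
        self.upstream = upstream        # callable(name) -> (answer, ttl_seconds)
        self.clock = clock              # callable() -> current time in seconds
        self.stale_grace = stale_grace  # bound on how long an expired record may be served
        self.cache = {}                 # name -> (answer, absolute expiry time)

    def resolve(self, name):
        """Return (answer, source); source is 'upstream', 'cache' or 'stale'."""
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0], "cache"
        try:
            answer, ttl = self.upstream(name)
        except UpstreamUnreachable:
            # WAN down: serve the expired record only inside a bounded grace window.
            if entry is not None and now < entry[1] + self.stale_grace:
                return entry[0], "stale"
            raise  # grace exhausted: fail closed rather than serve a dead record forever
        self.cache[name] = (answer, now + ttl)
        return answer, "upstream"

# Constructed outage simulation: no real network traffic; a fake clock drives time.
WAN_UP, CLOCK = [True], [0.0]

def hq_resolver(name):
    if not WAN_UP[0]:  # stand-in for the headquarters resolver reached over the WAN
        raise UpstreamUnreachable(name)
    return {"printer.branch.example": "10.1.2.3"}[name], 60.0  # constructed record, 60 s TTL

def run_outage_scenario(name="printer.branch.example"):
    """Walk one name through warm cache, WAN loss, stale service and grace expiry."""
    WAN_UP[0], CLOCK[0] = True, 0.0
    r = BranchResolver(hq_resolver, clock=lambda: CLOCK[0], stale_grace=300.0)
    sources = [r.resolve(name)[1]]                  # 'upstream': first lookup over the WAN
    CLOCK[0] = 30.0                                 # still inside the 60 s TTL
    sources.append(r.resolve(name)[1])              # 'cache'
    WAN_UP[0], CLOCK[0] = False, 120.0              # TTL expired and WAN to HQ down
    sources.append(r.resolve(name)[1])              # 'stale': local survivability
    CLOCK[0] = 500.0                                # past the 300 s grace window
    try:
        r.resolve(name)
        sources.append("served")
    except UpstreamUnreachable:
        sources.append("refused")
    return sources
```

The grace window is the security-relevant knob: a branch that serves stale records indefinitely would keep directing clients to addresses that headquarters has already retired, so survivability is bounded rather than open-ended.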
Have you been to a DMV office recently? You take a ticket and wait. You get called to a window and then are told to go to a different window. You take a ticket and wait. And so on. The same sort of waiting game happens to network traffic as it passes through infrastructure based on virtual network functions (VNFs). Fortunately, their newer counterpart, the cloud-native function (CNF), is far faster and more efficient.
CNF is an important component of SASE networks. If you’re not yet familiar with it, SASE (secure access service edge) is a new model for network architectures proposed by Gartner that is reshaping the way organizations manage and secure their networks. Gartner SASE is a response to the growing need for network and security architectures that are more fluid at the WAN edge.
SASE is first and foremost a cloud-native concept. The need for flexibility and speed requires a cloud-native foundation. VNF implementations cannot provide the levels of agility, scalability and low latency required at the WAN edge. CNFs are more suitable to meet these needs.
CNFs: Lightweight and Faster than VNFs
A VNF is a software implementation of a network function that runs on one or more virtual machines (VMs) on bespoke or white box hardware. VMs can be linked together to form service chains that support full-scale networking communication services. That’s where the DMV experience begins (Fig. 1). It starts with the significant overhead of VM spin-up and spin-down. Next comes service chain orchestration—take a ticket—followed by VM-to-VM handoffs and their resulting hop-by-hop latency—move to the next window, take another ticket. The whole process then repeats all the way through the chain. Latency is built into the architecture.
Figure 1: VNF and its “take a ticket and wait” experience versus highly streamlined CNF
In contrast, a CNF is a lightweight container-based software network function that enables spin-up and spin-down to proceed much faster. Once a container is spun up, traffic is processed and policies are applied all in a single pass. No more tickets, no additional windows, minimal latency. Infoblox is a member of the Cloud Native Computing Foundation (CNCF), and our mission is to make cloud-native computing ubiquitous for foundational network services.
The CNCF site provides real-world examples of how CNF implementations save time and money. Here are just a few:
- Comcast: “Autoscaling has improved [our] ability to address services that are over capacity or oversubscribed. Before, it was a week-long process in the environment. Now, we have the agility to very quickly rescale an application or free up capacity.”
- T-Mobile: “Teams went from five or six days of waiting time, to five or six seconds.”
- New York Times: “Some of the VM-based deployments took 45 minutes; with Kubernetes, that time was just a few seconds to a couple of minutes.”
Beware of the SASE Hype
In the rush to grab their piece of the SASE business, vendors are glossing over the details of their implementations. Organizations considering their SASE options would be wise to look carefully before jumping in. The value of SASE depends on the breadth of services a platform offers. CNF is a critical component of service delivery in SASE. In order to realize the full promise of SASE networking, nothing short of a CNF-based platform will suffice.