Secure access service edge (SASE) has generated a buzz over the last couple of years, particularly in light of the pandemic and its associated surge in remote employees. But SASE hasn’t quite materialized in the way Gartner – which first coined the term in a 2019 white paper – initially expected. In particular, there’s been pushback around the idea that SASE should be delivered by a single vendor, as a single integrated cloud service at the network edge.
The SASE model combines network security functions with WAN capabilities, delivering the security elements in the cloud and using SD-WAN at the edge or in the cloud. Key security functions include secure web gateway (SWG), zero trust network access (ZTNA), firewall as a service (FWaaS), and cloud access security broker (CASB).
Some vendors in the SASE market, most notably Cato Networks and Versa Networks, profess to offer the closest version of a one-supplier-one-platform model. That’s the purist view of SASE. Other vendors market what they do as SASE while relying on partnerships, acquiring companies, and developing separate solution components that together create a full-stack portfolio offering.
Lately, however, there’s been a shift in thinking about how to bundle security and networking.
Gartner itself has been instrumental in a roll-back from the idea of SASE to the less-broad secure service edge (SSE) bundle, which includes CASB, SWG, and ZTNA. Gartner introduced the SSE bundling option in its 2021 Strategic Roadmap for SASE Convergence.
SSE is basically the security part of the combined security and network services that were supposed to be simultaneously cared for under the SASE model. Gartner’s roll-back to SSE is really just recognizing what is happening in the market and perhaps giving a little more credence to the value of a best-of-breed approach.
I see SSE as the acceptance of market forces and the recognition that there’s significant complexity in trying to deliver a range of different services in an integrated way when needs are continually changing. Not every supplier wants to or is able to deliver the idealized SASE vision. And that’s ok. It doesn’t really matter.
There’s immense value in helping everyone conceptualize the components of a credible network and security environment to best provide robust services while protecting your business; kudos to Gartner here. But the speed at which suppliers are embracing SSE points to how far away many vendors were from true SASE. It also illustrates that trying to shape an industry with a conceptual model is ambitious at best and can lead to misplaced hype at worst.
Picking what is going to work best for your enterprise is easier said than done. One of the challenges in the SASE/SSE space is that solutions can provide subtle or not-so-subtle differences in what they offer. Robust technical and commercial analysis is critical if you’re trying to determine the most appropriate set of capabilities available for the best pricing with as few nasty surprises or cost risks as possible.
To help get started, here are five issues to consider:
1. Understanding licensing, what capabilities are included or excluded, and the basis for payment is critical.
For example, what period are you committing to? What kind of flexibility is there for volume changes (such as number of users)? Additionally, unlike the hardware you might have bought in days of old, you are much more exposed to price variations and rises with software. It’s important that you fully factor in license costs when you’re scrutinizing plans and negotiating with suppliers, as well as when you’re making comparative vendor assessments.
2. What is the level of contractual flexibility?
Or, perhaps more importantly, what are the key contractual constraints that might hurt your enterprise? Be sure to consider the “what if” scenarios related to key deal components and terms and conditions. For example: How will commitments work? What price review is built in? What happens if my demand changes dramatically? What do we do if performance doesn’t live up to billing? Good legal counsel, knowledgeable in this space, can be invaluable; there’s no substitute for rigorous legal, commercial, service and technical review to help ensure you get the best practice arrangements in place. At the same time, you should also be practical in your aspirations. Asking for limits of liability that no supplier would sensibly agree to in this world of ever-changing security threats is a classic example of a demand that can unnecessarily delay contract close-down.
3. Implementation timeframes and supplier obligations are often overlooked or at least not considered thoroughly.
This can be a real gotcha for the unwary. The time, cost and scope of activities to implement your solution, if underestimated, can leave you scrambling to explain to executives why you’re not on time and budget for the project. Worse, it might feasibly leave your business exposed to service and security challenges. Working through supplier obligations and the process for implementation, the add-ons, and the optional components can save a lot of anxiety and even conflict in the relationship as solutions are rolled out. It’s best if you actively include implementation details at the outset, starting with the request for proposal (RFP) or any request for information (RFI) work.
4. Day 2 support and management arrangements need to be front and center from the outset of any procurement.
If you want to avoid painful (aka costly or service impacting) ownership or scope gaps, a well-constructed statement of work (SOW) is essential. This must include cost overheads and mechanisms for tying down commitments and unambiguous responsibilities, both for the enterprise and the supplier. Again, laying down what’s required at the start of the sourcing effort is the basis for getting the SOW outcomes you need. It is then about the hard work needed to translate the requirements into the supplier’s documented commitments as you go through the process. Test commitments, understand the gaps, negotiate shortcomings, and then document the outcomes.
5. Assessing the business needs against the technical/solution capabilities is the bedrock for everything else.
Having all parties involved in the validation of the project requirements can be extremely beneficial. Early engagement of the ultimate consumers (your business users) in the procurement process is important. It can bring useful insights, help focus priorities and, at the very least, will promote better awareness of the journey being undertaken. However, it is not always easy to strike the right balance of engagement with different stakeholders. Try to find stakeholders who will engage in the right way. If the dialogue is at too high a level, it can lead to executive “helicopter” insights that don’t necessarily translate into practical contributions. Too much at the working level or with too many stakeholders can lead to inertia from over-analysis or distractions. There is no easy answer. It requires a balance – typically, a core group of specialists, with select stakeholders at various levels, is the most successful approach. One tip is to determine what level of effort all those involved can commit to (usually less than ideal) and plan accordingly so you can prioritize what is important.
TC2 makes no representation on the use or otherwise of providers mentioned in this article unless part of specialist assessment for the specific requirements of clients.
Mark Sheard is managing director of TC2(UK). Based in London but working globally, Mark is part of TechCaliber Consulting, LLC, a global IT and telecom consultancy headquartered in Washington, D.C., which advises the world’s largest companies on transformational strategies for reducing their costs for telecom and IT products and services. Mark can be reached at email@example.com