With SASE Definition Still Cloudy, Forum Proposes Standard
Even without an overarching dictionary of common definitions, the concept of a secure access service edge (SASE) has spread, but a standard could help cloud services work better together.
December 16, 2022
During the coronavirus pandemic, organizations had to quickly adjust to the disappearance of central offices, employees working from home, and applications moving to the cloud.
The solution usually involved a combination of technologies — such as flexible networking infrastructure, identity and device-base security, and cloud-native applications and capabilities — continuing a trend identified by business analyst firm Gartner in 2019, which dubbed it the secure access service edge, or SASE (pronounced "sassy").
The SASE collection of cloud-centric technologies focuses on the identity of users and devices, granular access controls, functionality pushed to the network edge, and a de-emphasis on data centers — essentially, it's a combination of security technologies and software-defined wide area network infrastructure, commonly referred to as SD-WAN.
The term, however, quickly became a buzzword in the industry, with companies claiming to be SASE-compliant or have products that supported SASE. For that reason, nonprofit industry association MEF — a global industry association focused on network, cloud, and technology — decided this week to create a standard lexicon for SASE technologies and services that defines service attributes, a framework and common definitions, and a zero-trust framework.
The goal is to make services communicate better about capabilities and to make features — especially security features — interoperable across infrastructure, says Stan Hubbard, principal analyst with MEF.
With SASE, "the user can be anything and anywhere, and security and network functions can be distributed away from the enterprise data center to maximize the availability of high-performance edges and security clouds," Hubbard says, adding that "SASE standards are key to addressing the top two SASE service provider challenges which impact growth and efficiency in the market — customer education and lack of an industry standard."
SASE Deployment Won't Wait for a Standard
Gartner predicts that SASE will continue to grow quickly. By 2025, about 80% of companies expect to unify their Web, cloud services, and private application access using SASE, up from 20% in 2021, according to Gartner.
Yet, don't expect companies to wait for standards, says Andrew Lerner, vice president and analyst at Gartner.
"We don’t expect the lack of standards to limit adoption, and we also don’t expect the ratification or creation of a new standard to instantly change anything in the market," he says. "With time, we suspect that more offerings will emerge to achieve a certification, but vendors are not waiting, and enterprises aren't waiting either at this point."
The adoption is also driven by industry consolidation and organization's focus on simplifying their enterprise infrastructure. By 2025, about two-thirds (65%) of enterprises will consolidate a variety of SASE components into one or two SASE vendors, a massive increase from the 15% of companies that did so in 2021, according to Gartner.
Network technology and security firm Palo Alto Networks has seen similar industry consolidation. One customer, for example, simplified from nine products and five vendors down to a single SASE product, says Matt De Vincentis, vice president for SASE for the company, which is not a member of MEF.
"Almost every enterprise is trying to reduce the number of security tools and vendors that they have," he says. "Every time there is a new security vulnerability or availability issue, a new group of startups pop up to propose a solution. It's becoming unmanageable for customers."
MEF Boosts the SASE Conversation
Yet, with vendors and service providers claiming to have SASE products, both customers and partners need to establish a common dictionary and a common understanding of what capabilities SASE products should have, says MEF's Hubbard.
MEF has created standards, certification programs, and automation tools for the network, cloud, and service provider industries. The latest effort defines standards that define the attributes of SASE services and provides a framework for those services, while a second proposal creates a zero-trust framework for security services using identity, authentication, policy management, and access control to protect and secure organizations' data, systems, and networks.
"The SASE vendor ecosystem lacks common terminology leaving organizations challenged to compare SASE feature sets and solutions," Hubbard says. "Standards help simplify offerings and provide clarity for organizations when selecting SASE services. Choices can be made based on industry-standard features and common definitions allowing for easier evaluation and faster decision making and implementation."
About the Author
You May Also Like
Transform Your Security Operations And Move Beyond Legacy SIEM
Nov 6, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024