
SD-WAN and SASE: Two sides of the same coin?


Voice&Data Bureau


As organizations have accelerated their plans to better enable dispersed workforces in a post-pandemic reality, many technology decision-makers are broadly rethinking their network architectures.

Inevitably, their discussions lead to comparisons of, and debates over, Software-Defined Wide Area Network (SD-WAN) and Secure Access Service Edge (SASE) technologies.

There are quite a few similarities between SD-WAN and SASE technology categories. Both SD-WAN and SASE are network architectural approaches designed to help administrators better manage distributed computing environments. Both enable branch and remote workers to securely connect to enterprise assets with improved performance over legacy MPLS and VPN connections. And both use software-based virtualization to deliver bandwidth optimization and traffic prioritization, as opposed to leaning on traditional on-premises hardware like network routers.


SASE offers native security and performance features that extend the value proposition of SD-WAN management. The two technologies handle cloud connections differently, and they also tend to support different network topologies. This is why it is crucial for organizations to understand the differences and the relationship between SASE and SD-WAN.


The following are three big factors that should inform how leaders chart a path for future-proofed connectivity.


SASE encompasses (and extends) SD-WAN principles

Comparing SASE with SD-WAN is no apples-to-apples affair because in truth SD-WAN functionality is a subset of the broader SASE feature set.

Since SD-WAN first started to gain steam in the mid-2010s, the draw has been its ability to optimize traffic across widely dispersed geographic locations, securely terminate traffic, and do it all with the required remediation to different destinations. It does this using a virtualized network control plane that has the flexibility to use a range of transport services, whether broadband internet, MPLS, or LTE, to connect sites and services. That control plane centralizes management and makes it much easier and more affordable for large organizations to unify the connection of branch offices to corporate networks.


The connections are secure, but the sticking point is that SD-WAN is not designed to inspect traffic or apply robust security policies. Security teams still need to layer in a mix of secure web gateways, application firewalls, and cloud controls to achieve their risk management goals. This means that SD-WAN traffic must pass through a central inspection point so that the appropriate security controls can be applied to it. This greatly limits the secure flexibility of SD-WAN in cloud environments or when connecting remote users or IoT devices to anything other than the main corporate network, because all traffic must be backhauled to the corporate network in order for it to be managed from a security perspective, incurring latency and performance problems in the process.

The big difference with SASE is that it takes the centralized management principle of SD-WAN and bolsters it with a full slate of security controls, administered through a cloud-based service that pushes traffic inspection out to the edge.

SASE is designed with key security controls baked in


When Gartner first defined the SASE category back in 2019, it laid out the bare minimum five ingredients that create the category. SASE technology combines SD-WAN network controls with four other security control functions directly baked into the architectural framework:

  • Secure Web Gateway (SWG),
  • Cloud access security brokers (CASB),
  • Zero trust network architecture (ZTNA), and
  • Firewall as a service (FWaaS)

As SASE technology evolves, other functionality like next-generation anti-malware (NGAV) and managed detection and response (MDR) has been added to that mix to create a more complete package of security management capabilities.


SASE topology looks more like a mesh than secured SD-WAN’s hub and spoke

That built-in security functionality is bundled up into a single SASE cloud service that applies the security controls and inspection from a distributed set of SASE points of presence (POPs) located close to the connecting device. In this way, SASE topology looks much more like a mesh than the hub-and-spoke model necessary for secure management of SD-WAN traffic.

This cloud-native model concurrently enables a higher level of security assurance while maximizing performance and operational efficiency in an era of cloud-first, IoT-heavy environments.


SASE unifies management of hybrid environments while dispersing network inspection, and when that’s paired with Artificial Intelligence for IT operations (AIOps) technology, IT teams are able to scale up visibility and management of edge devices. SASE and AIOps together can help organizations automate more management functionality and keep tabs on a diverse portfolio of network devices that keeps getting bigger as IoT devices rapidly proliferate.

Many organizations have delayed their SD-WAN implementation for fear of transitional bumps or shocks. Adding SASE options can sometimes compound that fear and elicit analysis paralysis.


Technology and business leaders should rest easy with the understanding that while SASE does extend SD-WAN principles, there’s no SD-WAN prerequisite for embarking on a SASE journey.

Can we apply learnings from SD-WAN implementations to SASE?

Lessons learned from the early days of SD-WAN can help ease the adoption of SASE. Many enterprises start with a proof-of-concept (PoC). This allows them to realize the benefits of SD-WAN and the security it can deliver, and to map their deployment and scale it for network transformation goals. As enterprises continue to move through their modernization, they should look to a PoC to help them identify and define their desired business outcomes and experience how a single-stack SASE solution can deliver them.

Another key lesson is the importance of the right service provider to minimize the challenges faced when choosing and deploying SASE solutions. To overcome operational challenges that can otherwise become overwhelming, businesses should partner with an experienced managed service provider, one that offers a consultative approach, and considers the future needs of the business, existing IT resources and the current state of the network.

SASE deployments can be greenfield and incremental

Companies with no SD-WAN infrastructure can go for greenfield SASE deployments quickly. Getting started with SASE is not difficult. SASE can be rolled out incrementally. There is a simple step-by-step process to achieve gains in network and application performance.


By Arun Karna, MD & CEO, AT&T Global Network Services India Pvt. Ltd.
