Stay ahead of digital transformation with a cloud-delivered Secure Access Service Edge (SASE). Watch as two of the industry's leading experts, Gartner Research Vice President Neil MacDonald and Palo Alto Networks Field CTO Jason Georgi, discuss what a SASE solution is, the benefits and more. Ultimately, you’ll walk away with a clear understanding of how SASE can empower your mobile workforce, distributed branch offices, and your business, with comprehensive visibility and security.

For more details about protecting digital business transformation in the cloud, read the Gartner report, “The Future of Network Security Is in the Cloud”

Speakers:

Neil MacDonald
VP & Gartner Fellow
Gartner Research

Jason Georgi
Field CTO
Palo Alto Networks

TRANSCRIPT

Narrator:

Business is transforming, requiring network architectures and network security approaches to rapidly expand and adapt to the ever-evolving needs of users across the globe. Propelled by cloud adoption, global business expansion, and the need for anytime, anywhere access to applications and data, protecting your organization has become increasingly challenging. To stay ahead of digital transformation, organizations must shift their mindset and approach when it comes to networking and network security. The answer lies in a cloud-delivered secure access service edge (SASE).

Narrator:

What is a SASE solution? What are the benefits? What exactly is driving this shift in paradigm? In this program, we answer these questions and more with two of the industry's leading experts. Join Gartner Research Vice President Neil MacDonald and Palo Alto Networks Field CTO Jason Georgi for a detailed, insightful discussion around SASE. Ultimately, you'll walk away with a clear understanding of how SASE can empower your mobile workforce, distributed branch offices, and your business with comprehensive visibility and security.

Neil MacDonald:

Digital business transformation has fundamentally inverted network traffic patterns. It used to be when we had network and network security architectures, we would put the data center at the center of the universe. Everything came into the data center, whether it was a remote user, whether it was our branch offices. In this world of digital transformation, everything we need is basically outside of the data center. It's in software as a service, it's in public cloud infrastructure as a service. Where our users need to go is outside, not in the data center. So we're seeing an inversion. The data center is no longer the center and the design point, it's the user, the identity of the user, the identity of the device, the location. Even things like IoT devices and branch offices, they're at the center needing connectivity everywhere to all of these resources that are distributed throughout the internet. And we call this inversion and conversion pattern the secure access service edge or SASE. And most notably, what we see is a convergence between network as a service and network security as a service into SASE delivered as a cloud-based service.

Neil MacDonald:

If your users are everywhere and the data is everywhere, then your protection must be everywhere, which means delivered as a cloud-based service. So the perimeter, it's no longer a location, it's no longer the edge of just the data center. The perimeter is now a capability. This dynamically delivered secure access service edge delivered when and where needed based on policy that's assessed dynamically at the point of access. The user, the location, the time of day, the device, all of this factored into that access decision with an emphasis on high levels of automation in real time driven by policy.

Neil MacDonald:

Network and network security architectures that funnel everything through the data center are an inhibitor to the needs of digital business. We need access capabilities everywhere the users aren't, everywhere our data is, which means everywhere, which means cloud-based delivery of a service, whether it's a user going to Office 365, a user going to my internal app, a user going to an application that happens to be hosted in AWS or Azure, or a branch office. These are all just variations of the same connectivity problem. So what we're talking about with SASE, first of all, is a convergence of network and network security as a service, but also a shift wherever possible to deliver the bulk of these services from the cloud. We call that a light branch, heavy cloud model: on premises where you must and cloud wherever you can, and that is one of the key discontinuities in the evolution to SASE. It's a lot like the shift to public cloud infrastructure as a service that transformed the data center. It's about agility and speed, getting rid of boxes and focusing on business policies and business enablement.

Neil MacDonald:

In our research on the secure access service edge, we've separated the capabilities into three categories. First are the core capabilities we believe a SASE solution must have and that includes SD-WAN, secure web gateway, cloud access security broker capabilities, zero trust network access and firewall as a service including IPS capabilities. Now, in all of those services, the customer must have the ability to open up and identify sensitive data and malware, which means the ability to encrypt and decrypt and inspect the content at line speed and at scale.

Neil MacDonald:

Now, for recommended capabilities, the second category, we list web application and API protection, including web application firewall capabilities, remote browser isolation, recursive DNS, and network sandboxing, and then in the optional capabilities category, we include things like network privacy as a service, [inaudible 00:06:37] as a service, and local Wi-Fi protection. These are the three categories, but note, the must-have category, the very first category, includes both SD-WAN and security-as-a-service capabilities. That is a fundamental concept at the core of our SASE research.

Neil MacDonald:

When you look at Gartner's strategic planning assumption, you may say, "Wow, this is very slow," but what we're seeing is rapid transformation: the rapid convergence of secure web gateways, zero trust network access, and cloud access security brokers. These are already coming together. Many of the pieces that we just talked about that will build SASE are coming together from many different competing vendors. You're going to start to see winners separating from losers over the next one or two years, and one of the primary drivers is that organizations want to reduce complexity. They want that agility and speed that we've talked about, but they want fewer vendors, fewer consoles, and fewer ways to have to set and define policies, and that will drive the rapid adoption of these SASE concepts over the next several years.

Neil MacDonald:

There are several ways that organizations can begin evaluating SASE offerings today. So for example, if you're looking at a branch office project for direct internet connectivity, perhaps you should include security services alongside the SD-WAN capabilities. These should come together. If you're on the security side of things and you're looking at your strategy for securing branch offices, you should be including SD-WAN as a part of that evaluation. These are coming together. Also look at the architecture of these SASE providers. Make sure they favor this light branch, heavy cloud model that we discussed earlier: a small on-premises footprint, with the heavy lifting, the heavy inspection, done from a delivery of cloud-based services. And location matters. Latency matters. Where does the provider have local points of presence that are close to your users and your branch offices? That becomes a very important consideration, as does a single-pass architecture looking for both sensitive data and malware. The idea is this: secure access capabilities, a dynamic service edge delivered when and where needed for all of your users, all of your locations.

Jason Georgi:

When data and applications were essentially confined to data centers, legacy security and network architecture made sense: build an appliance-based security perimeter around applications in the data center and use wide area networks to connect branches to them. Cloud transformation started the erosion of the security perimeter concept because now data and applications are everywhere and users are now working from anywhere. With the internet being the most efficient path between users and their applications today, backhauling branch office and user traffic to the data center for access and security no longer makes sense. Access to applications with in-line security inspection belongs at the edge, protecting users, applications, and data regardless of where they are. A secure access service edge, or SASE, converges the delivery of network and security capabilities as a service at the edge, addressing head on the challenges today's cloud- and mobile-forward organizations face with their legacy architectures. This is what Palo Alto Networks is delivering with Prisma Access.

Jason Georgi:

Based on my own experiences and through regular conversations I have with customer executives about their cloud journeys, the number one thing they're all trying to achieve is greater business agility. Hands down. Cloud simply makes organizations more productive and innovative through faster development of IT services, better user experiences, more mobile-friendly applications, and collaboration among teams and third parties. CIOs have become business partners, where IT is now the execution wing of achieving business objectives through technology, specifically cloud, to be more agile and gain competitive advantage.

Jason Georgi:

SASE may be a new term, but the problem we're trying to solve is not. SASE helps organizations achieve agility and speed with the convergence of two essential groups of capabilities: networking as a service and network security as a service. By design, SASE's core components reduce complexity by eliminating a bunch of point products that had been cobbled together to achieve the same goal. Cloud delivery of SASE capabilities reduces operational complexity and cost by allowing administrators to focus on policy management. SASE also reduces an organization's risk by providing consistent security policy regardless of where the application or data is, whether that's in the cloud, SaaS, the data center, or the internet, but also wherever the user is. Being in line provides full visibility and security for all enterprise traffic.

Jason Georgi:

This goes back to the legacy network and security architectures that were set up for a purpose. Users were working in offices and applications were only in data centers. Ideally, connectivity should just be access: access that is seamless, transparent, and secure, with the same policy regardless of where the applications are or where the users are. A SASE-based approach provides this desired seamless access, providing complete visibility and security to all traffic. Also, organizations must consider the security of the applications themselves. This is very important. Cloud and SaaS applications are now using more than just web protocols. And with that, there should be no compromising on the need to fully inspect all traffic across all ports and protocols. If you're not, you're simply not seeing everything, and you can't manage what you don't see.

Jason Georgi:

The same logic applies to zero trust network access. It should include full inspection of traffic for threat and data protection between applications and users, especially in the case of third parties, contractors, and unmanaged devices. An extra benefit for branch offices is that SASE allows organizations to leverage lower-cost and higher-bandwidth internet connectivity, providing greater flexibility and cost optimization than MPLS.

Jason Georgi:

Because of the breadth of services SASE offers, not every vendor will deliver on every capability. That being said, there are a few key things an organization should look for when evaluating SASE vendors. One, emerging SASE leaders must offer the core components of a cloud-based secure web gateway, a [inaudible 00:14:06], zero trust network access, firewalls as a service, and SD-WAN all natively within a single platform. This is the whole point of convergence and simplification. Trying to do this with point products only solves part of the problem. Look at things like Google Cloud, Azure, AWS, and other cloud providers. We can get everything from a single vendor. It just makes things so much simpler. Further, the fewer vendors being managed, the better you set yourself up for automation in the future, which is the goal of so many organizations. Finally, access to services just needs to be adaptive and policy driven.

Jason Georgi:

Number two, it should have a cloud-based policy and decision engine. Leading SASE architectures will do all of the heavy processing in the cloud, which can then be applied to cloud-based enforcement points or using a thin branch device. And finally, number three, SLAs. Service availability is no longer enough for organizations with critical applications being delivered to the cloud and SaaS. SASE vendor SLAs should absolutely include guaranteed performance to the SaaS applications themselves.

Jason Georgi:

Palo Alto Networks addresses these three elements through Prisma Access as follows: Prisma Access has offered the core security capabilities as a service for years, and we recently launched our SD-WAN capability, which is available now. This allows us to natively deliver all of the core SASE components. Additionally, Prisma Access is fully compliant with the thin branch, heavy cloud model. We do this by leveraging our firewalls as the on-ramp to the SD-WAN while doing all of the security processing in the cloud.

Jason Georgi:

Finally, Prisma Access offers SaaS performance SLAs in addition to the standard SLAs for service availability and security processing time. These are what make Prisma Access the industry's most comprehensive SASE platform.