Co-authored by Jason Hofmann and Jeff Brainard
With Gartner releasing its latest Magic Quadrant for WAN Edge Infrastructure earlier this month, it seemed an appropriate time to explore the intersection of SD-WAN and SASE. Both of these technological approaches hold great promise and are large, billion-dollar markets, sharing the common goal of connecting users to the data and applications critical to doing their job. The two technologies demonstrate the increasing overlap and tightening linkage between networking and security investments.
Leveraging the concept of a virtualized network overlay to connect branch offices, SD-WAN allows organizations to better tap the public Internet and low-cost broadband to save on expensive, legacy MPLS WANs. Analysts like Gartner estimate SD-WAN can help enterprises cut costs by as much as 65% compared to traditional alternatives. SD-WAN benefits run deeper than just infrastructure savings, including increased network availability, better traffic prioritization, and more intelligent path selection. For example, SD-WAN routing decisions can be based on performance requirements (e.g. bandwidth and latency-sensitive voice or video traffic), the criticality of the application (e.g. Office 365 vs YouTube), or characteristics of the user or their connection.
SD-WAN is sometimes perceived as lacking the cloud-native mindset that’s increasingly expected as the world adopts the cloud in all its permutations. That’s not entirely true since SD-WAN is a great enabler for organizations to get traffic to and from the cloud in a more efficient and cost-effective way. With that said, SD-WAN was designed at its core to address the challenges of managing connectivity between hundreds or thousands of enterprise branches, not necessarily an enterprise where the majority of employees are now remote workers and the branch has been put on the back burner, at least temporarily. Since the COVID-19 pandemic began earlier this year, organizations have had their old way of doing business upended. And as this new work from home norm takes hold, it may indicate what’s in store for the future as more organizations embrace remote work on a more permanent basis.
This is where client technologies, like the Netskope Client, can bridge the gap and complement SD-WAN deployments. Not only does the Netskope Client extend cloud security to wherever the user roams, but it does this with unified policies, plus the intelligence to auto-disable traffic steering once the user returns to the branch while continuing to perform all other functions such as displaying notifications and performing endpoint posture management.
The intersection of SD-WAN and SASE
SD-WAN shifts older WAN architecture to a newer, still private, but much more cost-effective and agile overlay network. SASE, on the other hand, is 100% grounded in the cloud and subsumes much of SD-WAN, pivoting away from focusing primarily on the branch to instead focusing on users connecting from literally anywhere. SASE is especially critical in this new age of remote work. In the SASE world, the concept of the perimeter and branch changes—or you could say “moves”—with the user. This connection from a single device or endpoint to the service edge or new WAN edge is at the heart of SASE, combined most importantly with the critical security delivered as a cloud service necessary to protect the user and their traffic while in motion.
Security considerations have always been imperative to SD-WAN architectures, including creating secure tunnels to protect critical application traffic in-transit while also guarding against the risks and data protection challenges associated with going direct-to-net. This creates natural tailwinds for cloud security, SASE-focused vendors like Netskope because traditional approaches that steer traffic to a few security control points are increasingly irrelevant as a result of the cost—both measured in dollars and in performance—of backhauling traffic to remote locations. And in addition, this legacy approach to security runs counter to the flexibility and performance tenets that are core to SD-WAN.
With the pivot to cloud and SASE, whether it’s users safely browsing the web, accessing their SaaS apps and workloads in the public cloud, or even remotely connecting to their private apps, significant gaps exist for optimizing connectivity between these destinations and the new WAN edge. It’s not just safe to say it’s all HTTP and HTTP-based protocol traffic bound for the Internet and performance can simply be addressed by adding more bandwidth or relying on an antiquated backhaul architecture. And this is where you see the intersection forming between SD-WAN and SASE.
While some of the SD-WAN vendors have attempted to layer security capabilities into their SD-WAN offerings, claiming they are SASE-ready, much of this is happening through bolt-on acquisitions or a slimmed down, incomplete set of security features. Fundamentally SD-WAN is the domain of networking experts working in the world of routing traffic, enhancing network reliability, and exploiting optimization techniques for an improved application experience. Security technologists occupy another sphere of understanding the threat landscape, being able to identify users, threats, data, and application instances and stitching these contexts together to improve security posture.
Analysts, vendors, and customers provide evidence of this dua