The large market for managed network and security services is highly competitive and rapidly evolving. Network and security technologies are converging and moving to a cloud-based model. This convergence, which is called Secure Access Service Edge or SASE , will have a significant impact on associated managed service offerings and the managed service providers (MSPs) themselves over the next five years.
MSPs and communication service providers (CSPs) will need to revamp their organizational structure to deliver integrated networking and security services. They should take advantage of the rapid innovation available from technology partners both large and small. MSPs will need to deliver hybrid—premise and cloud solutions—to meet a wide variety of customer requirements. They will need to decide which supplier, or suppliers, are best positioned to provide the SASE architecture, and how much internal development they should invest to differentiate their offerings.
Defining the SASE architecture
SASE is an architecture for the convergence of networking and security at the network edge such as branch and remote offices. The driving forces behind SASE are:
- Rapid increases for IaaS (infrastructure-as-a-service) and SaaS (software-as-a-service) usage has changed network traffic patterns to direct Internet access, which requires fundamental change in how network and security intelligence is delivered
- Advances in software and cloud intelligence have enabled integrated network and security solutions, such like SD-Branch, which enable application prioritization, cloud acceleration and centralized management
- Organizations with critical IoT applications require low-latency network/security intelligence to be delivered in a cloud-based model.
SASE combines premise and cloud-based services to deliver a broad range of network/security functionality, including SD-WAN, SD-Branch, firewall, software-defined perimeter (SDP), zero trust, and data loss protection.
SASE as a managed service
Distributed organizations have long benefited from outsourcing network, such as WAN, and security services to MSPs and CSPs. The developing SASE architecture provides new options for service providers (SPs) to enhance their managed services with more comprehensive, integrated offers. Most customers will require a combination of on-premise and cloud-based intelligence to meet their network and security requirements. Delivery options for SPs include SD-Branch and virtual customer premises equipment (vCPE.)
SD-Branch
SD-Branch, which combines LAN, Wi-Fi, SD-WAN, routing and security functionality in an integrated solution, is a prime example of a SASE architecture. Vendors continue to enhance their SD-Branch solutions by improving integration between technology elements and offering end-to-end quality of service, security policies and unified management.
RELATED: Industry Voices—Doyle: Managed SD-Branch to provide new options for distributed organizations
SD-Branch-as-a-service offerings are in a nascent stage of development and delivery. Many SD-Branch suppliers offer solutions that are strong in one or two areas—LAN/Wi-Fi, SD-WAN or network security—but are weak in others.
vCPE
CSPs are deploying virtual customer premise equipment (vCPE) on x86 servers to provide flexible delivery of network and security services including SD-WAN, routing, VPN and firewall functionality. The advantage of vCPE is its ability to provide flexible hardware at the customer location combined with cloud-based intelligence that can power a range of SASE functionality. CSPs can easily deploy new business services via software updates without changing the physical platform at customer locations.
RELATED: Industry Voices—Doyle: vCPE and SD-WAN's impact on managed business network services
vCPE is generally associated with a best in breed or multi-vendor supplier strategy to deliver managed services. SPs are challenged to integrate the management offerings from the various suppliers. Most SPs find vCPE solutions expensive to deploy and challenging to manage.
Technology supplier options
SPs planning to deliver SASE as a managed service will be able to select from dozens of network and security supplier offerings. Large IT suppliers, such as Cisco, HPE Aruba and VMware, are developing SASE architectures through a combination of acquisitions and integration of their portfolios of network and security technologies. Network security suppliers such as Fortinet are expanding their offerings to including SD-WAN and SD-Branch solutions.
An example of a SASE-related merger is the recent acquisition of CloudGenix. CloudGenix provides SD-WAN features with cloud-based intelligence. It was recently acquired by Palo Alto Networks, which plans to integrate CloudGenix solutions with its Prisma cloud security offering.
Conclusions
The convergence of network and security with cloud-based intelligence is impacting the architectural options for MSPs to deliver managed networking and security services. Current SASE solutions are immature and have limitations (such as weak functionality or poor integration) across the range of technologies required for the complete SASE architecture. Over the next five years, the depth and breadth of SASE functionality will significantly improve.
The complexity and diversity of organizational requirements for network and security at the edge challenges any single supplier to deliver on the complete SASE vision so technology supplier selection will be critical for MSPs. MSPs will need to invest in education and training for their technical staff and to gain experience to deliver converged edge solutions as a service.
Lee Doyle is Principal Analyst at Doyle Research, providing client focused targeted analysis on the Evolution of Intelligent Networks. He has over 25 years’ experience analyzing the IT, network, and telecom markets. Lee has written extensively on such topics as SDN, NFV, enterprise adoption of networking technologies, and IT-Telecom convergence. Before founding Doyle Research, Lee was Group VP for Network, Telecom, and Security research at IDC. Lee holds a B.A. in Economics from Williams College. He can be reached at [email protected] and follow him @leedoyle_dc
Industry Voices are opinion columns written by outside contributors—often industry experts or analysts—who are invited to the conversation by Fierce staff. They do not represent the opinions of Fierce.