VMware is putting its weight behind creating a secure access service edge (SASE) platform by blending zero-trust networking into its SD-WAN. VMware has integrated its VeloCloud SD-WAN with its Workspace ONE end-user client to enable zero-trust networking down to the device level.
With millions of employees making the move to work-from-home environments due to the coronavirus, combining SD-WAN with Workspace ONE enables zero-trust to be deployed on more than 100 global points-of-presence (some of which are VMware's while others are owned by service providers) across more than 2,000 gateways.
Ever since Gartner analysts defined SASE last year, vendors have been scrambling to plant their SASE flags. SASE is mainly about the unification of enterprise access security initiatives and WAN networking platforms, including SD-WAN.
Unlike some of the upstarts in the SASE sector that are starting from scratch, VMware's Sanjay Uppal, SVP and general manager of SD-WAN, said VMware brings more than 10 million managed clients to the SASE table through Workspace ONE, as well as its NSX inside of the points-of-presence (PoPs). Along with VMware's VeloCloud SD-WAN, NSX and vRealize Network Insight are part of VMware's software-defined networking (SDN) Virtual Cloud Network.
While some VMware SD-WAN power users can take a VeloCloud device home with them, it's not practical for the bulk of the employees who are now working from home, or for when they are on the move. By enabling zero trust and SD-WAN at the client level, there's no need for hardware. The SD-WAN Zero Trust Service can provide a multi-region VPN service for iOS, Android, Windows and macOS clients.
"As we expand out our SD-WAN beyond branch access, and include secure remote access, we're not starting from ground zero either on the SD-WAN point of presence architecture or on the client side," Uppal said. "What they can get now is a zero trust network service from VMware connected through their SD-WAN to get the benefits of both security and high performance.
"Because people are now working from home, or working from anywhere, the branch end is becoming the home end, or the user end. It's not enough to say that you're just at the branch. You've got to come all the way into individual clients."
Remote workers use the Workspace ONE agent that runs on their various devices, or they can access their workloads and applications through an online zero-trust portal.
"We think that the zero trust network access is a really good next generation service that customers would want for their secured remote access," Uppal said. "You don't need to deploy anything more in the data center. You get control over who has access to what based on who they are and which machine they are coming in from. In the future, because of our Carbon Black acquisition, you'll get even more insight.
"We will be able to get more and more granular about knowing who you are, what device you're coming in from, what is running on your device, and whether your device has gone rogue. We'll be able to determine those things as we add more specificity into what's happening at the client level."
In addition to the integration of Carbon Black, Uppal said a cloud web security service and a next-gen firewall service are on VMware's SASE roadmap.
The SASE journey
Last week during Cisco Live, Cisco announced it was integrating its Viptela SD-WAN service with various elements of its security portfolio in its latest SD-WAN software release. Uppal said that unlike Cisco, VMware is willing to work with third parties to fill out its SASE platform.
Uppal also noted that contrary to Aryaka and Cato Networks, VMware works with telcos instead of competing against them. He said service providers could opt to take different pieces of VMware's SASE platform to resell to their customers.
"What we're saying is SASE is both a platform as well as it's a solution for a set of services," he said. "The first part of the SASE journey is where does the journey begin? The SASE journey begins from what we've done with SD-WAN. What we've done is really filled out an entire architecture, which is an end-to-end architecture, meaning that it starts with a branch and then goes up to a data center or to the cloud.
"The zero trust network access service is the first incarnation of client to cloud to container using SD-WAN. So that's really our starting point of this journey."