Backgrounder – SD-WAN and SASE:
A software-defined wide area network (SD-WAN) uses software-defined network technology, mostly to communicate over the Internet using overlay tunnels which are encrypted when destined for internal organization locations. If standard tunnel setup and configuration messages are supported by all of the network hardware vendors, SD-WAN simplifies the management and operation of a WAN by decoupling the networking hardware from its control mechanism. This concept is similar to how software-defined networking implements virtualization technology to improve data center management and operation. In practice, proprietary protocols are used to set up and manage an SD-WAN, meaning there is no decoupling of the hardware and its control mechanism.
A key application of SD-WAN is to allow companies to build higher-performance WANs using lower-cost and commercially available Internet access. That enables businesses to partially or wholly replace more expensive private WAN connection technologies such as MPLS. When SD-WAN traffic is carried over the Internet, there are no end-to-end performance guarantees. In sharp contrast, carrier MPLS VPN WAN services are not carried as Internet traffic, but rather over carefully controlled carrier capacity, and do come with an end-to-end performance guarantee.
Gartner’s 2022 SD-WAN Magic Quadrant report identified Cisco, Fortinet, VMware, Palo Alto Networks, Hewlett Packard Enterprise (HPE) Aruba, and Versa Networks as market leaders. The analyst firm estimates the top 10 vendors make up more than 80% of the market. To determine SD-WAN leaders, Gartner reviewed vendors’ product capabilities, such as the ability to operate as a branch office router, centralized management of devices, zero-touch configuration, and VPN with a basic firewall. The analyst firm also reviewed vendors’ business and financial performance based on their volume of customers, sites, and contracts.
Gartner coined the acronym SASE (Secure Access Service Edge) in an August 2019 report, “The Future of Network Security in the Cloud,” and expanded its functionality in its 2021 “Strategic Roadmap for SASE Convergence.” SASE combines network security functions (such as SWG, CASB, FWaaS and ZTNA) with WAN capabilities (e.g. SD-WAN) to support businesses’ secure access needs. Previously, security for SD-WAN was an open, unresolved issue.
SASE is a holistic framework that brings security and networking connectivity together through a cloud-centric base. Businesses can save equipment, human and financial resources thanks to SASE’s underlying cloud design, and they can scale performance with minimal hardware needs.
Omdia Analyst Fernando Montenegro describes SASE as a “framework architecture, not a solution.”
MEF SD-WAN and SASE Standards:
In August 2019, the MEF published the industry’s first global standard defining an SD-WAN service and its service attributes: SD-WAN Service Attributes and Services (MEF 70). The MEF SD-WAN standard describes requirements for an application-aware, over-the-top WAN connectivity service that uses policies to determine how application flows are directed over multiple underlay networks, irrespective of the underlay technologies or the service providers who deliver them. However, it does not address interoperability, because it does not specify either a UNI or an NNI protocol stack.
MEF 70 defines:
- Service attributes that describe the externally visible behavior of an SD-WAN service as experienced by the subscriber.
- Rules associated with how traffic is handled.
- Key technical concepts and definitions like an SD-WAN UNI, the SD-WAN Edge, SD-WAN Tunnel Virtual Connections, SD-WAN Virtual Connection End Points, and Underlay Connectivity Services.
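The following is an added illustration of the MEF 70 concepts just listed, written for this backgrounder and not taken from MEF or any vendor: an SD-WAN Edge steers application flows over Tunnel Virtual Connections that ride on Underlay Connectivity Services, and the choice of path comes from the agreed policy (latency and loss objectives, plus the rule from the opening paragraph that flows bound for internal sites must use an encrypted tunnel) rather than from the underlay technology. All underlay names, measurements and thresholds are constructed sample values.

```python
"""Added illustration (not MEF's code) of the MEF 70 concepts above: an SD-WAN
Edge steers application flows over Tunnel Virtual Connections that ride on
Underlay Connectivity Services, choosing a path from policy rather than from
the underlay technology. Names, measurements and thresholds are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UnderlayConnectivityService:
    """One underlay as the SD-WAN Edge sees it; the technology is not a policy input."""
    name: str
    latency_ms: float   # latest path measurement (constructed sample value)
    loss_pct: float
    cost_rank: int      # relative cost, lower is cheaper


@dataclass(frozen=True)
class TunnelVirtualConnection:
    """Overlay tunnel on one underlay. Tunnels to internal sites are encrypted;
    a direct Internet breakout is not, so it may not carry internal-bound flows."""
    underlay: UnderlayConnectivityService
    encrypted: bool


@dataclass(frozen=True)
class AppPolicy:
    """Performance objective agreed for one application flow class."""
    max_latency_ms: float
    max_loss_pct: float


class SdwanEdge:
    def __init__(self, tunnels: List[TunnelVirtualConnection],
                 policies: Dict[str, AppPolicy], default_policy: AppPolicy):
        self.tunnels = tunnels
        self.policies = policies
        self.default_policy = default_policy

    def steer(self, app: str, internal_destination: bool) -> Tuple[str, bool]:
        """Pick the underlay for a flow of class `app`.

        Returns (underlay name, degraded). `degraded` is True when no path meets
        the policy and the flow is kept up on the best-performing eligible path.
        """
        policy = self.policies.get(app, self.default_policy)
        # Security constraint first: internal-bound flows only on encrypted tunnels.
        eligible = [t for t in self.tunnels if t.encrypted or not internal_destination]
        if not eligible:
            raise RuntimeError("no tunnel is permitted to carry this flow")
        meeting = [t for t in eligible
                   if t.underlay.latency_ms <= policy.max_latency_ms
                   and t.underlay.loss_pct <= policy.max_loss_pct]
        if meeting:
            best = min(meeting, key=lambda t: t.underlay.cost_rank)
            return best.underlay.name, False
        # No path meets the objective: do not drop the flow, steer it to the best
        # available path and flag it so monitoring can raise an SLA exception.
        best = min(eligible, key=lambda t: (t.underlay.loss_pct, t.underlay.latency_ms))
        return best.underlay.name, True


# Constructed sample underlays and measurements.
MPLS = UnderlayConnectivityService("mpls", latency_ms=20, loss_pct=0.0, cost_rank=3)
BROADBAND = UnderlayConnectivityService("broadband", latency_ms=45, loss_pct=0.5, cost_rank=1)
LTE = UnderlayConnectivityService("lte", latency_ms=90, loss_pct=1.5, cost_rank=2)
DIRECT = UnderlayConnectivityService("direct-internet", latency_ms=30, loss_pct=0.3, cost_rank=0)

EDGE = SdwanEdge(
    tunnels=[TunnelVirtualConnection(MPLS, True),
             TunnelVirtualConnection(BROADBAND, True),
             TunnelVirtualConnection(LTE, True),
             TunnelVirtualConnection(DIRECT, False)],
    policies={"voice": AppPolicy(50, 0.2),
              "video": AppPolicy(15, 0.1),
              "saas": AppPolicy(100, 1.0)},
    default_policy=AppPolicy(150, 2.0),
)

if __name__ == "__main__":
    for app, internal in [("voice", True), ("saas", False), ("saas", True),
                          ("file-sync", True), ("video", True)]:
        print(app, "internal" if internal else "external", EDGE.steer(app, internal))
```

With these sample measurements, voice to an internal site lands on MPLS (the only path meeting the loss objective), SaaS to an external destination takes the cheapest eligible path (the direct Internet breakout), the same SaaS flow to an internal site is confined to encrypted tunnels and takes broadband, and a video class whose objective no path can meet is kept up on MPLS with the degraded flag set rather than being dropped.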
SD-WAN standardization offers numerous benefits that will help accelerate SD-WAN market growth while improving overall customer experience with hybrid networking solutions. Key benefits include:
- Enabling a wide range of ecosystem stakeholders to use the same terminology when buying, selling, assessing, deploying, and delivering SD-WAN services.
- Making it easier to interface policy with intelligent underlay connectivity services to provide a better end-to-end application experience with guaranteed service resiliency.
- Facilitating inclusion of SD-WAN services in standardized LSO architectures, thereby advancing efforts to orchestrate MEF 3.0 SD-WAN services across automated networks.
- Paving the way for creation and implementation of certified MEF 3.0 SD-WAN services, which will give users confidence that a service meets a fundamental set of requirements.
Last year MEF introduced an updated version of its SD-WAN standard, MEF 70.1, which added critical enhancements. MEF is also currently at work on version MEF W70.2 and MEF W119 Universal SD-WAN Edge, which will address the need for interoperability, among other things.
In December 2022, MEF published two Secure Access Service Edge (SASE) standards defining (1) SASE service attributes, common definitions and a framework, and (2) a Zero Trust framework, which together allow organizations to implement dynamic policy-based actions to secure network resources, for faster decision making and implementation by enterprises. MEF’s SASE standard defines common terminology and service attributes, which are critically important when buying, selling, and delivering SASE services. It also makes it easier to interface policy with security functions for cloud-based cybersecurity from anywhere. MEF’s Zero Trust framework defines service attributes to enable service providers to implement and deliver a broad range of services that comply with Zero Trust principles.
- SASE Service Attributes and Service Framework Standard: specifies service attributes to be agreed upon between a service provider and a subscriber for SASE services, including security functions, policies, and connectivity services. The standard defines the behaviors of the SASE service that are externally visible to the subscriber irrespective of the implementation of the service. A SASE service based upon the framework defined in the standard enables secure access and secure connectivity of users, devices, or applications to resources for the subscriber. MEF’s SASE standard (MEF 117) includes SASE service attributes and a SASE service framework.
- Zero Trust Framework for MEF Services: The new Zero Trust Framework for MEF Services (MEF 118) defines a framework and requirements of identity, authentication, policy management, and access control processes that are continuously and properly constituted, protected, and free from vulnerabilities when implemented and deployed. This framework also defines service attributes, which are agreed between a subscriber and service provider, to enable service providers to implement and deliver a broad range of services that comply with Zero Trust principles.
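As an added illustration of the continuous identity, authentication, policy management and access-control evaluation that the MEF 118 description above calls for (written for this backgrounder, not MEF's own code or any provider's implementation), the example below models a policy decision point whose rules are expressed as agreed attributes per resource sensitivity tier. Every request, even within an existing session, is evaluated against the subject's current state, so an earlier allow grants no lasting trust and a change in device posture revokes access on the next request. The identities, the "password"/"mfa" authentication vocabulary, the sensitivity tiers and the rule table are all constructed for the example.

```python
"""Added illustration (not MEF's code) of continuous identity, authentication,
policy and access-control evaluation in the spirit of MEF 118: each request is
re-evaluated against current state, so an earlier "allow" grants no lasting
trust. Identities, posture fields and the rule table are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Subject:
    identity: str
    auth_method: str        # "password" or "mfa" (constructed vocabulary)
    device_compliant: bool  # posture as reported by the endpoint agent


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str        # "low" or "high" (constructed tiers)


# Policy expressed as service attributes a provider and subscriber agree on:
# per sensitivity tier, the minimum authentication strength and whether a
# compliant device is required. Constructed for the example.
POLICY: Dict[str, dict] = {
    "low": {"min_auth": "password", "require_compliant_device": False},
    "high": {"min_auth": "mfa", "require_compliant_device": True},
}
AUTH_STRENGTH = {"none": 0, "password": 1, "mfa": 2}


class PolicyDecisionPoint:
    """Evaluates one access request against identity, authentication and posture."""

    def __init__(self, known_identities: List[str]):
        self.known_identities = set(known_identities)

    def evaluate(self, subject: Subject, resource: Resource) -> Tuple[bool, str]:
        if subject.identity not in self.known_identities:
            return False, "unknown identity"
        rule = POLICY.get(resource.sensitivity)
        if rule is None:
            return False, "resource has no policy"   # default deny
        if AUTH_STRENGTH.get(subject.auth_method, 0) < AUTH_STRENGTH[rule["min_auth"]]:
            return False, f"{rule['min_auth']} required"
        if rule["require_compliant_device"] and not subject.device_compliant:
            return False, "device not compliant"
        return True, "allowed"


class Session:
    """Holds no implicit trust: each request is evaluated afresh against the
    subject's current state, and the audit log records every decision."""

    def __init__(self, pdp: PolicyDecisionPoint, subject: Subject):
        self.pdp = pdp
        self.subject = subject
        self.audit: List[Tuple[str, bool, str]] = []

    def request(self, resource: Resource) -> bool:
        allowed, reason = self.pdp.evaluate(self.subject, resource)
        self.audit.append((resource.name, allowed, reason))
        return allowed


def walkthrough() -> List[Tuple[str, bool, str]]:
    """Constructed scenario: access is granted, then revoked when posture changes."""
    pdp = PolicyDecisionPoint(["alice", "bob"])
    payroll = Resource("payroll-db", "high")
    wiki = Resource("wiki", "low")

    alice = Subject("alice", auth_method="mfa", device_compliant=True)
    session = Session(pdp, alice)
    session.request(payroll)                 # allowed
    alice.device_compliant = False           # endpoint agent reports drift
    session.request(payroll)                 # same session, now denied
    session.request(wiki)                    # low tier does not need a compliant device

    bob = Session(pdp, Subject("bob", auth_method="password", device_compliant=True))
    bob.request(payroll)                     # denied: mfa required
    carol = Session(pdp, Subject("carol", auth_method="mfa", device_compliant=True))
    carol.request(wiki)                      # denied: identity not known to the PDP
    return session.audit + bob.audit + carol.audit


if __name__ == "__main__":
    for entry in walkthrough():
        print(entry)
```

The point of the walkthrough is the second payroll request: nothing about the session changed except the device posture reported by the endpoint, and that alone flips the decision, which is what "continuously constituted" access control means in practice.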
Please see the comments by Pascal Menezes, CTO of MEF, below this article.
Enter SSE (Secure Service Edge):
In its above-referenced 2021 report, Gartner defined SSE (Secure Service Edge), which is a separate entity that doesn’t include SD-WAN. “SSE is the security components of SASE focusing largely on the cloud access security broker, secure web gateway, and zero-trust network access products to enable secure use of the internet and cloud services for a hybrid workforce working from anywhere,” Gartner analyst Charlie Winckless told SDxCentral.
Telefónica tapped cloud security vendor Zscaler to develop a new managed SSE platform in a bid to address changing workforce dynamics and cloud consumption. The announcement illustrated a growing trend around the Gartner-coined product category, in which cloud security and SASE vendors alike announce “new” products and services around the buzzword.
But for the most part, these SSE products aren’t so much new as they’re rebranded and repackaged SASE services that’ve been stripped of their SD-WAN capabilities, if they ever had them in the first place. Zscaler’s SSE is built around the same Zscaler Internet Access and Zscaler Private Access products that, just a few months ago, it was calling SASE.
“The contrast is that SASE focuses on a user’s secure access needs as a part of the solution. SSE, on the other hand, mainly focuses on cloud-centric security services for the protection of users,” according to Juta Gurinaviciute, Forbes Councils Member and CTO for NordLayer, a remote access security provider. Gurinaviciute explained that SSE is SASE minus SD-WAN. SSE is essentially a way for enterprises to focus more on cloud-based security as a stepping stone to a full SASE service. She wrote:
As per Gartner’s suggestion, some companies may select a single-provider SASE offering, while others prefer partnered SD-WAN and SSE offerings from separate providers based on companies’ needs. Your business may have already invested in SD-WAN in advance. SSE would be a more meaningful choice in the short-term in such a case. If your company’s current setup doesn’t need SD-WAN, security may be a much more urgent requirement, in which case SSE would make more sense. Even if your organization only has a single regional branch or a simple branch, SSE may still be helpful.
Considering all of these reasons, SASE, the implementation of which may seem challenging and daunting for security professionals, can be done much faster with SSE adaptation first. The journey can be completed much more smoothly using this option, and SSE may benefit a wide range of companies that need robust protection.
“I think everybody’s really excited about SASE because enterprises keep asking about it,” Omdia Analyst Adeline Phua told Light Reading in a recent podcast. “It’s got so much buzz in the market.” However, Phua found that excitement about SASE/SSE hasn’t necessarily equated to mass adoption of the service. “We’re thinking that maybe adoption is really hitting that tipping point, only to find out when we talk to service providers and to enterprises that the adoption is really not there yet,” she added.
A Dell’Oro Group July 2022 report found that the SSE market grew 40% year-over-year to more than $800 million in the first quarter. A December report noted that SSE achieved its tenth consecutive quarter of sequential revenue expansion in 3Q-2022. Dell’Oro’s Director of Network Security, SASE, and SD-WAN Mauricio Sanchez said the strong growth is a testament to more enterprises preferring cloud-delivered security over traditional on-premises solutions. Sanchez told SDxCentral: “The growth factors that have existed largely since the pandemic started are still with us. That’s the shift to hybrid work, the shift of workloads to the cloud, and the importance of the digital experience.”
While Dell’Oro forecasts the overall SASE market to grow to $8B for the full year 2023, an Omdia survey found that SD-WAN is only expected to achieve 87% market penetration at the end of 2023. Omdia’s Phua says that enterprises which are using SD-WAN aren’t deploying it at all their sites. Part of the problem stems from supply chain challenges triggered by COVID-19, which have resulted in a shortage of products and SD-WAN deployment delays.
Where service providers can make progress in assisting their enterprise customers’ adoption of SASE is by providing it as a managed service with significant value add “on top of just the staff, the platform itself,” explained Omdia’s Fernando Montenegro. That might look like providing more visibility into network health and potential security threats.
Phua echoed Montenegro’s assessment: “Service providers will still need to keep looking out for new innovations and what else can we onboard to make sure that is a more complete solution for the enterprise customers. So there’s still a lot of way to go in terms of this journey.”