Today, one of the hottest topics in IT is the emerging Secure Access Service Edge (SASE) model, an architectural framework conceived by Gartner that outlines the future vision for transforming legacy WAN and security technologies to a cloud-managed edge, combining WAN edge capabilities with cloud-delivered network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.
The question of the day: Is now the time for Managed Service Providers (MSPs) to define and formalize a SASE offering to deliver an expanded set of managed and professional services that support an integrated enterprise network and security transformation?
Often, IT executives prefer to “buy” vs. “build” when it comes to the WAN or network security, selecting one or more Managed Service Providers (MSPs) to provide a turnkey managed WAN/SD-WAN service, a managed security service for their corporate WAN sites or, in some cases, a combination of both.
Managed SD-WAN & Security Services
Do you want a fully managed service in which the MSP handles everything (service delivery, management, monitoring, troubleshooting)? Or do you prefer a co-managed service that enables you to retain certain “self-service” capabilities like making firewall rule changes, adding new SaaS applications, configuring business intent policing, or updating approved web proxy lists?
Whether fully managed, co-managed or self-service, it’s necessary to carefully examine the SLAs of any new SASE managed service offerings. What is the turnaround time when problems arise, as they inevitably will? Does the provider help develop and enforce security policies? How do you securely support new SaaS applications across all WAN sites?
Today, MSPs have an opportunity to be the IT solution provider and integrator of these two important technologies: networking and security. Leading MSPs have dedicated technical expertise and resources in both domains to design, build and implement either a turnkey managed security service or a managed SD-WAN service.
Many MSPs also choose “best-of-breed” network security and “best-of-breed” SD-WAN technology vendor partners as part of their managed WAN/SD-WAN and security service offerings.
So, are MSPs embracing SASE and are they ready to help enterprises implement their network and security transformation? This is where you need to do your due diligence.
The MSP service delivery model aligns well with SASE, opening up a world where managed services are defined, refined, and deployed on demand, allowing cost-efficiencies, scalability, and simplicity.
Convergence of MSP SD-WAN and SASE strategy
MSPs, however, will likely need to revamp their existing siloed organizational structures to be able to deliver integrated managed networking and security services to enterprise customers, which is really what SASE is all about. MSPs need to partner with their networking and security technology vendors to leverage open APIs, automation, provisioning/deployment integrations and service chaining between security and SD-WAN vendors to help simplify service integration and smooth the eventual path towards SASE. This will also enable you to select your preferred SD-WAN and security vendors and technologies in alignment with your business requirements.
A basic SD-WAN solution with limited WAN edge capabilities, however, won’t realize the promise of a SASE architecture: it simply won’t deliver the application performance and high quality of experience enterprises strive to achieve with a cloud-first transformation.
MSPs offering a “best-of-breed” managed solution should partner with an SD-WAN vendor that supports the following eight capabilities, which are the attributes of an advanced SD-WAN platform that will fully deliver on the promise of a SASE architecture.
- First-packet application identification and classification to enable granular, automated traffic steering
- Automated, daily application definition and TCP/IP address table updates to all sites across your network
- Automated orchestration with cloud-delivered security services from best-of-breed cloud-security vendors including Zscaler Internet Access, Netskope Security Cloud, Check Point CloudGuard Connect and Palo Alto Prisma Access
- Automatic failover to a secondary cloud enforcement point if the primary is unreachable
- Automatic reconfiguration and redirect should a closer enforcement point become available
- Enable enterprises to implement a SASE architecture at their own pace
- Offer enterprises the freedom of choice to avoid vendor lock-in, enabling the adoption of new security innovations as they become available in the future, including MSPs’ own cloud-delivered security services
- Flexibility to deploy DIY, managed, and co-managed services
MSPs will need to adapt and deliver hybrid solutions, both premise and multi-cloud, to meet a wide variety of enterprise use cases on the path toward SASE. This includes partnerships and integrations with the major public cloud providers. They will need to decide which technology vendor partners are best positioned to deliver the solutions to support a SASE architecture and assess the internal development and system integration investment required to launch new SASE managed edge services.
Some vendors market and offer an “all-in-one” SASE solution promising seamless integration, simplicity and the benefit of having a “one-throat-to-choke” business model. While this may sound enticing on the surface, it routinely results in vendor lock-in and compromises. It means either compromising on the advanced networking functionality needed to fully optimize your SASE architecture, or potentially exposing the MSP and enterprises to new threats that require rapid intervention.
The MSPs and enterprises that have started their journey towards adopting a SASE framework should ensure that they retain the “freedom of choice” to select an open, advanced SD-WAN platform that enables MSPs and enterprises to transform their security model, adapt to the changing networking and security landscape, and fully embrace SASE at their own pace.