How Did We Go From SD-WAN to SASE to SSE?

A decade ago, enterprise branch offices had a primary connection (usually MPLS) to the data center and other internal sites. Some large or high-value locations utilized multiple connections or backup links during outages.

Then Viptela introduced the software-defined wan or SD-WAN. One of the benefits of SD-WAN was that it enabled the use of active paths across multiple disparate types of transport. Whereas hardware-based networks are slower and harder to connect to additional remote locations. It accomplished this by creating an overlay network on top of these transports and routing traffic on it. When we say “overlay,” we really mean “tunnels.” The tunnels are required to provide the enterprise-grade security and privacy the internet lacks but network traffic needs.

This was a major advance of SD-WAN technology: It provided a cost-effective way to add and enable rapid bandwidth provisioning at branch locations without the need for expensive routers and more investments into the network infrastructure. Add SD-WAN’s flexibility and agility, and you can see the fundamental advantages of a software-defined wide area network. Still another cost-saving feature of SD-WAN was that the physical components of the infrastructure were virtualized using SDN principles so that the network functions could be executed as software on low-cost hardware.

Another advancement and advantage of SD-WAN and this was regardless of the vendor or service provider delivering the SD-WAN technology, was that it allowed customers to build a single network infrastructure that includes different types of connections, such as multiprotocol label switching (MPLS), broadband, as well as cellular connections.

But since then, and with the drive towards digital transformation, cloud workloads have become pervasive, and traffic patterns have changed. Essentially, the perimeter of the network—which frontier enterprises fought to secure—disappeared. Now the network is everywhere. As a result, how we deploy security and address the ever-evolving cybersecurity needs must change. And because there were doubts about how reliable the internet connection was, packet loss and latency became real problems for operators and service providers who ran real-time or latency-sensitive applications on heavily used circuits. Something needed to change.

To meet the challenge, enterprises are adopting cloud-delivered security services. Traffic can directly exit the branch and be secured by a cloud security service like Netskope, iboss, or Zscaler. Internal traffic can still route to hub sites and data centers, but cloud or internet-destined traffic does not need to.

Many SD-WAN vendors began to add these features to their products, and security vendors began to include SD-WAN features. This created a new category called Secure Access Services Edge (SASE).

While this seems like a great idea, access (the “A” in SASE) has proven very difficult, and network performance and user experience suffered. The volume of tunnels required to create an overlay at scale has driven up infrastructure costs, increased operational overhead, and added immense complexity. You build tunnels to jam as much traffic as needed to deliver data to the security stack down it. Also, you can utilize a service that should have been accessible without the need to redesign your network or make considerable investments into deploying a new end-to-end SD-WAN.

Faced with this issue, security vendors have rebranded themselves as Secure Services Edge (SSE) platforms. Rather than fix the access problem, they eliminated the “A.” They just gloss over the whole access issue: “It just works. It’s magic!”

What a mess! It is time to realize that security is a service like the cloud and SaaS. But to do that, we need to fix access, not ignore it.

Security was built into MPLS but at an extremely high cost. SD-WAN fixed the cost issue and was radically more agile to deploy and manage than MPLS, but it broke security. What enterprises need is a new access model that combines the high performance and rock-solid security of MPLS with the lowered cost and agility of SD-WAN.

Click here to see how the Graphiant Network Edge provides precisely that. It is a private, programmable fabric that lets workloads, devices, and applications consume the services required on demand.

So, this blog is really about how we went from SD-WAN to SASE to SSE to the Graphiant Network Edge.

Author's Bio

Ali Shaikh


Ali Shaikh, CPO, is responsible for the strategic direction for Graphiant, technical alliances, and driving the product roadmap. He led Systems Engineering for Meraki & Viptela at Cisco and was the first Solution Architect and Customer Success Engineer at Viptela. He was responsible for designing and deploying the largest SD-WAN implementations globally.