With Gartner releasing its latest Magic Quadrant for WAN Edge Infrastructure earlier this month, it seemed an appropriate time to explore the intersection of SD-WAN and SASE. Both of these technological approaches hold great promise and are large, billion-dollar markets, sharing the common goal of connecting users to the data and applications critical to doing their job. The two technologies demonstrate the increasing overlap and tightening linkage between networking and security investments.
Leveraging the concept of a virtualized network overlay to connect branch offices, SD-WAN allows organizations to better tap the public Internet and low-cost broadband to save on expensive, legacy MPLS WANs. Analysts like Gartner estimate SD-WAN can help enterprises cut costs by as much as 65% compared to traditional alternatives. SD-WAN benefits run deeper than just infrastructure savings, including increased network availability, better traffic prioritization, and more intelligent path selection. For example, SD-WAN routing decisions can be based on performance requirements (e.g. bandwidth and latency-sensitive voice or video traffic), the criticality of the application (e.g. Office 365 vs YouTube), or characteristics of the user or their connection.
SD-WAN is sometimes perceived as lacking the cloud-native mindset that’s increasingly expected as the world adopts the cloud in all its permutations. That’s not entirely true since SD-WAN is a great enabler for organizations to get traffic to and from the cloud in a more efficient and cost-effective way. With that said, SD-WAN was designed at its core to address the challenges of managing connectivity between hundreds or thousands of enterprise branches, not necessarily an enterprise where the majority of employees are now remote workers and the branch has been put on the back burner, at least temporarily. Since the COVID-19 pandemic began earlier this year, organizations have had their old way of doing business upended. And as this new work from home norm takes hold, it may indicate what’s in store for the future as more organizations embrace remote work on a more permanent basis.
This is where client technologies, like the Netskope Client, can bridge the gap and complement SD-WAN deployments. Not only does the Netskope Client extend cloud security to wherever the user roams, but it does this with unified policies, plus the intelligence to auto-disable traffic steering once the user returns to the branch while continuing to perform all other functions such as displaying notifications and performing endpoint posture management.
SD-WAN shifts older WAN architecture to a newer, still private, but much more cost-effective and agile overlay network. SASE, on the other hand, is 100% grounded in the cloud and subsumes much of SD-WAN, pivoting away from focusing primarily on the branch to instead focusing on users connecting from literally anywhere. SASE is especially critical in this new age of remote work. In the SASE world, the concept of the perimeter and branch changes—or you could say “moves”—with the user. This connection from a single device or endpoint to the service edge or new WAN edge is at the heart of SASE, combined most importantly with the critical security delivered as a cloud service necessary to protect the user and their traffic while in motion.
Security considerations have always been imperative to SD-WAN architectures, including creating secure tunnels to protect critical application traffic in-transit while also guarding against the risks and data protection challenges associated with going direct-to-net. This creates natural tailwinds for cloud security, SASE-focused vendors like Netskope because traditional approaches that steer traffic to a few security control points are increasingly irrelevant as a result of the cost—both measured in dollars and in performance—of backhauling traffic to remote locations. And in addition, this legacy approach to security runs counter to the flexibility and performance tenets that are core to SD-WAN.
With the pivot to cloud and SASE, whether it’s users safely browsing the web, accessing their SaaS apps and workloads in the public cloud, or even remotely connecting to their private apps, significant gaps exist for optimizing connectivity between these destinations and the new WAN edge. It’s not just safe to say it’s all HTTP and HTTP-based protocol traffic bound for the Internet and performance can simply be addressed by adding more bandwidth or relying on an antiquated backhaul architecture. And this is where you see the intersection forming between SD-WAN and SASE.
While some of the SD-WAN vendors have attempted to layer security capabilities into their SD-WAN offerings, claiming they are SASE-ready, much of this is happening through bolt-on acquisitions or a slimmed down, incomplete set of security features. Fundamentally SD-WAN is the domain of networking experts working in the world of routing traffic, enhancing network reliability, and exploiting optimization techniques for an improved application experience. Security technologists occupy another sphere of understanding the threat landscape, being able to identify users, threats, data, and application instances and stitching these contexts together to improve security posture.
Analysts, vendors, and customers provide evidence of this duality. Most SASE implementations in the market today consist of two vendors, one focused on network and the other on security. And this demonstrates precisely how SD-WAN and SASE are perfect complements to one another. While SD-WAN allowed for a near-total transformation of the WAN back when security could be centralized, the role of SASE is to deliver the right security where and when it’s needed—ideally at the Internet edge, which is also where most SaaS apps and websites live. That leaves only one connection left for SD-WAN to optimize in most scenarios—from users to the security stack at the Internet edge. It’s for this reason Netskope is excited to partner with and have robust integrations with leaders in SD-WAN, including VMWare (Velocloud), Silver Peak, Versa Networks, among others.
Netskope’s approach to SD-WAN offers customers the most flexibility to embrace SASE without having to tie their network and security decisions together and get locked into a single vendor’s rigid architecture. Customers get the ability to choose best-of-breed solutions to ensure their exact business requirements are met. Netskope accomplishes this by supporting secure networking standards, including GRE and IPSec tunnels, to steer traffic from whatever SD-WAN solution a customer has in place to Netskope’s NewEdge network. These same tunnel-based approaches are proven methods also utilized to steer traffic from legacy web proxies or next-gen firewalls to Netskope.
The various Netskope Security Cloud services for security and data protection reside within NewEdge. While customers need little convincing to recognize the world-class security technology Netskope offers with its Next-Gen Secure Web Gateway, CASB, and DLP solutions, the situation is different on the network side. Why should a networking professional prefer NewEdge as an extension of their network for cloud security? Beyond rich, powerful, and context-aware data security, what does the Netskope network have to offer?
The number one concern of networking professionals is whether their network is up and running. Then they focus on its performance, wanting to ensure it is fast, responsive, and able to handle their critical business traffic. Beyond the standard claims around service assurances and SLAs or the capacity of cloud security vendor’s infrastructure to handle large volumes of users and traffic, it’s this performance piece that is often overlooked.
What good is the very best SD-WAN solution paired with cloud security if this new SASE-ready WAN edge doesn’t perform? What if it slows down business processes, impacts user productivity, or in the worst-case scenario drives users to exploit workarounds to get the speed and experience they demand? And even worse, what if this cloud security approach then fails to adequately protect valuable data, achieve compliance objectives, or guard against threats. That’s why Netskope has invested more than $100 million to build out NewEdge, the world’s largest, highest-performing security private cloud.
One of the key things we’ve talked about in the NewEdge blog series has been precisely these characteristics of NewEdge, namely its performance, coverage, and connectedness. While other vendors in cloud security focus on features, they overlook or underinvest in the network and ignore the growing linkage between the two, especially when delivering security as a service. Or in some instances, vendors talk about checkbox integrations with networking investments, like SD-WAN or peering, and meet only the minimum level of acceptable capabilities.
Netskope with NewEdge takes a different approach and fundamentally allows customers to take SD-WAN to the next level and get the most out of these sizable investments. Powered today by data centers in 40 regions, any customer, anywhere in the world can benefit from Netskope’s global coverage. NewEdge is built both with coverage and performance in mind, delivering low, single-digit millisecond latency for on-ramping traffic from any users, from any device, from anywhere in the world. This includes SD-WAN solutions deployed at a branch site or consolidated at an egress gateway. It also includes users who are off-net, working remotely and using the Netskope Client, or leveraging clientless options Netskope provides for unmanaged devices.
From an end-user perspective, the web, cloud, and SaaS apps are just as fast and secure, whether users are at the branch or working remotely. Case in point, based on recent third-party performance tests, every NewEdge data center in the world is just milliseconds away from Microsoft and Google. The same incredible performance is seen connecting NewEdge to public clouds for fast, optimized access to workloads in AWS, Azure, and Google Cloud.
This brings me to my second point, namely the connected nature of NewEdge with its extensive direct peering with the CDN, cloud, and SaaS providers. Netskope is the only cloud security vendor that directly peers with Microsoft and Google in every NewEdge data center, and today NewEdge handles roughly 20% of all commercial Office 365 traffic globally. In addition to these “top two” business productivity suites, NewEdge also peers with Salesforce, Box, Dropbox, Apple, Facebook, among many others. Through this peering, Netskope holds the unique position of being the most well-connected network of any security vendor, and ultimately this delivers tangible value to customers, especially networking teams. In a customer’s SD-WAN environment, this translates into the fastest and best user experience accessing the web, cloud, and SaaS apps that users care about without security trade-offs.
As customers evaluate SD-WAN, NewEdge provides the performance “edge” required for the emerging SASE-ready WAN edge, a technical advantage that isn’t possible with cloud security solutions built on the public cloud with their inherently unpredictable performance. NewEdge provides the perfect complement to SD-WAN—delivering on the security mission with the performance guarantees required to aid customers in their journey to the cloud and to embrace SASE. To learn more about NewEdge and try it for yourself, please visit https://www.netskope.com/platform/newedge and be sure to participate in our webinar on