Last week during its digital Cisco Live 2020 event, Cisco announced its secure access service edge (SASE) solution. Although the company has had multiple flavors of SD-WAN available for some time, it had yet to roll out a formal SASE offering. SASE is a term coined by Gartner that describes a wide area network (WAN) architecture that has fully integrated, cloud-native security and networking capabilities.
Cisco certainly isn’t the first vendor with a SASE solution, but it arguably has the broadest set of services. The latest 17.2 release of Cisco SD-WAN brings together products from its networking and security product lines. This includes components from Viptela and Meraki for networking, IDS/IPS, and URL filtering, and Umbrella for secure web gateway, DNS security, cloud access security broker (CASB), and firewall capabilities. Cisco is also integrating security capabilities from its zero-trust products, which include AnyConnect for VPN, SD-Access for segmentation, and multi-factor authentication (MFA) from Duo. These products address identity and access requirements. I believe this is the broadest set of integrated SASE services from any single vendor to date.
Because of its size, Cisco does have some interesting differentiators. One of the elements of Gartner’s definition is that networking and security capabilities are to be made available in the cloud. All of the existing SASE vendors rely on public cloud, colocation, or cloud providers for service delivery. Cisco can leverage its global network and cloud points of presence (PoPs) from its existing Umbrella cloud-native security as well as Meraki’s cloud. The Umbrella network came to Cisco via the 2015 OpenDNS acquisition.
Also, the Gartner definition calls for the security and network services to be cloud-native, but Cisco SD-WAN customers can leverage Cisco’s on-premises infrastructure, such as its widely deployed integrated services router (ISR), and manage it via the cloud. This is where Cisco’s implementation of SASE and Gartner’s definition diverge. This was a topic of discussion during a podcast on SASE with Beth Schultz, where it’s my belief that cloud-managed is a viable option to cloud-native, with the ultimate deployment model being determined by the needs of the location. I think large customers might choose a mix of cloud-native and cloud-managed on-premises technology.
Cloud-native is ideal for most locations where the network and security requirements are fairly cookie-cutter. For example, all work-from-home users will have the same basic set of needs – VPN connectivity, basic firewalls, network connectivity, MFA, and so on. Cisco customers could easily and quickly provision these services in the cloud, giving home workers the same level of protection they have in the office.
Cloud-managed is optimal for customers that have large sites, custom requirements, or want to maintain their investment in existing network and security technology. Cloud-native is great for a small number of users, but pushing updates and configuration changes to and from the cloud in a cloud-delivered situation can generate a significant amount of network traffic, making it more efficient to keep things like routers and firewalls on-premises. Also, a company may have a branch office that requires a higher level of security. This could be something like the corporate finance division of a financial services firm that’s dealing with a lot of sensitive information. The localized security provides an extra layer of protection.
I believe Gartner’s definition to be limited and unrealistic, as the transition to cloud-native networking is going to be a long one. There’s no real reason for Cisco customers to “lift and shift” existing infrastructure and services just to run them in the cloud for cloud’s sake. The move to cloud-native needs to be carefully thought out architecturally and done where it makes sense for the customer, not forced to meet some arbitrary definition. The combination of cloud-managed and cloud-native is what makes Cisco unique, as they can deliver SASE any way a customer wants to consume it.
The 17.2 software release delivers SASE, but Cisco has added several other capabilities that extend its offering, such as:
- Unified communications integration — Cisco SASE includes a voice gateway for reliable and secure UC from private and public clouds delivered over Internet connections. With this, customers can create a communication network that optimizes voice and can be managed from the Cisco dashboard.
- Cloud OnRamp for SaaS services — Cisco has created a number of direct connections to the top 15 SaaS services such as Office 365, Dropbox, Salesforce, and more. This feature is enabled in the IOS XE operating system that runs on Cisco ISRs and creates a “private” connection experience, even when the public Internet is used.
- Managed service provider innovations — Of all the SASE providers, Cisco easily has the largest ecosystem of managed service providers. SASE complexity created by all these options will push many enterprises towards using an MSP. Cisco enables MSPs to deliver custom WAN services through CLI templates. This aligns with a recent Work From Home survey that I ran, sponsored by MSP Masergy, that found a whopping 66% of respondents will use a managed service to partially or fully perform the upgrade to an SD-WAN. I didn’t specifically ask about SASE as it’s still emerging, but given it’s more complex, I would suspect the MSP number to be higher.
The SASE competitive landscape is very crowded, but most vendors have strengths in security and networking. Cisco is certainly late to the SASE game, but the industry is still in the first inning, so it’s not like it has lost many opportunities. Cisco is the market leader in networking and security and can bring UC expertise into the fold as well, giving it an interesting competitive edge. Cisco is better off having waited and brought a solution to market that gives its customers options rather than forcing them into a solution that only meets part of the market.