By Pete Finalle, Research Manager, IDC
Driven by productivity gains, employee flexibility, and the reality of the COVID-19 pandemic, the shift to hybrid work has further fragmented corporate IT. No longer do we await the new normal or the next new normal. Today's reality is as normal as it is going to get. The monolithic on-premises perimeter is dead; hybrid work has made it imperative that employees have a seamless work experience regardless of whether they connect to the on-premises LAN or the Internet itself as the primary network. Decentralized and distributed zero-trust-themed approaches have become our manifest destiny, as this normal exceeds the capabilities of legacy network security models.
With a traditional centralized network security approach, branch offices and remote workers typically have a limited security posture compared to the main office, leaving a significant portion of the workforce at the mercy of legacy backhaul technologies such as virtual private networks (VPNs). The location-agnostic nature of hybrid work not only shifts many workers to home offices but also, through travel, exposes workers to a continuous stream of new cyber-hostile locations, resulting in windows of heightened vulnerability for nearly all employees. Additionally, the weakened security posture brings with it a degraded user experience, as backhauling traffic to centralized control points adds a corresponding amount of latency and loss of quality of service.
Hybrid work has given rise to the need to secure access to both private, on-premises resources and public, cloud/web resources regardless of the user's location: in the main office, in a branch office, or remote. Secure remote access in a hybrid work reality is not something that can be accomplished through a collection of stand-alone products and services, an approach that only adds to the existing burden on security professionals of managing multiple products, user interfaces, and apps/agents. Instead, hybrid work's complexity has created a new set of requirements: security products must function as integrated features of a single security platform, with a single management interface, unified connectivity and security policies, and a consistent security posture and networking rules.
Hybrid work demands that we rethink the following secure access concepts:
- The network perimeter is no longer a well-defined physical location, and sensitive resources are no longer confined to a centralized datacenter. The new, hybrid work perimeter is more inclusive by design, and is defined by device identity which spans the main office, branch office, and remote devices.
- The branch office is no longer the corporate last mile for providing a consistent security posture. The remote workforce increasingly accounts for a significant portion of sensitive traffic to on-premises and cloud resources that must be adequately protected.
- The need to secure hybrid work environments has created a sprawl of a la carte products, which substantially increases complexity, adds cost, and reduces effectiveness. With budgets and qualified personnel being finite, this approach is not feasible for meeting the needs of this global trend. Thus, while business resources continue to decentralize, security capabilities must consolidate to a manageable level.
- Setting separate policies and managing multiple interfaces creates inconsistencies, decreases reaction time, and reduces the overall effectiveness of a secure connectivity solution. A fully integrated security solution requires only a single interface with a shared security policy across all security products, one that can be custom-tailored to the access requirements of users, both remote and on premises, and of resources, both public and private.
- A collection of best-of-breed products is not a superior, or even competitive, approach compared to a consolidated security platform. Security platforms typically provide a superior dollar-to-feature ratio, improve interoperability and cross-functionality, and drastically increase the efficiency of operation and management.
- Although vendor consolidation continues to happen, only a select few companies are able to provide a complete secure access service edge (SASE) feature set as a single in-house product. Partnerships may get some vendors close, although such arrangements inherently lack the tight integration and enhanced functionality of a single consolidated product.
Secure Service Edge (SSE) is the embodiment of rethinking existing network security concepts and expanding the network edge to all devices and resources, both internal and remote. By providing a complete security stack as a service, SSE can provide consistency of security to nearly all devices and resources.
The addition of SD-WAN capabilities further consolidates capabilities and elevates the value of a service-based security stack by creating an integrated package of both network infrastructure and protection, referred to as SASE. Additionally, the integration of SD-WAN provides security tools with complete visibility over network traffic, enhancing the functionality of security capabilities. A well-designed SASE product serves as a truly stand-alone product that excels at providing secure connectivity to all facilities, devices, and assets outside of the main office.
Maximizing the Usefulness of SASE
SASE can only reach its full potential when integrated with established network security products. Thus, SASE should not be independent and isolated, functioning separately from traditional on-premises technologies. With firewall appliances alone accounting for $14.9 billion in worldwide revenue for 2021, hardware and on-premises software technologies are not going to disappear any time soon. SASE integration with on-premises security is the only path forward to a truly consolidated secure connectivity platform that meets the needs of hybrid work environments.
Thus, while SASE is the key to addressing the evolving hybrid work environment, it is most efficient when combined with on-premises technologies under a single management console, utilizing the same security policies. This allows large enterprise customers, which have significant investment in security appliances and connectivity infrastructure, to continue to leverage their on-premises hardware performance benefits without incurring the complexity of an additional management layer for SASE.
While IDC expects the network attack surface to continue to expand, an effective security approach to hybrid work ecosystems is a hybrid security portfolio that simplifies management and operations while expanding the existing on-premises security stack to remote devices.