With more and more workloads moving to the cloud, and workers accessing them from a growing variety of locations, the need to ensure the security of the wide area of connections that link them together has never been greater.
This is the goal of SASE (secure access service edge), a concept that eschews traditional data centre-centric security models, and instead delivers wide area network and security controls directly to the source of the connection.
By converging network connectivity with security functions, SASE delivers a unified approach to connectivity and security across decentralised networks, along with a simplified and consistent experience – in theory, at least.
The reality is that many organisations are only partway along their cloud journey, and are often maintaining a variety of legacy security architectures, meaning that SASE implementations are unable to protect the entirety of these environments.
Even for those organisations that have embraced the SASE vision, integrating the numerous components and vendors needed for a SASE architecture – which may include SD-WAN, secure web gateways, CASB, ZTNA and encryption – into a comprehensive environment can prove challenging.
The reward for those organisations that can pull these components together is a flexible, policy-based network that provides consistent, enterprise-grade security and safe access.
According to Markets and Markets, the global SASE market size is projected to grow from US$1.9 billion ($2.88 billion) in 2023 to US$5.9 billion ($8.93 billion) by 2028, with Gartner reporting that SASE was one of the top two technologies that CIOs planned to invest in during 2024 (along with generative AI) to simplify the delivery of critical network and security services via the cloud.
The challenge of building a SASE architecture can mean that its full benefits are only realised over the long term, with implementation often taking between three and five years.
Security leaders must also make decisions that can have a long-term impact on their eventual outcome, such as whether to pursue a single vendor framework or seek a best-of-breed approach that integrates components from multiple suppliers. Even opting for the former requires the converging of SD-WAN services with security tools. Either decision may demand the replacement of existing investments to deliver the desired outcome.
That long deployment period will also see security professionals choosing from a set of components that will themselves evolve, especially as vendors bring more AI and ML capabilities into their tools.
These trends may prove highly beneficial for channel partners, who will increasingly be called upon to provide the security expertise needed to implement and manage SASE initiatives. For MSPs, there is also the growing opportunity to offer subscription-based SASE services using a consumption-based model.
As is often the case with cyber security, creating a simplified environment will only come through navigating a series of complicated decisions.
But for those organisations that are seeking to create a decentralised cloud environment while maximising flexibility for workers – and also reducing complexity and costs – these challenges are worth overcoming – at least until the next great idea comes along.
The Australian Computer Society’s (ACS) environment supports an array of workloads - from standard corporate functionality, to a large guest network and a startup community of organisations operating within the same premises. Users are geographically dispersed across Australia, with many working remotely. The Society is also cloud-first, making use of multiple SaaS and PaaS providers.
It had been servicing these diverse user needs and workflows with a “blend of MPLS and SDWAN, resulting in high bandwidth costs on underutilised circuits,” ACS CIO Rich Wiltshire explained.
“To support this, we had complex support agreements with multiple support vendors and hardware providers. We lacked any real control on who was accessing what, and regularly faced network congestion across locations.”
Wiltshire says the move to a converged enterprise SASE network enabled the ACS to remove the MPLS and SDWAN network and associated hardware from its offices, centralise networking and security “as a service” to its guests and start-up community, and drive cyber security improvements across the board.
“From a cost perspective alone, the ROI on the implementation of SASE along with a full refresh of our entire LAN environment, was under six months,” he said.
“Strategically, SASE changed the game in our network and cyber security strategies and allows us to get on with offering value to our customers while providing a highly reliable and redundant environment without the complexity and cost of a traditional MPLS or SD-WAN network.”
The ACS’ operating environment now comprises “a series of Local Area Networks primarily over WIFI 5 and some structured Ethernet for fallback and limited workstation use.”
“Our SASE Edge is serviced by internet breakouts that can be negotiated on a location-by-location basis with the telco provider that best services that location, rather than locking into large contracts that only service some regions,” Wiltshire said.
“We leverage our provider’s global private backbone to deliver and optimise global application access using smart egress capabilities that allow us to exit specific traffic at a geographically designated POP. This is particularly useful for our start-up community who traditionally work at a global level.
“To control access to the network we utilise ZTNA/VPN for all access, whether in the office or remotely. This allows us to define policies rather than use complex routers, firewalls etc to segregate our workloads. The ZTNA workstation client allows staff to connect to any network with the right degree of access to protect them from threats, but while also allowing them to function.”
According to Wiltshire, the value of SASE was recently demonstrated when a customer connected to the guest segment of the network using a compromised computer that tried to move laterally.
“Our platform automatically blocked the lateral movement but allowed our customer to continue to operate unaware. Our engineers were able to pinpoint the person’s location and advise them of the issue prior to returning to their home network, potentially avoiding a disaster.”
The 2024 State of Security sponsors have worked tirelessly to improve the safety of enterprise and channel companies.
We are proud to present this year's State of Security champions, and showcase the work they do.