ESG's John Grady and Bob Laliberte discuss upcoming ESG research on the convergence of security and networking (SASE).
John: Hi, I'm John Grady, ESG Senior Analyst covering Network Security. And today, I'm pleased to be joined by another ESG Senior Analyst and Practice Director for our Network Research, Bob Laliberte. Bob, thanks for joining me.
Bob: Absolutely. Glad to be here, John.
John: We're here today to discuss the convergence of security and networking setup by the concept of secure access service edge or SASE, which is the convergence of networking technologies such as SD-WAN, WAN optimization, network as a service. And then on the security side, things like secure web gateway, CASB, firewall as a service.
I just researched on this topic about a year ago, and we found that 68% of organizations either feel they're using it already or are very interested in looking at this type of approach. What do you think is driving this shift and this interest in a converged approach?
Bob: Yeah, great question, John. I mean, I think it's really a number of larger higher-level factors that are driving this. And then when I think about it, it's really the...what's driving these initiatives is that need to have a more comprehensive approach to networking and security. Organizations are distributing their applications across their private data centers, multiple public cloud, and edge locations.
It's not just the applications that are being distributed across the environment. Because of the global pandemic, we now see that a lot of these organizations' employees are being distributed. We need to make sure that all of these applications and employees are securely connected to each other so that they can remain productive and we can deliver better experiences to our customers. That's really what I'm starting to see and why there's a big need for that convergence.
John: Absolutely. You know, the data point I referenced previously was really pre-pandemic. From that point till now, I mean, you've seen things accelerate because the security organization is having a lot of issues maintaining that consistent enforcement as things become more distributed. And, you know, cloud-based solutions certainly can help address that from a network security perspective. I think you're already at an inflection point where there was more interest in cloud-delivered solutions, and then as SASE came through and, kind of, started to spread the idea of converging some of these capabilities and the timing seemed right.
What do you think this means from a partnership perspective between network and security vendors? So we've seen some acquisitions in this area. But from an end-user perspective, is every organization going to move to an all-in-one approach in the short term?
Bob: Right now, organizations have partial solutions already deployed. They'll have security functions that they have, perhaps in the cloud, perhaps on-prem. There has been a lot of SD-WAN vendors who have rolled out...and not only just to either being consumed themselves, right, as do-it-yourself implementations, but also in partnership with managed service providers, and also a lot of the communication service providers or telecommunication companies that are delivering those services.
What I've seen is that the early incarnations, as you've mentioned, were around an ecosystem, meaning they were partnered with the security vendors. But I think we're seeing is much more of a drive now to integrate more tightly that network and security functionality. Some of the big questions that brings up is are organizations looking to take a platform-type approach, meaning they get everything from one vendor, or do they favor more of a best in breed and will assemble it together and leverage APIs to interconnect everything?
So, like I said, it really brings up a lot of questions in this space, more than there are answers right now.
John: Yeah, we've seen that, kind of, story over time. It goes back and forth, at least from a security perspective where, you know, organizations try to get their arms around things from an effectiveness perspective as, kind of, the threat vector start to multiply and the attacker landscape becomes more complex, so you look for best of breed, and then as you start feeling like you're doing a better job from that perspective, you look for efficiencies and maybe look for more of a platform approach.
Some of it is organizational dependent, what are their drivers, what are their priorities? And then there's the organizational aspect as well, right. How do these teams, kind of, change the way that they're used to doing things, become more collaborative. That's an issue that we're seeing across a lot of different areas of even just security because IT ops, network ops, how well these teams work together, especially as security becomes more decentralized really changes the way organizations should evaluate and ultimately purchase some of these solutions.
Bob: Yeah, I know. It's a great point. There's, sort of, this push for now to be this NetSec team, right, where the network and security teams are coming together. But obviously, that's not a normal motion. I think while a lot of them talk to each other, there's still very siloed walls in most organizations. So that's an organizational change and cultural change that's going to have to be addressed. There's also the behind-the-scenes aspects of, you know, whose budget does it come out of and who do these organizations really want to buy from?
Do they want to buy the security from a networking team? Do we buy networking from a security company? Do you want to consume at all from a telecommunication provider? So there's a lot of questions that are still yet to be answered.
John: On that point, you and I are actually going to be starting a new research project on this topic because a lot has changed since I... I did, the project I referenced about a year ago. And so we have our hypothesis on a lot of these topics. But I think our goal is to put some quantitative research around how organizations can feel about some of these issues, where they're going, where they are on the journey, what challenges they're facing as they've started to roll out SASE solutions. So we're going to get started on that imminently.
Bob: Yeah, absolutely. I'm looking forward to that. I think it's going to bring a lot of answers to so many of the questions that are hanging out there today about these SASE-type solutions and framework and how organizations are looking to adapt. So we look forward to bringing you more on that.
John: Definitely. Bob, thanks so much for joining me and thanks to everyone for watching.