Understanding the Difference Between SASE and SD-WAN

By Douglas Gatto, Solutions Architect

The more Secure Access Service Edge (SASE) grows in popularity, the more questions I get around the differences between SASE and Software-Defined Wide Area Networking (SD-WAN). So, if you’re looking to understand the two solutions better, how they’re different, their benefits, and how they work together, you’re in the right place.

In a way, SASE and SD-WAN are just two solutions designed to connect geographically disparate endpoints together in a flexible and adaptable way — they’re essentially two different networking technologies that use a different means to get to the same end. The main differentiator is that SD-WAN is a network solution that doesn't have an inherent security play baked in, whereas SASE’s intention is to converge network and security into a unified cloud-delivered service model.

Network connectivity vs. comprehensive cloud security

Looking at things from an architecture perspective: SD-WAN is SDN applied to the WAN interface, using a virtual network overlay to connect remote locations all with a centralized management. For SD-WAN, the focus is on connecting remote locations back to a central private network to control network traffic securely and efficiently. SASE, on the other hand, is focused on the cloud. SD-WAN can optimize Software as a Service (SaaS) performance using on-ramp capabilities and such, but it's not built with the cloud as a focus. With SASE, the cloud is the focus being that the distributed Points of Presence (PoPs) establish the virtual network overlay. Rather than just connecting locations to a central network, SASE’s focus is on connecting individual endpoints to the actual service edge consisting of the SASE provider’s distributed PoPs, where the SASE solution software stack runs and integrates routing and security functions.

When you look at SD-WAN from a security perspective, depending on the solution, it doesn't necessarily have built-in security capabilities like next-gen firewalls, secure web gateways, cloud access security brokers, etc. You can add these types of features to your SD-WAN solution, but SASE is meant to integrate them from the start.

Network and security architects today may argue that integrating security functionality into the SD-WAN platform enables customers to leverage best-in-breed technologies; however, an argument can also be made that stitching together multiple point products makes it more challenging for network and security staff to learn different systems and technologies and creates greater risk of outages and security vulnerabilities due to misconfiguration and interoperability issues. As this strategy pertains to traffic inspection, SD-WAN will have to leverage service chaining to manage and secure traffic flow, inspecting traffic by one security function at a time, one after the other, until the traffic has passed through all security functions. In comparison, SASE offers more efficiency because multiple policy engines run in parallel at each PoP to inspect and secure traffic with fewer steps.

SASE doesn’t do away with SD-WAN

And for those who are wondering, SASE doesn’t take away the need for dynamic traffic steering or application-aware routing, which is one of the main benefits of SD-WAN. Also, there will always be clients that aren’t looking to expand their cloud presence or may require a centralized approach to security and threat detection managed internally. What SASE solutions can do is enable the convergence of network and security to complement everything that you have in place already. And, because SASE is hosted in the cloud, it may offer some organizations replacement or consolidation for many existing tools. Most organizations have scores of vendors just for security functions. Anything that helps consolidate in the long run can help you minimize technical debt and move toward a more flexible, future-friendly infrastructure.

How to adopt SASE

It’s important to understand that adopting SASE is a multiphased, strategic approach. SASE is a security concept, not a tool, so you’re not going to be able to flip a switch and turn it on. Adopting SASE requires identifying your pain points in the network and really defining your edge — whether it’s a data center, cloud, remote workforce, or what have you. Once your edge is defined, you have to define your use cases (for example, whether you have remote workers with VPN clients or remote workers with clientless access, etc.) and your end-state goal. For instance, are you trying to move to a borderless architecture, or are you trying to stick with a centralized data center — in which case, SD-WAN would remain a focal point. Once you define these parameters, you can begin to outline the networking and security features you’ll need and from there determine whether the SASE platform you plan to adopt and consume actually offers the capabilities and security features you need for your unique use cases.

Because of its nature as an integrative approach to security in the cloud, the SASE conversation includes cloud, security, infrastructure, policy, users, and more. Your adoption strategy will need to include more than just an evaluation of vendors. You need input from several different groups within your organization to start to realize this strategy in the phases that make sense for your organization. When you’re looking for a vendor whose SASE platform aligns with your goals, Insight Cloud + Data Center Transformation (CDCT) can help. Our clients find a lot of value in the fact that we’re not a one-vendor shop. We make it our job to understand the ins and outs of every solution available and help you find the fit that’s best for your organization. Contact us if you have any questions about implementing a SASE approach to security in your environment.