The past 18 months have seen the SD-WAN and security markets rapidly converge around a relatively new but now well-known product category called secure access service edge (SASE).

Coined by Gartner in its 2019 Hype Cycle report, SASE melds elements of cloud-based security, edge compute, and SD-WAN into a single product. Since then, almost every SD-WAN and cloud-security vendor has built, bought, or partnered their way into the market.

To this end, vendors have spent millions — verging on billions — of dollars on networking and security technologies necessary to compete in the space, which analysts expect to reach $5 billion by 2024.

So what drove SASE’s ascension to one of the hottest categories in both the networking and security worlds? According to Neil MacDonald, one of the Gartner analysts who penned the original SASE definition, the answer is pretty simple. The rapid and unexpected shift to remote work in the wake of the pandemic forced enterprises to rethink how they architect their networks. Suddenly, VPNs that had been perfectly adequate for a few hundred remote workers were overwhelmed. And SASE, packed with goodies like zero-trust network access (ZTNA), secure web gateway (SWG), and cloud access security broker (CASB), had its in.

“There's no doubt COVID-19 and the shift to remote work accelerated this dynamic,” MacDonald said. “There are many clients that have embraced this idea of a branch office of one. A given employee should just be able to work, whether they’re at home, whether they need access to a SaaS app, or they need access to private apps.”

And ultimately, this is the promise of SASE: One architecture to support access to applications and workloads regardless of where you are or where the application lives.

But while the pandemic has been a heyday for cloud-security vendors venturing into the SASE market, SD-WAN hasn’t gone anywhere, MacDonald said.

Don’t Count Out SD-WAN Yet

The pandemic may have helped accelerate the development and adoption of SASE security functions among SD-WAN vendors and enterprises. But MacDonald says that as workers return to the office, investments in SD-WAN will return as well.

“People are returning,” he said. “They will be returning to the office, and MPLS offload and the cost savings associated with that are back on the front burner.”

SD-WAN plays a key role in the SASE architecture by acting as an aggregation point for branch and campus environments. It also provides routing logic for locations with redundant WANs or legacy connections like MPLS. Some vendors provide on-premises firewall functionality as well, but Gartner has flagged demilitarized zones as something to avoid moving forward.

But while SD-WAN isn’t strictly necessary in all SASE implementations, it does offer several advantages over a software agent, MacDonald said. “The reality is there are devices out at the branch, and especially the edge, that will never have an agent,” he explained. “So you end up building a gateway with some kind of intelligence that looks and identifies the entity and the type of traffic and how to handle it and where to route it.”

In other words, an SD-WAN appliance.

What’s more, MacDonald said the move to a full SASE architecture is going to take several years for most enterprises, and the need to support legacy connections like MPLS isn’t going away anytime soon. But as MPLS circuits are phased out in favor of bulk internet access, he said SD-WAN’s purpose becomes less obvious.

“Maybe [SD-WAN] handles legacy branch-to-branch communications,” he said. “In a SASE model, most of the vendors would say ‘why don’t you send the traffic to the SASE PoP,’” rather than deploying an end-to-end tunnel between two locations.

MacDonald foresees a future where SD-WAN will be consumed by SASE, and SD-WAN appliances will give way to edge gateways that all lead to the SASE point of presence (PoP). “I think that when we evolve to that type of state, that's when a vendor like Zscaler, Netskope, and others will really start to overlap their branch connector capabilities with what we call SD-WAN today,” he said.

SASE’s Edge Problem

Edge computing lives at the very core of the SASE model. SD-WAN provides routing intelligence at the branch edge, while cloud security functionality runs within the vendor’s or service provider’s PoP.

However, not all PoPs are created equal. Some vendors are physically building out their PoPs, while others already have an expansive edge presence — Cloudflare and Akamai come to mind — and still others are effectively piggybacking off the public cloud providers.

These are all valid approaches, according to MacDonald, but it does mean customers will need to understand the implications of how each vendor has implemented their PoPs. For example, a globally distributed enterprise might want to avoid a SASE vendor that only has PoPs in the U.S.

“My advice, when I talk to customers is: 'What are your requirements? What locations do you need a local point of presence for low latency connectivity?’ And that may make a difference between the vendors,” MacDonald said. “Ultimately, the difference should come down to: Does it make a difference in price, or SLA, or quality of service? And if the vendor meets those expectations and the points of presence map to what you want, then you don't necessarily have to own the points of presence, you can use the hyperscale provider.”

Additionally, MacDonald expects to see SASE tackle multi-edge composite applications, one of the “least developed” areas of SASE today.

MacDonald explained that most SASE implementations aren’t well suited to handle applications that are distributed across multiple clouds.

This problem has spawned a new market with companies like Alkira, Aviatrix, and Prosimo attempting to reduce the complexity of these kinds of deployments.

“We believe SASE has a role to play there, but it's one of the least evolved areas,” he said.

MacDonald expects SASE and multi-cloud to converge as well as multi-edge and/or multi-cloud distributed applications become more prominent. “I don’t think they can evolve separately, although they might initially, just like SD-WAN did years ago,” he said. “But ultimately they should converge.”

Does SASE Need a Sensitive Data Strategy?

Another area ripe for innovation is sensitive data discovery and monitoring.

“In order to correctly protect the session, and route traffic, and apply conditional access, you need to understand the sensitivity of the data or the application that you're accessing,” MacDonald said. “Not all security vendors are good at this.”

He added that some security vendors have a DNA of fighting back by matching known-bad signatures. That can work, he said, but it’s equally important to be able to classify known-good traffic and data. “You have to do both.”

“I would say this is still an area where organizations need to take a deep dive on the particular vendor they're looking at, and whether [that vendor is] going to satisfy their requirements for the identification, discovery, and protection of sensitive data across the different clouds and across these different applications,” he said.
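MacDonald’s two points above, a branch gateway that must identify the entity and the traffic type before deciding where to route it (the agentless-device problem), and a steering decision that depends on knowing the sensitivity of the data in the session, fit together as one policy evaluation. The following is an added illustration written for this page, not Gartner’s model or any vendor’s code. Every name in it (the device identifiers, the `.corp.example.test` private-app suffix, the SaaS hostname, the branch prefixes, the sensitivity labels) is a hypothetical placeholder.

```python
"""Toy SASE branch-gateway steering policy (added illustration, not vendor code).

Each flow arriving at the branch edge is classified by (a) which entity sent it,
(b) where it is going and (c) how sensitive the data is, and is then steered to
one of: deny, direct internet breakout, the nearest SASE PoP, or the legacy
MPLS WAN. All identifiers, prefixes and labels below are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class Action(Enum):
    DENY = "deny"              # fail closed
    DIRECT = "direct"          # local internet breakout, no PoP inspection
    SASE_POP = "sase_pop"      # tunnel to the PoP for SWG / CASB / ZTNA / DLP
    LEGACY_WAN = "legacy_wan"  # branch-to-branch over MPLS


@dataclass(frozen=True)
class Flow:
    device_id: Optional[str]   # identity from agent, 802.1X or certificate; None = unknown
    has_agent: bool            # True for managed endpoints, False for printers, cameras, etc.
    dst: str                   # destination hostname or IP literal
    dst_port: int
    sensitivity: str = "unknown"  # DLP verdict: public, internal, confidential, unknown


@dataclass(frozen=True)
class Policy:
    branch_prefixes: tuple        # prefixes of sites still reachable over MPLS
    sanctioned_saas: frozenset    # hostnames allowed to break out locally
    private_app_suffix: str       # private apps published through ZTNA at the PoP
    agentless_ports: frozenset    # the only ports an agentless device may use


DEFAULT_POLICY = Policy(                                   # hypothetical values
    branch_prefixes=("10.20.0.0/16", "10.30.0.0/16"),
    sanctioned_saas=frozenset({"mail.example-saas.test"}),
    private_app_suffix=".corp.example.test",
    agentless_ports=frozenset({443, 8883}),                # HTTPS, MQTT over TLS
)


def classify_destination(dst: str, policy: Policy) -> str:
    """Return one of: branch, saas, private, internet."""
    try:
        ip = ip_address(dst)
    except ValueError:  # not an IP literal, so treat it as a hostname
        if dst in policy.sanctioned_saas:
            return "saas"
        if dst.endswith(policy.private_app_suffix):
            return "private"
        return "internet"
    if any(ip in ip_network(prefix) for prefix in policy.branch_prefixes):
        return "branch"
    return "internet"


def steer(flow: Flow, policy: Policy = DEFAULT_POLICY) -> tuple:
    """Decide how the gateway handles one flow; returns (Action, reason)."""
    dest = classify_destination(flow.dst, policy)

    # 1. Identity first: a flow from an entity the gateway cannot name is dropped.
    if flow.device_id is None:
        return Action.DENY, "unidentified entity"

    # 2. Agentless devices: the gateway enforces on their behalf. Narrow port
    #    allowlist, and everything else goes to the PoP so it is inspected and logged.
    if not flow.has_agent:
        if flow.dst_port not in policy.agentless_ports:
            return Action.DENY, f"agentless device may not use port {flow.dst_port}"
        if dest == "branch":
            return Action.LEGACY_WAN, "agentless device, legacy branch path"
        return Action.SASE_POP, "agentless device, inspect at PoP"

    # 3. Managed endpoints.
    if dest == "branch":
        return Action.LEGACY_WAN, "branch-to-branch over MPLS"
    if dest == "private":
        return Action.SASE_POP, "private app reached through ZTNA at the PoP"
    if dest == "saas" and flow.sensitivity in ("public", "internal"):
        return Action.DIRECT, "sanctioned SaaS, low sensitivity, local breakout"
    # Sanctioned SaaS carrying confidential or unclassified data still goes
    # through the PoP: the steering decision depends on knowing what is in the
    # session, and "unknown" is treated exactly like "confidential".
    return Action.SASE_POP, f"{dest} traffic, sensitivity={flow.sensitivity}"
```

The ordering is the point: identity is checked before destination, an agentless device never gets local breakout no matter where it is going, and a sanctioned SaaS destination only earns a direct path when the data classification is known and low. A gateway that cannot classify the session (MacDonald’s “not all security vendors are good at this”) falls into the last branch and sends everything to the PoP, which is safe but forfeits the cost and latency benefits of local breakout.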

Navigating an Uncertain Future

Despite SASE’s relative immaturity, Gartner still recommends enterprises begin developing a roadmap for adoption.

In the research group’s 2021 Strategic Road Map for SASE Convergence, analysts made the case for deploying zero-trust network access now to augment and eventually replace VPN functionality, as well as for beginning to consolidate networking and security functionality under either a single vendor or “two explicitly partnered vendors.”

Additionally, Gartner recommends choosing vendors that allow control of where the inspection takes place, how traffic is routed, what is logged, and where those logs are stored to meet privacy and compliance requirements across geographies.

Overall, Gartner expects the widespread adoption of SASE to be a multi-year journey, especially for large enterprises where networking and security teams remain segregated. Because of this, the analyst group advises enterprises to limit contract lengths to three years or fewer as they move to adopt new SASE technologies.