For all the hype secure access service edge (SASE) has received since Gartner coined the term, cloud-based security still isn't for everyone, wrote Cisco's Ravi Chandrasekaran in a blog post.
Chandrasekaran, who serves as SVP of Cisco's core software and intent-based networking groups, outlined when and where SASE may be appropriate, as well as when more traditional appliance-based approaches may be a better fit. "People are starting to talk in absolute terms about a particular capability of a technology," he wrote in reference to cloud-based security and routing made possible by SASE architectures.
SASE, as it's described by Gartner, outlines a product category that ties together elements of SD-WAN, security, and edge compute into a single, cloud-managed package. In this regard, SASE is commonly associated with secure web gateways (SWG), cloud access security broker (CASB), cloud-based firewalls, and SD-WAN. However, few vendors today can claim to offer a full networking and security stack and many instead partner to provide a SASE offering.
Chandrasekaran argues that Cisco is one of the few vendors that not only offers a full SASE stack, but it also offers it in a way that makes it easy for customers to start anywhere and move toward a full SASE architecture leveraging both cloud-based security and appliance-based SD-WAN.
This is important, he said, because enterprises are at various phases of their WAN transformations: customers' needs today may be better addressed by SD-WAN, while in the future they may benefit from SASE.
Asking the Right Questions
Chandrasekaran explained that while SASE can make a lot of sense for particular applications, there remain scenarios where on-premises security or routing may be more appropriate. "I think the key question IT needs to answer is: 'what is the best architecture to meet the needs of business operations,'" he wrote.
For example, for enterprises utilizing direct internet connections to access software-as-a-service applications, SASE — or more specifically cloud-based security like Cisco's Umbrella platform — is a good fit.
"However, not all threats arrive from the internet," Chandrasekaran wrote. "Many types of threats still propagate in enterprises in the east-west direction — using local traffic traveling from a device to an on-site application or among IoT devices."
In this scenario, Chandrasekaran argues that on-premises appliances, such as SD-WAN routers, are better suited, because east-west traffic never leaves the site and so never reaches a cloud-based security platform for inspection.
Additionally, for latency-sensitive applications, routing all traffic through a SASE point of presence (PoP) can increase end-to-end latency, he claimed. "Requiring all traffic from a branch to flow through a cloud security broker makes optimizing the middle-mile much more complex to manage," he wrote. "Providing security in edge routers, at a branch, or in a local PoP, enables [network operations] to optimize middle-mile performance to keep applications performing as promised in SLAs."
And in some cases, Chandrasekaran argues, a combination of on-premises and cloud-based security may be the best mix. "Some organizations or companies may go fully SASE, some may have to be in a traditional secure SD-WAN, and there's a third one where people may do both."
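The coverage gap Chandrasekaran describes is easy to make concrete: a cloud security PoP only ever sees traffic that is sent to it, so flows between two on-site endpoints are invisible to it regardless of policy. The following is an added illustration, not code from Cisco or from the blog post, that classifies a handful of constructed flows as east-west or north-south and reports which ones each deployment model ("sase", "sdwan", "hybrid", hypothetical labels chosen here) would actually inspect. The address ranges are RFC 1918 space for the branch and RFC 5737 documentation space for the internet side; the flows themselves are made up.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption: the branch's on-site networks are the RFC 1918 ranges.
SITE_PREFIXES = [
    ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    label: str  # human-readable description, constructed for the example


def is_site_local(addr: str) -> bool:
    """True if the address falls inside one of the branch's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_PREFIXES)


def classify(flow: Flow) -> str:
    """east-west: both endpoints on site; north-south: exactly one endpoint on site."""
    src_local, dst_local = is_site_local(flow.src), is_site_local(flow.dst)
    if src_local and dst_local:
        return "east-west"
    if src_local or dst_local:
        return "north-south"
    raise ValueError(f"flow {flow.src}->{flow.dst} has no on-site endpoint")


def enforcement_point(flow: Flow, mode: str) -> str:
    """Where the flow is inspected under a deployment model.

    mode is one of the hypothetical labels 'sase' (cloud-only security),
    'sdwan' (appliance-only security) or 'hybrid' (both).
    Returns 'cloud-pop', 'on-prem' or 'uninspected'.
    """
    kind = classify(flow)
    if mode == "sdwan":
        return "on-prem"  # the edge appliance sits in the path of every flow
    if kind == "north-south":
        return "cloud-pop"  # internet-bound traffic is steered to the cloud PoP
    # east-west traffic never leaves the site, so the cloud PoP never sees it
    return "on-prem" if mode == "hybrid" else "uninspected"


def uninspected_flows(flows, mode: str):
    """List the flows that receive no inspection at all under the given model."""
    return [f for f in flows if enforcement_point(f, mode) == "uninspected"]


# Constructed sample traffic from a single branch.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 443, "laptop -> SaaS app"),
    Flow("10.1.2.3", "10.1.5.10", 445, "laptop -> on-site file server"),
    Flow("192.168.10.5", "192.168.10.6", 1883, "IoT sensor -> IoT broker"),
    Flow("172.16.0.9", "198.51.100.7", 443, "kiosk -> public web"),
]

if __name__ == "__main__":
    for mode in ("sase", "sdwan", "hybrid"):
        print(f"== {mode} ==")
        for f in SAMPLE_FLOWS:
            print(f"  {f.label:32} {classify(f):12} -> {enforcement_point(f, mode)}")
        gaps = uninspected_flows(SAMPLE_FLOWS, mode)
        print(f"  uninspected: {[g.label for g in gaps]}")
```

Running it shows the cloud-only model leaving both east-west flows (the file-server and IoT traffic) uninspected, the appliance-only model covering everything locally, and the hybrid model sending internet-bound traffic to the PoP while keeping local traffic on the appliance. The classification uses only source and destination prefixes; a production policy would also key on application, identity and data sensitivity, which is beyond what this example sets out to show.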
The Regulatory Conundrum
Chandrasekaran also touched on some of the regulatory challenges enterprises face when connecting branches in disparate parts of the world.
"Data privacy regulations like GDPR can prevent some organizations from adopting cloud-hosted security because personal data must be kept within specific geographic boundaries," he wrote. "These types of regulatory requirements warrant the application of security policies on-premise before traffic exits the source and hits the WAN, therefore cloud-hosted security may be difficult to implement correctly."