Secure access service edge (SASE) is the key to shepherding Cisco's networking and security products to an as-a-service model, said Jeff Reed, Cisco's new security SVP, in an interview with SDxCentral.

"I believe that security and networking have been laggards in the as-a-service movement," he said. "SASE is really going to jumpstart the move of security and networking delivery into more and more of an as-a-service model."

SASE ties together elements of SD-WAN, managed security, and edge computing into a single, cloud-delivered package.

Reed, who early last month took over as SVP and GM of Cisco's cloud and network security business, explained that until recently, there has been a reluctance among networking and security professionals to adopt these kinds of cloud-based or cloud-managed services.

However, as more enterprises have rearchitected their networks and begun pushing applications out of the data center and into the cloud, suddenly "moving my security control set to the cloud became a very good option," he said.

Bridging Cisco’s Routing and Security Experience

While Reed has spent the last three years entrenched in Cisco's security business, his roots in the company go much deeper.

"I spent my first seven years at Cisco Networking," he said. "I led product management for all of our enterprise routing. In fact, I was closely involved with the Viptela acquisition."

This cross-experience in networking and security, Reed argues, is critical to understanding SASE's full potential.

The vendor in May announced plans to bring a SASE product, based on its Viptela SD-WAN, Umbrella security suite, and Duo authentication platforms, to the highly competitive market.

"SASE started fundamentally as really a security value proposition," he said. "I'd say SD-WAN was an instigator for the need for SASE."

As more and more traffic moves to the cloud edge, there is an opportunity to roll out new capabilities that are much more networking focused, said Reed, adding that as the platform evolves, Cisco is positioned not only to provide secure access to applications, but also to secure the applications themselves.

Additionally, he said SASE's disaggregated nature opens the door to other performance enhancements like middle-mile optimization — and he expects Cisco's $1 billion acquisition of ThousandEyes will "play a critical role" in this regard.

Cisco’s SASE Ambitions Grow

According to Reed, many of Cisco's SASE strengths are rooted in its Umbrella security service, which Cisco inherited with its OpenDNS acquisition in 2015.

In addition to domain name system (DNS) security and distributed denial of service (DDoS) protection, Umbrella includes several key SASE security functions including secure web gateway (SWG), firewall-as-a-service, and cloud-access security broker (CASB).

"I've, for years now, referred to [Umbrella] as our best pound-for-pound fighter in the security business. Does it catch everything? No. No security product does, but I submit that you'd be hard pressed to find another security product that is as effective as it is easy to deploy," he said.

On top of Umbrella, Cisco integrated core elements of its zero-trust networking portfolio — which includes Duo, SD-Access, and AnyConnect — to verify identity and enhance the overall security of the offering.

"Because it's a native cloud solution, we just roll out capabilities essentially every week," Reed said of Cisco's SASE, adding that layer 7 application visibility and control would be coming to the platform in the near future and data loss prevention is currently in field trials.

However, the security and routing stack are two pieces of a larger puzzle. According to Reed, the company is actively expanding Umbrella's footprint, which forms the basis of Cisco's service edge. "We're shipping tons and tons of gear on a monthly basis all across the world to increase the scale and capacity of that," he said.

"We've under marketed our capabilities in this space, [which] is one thing that keeps me up at night," he said. "I feel like when we have the opportunity to explain all the capabilities that we have, eyes light up."

SASE Still Far From Mature

According to Reed, much of the SASE security stack, including SWG and DNS security, is fairly mature at this point, while other parts still have room to grow.

Reed remains skeptical of early cloud-based firewalls in particular, arguing they still have a way to go before they can replicate the functionality of a next-generation firewall. He adds that remote access, which has helped to drive the early adoption of SASE products in response to COVID-19-related work-from-home orders, also has room for improvement.

"It's not just about replacing your VPN," Reed said. "It's how do I get user identity capability in there; what are the different ways I can expose applications. Some are tunnel-based, some reverse proxy... and then how do I tie all that back to my broader security infrastructure?"