SASE essentials: why SD-WAN is non-negotiable

As the SASE market evolves, questions have surfaced about what’s next for SD-WAN and whether it will remain a strategic technology. This expert deep dive reveals a long-term future for SD-WAN.

Do you still need SD-WAN?

Reviewing Gartner’s positioning on SSE, SD-WAN and SASE

The intersection of security and networking isn’t a fixed specification. Instead, it’s an ongoing conversation, informed by innovation, practical experiences and the operating environment of the time.

When SASE first came to the fore in 2019, Gartner was clear that the future of network and security is in the cloud, providing a holistic architecture where networking and security are managed together as a cloud service. They positioned SASE as a framework rather than a specific fixed product: a structure that allowed for alternative hosting models, mixed vendors, and different network and security functions.

Since then, Gartner have advanced their thought leadership through their Strategic Roadmap for SASE Convergence (2021), Magic Quadrant for Security Services Edge (2022), Magic Quadrant for SD-WAN (2022/23), Magic Quadrant for Single-vendor SASE (2023) and more besides.

When Gartner released the Magic Quadrant for SSE, questions arose about how it related to SASE and SD-WAN. Would these new SSE products replace SD-WAN?

However, the root of Gartner’s messaging hasn’t changed: the core concept of secure networks remains SASE, which continues to be the combined architecture of SD-WAN and SSE. Gartner isn’t pivoting away from SD-WAN being one of the two towers of SASE. It’s probably more helpful to see the separate Magic Quadrants as recognition that many firms are buying SD-WAN and SSE from different vendors, with the remainder taking both from a single-vendor ecosystem.

The separate Magic Quadrants also shine a light on different sourcing strategies where a client might start with Zero Trust Network Access (ZTNA) for VPN replacement, compared to an organisation that starts with branch WAN transformation. These separate quadrants are also helpful to organisations that want a dual vendor arrangement, rather than a single-vendor approach to SASE, allowing vendors to focus on one area or the other. As I see it, Gartner are actually doubling down on SASE with the release of the Magic Quadrant for single-vendor SASE.

The enduring value of SD-WAN within Zero Trust

Smart Building and IoT systems need SD-WAN more than ever before

IoT devices such as smart building and occupancy sensing solutions are now mainstream capabilities. From room and desk occupancy sensors, power monitoring, asset tracking to flood and smoke detection and wayfinding – all these sensors, gateways and controllers need unique treatment.

These elements need to be securely onboarded onto the network, with authentication and posture checking on the LAN, and then segmented on the WAN. They usually require direct internet connectivity, so security is essential, but they also need application classification so that performance and reliability can be assured. Separating endpoints into different personas, each with its own network requirements, speaks to the power of SD-WAN.

Ultimately, the needs of the future network are going to be defined as much by stakeholder groups such as property management as they are by application owners or network teams. Failing to keep pace creates the ideal conditions for shadow IT to creep in. By supporting rapid and easy technology adoption, SD-WAN is increasingly an effective part of defending against unsanctioned and unseen IT projects.

Providing economic certainty for Hybrid Cloud architectures

A significant part of our work in BT Business is enabling our customers to transform their applications and networks for hybrid cloud. The vast majority of our customers are in multiple public clouds and many continue to invest strategically in private cloud for compliance, data sovereignty or economic reasons.

One of the challenges of public cloud is that costs rise as utilisation increases. This also applies to the network where data transfer out (DTO) fees increase with peaks in network traffic, especially when connecting branch sites to public cloud via the Internet.

We help customers understand the importance of intelligent placement of workloads and data to counter the potential for bill-shock. We also demonstrate how SD-WAN has a key role to play not only in providing flexibility to move data and workloads between hosting locations, but also to aggregate user traffic for routing via private cloud connections. Options such as ExpressRoute and Direct Connect offer more attractive DTO fees, including unlimited data plans, thus minimising the link between user demand and the cost to run the public cloud egress network.

The agility of SD-WAN to route traffic by policy is extremely helpful where a firm wants to experiment or innovate with a new cloud provider, or to route traffic differently for a development instance compared to production, or for branches in one cloud region compared to another. For example, a European firm might send traffic to its EU Azure regions over ExpressRoute to minimise costs, while using Internet egress to reach an AWS instance in the USA for a small number of sites in that region, or for a small amount of traffic from EU sites towards an application hosted out of region.

SD-WAN provides the flexibility for this level of differentiated routing, allowing for smart placement of workloads, securing the data as well as optimising cost. 

SD-WAN is not just for large, complex environments

Some question the role of SD-WAN in small offices, thinking it’s overly complicated and expensive for their needs. In fact, from a small site perspective, SD-WAN provides many benefits that legacy WANs cannot match.

Small offices, kiosks, and concessions in shopping malls, airports or fuel filling stations tend to face challenges on user experience, security and budget. Plus, there can be a resource challenge to delivering at scale if there’s a large estate requiring transformation.

The trend for these small sites is to favour an all-in-one solution where the WAN, LAN, Wi-Fi and security functions are consolidated onto the same physical appliance, or at least all managed via a single central controller and management plane. This level of consolidation can’t be achieved on a practical basis without an underlying SD-WAN service.

As organisations turn to the internet, they find that variations in performance can adversely impact end-user experience. Even nations with excellent fibre infrastructure can have peering strategies built around consumers rather than businesses.

In attempting to mitigate this, a common approach is to load share across multiple broadband or mobile LTE/5G circuits. SD-WAN features such as path monitoring, application-aware path steering, packet duplication and error correction are key to enabling efficient use of multiple paths, as well as to the use of potentially lower-quality underlay.
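To make the path-steering behaviour described above concrete, here is an added example that is not BT’s, Palo Alto Networks’ or any SD-WAN vendor’s code. It models a branch with three underlay paths and three application classes, each with its own SLA thresholds, and shows the decision an SD-WAN controller makes from probe data: prefer the cheapest compliant path, steer a jitter-sensitive class onto the only compliant path, and fall back to duplicating a critical class across the two least-bad paths when no path meets its SLA. The path names, probe samples, cost values and SLA thresholds are constructed for illustration and are not taken from any product.

```python
"""Added example: application-aware path steering over a multi-path underlay.

Not vendor code. Path names, probe samples, costs and SLA thresholds below are
constructed purely to illustrate the decision logic.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class PathStats:
    """Recent probe results for one underlay path (constructed values)."""
    name: str
    latency_ms: list        # recent RTT probe samples
    loss_pct: float         # packet loss observed over the probe window
    cost: int               # administrative preference; lower wins when SLA is met

    @property
    def latency(self) -> float:
        return mean(self.latency_ms)

    @property
    def jitter(self) -> float:
        # population std-dev of the probe window as a simple jitter estimate
        return pstdev(self.latency_ms)


@dataclass
class AppSla:
    """SLA thresholds for an application class; all thresholds must be > 0."""
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float
    duplicate_if_degraded: bool = False   # packet duplication when no path complies


def meets_sla(path: PathStats, sla: AppSla) -> bool:
    return (path.loss_pct <= sla.max_loss_pct
            and path.latency <= sla.max_latency_ms
            and path.jitter <= sla.max_jitter_ms)


def sla_distance(path: PathStats, sla: AppSla) -> float:
    """Worst ratio of observed metric to its threshold; >1 means out of SLA."""
    return max(path.loss_pct / sla.max_loss_pct,
               path.latency / sla.max_latency_ms,
               path.jitter / sla.max_jitter_ms)


def steer(sla: AppSla, paths: list) -> dict:
    """Pick the path(s) for one application class from current probe data."""
    compliant = [p for p in paths if meets_sla(p, sla)]
    if compliant:
        # Cheapest compliant path, ties broken by lowest latency.
        best = min(compliant, key=lambda p: (p.cost, p.latency))
        return {"paths": [best.name], "duplicate": False, "sla_met": True}
    # Nothing complies: rank by how badly each path misses the SLA.
    ranked = sorted(paths, key=lambda p: sla_distance(p, sla))
    if sla.duplicate_if_degraded and len(ranked) >= 2:
        # Send every packet over the two least-bad paths; receiver de-duplicates.
        return {"paths": [ranked[0].name, ranked[1].name],
                "duplicate": True, "sla_met": False}
    return {"paths": [ranked[0].name], "duplicate": False, "sla_met": False}


def demo() -> dict:
    """Run the steering decision for a constructed branch scenario."""
    paths = [
        # broadband: cheap, one latency spike in the window, modest loss
        PathStats("broadband", [18, 22, 20, 40, 20], loss_pct=0.5, cost=10),
        # LTE: higher, noisier latency and more loss
        PathStats("lte", [45, 55, 50, 60, 40], loss_pct=1.0, cost=50),
        # MPLS: stable latency but degraded this window (0.3% loss)
        PathStats("mpls", [30, 31, 30, 29, 30], loss_pct=0.3, cost=30),
    ]
    slas = [
        AppSla("voice", max_loss_pct=1.0, max_latency_ms=150, max_jitter_ms=5),
        AppSla("saas", max_loss_pct=2.0, max_latency_ms=200, max_jitter_ms=30),
        AppSla("payments", max_loss_pct=0.1, max_latency_ms=100,
               max_jitter_ms=10, duplicate_if_degraded=True),
    ]
    return {sla.name: steer(sla, paths) for sla in slas}


if __name__ == "__main__":
    for app, decision in demo().items():
        print(f"{app:9s} -> {decision}")
```

In this scenario the web-class traffic lands on the cheap broadband path, voice is steered onto MPLS because both broadband and LTE fail the 5 ms jitter threshold, and the payments class, which no path satisfies, is duplicated across MPLS and broadband. A real controller adds hysteresis so that a single bad probe window does not flap traffic between paths, which this model deliberately leaves out.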

SD-WAN is also important to the continuous measuring, reporting and diagnostics of performance that support user experience. In fact, visibility has always been one of the biggest challenges across all IT services and is one of the most welcome and valued benefits of SD-WAN.

SD-WAN as a critical part of Digital Experience Monitoring visibility

SD-WAN as a critical part of operations and management

Can we do all this without SD-WAN?

In theory, yes: with novel router features and configurations, deep packet inspection, policy-based routing into manually created IPsec tunnels with IP SLA monitoring, and more besides. We were doing this a decade ago, and it was exactly this complexity that led to the emergence of SD-WAN.

You could do this better today using modern automation tooling, but without a control plane you are still maintaining a bespoke, one-of-a-kind router-based configuration. That is a tall order when you need to deploy and manage hundreds or thousands of routers globally, and not one that most firms will take on at the resource cost or risk it entails.


The bottom line is that organisations don't want to be reliant on novel workarounds that are difficult for their network vendor to navigate when it comes to complex faults. Vendors don’t perform regression testing for one-off bespoke configurations; instead they expect you to take their SD-WAN package, as the majority will.

Take a steer from the industry’s convergence path

If you look at the vendor landscape, whether a vendor started life in security or in networking, the trend is very much towards a joined-up SSE and SD-WAN portfolio.

Even long-established, dyed-in-the-wool security vendors have by now added a cloud-based SSE. The majority have also worked to acquire or develop their own SD-WAN solutions, tightly integrating them into their ecosystem. Even vendors we think of as being pure-play cloud security vendors have launched branch connectivity options with SD-WAN-like features. All credit to them for tracking where the market was heading and pivoting their strategies.

One thing is for sure: the vendors are clear that SD-WAN and SSE go hand in glove and they’re all delivering tremendously powerful and innovative solutions to deliver on the overall SASE framework.

The future direction for SD-WAN

SD-WAN is still relevant, and will continue to be

Draw on the BT and Palo Alto Networks partnership