Back before the pandemic, most people commuted to the office daily. Then, everything changed when workers were sent home for “two weeks.” This forced remote connectivity to evolve from supporting the occasional worker to supporting most (if not all) staff. For IT Security, there was extra concern about how company data was accessed and where it was stored.
Most decent-sized companies were already able to support remote access long before COVID. But this was more about granting secure access to internal systems. Plus, a lot of companies had not planned for how to support a remote workforce. With everyone working remotely, management tools like Active Directory group policies may not update like before, as staff may not always connect to the VPN. Add in cloud applications, like Office 365, which staff can use without connecting to the VPN at all. Over time, it has become evident that VPN is not good enough.
Replacing VPN
Fortunately, there is Secure Access Service Edge, or SASE. SASE comprises endpoint security solutions like secure web gateway (SWG), cloud access security broker (CASB), and VPN, plus it replaces the traditional WAN with SD-WAN.
Unlike traditional VPNs, end users should not need to think about when to connect back to the on-premises environment as the SASE solution would handle it. If end users need to access emails (such as Office 365), the connection should be direct to the cloud service. When the end user needs to connect to an on-premises server, the connection happens without the end user needing to initiate a VPN session.
Basically, there are two overall types of SASE solutions: converged and integrated. A converged solution is where a vendor includes every aspect of SASE. This makes the solution operationally simple, but it may not be best of breed across the entire SASE stack. On the other hand, an integrated solution is where the vendor provides the client part but connects back to another SD-WAN solution. This allows companies to use different solutions and so get closer to best of breed, but having different vendor products working together could make things messier, as they may not always work seamlessly.
SASE is a great tool for keeping end users safe while securing access to data, no matter if it is in an on-premises server or in the cloud. Of course, IT departments will have to transition from VPN to SASE. This could start with changing WAN connections over to SD-WAN to give a connection point for the SASE client. Then the VPN client can be replaced with the SASE client to keep that remote access functionality.
The problem arises where security services have already been deployed to support remote workers. If there is already a web security product like Zscaler, does the company have to throw this out to go with a SASE provider from a networking company? Some vendors may say yes, making the transition a bigger project. That is not something that may be appreciated.
VMware Can Help
VMware may not be the first to the SASE market, but they do offer an easier transition to SASE. Companies can deploy any part of VMware’s solution, or even go with the full converged solution if desired. By allowing for pieces of the solution to be installed, VMware is not forcing IT departments into a “rip and replace” scenario. Rather, the replacement can be done over time so as not to impact the business too much.
For instance, Zscaler has a secure web gateway product that processes millions of transactions daily (https://trust.zscaler.com/zscaler.net). The Zscaler client connector gets installed on laptops, allowing internet access to be secured. Switching to some converged SASE solutions may require getting rid of Zscaler, which could complicate a SASE deployment. The VMware solution can allow internet access to continue through Zscaler while on-premises access goes through VMware SASE. If desired, Zscaler can be dropped later in favor of the VMware solution.
Conclusion
VPNs are no longer good enough to support remote and hybrid workers. By upgrading to a SASE solution, end users no longer need to decide when to connect over a VPN. However, replacing a VPN and existing web security solutions could be a daunting task. Fortunately, companies like VMware help by offering a SASE solution that can be deployed in stages while working with existing security services like Zscaler.
Recently, I was part of a discussion with VMware about their solution. You can listen to that conversation as part of the Tech Field Day Showcase or go to https://sase.vmware.com/sase to learn more about the offering.