theNet by CLOUDFLARE

Accelerating the journey to SASE

Making network transformation more approachable

Building flexible and scalable networks

The public Internet is becoming the new corporate network — a shift that calls for a radical reimagining of network security and connectivity. Secure Access Service Edge (SASE) is a cloud-based security model used to respond to evolving security and connectivity challenges.

SASE is often a complete transformation of an organization’s approach to security and networking. It involves combining a variety of security and networking services — including firewalls, zero trust network access, secure web gateways, and software-defined WANs — onto a single cloud-based platform. With SASE, corporate data centers are no longer the central location for network controls. Instead, controls move to the cloud edge, thereby closer to users, wherever they are.

According to Gartner, completing the implementation of the SASE security model can take years and involves implicating decisions around the integration of existing providers and how to stitch together patchwork network security solutions. Identifying the right steps for your unique organization and the order of enhancements can be time-intensive and require the involvement of many stakeholders.

This planning and consensus-building activity can seem daunting and often inhibit organizations from taking small yet significant steps. Getting left behind on this journey to network transformation means confronting greater risks for data loss, insider threats, and network attacks, both today and in the future.

The path to integrating a comprehensive SASE architecture is arduous but worth taking — with an end goal of reducing security gaps and enabling the future of work.

To simplify the process, here are four key questions organizations can ask on the road to adoption.


4 questions for simplifying SASE adoption

1. Draw a picture: What does your network traffic look like?

Make a map of your network traffic and how it flows from users, offices, and data centers to your most critical business applications. On your completed diagram, label the connections that are burdened with the greatest amount of latency or complexity on a scale of 1 to 10. This may be correlated to backhauling, VPNs, MPLS circuits, or other routing decisions that no longer make sense for your business.

This can help you decide what changes to make early in the process and find ways to avoid backhauling data through VPNs, MPLS circuits, and firewalls. Since the “trombone effect” of these legacy solutions adds latency and unnecessary complexity, looking at a map to see where traffic is being processed around the globe — and where users are located — can illuminate potential quick wins for enhancements.

2. List and rank: Where are the biggest risks for insider threats?

The SASE model starts with a Zero Trust security strategy that limits access to resources based on a real-time evaluation of identity and posture. Assess which users may have excessive access permissions to resources by making a list of key user groups, then ranking which ones have the most privileged access to services. The groups at the top of the list could be a good place to focus first.

Revealing questions to ask include:

  • Can developers access infrastructure over SSH for long periods without re-authentication?

  • Are contractors given limited, time-based access, or blanket access rights?

  • Do executives have super admin rights to applications that could pose a risk?

3. Time it out: When do your legacy networking and network security contracts expire?

When building a plan for the next steps, identifying contract expiration dates for legacy solutions can help promote a natural SASE progression and control costs. If DDoS and firewall hardware appliances are already due for replacement, or your MPLS contract is up for renewal, that can be an opportune moment to make larger changes. Planning migrations to coincide with opening up new branch offices or amid mergers and acquisitions can also be a natural time for change and consolidation.

When contracts for legacy products are expiring but you are not yet ready to migrate, consider a shorter renewal contract to keep your options open in the medium-term future.

4. Make a milestone: What quick wins are possible for targeted departments?

Starting small can be a way to gain momentum and increase support from stakeholders, improving the likelihood of buy-in for larger projects in the future. To this end, consider starting with a SASE pilot program.

Where should you start with this pilot? Examine which teams, business units, and applications could serve as a pilot project for a migration, ideally with enough flexibility to streamline implementation. Treat teams like customers whose productivity problems you are solving.

Decision factors for where to start include:

  • Flexibility and openness to change — for example, the security team might be the best first customer for a SASE implementation

  • Roles that are at greater risk for attacks — such as developers, who have access to valuable data

  • Potential speed for migration — contractors are often a user type with limited access needs, which can simplify a migration

In discussions of SASE, it is natural for technological matters to dominate the conversation. Keep in mind that transformational shifts around people, processes, and budgets will also be pivotal for success.

After developing a thorough understanding of your organization’s needs, look for a vendor that can meet you wherever you are on the journey to network transformation — and integrate with your existing tools for network on-ramps, identity management, endpoint security, log storage, and other pieces of the network security equation. Many vendors champion an all-in-one platform but in actuality, require organizations to integrate several different point products. Transitioning to SASE will be easier if you select a vendor with a fully integrated solution, ideally one with a consistent cloud-based delivery model and service architecture.


Getting started

Cloudflare One is a comprehensive Zero Trust network-as-a-service offering that allows you to run your corporate network at the edge of the Internet. With a massive global reach, Cloudflare One provides highly secure, performant, and reliable connectivity for your workforce, workplace, and workloads — wherever they are. And single-pass inspection of requests means you can avoid backhauling traffic.

With a simple, intuitive, and unified control plane, you can set networking and security policies in one place to be applied everywhere. Cloudflare One makes it easy to tailor your approach for the best long-term outcome and implement solutions that coexist with your existing infrastructure.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Key takeaways

After reading this article you will be able to understand:

  • What SASE is and why it matters

  • What’s at stake for the enterprise without it

  • 4 questions that can help you evaluate and identify next steps

  • The resources available to help simplify the process




Dive deeper into this topic.

To see how Cloudflare One stacks up against eight other SASE vendors, get the Availability and Buying Options in the Emerging SASE Market report from EMA.

Get the report

Receive a monthly recap of the most popular Internet insights!