Is SASE the VPN Killer?

If you are in Washington, D.C., and you want to get to New York, you probably wouldn’t choose to travel via Denver. A direct trip along the East Coast would be shorter and quicker, and probably more reliable as well. Going via Denver makes no sense at all. 

Yet, if you are working remotely in Washington, D.C., and your corporate data center happens to be in Denver, then what happens when you connect your laptop to the internet and fire up the corporate VPN? Your data travels all the way to the Denver data center, even if it’s destined for a cloud service somewhere in New York. The trip out west and back means latency and a hit to cloud application performance, not to mention putting strain on your data center network.

Remote Working Surge

Thanks to the global pandemic, most enterprises have seen a huge increase in remote working over the last 12 months, and this has meant that companies with the infrastructure in place to handle five or ten percent staff working remotely have had to scramble to accommodate 80 percent or more trying to connect via the corporate VPN. 

Cisco and others made this a little less costly, for a time at least, by offering free VPN client licenses, but many enterprises were and still are struggling to cope with huge increases in VPN traffic. This includes traffic that, once it arrives at the data center, heads straight back out to the cloud. 

It’s against this background that the Secure Access Service Edge (SASE) security model really begins to look attractive. 

SASE Alternative

Using an SD-WAN combined with SASE, a user in Washington, D.C., connects to a local security service point in the cloud. This is the Service Edge, and ideally it would be in the same city as the user. At this SASE service point (you could call it a point of presence), security services such as filtering, next generation firewalling, sandboxing, data loss protection, cloud access security broker (CASB) functionality, and much more can be applied. The user’s traffic can then travel straight on to the New York cloud service, without the need to make the diversion to Denver first to be processed through the data center security stack.

Scalable, Faster, Cheaper

That’s bound to have a significant benefit when it comes to the cloud service’s performance. But that’s not the only benefit of SASE for remote workers. SASE can also provide benefits when the user needs to connect back to the corporate data center in Denver to access applications and data running in-house.

For example, a SASE solution is much more scalable than a traditional VPN approach. If a company suddenly has to accommodate thousands of new remote workers, it can “switch on” more SASE services in the cloud, close to wherever those remote workers happen to be. 

SASE is also likely to be quicker and less costly to implement, because there’s no need to rush out and purchase more VPN concentrators, VPN licenses, network access control capacity and the like. That in turn also reduces network complexity. With the SASE security stack managed in the cloud by the SASE provider, IT staff also have less to configure, manage and maintain.

Legacy Remote Working

So where does this leave the traditional corporate VPN? Let’s imagine a company that has a fairly constant number of remote workers. This number hasn’t changed for a while, and is unlikely to change in the future. And these workers predominantly use corporate applications running in the data center — the use of cloud applications is minimal. 

This type of company can quite happily continue to use a traditional VPN to allow staff to connect to the corporate network securely. But here’s the thing. Does this company sound like any that you are likely to encounter? Remote working has shot up during the pandemic, and future teleworking habits are uncertain, although they are likely to be higher than pre-pandemic levels. And cloud usage continues to rocket as companies adopt software-as-a-service, as well as moving their own applications to virtualized or containerized infrastructure in the cloud.

SASE is a Better Fit for the Future

So there’s certainly an argument that the traditional VPN model, which was designed to allow a small proportion of staff to connect to data center applications remotely, should be considered a legacy approach to remote working, applicable now only to a small minority of enterprises. 

An SD-WAN/SASE approach is much better suited to today’s remote working habits, which may involve a large proportion of the workforce from time to time, and a significant proportion of traffic heading to the cloud rather than the data center. 

If that’s really the case then the traditional VPN is likely to become increasingly rare. SASE may not be the VPN killer, but in the medium to long term it will be responsible for edging VPNs out of the mainstream. 

Paul Rubens
Paul Rubens is a technology journalist specializing in enterprise networking, security, storage, and virtualization. He has worked for international publications including The Financial Times, BBC, and The Economist, and is now based near Oxford, U.K. When not writing about technology Paul can usually be found playing or restoring pinball machines.
