Multi-vendor SD-WAN environments and poor WAN visibility can complicate the move to a SASE architecture.
The transition from software-defined WAN (SD-WAN) to secure access service edge (SASE) is proving to be difficult for many enterprises, according to new research from Enterprise Management Associates (EMA).
If you’re a network or security professional, you’re probably familiar with SASE, a new class of solutions that integrates SD-WAN, secure remote access, and cloud-delivered, multi-function network security. Many enterprises are now evolving their SD-WAN implementations into a SASE solution, either by adopting their SD-WAN providers’ SASE capabilities or integrating their SD-WAN with third-party, cloud-based network security solutions.
[ Download our editors’ PDF SASE and SSE enterprise buyer’s guide today! ]
EMA polled 313 IT professionals about their WAN strategies for its new report, “WAN Transformation with SD-WAN: Establishing a Mature Foundation for SASE Success.” Only 11% of survey respondents described the transition from SD-WAN to SASE as very easy. In fact, 30% described it as genuinely painful. Large enterprises (10,000 or more employees) were especially likely to express challenges with this transition.
Why is this SD-WAN-to-SASE transition so painful? EMA’s research data uncovered several roadblocks to success.
Multi-vendor SD-WAN complexity
Nearly 43% of the enterprises in EMA’s research reported having multiple SD-WAN vendors. Respondents with multiple SD-WAN vendors reported experiencing the most difficulty with a SASE transition. Some of the problems they reported included difficulty implementing consistent security policies and controls across their network. They also struggled with skills gaps in the network team.
Why is multi-vendor SD-WAN so common? There are several drivers. Some companies have different sites that have different vendor requirements, such as factories versus sales offices. Others have independent business units that make their own decisions around IT strategies. Others are transitioning slowly from one vendor to another. Regardless of the reasons behind this vendor complexity, IT organizations need to find ways to mitigate the issue.
DIY versus managed SD-WAN services
SD-WAN implementation and management can be difficult, despite what some vendors might tell buyers. This issue is exemplified by the fact that more than 66% of IT organizations prefer to consume SD-WAN as a managed service. More than 21% prefer a do-it-yourself SD-WAN implementation. The rest (nearly 13%) are still determining their preferences.
Organizations that adopt a DIY approach to SD-WAN are much more likely to struggle with a SASE transition, according to our research. Consumers of managed SD-WAN experienced easier transitions. In fact, 40% of consumers of managed SD-WAN services told us they preferred a managed service over DIY specifically because it enabled better integration with other managed services, such as SASE security services. A managed provider has the internal expertise and the vendor relationships to implement a SASE transition effectively.
Poor WAN observability
SASE solutions deliver security functionality via globally distributed points of presence (POP). These POPs often replace centrally deployed network security solutions in an enterprise’s data center. SASE POPs add more optimal routing of traffic, but they also add traffic complexity, making observability essential for planning, design, and ongoing monitoring and troubleshooting.
SD-WAN and SASE products typically offer an integrated WAN monitoring features that provide insights into network and application health and performance, especially into the tunnels that an SD-WAN solution establishes across a WAN underlay. EMA’s research found that only 40% of IT organizations are completely satisfied with the native monitoring capabilities of their SD-WAN vendors. Organizations that were less satisfied with these monitoring features were the most likely to report challenges with their transition to SASE.
Most enterprises also monitor their SD-WAN networks with third-party network performance management tools, often to get better visibility into the WAN underlay, which is a mix of managed and private WAN services, broadband, and wireless WAN connectivity. This underlay visibility is important to SASE success. Overall, 76% of IT organizations told EMA that they can establish an end-to-end view of their WAN underlay with a monitoring tool. Organizations that were unable to establish this visibility were much more likely to struggle with the transition from SD-WAN to SASE.
Charting a path forward
EMA recommends that enterprises establish a mature SD-WAN foundation for SASE success. (Check out EMA’s free research webinar on WAN transformation.) This SD-WAN foundation should be based on a single SD-WAN vendor that is delivered via a managed service to mitigate engineering and operational complexity. However, enterprises should not outsource operations completely to that managed services provider. Good WAN observability is essential to SASE success.
Shamus McGillicuddy is the research director for the network management practice at EMA.