by Alex Korolov

Pros and cons of managed SASE

Feature
Jan 20, 2023 | 11 mins
Network Security, SD-WAN, WAN

Managed SASE can be appealing for enterprises that want a single provider for deployment and management of WAN and security infrastructure, but there can be tradeoffs depending on provider flexibility, platform interoperability, and cost.


AmerCareRoyal, which provides disposable products for the food service and hospitality industries, is the product of six mergers and acquisitions over the past several years, and its former network security setup couldn’t keep up.

Jeff DeSandre, who joined the company as CIO in 2019, wanted an SD-WAN platform that came with more advanced management options and firewalls. After looking at the market, he added threat detection and response capabilities to his wish list. “I was focused on getting our arms quickly around our wide area network and securing our edge, and then making sure that the solution I went with could scale to my long-term roadmap,” he says.

Secure access service edge, or SASE, fit the bill.


First coined by Gartner in 2019, SASE is a network architecture that combines SD-WAN with security services, including secure web access gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), and firewall-as-a-service (FWaaS), in a single, cloud-delivered service model.

SASE adoption is moving fast, with Gartner predicting 80% of enterprises will have adopted a SASE architecture by 2025. But SASE implementation can be challenging.

AmerCareRoyal’s existing IT staff didn’t have the proper training to set up and maintain a new networking and security implementation, and hiring more people wasn’t a viable option. It can be difficult to hire and retain architect-grade networking talent when a company’s core product isn’t technology, says DeSandre. “It is equally difficult to support a 24-7-365 network operations center to maintain operations properly.”

DeSandre wanted experts. “I wanted the best,” he says. “I wanted people that do it all the time, that see it with different customers, and that know what good looks like.”

AmerCareRoyal chose to deploy SASE through a managed service provider. A SASE infrastructure would cover its security and networking requirements, and the MSP model would provide the expertise the company needed for proper implementation and ongoing management.

AmerCareRoyal chose Open Systems’ managed SASE. Open Systems isn’t just an MSP. It’s also a SASE vendor, and it’s recognized by Gartner as one of only nine vendors that offer a complete SASE solution.

It took about three months to get deployment started. That was during the COVID pandemic, which slowed things down a bit, DeSandre says. The results were outstanding, he says, and now the company has been able to integrate additional security components over time.

“We’re just now using their secure email gateway, we’re using their secure gateway services, and we’re in the process of doing tiered trust,” he says. “This year, we’re going for CASB.”

Meanwhile, Open Systems hasn’t made AmerCareRoyal’s own IT team obsolete. Instead, the company is now able to focus on business expansion. “We still have very seasoned and talented infrastructure resources on staff,” says DeSandre. “However, they focus on growth and innovation instead of running activities. This equates to measurable value to the business.”

AmerCareRoyal isn’t alone in turning to a managed SASE service provider to take pressure off its IT team, but it’s among the early adopters. Managed SASE is relatively new and has only been around since 2021, says Jonathan Forest, senior director analyst at Gartner.

“Managed SASE offerings provide a single source for SASE service with a single-provider buying and supporting experience for the enterprise,” he says. “Fundamentally, with managed services, the service provider operates the solution on behalf of the enterprise.”

An MSP can make SASE implementation a viable option for an organization that would find it difficult or impossible to do on its own, but companies should carefully weigh the pros and cons and make sure they’re getting maximum value and quality of service before choosing a provider.

Benefits of managed SASE

If a company decides to deploy SASE by going directly through SASE vendors, they’ll have to configure and implement the service themselves, says Gartner’s Forest.

“The benefits of a managed service provider are a single source for all setup and management, the ability to redeploy internal resources for other tasks, and the ability to access skills and capabilities that don’t exist internally,” he says.

Getting in-house IT staff with the right expertise to handle SASE can be a real challenge, particularly in today’s hiring climate: 76% of IT employers say they’re having difficulty finding the hard and soft skills they need, and one in five organizations globally is having trouble finding skilled tech talent, according to a 2023 survey by ManpowerGroup.

The access to outside experts is particularly appealing to companies that don’t have the resources to manage SASE themselves.

Managed SASE providers have specialized expertise in deploying and managing SASE infrastructure, says Ilyoskhuja Ikromkhujaev, software engineer at software developer Nipendo. “Which can help ensure that your system is set up correctly and stays up to date with the latest security features and protocols,” he says.

And there’s an additional financial benefit, says Ikromkhujaev. “By outsourcing the deployment and management of your SASE infrastructure, you can reduce the need for in-house IT staff and hardware, leading to cost savings.”

Using an MSP also allows for flexible financing models, including as a service, says Michael Moore, senior manager, portfolio development, network and security, at consulting firm Insight. And it offers faster time to value than do-it-yourself SASE implementations and consolidated billing for SD-WAN and security services, says Moore.

SASE is implemented by combining SD-WAN with various security technologies, often from multiple vendors, and it presents some difficulties. “Adopting any new technology comes with its own challenges, particularly when it spans two traditionally siloed business units – the networking and security teams,” says Moore.

The big challenge is to apply security policy and access control equally to all these technologies, says Vincent Berk, chief revenue and strategy officer at quantum-safe data security company Quantum Xchange.

“The big benefit of managed SASE is that the technologies that will be deployed are tuned to each other, and buyers can expect a fairly seamless experience applying policy,” he says. “Add to that network and security operations that are integrated and also tuned to the technologies that are used – it makes for a compelling package.”

Managed SASE requires prep work, process tuning

When a company chooses to use a managed service for SASE, they depend on the service provider to handle all facets of their SASE infrastructure, but that doesn’t mean they’re totally off the hook.

Companies might have to do some groundwork to ensure they have a functional relationship with their MSP, according to AmerCareRoyal’s DeSandre. “A challenge at first was adhering to the best practices our vendor enforces,” he says. “This forced us to standardize and clean up many years of bad habits, which was painful at first.”

AmerCareRoyal had to rebuild all of its firewall rules and fix some bad processes because its SASE wouldn’t operate efficiently otherwise. “It was looking at the way we architect our infrastructure and [addressing] the application we were doing at the firewall level that we should have been doing at the core application level,” says DeSandre.

AmerCareRoyal piloted the service at one location to make sure everything was fixed. “The first three months were really [focused on] going back and removing all the sins of the past,” says DeSandre. “We really worked out the kinks, but then it went pretty quickly.”

Managed SASE can require forfeiting control, customizability

Relying on an MSP for SASE has its risks, one being that a company has to depend on an outside service for its security operations.

Companies may have less control over their own security infrastructure, says David Farkas, founder and CEO of advertising services company The Upper Ranks. “If the provider experiences any issues or downtime, it can impact a company’s security and access to resources,” he says.

Managed SASE also comes with the risk of having to use technologies that might not suit a particular company’s needs. And a company might not have much choice about the technologies they use when going through an MSP, says Nipendo’s Ikromkhujaev. “You may have less control over the configuration and customization of your SASE infrastructure,” he says.

A big drawback is that each organization is unique in its mission, says Quantum Xchange’s Berk, and the interlocking SASE technologies an MSP provides can remove much of the buyer’s flexibility and ability to fit their connectivity needs to the organization’s business goals.

A company could also run into trouble if it doesn’t clearly understand what its MSP is offering.

It becomes vital for the company to know how to interact with its service provider and be able to expedite the resolution of any issues or problems that have arisen with the service, says Rik Turner, senior principal analyst for emerging technologies at Omdia.

Experience working with service providers on the connectivity side helps, but Turner notes that SASE extends to WAN security and encompasses not only office staff but remote workers as well. “Managing the relationship with that provider will be key to keeping the SASE up and running and maintaining a good user experience across all those geographically dispersed employees,” he says.

Companies should put careful focus on service level agreements to ensure excellent responsiveness from their MSP, says Maxime Martelli, consulting cybersecurity manager and SASE leader with global technology research and advisory firm ISG. “An incorrect business case could reduce the benefits of a managed SASE solution,” he says.

Companies need to agree on the scope and identify overlaps with existing security stacks and should avoid any contractual dead-ends, says Martelli. “The MSP should be responsible for managing the SASE solution, without co-contractors.”

Managed SASE add-ons are key to selection

When choosing a SASE service provider, differentiation comes from value-add capabilities, such as managed operation and response services, as well as threat intelligence and streamlined procurement and operations, says Fernando Montenegro, senior principal analyst for cybersecurity at Omdia.

“We expect service providers to be particularly active offering SASE capabilities, usually combining technology from a handful of technology vendors,” he says.

AmerCareRoyal didn’t choose Open Systems only for its SASE expertise. “For us, the SASE was table stakes,” says DeSandre. The key differentiator was Open Systems’ managed detection and response, which is a security feature that isn’t always included with SASE.

“Their MDR is top-notch,” he says. “We had some of our executives spoofed that were signed in from Africa, and they caught this within minutes.”

Enterprises should decide who would be the best managed service provider for them by looking at their own pain points and assessing who can add the most value, says Ken Bisnoff, senior vice president, channel chief at telecommunications company GTT.

“Companies should partner with a managed service provider with adaptive network technology choices, global connectivity, and security packages that integrate the functionality of SD-WAN with cloud security features such as ZTNA, SWG, CASB, and firewall-as-a-service,” he says.

The ideal service provider should include a professional services offering with dedicated skills such as solution architects, design engineers, and technical managers to ensure the best technology deployment for the customer, he says.

“They should also look for providers who can deliver global Tier 1 internet connectivity alongside secure networking,” Bisnoff adds. “This is because of the leading role enhanced internet now plays in many enterprise network landscapes, underpinning SD-WAN, for example, in which security should not compromise the quality of network performance and online experiences.”

A company should make sure the cost is worth it to go with a managed service provider, says Gartner’s Forest.

“What is the managed service provider doing above and beyond what the enterprise can get directly from the SASE vendor themselves?” asks Forest. “Do they have deep integrations with the vendors to add incremental value?”

A company should have a better service experience that is higher performing, accelerates setup, is more agile in making changes, and offers better troubleshooting when using managed services, he says.

“Bottom line, enterprises should be careful to avoid overpaying for managed SASE and also determine the value offered by managed service providers to ensure it is demonstrably better than what the enterprise can do themselves by working directly with the vendors,” Forest says.

AmerCareRoyal’s DeSandre says the good results he’s seen from using Open Systems for managed SASE have brought him peace of mind. “I no longer need to worry if our network is running, or worse, under duress or attack,” he says.