Multiple SD-WAN vendors can complicate move to SASE

Enterprises over the past several years have embraced SD-WAN for many reasons, including the flexibility of cloud architecture, enhanced security, centralized management of distributed locations, and improved application availability and performance. In turn, the popularity of SD-WAN has helped propel interest in secure access service edge (SASE), a network architecture that converges connectivity and security services.

But as IT organizations look to transition from SD-WAN to SASE, they’re finding they may need to do some internal housecleaning first. Having multiple SD-WAN vendors can exacerbate management complexity and represent some hurdles when IT organizations move to adopt SASE. If they want a smooth and successful migration, IT organizations should consider consolidating their current SD-WAN providers, improving collaboration across networking and security teams, and evaluating managed service providers (MSP), analysts say.

SD-WAN to SASE progression

The SASE model combines network security functions with WAN capabilities, delivering the security elements in the cloud and using SD-WAN at the edge or in the cloud. Key security functions include secure web gateway (SWG), zero trust network access (ZTNA), firewall as a service (FWaaS), and cloud access security broker (CASB).

Interest in SASE is increasing as IT organizations look to reduce management complexity while securing multiple, disparate end users.

“Enterprise IT generally wants to find efficiencies in managing their environments, and any way that can simplify complex networks is worth evaluating,” says Brandon Butler, research manager for network infrastructure at IDC.

Networking and security vendors have moved into the SASE market, some with an SD-WAN foundation and others with a security background. Some vendors provide the full set of SASE features, and some players piece together services from various partners. Example SASE vendors include Barracuda Networks, Broadcom, Cato Networks, Cisco, Citrix, Cloudflare, Forcepoint, Fortinet, Juniper Networks, Palo Alto Networks, Versa Networks, VMware and Zscaler, among others.

The market overlap makes sense, according to industry watchers, and it hints at a need for greater collaboration among traditionally siloed IT operations. The walls between networking and security teams must come down to deliver cloud-based security and network services across today’s sophisticated networks. 

“The opportunity to leverage a cloud-based architecture to enforce security policies to distributed locations and remote workers is the real value of SASE. It offers management efficiencies, it supports a modern workforce, and it supports an important integration between the network and security teams,” IDC’S Butler says. “In today’s world, when you have so many people working from home and so many distributed applications, a cloud-based security approach is really appealing.”

As the market continues to evolve, vendors are boosting their capabilities – networking vendors are acquiring or developing security capabilities to offer SASE, and security providers are augmenting their product portfolios with advanced networking capabilities to offer SASE. That aligns with adoption trends; a majority (68%) of 830 respondents to an IDC survey said they would like to use the same vendor for their SD-WAN and security/SASE solution.

Taking stock of your SD-WAN foundation

One of the motivators to move to SASE is that everything is tightly integrated, says Shamus McGillicuddy, vice president of research at Enterprise Management Associates. “As the traffic passes through one point in the SASE cloud, all the security checks are done at one time, rather than separate processes across locations,” McGillicuddy says.

This level of integration is a key reason many IT organizations are considering advancing from an SD-WAN platform to a fully integrated SASE solution, but this transition represents challenges for many. In particular, IT organizations are finding that using multiple SD-WAN vendors can cause issues when trying to migrate to a cloud-based security approach.

“More than 20% of companies we surveyed have multiple SD-WAN vendors. For instance, many organizations will have an SD-WAN vendor in place and then have a need for a new functionality that their existing vendor doesn’t offer, so they get another product,” says McGillicuddy.

Other reasons that multiple vendors could be in place at one business is due to the different capabilities needed for a corporate headquarters or a data center versus a branch office or retail location with lower bandwidth requirements. Company mergers and acquisitions could result in multiple SD-WAN vendors, and various IT and business teams deploying SD-WAN technology independently could also be a factor.

Regardless of how they get there, multiple SD-WAN vendors will complicate a move to SASE.

As happens with many technologies, the more proprietary SD-WAN tools in an environment the more difficult it becomes to gain visibility across tools or manage various components from a single, centralized console. Part of the problem is that when adopting a SASE architecture, IT must build tunnels into the SD-WAN to connect the SASE points of presence (PoP) and apply the cloud security policies to the traffic. With multiple SD-WANs, IT organizations must build many tunnels, which is time-consuming and reduces the potential to gain true visibility into all traffic.

According to EMA Research, more than half (54%) of survey respondents said they would integrate a third-party security services solution with their incumbent SD-WAN vendor. But which one if there are many vendors already in place? That’s when consolidating vendors becomes a priority.

“Whether they are doing SASE or not, IT organizations should look for ways to consolidate SD-WAN vendors. SD-WAN projects and environments are more successful when they are provided from a single vendor, and if SASE is a goal, consolidating SD-WAN vendors would help,” EMA’s McGillicuddy says.

If a single SD-WAN vendor isn’t a realistic option for the business, IT organizations should evaluate MSPs to reduce the pain and some of the complexity of managing and securing traffic across multiple vendor SD-WANs. MSPs should be able to offload the management of multiple SD-WANs, monitor the traffic, and gain visibility into application performance across the entire environment.

“Our research shows that about two-thirds are already using MSPs to help with SASE and SD-WAN. IT organizations should look for an MSP that can manage multiple vendors as one big network,” EMA’s McGillicuddy says.

MSPs often specialize in managing specific vendors in the SD-WAN market, and it is critical for IT leaders to evaluate MSPs based on the SD-WAN or SASE provider they believe they will partner with for the long-term. Working with an MSP should reduce management toil and headaches for the IT team. If an MSP introduces more complexity because it cannot manage existing SD-WAN or SASE vendors, it is not the right choice for the business.

“There are many operational benefits to consolidating vendors, reducing complexity, and enforcing security policies consistently across an environment,” IDC’s Butler says. “MSPs can help with management complexity, and network observability platforms could also increase visibility across the inevitably heterogeneous environments.”