Usually presentations end with lessons learned. I start this session with lessons learned. The one thing that I learned today is never, never do a presentation on the topic after having Martin and El talk about it before. So nevertheless, I try it. My task for this 30-minute talk was to give guidance, to give support, to give help on the topic of SASE and how to implement that and give a quick start recommendation how to do that properly. That was my task.
Martin said that York has these ideas to give presentations that are more visionary, et cetera, or really closer to the actual questions that people have as of now. And I hope I can support you. So it's a quick start recommendation. So let's start with that. My agenda for today, very quickly. I want to talk about SASE in a nutshell. You know all of that, especially after having L me talk about that. Nevertheless, I give a three-slide explanation of what I consider to be SASE.
Then we will have this use case based approach that Martin mentioned several times, then putting SASE into your context. So really helping you in understanding where it could help, where it does not make any sense. And finally, some tactics, strategy and integration aspects as an outlook of how to continue with SASE after the quick start.
So, and if there are any questions, please interrupt me. Just let me know. So first of all, laying the foundation, explaining what SASE is.
Of course, it's the term coined by the G company, but nevertheless, it's something that we need to take care of because it's important. And it plays an important role for many organizations. So laying the foundation: SASE in a nutshell. So what we consider to be SASE, it's the combination of cloud networking, so cloud-based, cloud-delivered networking, and cloud-delivered security. So you have a cable and you have the security on the cable. And that cable is virtual. That is what you're looking at. It's software-defined networking, cloud networking, plus cloud-delivered security.
And you connect everything that you have, potentially everything that you have, to this infrastructure consisting of networking and security. These would be all users. And when I say all users, I mean all users, all the things that we mentioned before, not just the carbon-based life forms that are in this room, but all the items that could connect, the devices, and we connect them from every location where they might be.
That's the idea: having this virtual cable plus the security, and the areas where they could come from ranging from the branch office, or actually inside the castle, and at home, somewhere in the cloud, OT environments, the edge. So somewhere disconnected or loosely connected areas. Everything is connected to this SASE service. And it comes with the promise of being widely available and providing uniform access to these resources, no matter where they are. That's the promise. This is what the vendors tell you. Maybe they're right.
We have integrated security controls because it's in the middle of the picture. And this is the biggest promise. It's actually some kind of infinitely scalable. This is the promise of SASE, where it comes. So you have something that is a network security connect things, the typical capabilities also what is in this SASE solution.
I boiled it down together with John, who's just actually writing a Leadership Compass on that topic. So we made sure that we talk the same language here. First of all, it's the networking, like in the picture before. So we have something like software-defined wide area network, plus WAN optimization.
That's the networking part. And we add security components. And these are a few examples of those, but you add everything that is needed to secure the communication on that network in transit, and make sure that you have secure entry points and secure exit points. So that's the idea for that. So you add something like a secure web gateway. You add something like zero trust network access to gate into the system. So you make sure that you can combine that and have a proper solution for securing it, ideally end to end. It's part of the promise.
And usually when you go to the vendors out there, we had a presentation yesterday by vendors, and today as well, regarding SASE solutions. You need to make sure that you check what's actually in the box. And they add unified management. And that is also a big promise. You manage everything, every connection from everything to every resource, with a unified management. So this is a large promise, but the offerings vary substantially. Just make sure that you check what's in the box. So what are the perceived benefits?
What is the message that the vendors tell you? Of course, all of this and more, and we go quickly through that. They tell you, you have network shortcomings, you can overcome them. So scalability, performance, networking shortcomings, think of mid-March last year. I don't mention the C word. You need to make sure that there is access at the right time to the right resources. You may have security shortcomings, and you want to get rid of them: better insight, policy enforcement. Efficiency shortcomings: onboarding, onboarding of users, partners, applications.
That is the promise. Of course, when you have all that, you can improve the user experience because things are faster. Things just work. You have new access methods to things that are around there. You might improve IT operations. Skills gap, mentioned many times before. Maybe you can delegate that to somebody who does it for you. And maybe you have some, and you've mentioned that as well in the talk by L and by Martin, the too many tools thing. Maybe we can replace many point solutions with one bigger solution. Bridge
the skills gap, mentioned that. Move to cloud native architectures, away from this homegrown, somehow built and evolving architecture. And finally leading maybe to this cost effectiveness. That of course is a promise that everybody of us likes to hear: getting better service with less money.
That's the SASE in a nutshell approach. So just to have a common understanding of what I think SASE is. And now let's get to that quick start that York asked me to explain, and how to help you to get to that quick start and how to start and how not to. The idea is not to save the whole world, the whole enterprise in one take. Just address the actual challenges. That would be enough. And how do you address actual challenges? You take the, Martin mentioned it, use case based approach. So not "SASE is cool, I want to have it."
Of course, nobody would really say that, but some think that. So "I want to have a SASE project to be up to date": no. "I want to move my security into the cloud" without a proper use case does not work. And "I want to improve security by adding, changing, replacing a new tool, technology" does not make any sense. But solve problems: identify the stakeholders that do have problems, issues, challenges, missing solutions. Talk to your stakeholders, achieve benefits for the organization, for the end users, for the business, achieve something, get to something tangible, solve existing issues.
And these issues could arise from many different sources. That could be compliance, because you don't have proper insights. So you need something that provides the proper insight. You want to get more efficient, the onboarding part I've mentioned. Maybe you really want to and can reduce cost because your old T1 and old, privately leased lines are really expensive. You want to get rid of them. That might be an issue.
Scalability, of course: 15th of March last year, not enough VPN entry points could be enough to make a good decision towards SD-WAN and SASE. And agility, because this architecture, software defined, might be the solution for getting to solutions much more quickly. So we, we have not, we have buts, and we really need to understand whether you are in the right organization to have such approach, or if there are better ones to compare this with. I'm focusing on the SASE aspect. So I won't dive, like E, I won't dive into zero trust architecture.
I don't want to dive into other aspects, but you have to keep them in mind because these are the competitors in the space. Be clear beforehand. That's the second part. That's the second part of the end, whether you are choosing a tactical solution to solve an immediate problem, which has an end date and might be replaced by a more modern different approach, or it is really a strategy to move towards SASE for the good and any other aspect as well. So that would be the starting point, finding the right use cases. How do you find the right use cases? Don't be afraid. I don't read that out.
So, but the headlines are the important ones. What are use cases when you really want to achieve something? And if you look at the headlines, there might be use cases where SASE could really help. Enable access: think of somebody sitting in a branch office, wanting to have direct access to an edge device, get the data from there, critical data secured through a cable, virtually secured on the cable via the actual security measures that come with it. That might be a solution to solve a problem to solve with it. Increased performance.
Maybe we really can speed things up by not backhauling security to your data center, and then getting out again to the internet or to a solution that is somewhere else. That might help. Distributed inspection, not inspection in the data center with these huge firewalls and network filters. Maybe Martin will beat me for that. Maybe direct access to SaaS solutions without going through the public internet, but really going through the SD-WAN, that might be a use case, but you need to make sure that you understand what that means. Improve security and compliance.
I've mentioned that on the slide before. If your auditor tells you that you should have user behavior analytics, for reason ABC, you should find a solution. And maybe SASE is one of those. Secure web gateway, identifying unsanctioned access, unsanctioned traffic. Protect data and traffic: if you are an organization that says, this is crown jewel data traffic, and that must not go through the public internet, no matter which kind of encryption, then you need to have a solution for that. Then maybe SASE might be a solution, or you go back to T1. That might be the other problem.
Efficiency via automation. Protection of endpoints, cloud-delivered protection of endpoints as part of the SASE solution. That might be starting points. And once you have these use cases, then you can apply proper scrutiny to identify what makes sense for me. Does it pay off? Does it solve the problem, really? So let's look at some of these use cases quickly. How will this picture look like? To the left, we have the areas where users can be. This is just an example. The picture's far from being complete, but we have anywhere, we have home and we have branch office, HQ.
So the lower one being the one that is more or less still the castle and the moat example. One step to the right, we have exemplary users. We have customers, we have partners, we have things. We have actors, we have employees, we have devices, or maybe even agile IT being rolled out as part of this concept that Martin mentioned of bases and dream, to make sure that you really get to a proper agile delivery of services. To the right, we have the services that we want to connect to.
And that range from, to the top, the edge, the data center, still there, cloud IaaS, we have cloud SaaS, and we maybe even have the public internet, and to control the traffic there, that might be a use case. Make sure that you understand it properly. And in the middle, this picture has been shown before, we have the SASE solution. So first of all, the use case that might be connecting branch users to edge systems, is already in the headline. So what do you need? Maybe something like that. So you have the employee who is represented through his device and he's in the branch office.
And he wants to access this critical data, which is processed on the edge system. So you need to have some or more of these components. Don't ask me why this box is red and the others blue. These are examples, but you need to make sure that you paint the right picture for you. As part of this picture, when you do this assessment of your use case, you have the use case: is SASE the right solution? That would be one approach.
Next one, connect the partner employee with a corporate data center app. So somebody outside needs to have inside. So that might be a solution: put a proper agent for access to the SASE solution on the endpoint of the partner, and then make sure that you get to such a solution.
And again, we have the device, we have the partner. He's anywhere because you can't control the partner, and he or she will run through the SD-WAN with additional security measures, and he or she will have access to the data center app. Make sure that this solves the solution, find the right provider. Talk about money, talk about integration.
Next one, VPN upgrade, 15th of March, 2020. So you need to make sure that you have trusted remote access to all resources through a secure software-defined network. So that could look like this. So we have users actually at home, anywhere. You're quite sure where they are not. They're not in the branch office, because 15th of March. You have SD-WAN as the network component.
And you have many of the security components that are inside the SASE solution to connect to at least these three, maybe this as well, and maybe even to the internet, because you want to have sanctioned access to the internet. And if there is a, where is it?
The, oh, okay. Not even red. If you have a secure web gateway and you have a CASB, you can make sure that people understand that moving to P star hub is not allowed to go there. So via the sanctioned access that you provide via the SASE. Final use case: connect work from anywhere to infrastructure as a service. And that of course is critical access. So maybe it's something that is not even available on the public internet. It's the private cloud, as L E put it in her presentation.
So what you would have is that there is somebody who is somewhere, is an employee using a device, and then you can apply all these nice security features to get access to the crown jewel application that has been lifted and shifted to the infrastructure as a service solution. These are proper use cases, in my opinion, at least examples of those that you can use to understand whether SASE makes sense for you. And that is what I think makes sense for a quick start towards SASE. Putting SASE into your context. Why is this of importance?
I think one of the most important things to understand, and Annie has talked about that, and Martin and LHE talked about that in their discussion as well, is that you need to understand what SD-WAN is. In Germany, we have the same tine in nor insulation, old wine in new bottles. SD-WAN has been around for some time, and for many vendors, this is also a great opportunity to resell this old wine coupled with some security. But first the strengths and benefits. I don't read them all out. You all see them. I just want to pick a few of them. And I think one important thing is quality of service.
When you have an SD-WAN that provides quality of service, then you can keep your SLAs when they are required. They offer the potential for cost optimization, and you have, when done right, the flexibility and the agility that is required. Challenges and risks. First of all, I've asked John, is there a SASE without SD-WAN? And he said, no, no, I don't think so. And I don't think so either. So it's required for virtually any SASE deployment, and without these additional components that we had in the big box, there's no security on SD-WAN. No.
And then we have this macro perimeter, as LME put it. And I think that makes perfect sense to put that in that context. So you need more components to secure the SD-WAN. And we have talked about that.
Actually, one thing is missing on that list. You need to trust the vendor. You need to trust the service provider. Without the trust you need in the service, you can't do anything. And once you have that trust and you have chosen it, you have a commercial lock-in because they can change conditions, whatever they want. You have a technical lock-in because no one will change this whole policy framework that you created in this unified management of the five years. You have a single point of failure because this service is provided to you via points of presence, PoPs.
And at least you need to make sure that you understand that risk. You have a single point of attack that could be the unified management blowing up all the policies at a time. Great. That would be a good starting point for intrusion into a network. So what you should do in my opinion, and what we usually do in our advisory work, is that we take these use cases and we try to understand what that really means for an organization. So putting it into context for the individual organization. So I have these four use cases that I have just shown here, listed them here.
I have a matrix which says, okay, does this improve the network? Does this improve security? Does it increase efficiency? Because these were the promises that we talked about. Do we add functionality? And do we know something about cost effectiveness? Does it get cheaper and better? That's the idea. And we have four possible solutions: probably, because it's the plan, should work. We have maybe. I don't know, to be defined, let's find out when the actual solution is really implemented. And probably not. So we have this one, this one, this one, this one, and let's look at that.
And I did this exercise just in five minutes and to make sure to understand what the, yeah. I knew it. To make sure that I really understand that. And the important column actually is this one, the comments. You guess that it's red. So in the comment are all these things that you should think about that go beyond the benefits. So this is my evaluation. I don't walk through all of this, what you need to do when you start your quick start through this for your use cases to understand what really makes sense.
And if we look at what we want to achieve, let's take one of those, the VPN upgrade. Does it improve the network? Yes. Because people can access the information that they want to have access to. Does it improve security?
I said, yes, because I think SASE comes with the right solutions to achieve that. Does it increase efficiency? I don't know.
Maybe, maybe onboarding of new users is more efficient. Maybe not. Does it add functionality apart from that things work again? No.
And is it cost effective? Yeah. I don't know. Let's talk to the vendor. They will tell you. And the red column is the interesting one. First of all, you need to trust, you get to a lock-in, to a real tough lock-in, and you are connected to this availability topic.
When the SD-WAN, the SASE provider, is not available, you are not available actually. And that is again what Ellen said. And I did not know I laughed this macro perimeter thing. It manifests the castle and moat paradigm, but this time you put it into the SASE solution. There is the castle and you jump onto the castle with your environment.
And there are other approaches you should consider when thinking about that. Think of the zero trust approach as a modern alternative. We've talked about that, actually put it after the SASE solution, as the better approach. Think of cloud native solutions as a modern alternative. Maybe you don't want to have this way through this infrastructure in the middle and actually this a bit.
Yeah, let's stop it with that. Do this exercise for all the solutions. As you can see, there's a pattern here. There is no worry about cost effectiveness because this is what your purchasing department will do, not here. Added functionality, not that much, but that might be due to my chosen use cases. I admit, usually it's network improvement and security improvement, but that's the promise of SASE. Strategy and tactics, very quickly. I have six minutes left and lots of slides to go, but I think they're really helpful. Best practice considerations.
What do you need to think of? First of all, think about the adequacy for your organization, for individual organizations. There are more heterogeneous organizations. There are more these startup cloud first organizations, and the applicability of SASE will vary much, very, very much with the distinction between where you are on that scale. So the traditional heterogeneous organization might have use cases that are very easily to be fulfilled with a SASE solution. For startup cloud native organizations, there must be good reasons to go
SASE. Think of SASE being a combination of many services under one umbrella, and maybe this is not a solution that grew out of itself and has extended over time, but it's something that one vendor bought here and there and there, and somehow integrated that, and that will influence the applicability of SASE solutions in general. Understand that it's delivered as a service. That's not a product. And you need to make sure that you understand the vendor service provider as a partner to your team.
Otherwise, this thing will not work. I've mentioned that before, and having started deploying a SASE solution, welcome to the lock-in. You need to make sure that next time you have a problem, the SASE solution is the right solution because you've already paid for that. And that increases the lock-in. And that's to say, it's a slippery slope down to a SASE-only approach and the lock-in. And we need to understand that SASE is still an emerging market. We see the products around, but things are changing and maybe even change over time.
And so vendors and the provided services, of course, underlying market changes. I wouldn't promise that the SASE vendor X, Y, Z is available next year with the same offering. And it's your corporate network. Things to keep in mind: you need to think, and you need to be mature enough to think, in policies. Is the organization mature enough to do so? You have to answer that question for yourself. The teams will move together. They might even merge.
I mean, the teams within the organization, security and networking, and maybe across a larger organization with mother company and lots of branches and lots of brands and daughter companies, that might be an issue. That's this I've mentioned already: proper governance needs to be applied, and you need to make sure that you repurpose your staff because they won't do the actual lifting of the technical stuff. They do more management, more control, more supervision.
So going SASE, a checklist. Functionality: make sure that the solution that you look at at least is capable of fulfilling your today's and assumed future requirements. Make sure that they promise you that they can keep up with your requirements when it comes to SLAs.
Very important point number three is there are solutions within your architecture that won't go away. Make sure that they are properly integrated. That might start with the identity and access management, but because you won't replace that, does it play well with your identity and access management when they provide zero trust network access as part of the security features? Needs to be well understood. So, and that's exactly how we should look at it as well.
The macro perimeter: does this work well with your future architecture framework that you're looking in, and that might be zero trust. Does this play well? You need to understand that SASE is much more than just VPN from the cloud. That's very important. Is it a support or is it an obstacle? Almost final slide. When you go down that lane, you need to make sure that you have very clear defined checkpoints where you could start or stop or continue. Start with the strategy.
This asterisk means we can help you there. Get to a first tactical solution. That's the use case thing that I explained for many minutes right now. What needs to be accomplished first, do that as a test case. If you have identified the right test case, select a SASE platform supporting all expected business and security demands, and we can help there. Do a risk assessment. What does that really mean now that I know what's the product, what's the use case? What's the risk for that?
And if you understand that risk and you still want to continue, you need to make sure that you prepare your organization strategically, at least do the proper IT training and education, and then implement and integrate a limited, quick start use case through the test drive, maybe in a test environment, maybe really live. Develop ongoingly your strategy, end user training, education, because things will change. Your team will change. And if you still want to go SASE, then build upon that solution by solution and go down that slippery road. Final thought, I don't read it out.
We need to rethink it. Maybe SASE is a solution, but maybe not. Just make sure that you understand what you're doing. And as Annie explained, it comes with its pros and cons. And I hope that helps you in your quick start towards SASE or not. So that's it from my side. Thank you very much. If you have any questions, I would be happy to answer.