A Practical Guide to SASE Migration

September 28, 2023
Cloud, Data Protection

Chances are you’ve been hearing a lot about Secure Access Service Edge (known as SASE and pronounced sass-ee) — including from US Signal. That’s because, in both the IT and business world, it’s kind of a big deal.

With the digital transformation of businesses, security is moving to the cloud. That’s driving a need for converged services to reduce complexity, improve speed and agility, facilitate multi-cloud networking, and secure the new SD-WAN-enabled architecture.

That’s what SASE delivers. But how do you know when it’s time to migrate to SASE? How do you find the budget to do so? And what kind of planning is required to make the migration successful?

The following information, drawn from materials provided to us by our SASE provider and partner Cato, answers these and other questions regarding a SASE migration.

When Should You Migrate to SASE?

Migrating to SASE is a long-term project that requires thorough planning. The sooner you start, the better. The ideal time for actual migration would be before digital transformation. However, your organization can benefit whether the migration happens before, during, or after a digital transformation. But if you’re looking for signs that indicate it’s time to start planning your SASE migration, here are four to look for:

  • Lack of agility. Your current network isn’t flexible enough to adapt to business changes and future initiatives, such as supporting new cloud workloads, addressing the growing mobile workforce, and fostering quick branch expansions.
  • Cumbersome security. You’re getting overwhelmed by the heavily fragmented security solutions and find yourself having to install, manage, and maintain more and more products in order to secure new and existing sites, applications, data, and users.
  • Poor performance. Your employees are complaining about poor business application performance that affects their productivity. This is especially apparent with latency-sensitive applications, such as voice and video, and the situation only worsens for remote workers.
  • Limited visibility. You don’t have full visibility into your network, making it hard to control and manage application performance and security. Imagine having to figure out which QoS configuration needs to be adjusted without being able to see the root cause of a voice quality problem.

What it comes down to is: if your network can’t support business needs and growth plans, it’s time to migrate to SASE.

How Do You Fund a SASE Migration?

Most SASE vendors support a gradual migration process, during which a SASE platform can co-exist with legacy networks and security products until they’re fully retired. So when you’re considering current and upcoming spend on your existing legacy network, you’ll likely realize the budget for SASE already exists around these key events:

  • MPLS contract renewal. MPLS services are expensive, and even more so when bandwidth must be added. SASE, which includes a global private backbone and natively integrated SD-WAN, can augment and ultimately replace MPLS altogether. SD-WAN aggregates multiple high-capacity Internet links, providing a significant last-mile bandwidth increase over MPLS with built-in redundancy. Leveraging the private backbone for the middle mile guarantees network performance and availability to any enterprise, regardless of size and geographical distribution.
  • Security appliance refresh. Most network security spend is related to purchasing security appliances, such as NGFW, UTM, and IPS. As existing network security appliances reach their end-of-life, you can use their refresh budget for migrating your network security to SASE. Since SASE delivers all network security needs from a cloud service, you’ll no longer have to worry about appliance lifecycle management.
  • Budgeted business initiatives. Initiatives such as cloud migration, regulatory compliance, and M&A integration all come with a budget. Take an M&A integration project, for instance: The budget for aligning the different networks and security stacks into a single SASE platform can be rerouted to your SASE migration.

Don’t be concerned about the extent of the migration project. The right SASE vendor will facilitate your needs with a gradual plan catered to your budget and based on the pace of your business transformation.

What Goes Into Planning a SASE Migration?

Careful planning, including searching for the right vendor and solution, is essential for a successful migration. The following tips can help:

1. Eliminate SASE-wannabe vendors.

    Listing the available and relevant SASE vendors can be simple if you remain focused on what is and what isn’t SASE (see more on this below). This will immediately reduce the list to just a few valid vendors, saving you the time and effort associated with background research and screening processes. A real SASE vendor will include the following architectural capabilities as part of its offering:

    • Convergence: SASE delivers multiple, distinct network and security services, including SD-WAN, SWG, CASB, SDP/ZTNA, DNS protection, and FWaaS, all from a single, unified software stack with single-pass processing. Packets need to be decrypted only once for all inspection and routing operations, guaranteeing optimal performance and efficiency.
    • Cloud-native architecture: The SASE architecture leverages key cloud capabilities, including elasticity, adaptability, self-healing, and self-maintenance. This provides a platform that is highly efficient, always available, and easily adapts to emerging business requirements.
    • Support for all edges: SASE creates one network for all company resources: data centers, branch offices, cloud resources, and remote users. For example, SD-WAN appliances support physical edges, while mobile clients and clientless browser access connect users on the go.
    • Globally distributed PoPs: To ensure the full networking and security capabilities are available everywhere and deliver the best possible experience to all edges, SASE PoPs must be globally distributed, expanding their footprint to deliver a low-latency service to enterprise edges.

2. Make sure your SASE doesn’t require additional products.

    Verify that the vendor can replace point products like MPLS, SD-WAN, and VPN with its SASE platform. Pay attention to security players who claim to have a SASE offering but refer you to a different vendor to buy SD-WAN alongside their SASE. Beware of networking players offering another vendor’s security solution. A true SASE platform delivers SD-WAN and network security that is natively integrated.

    In addition, make sure the SASE platform incorporates these capabilities:

    • Global private backbone to guarantee network performance and availability to all geographies.
    • Built-in WAN optimization for maximizing throughput and application performance.
    • Cloud optimization for connecting cloud resources efficiently and securely.
    • Advanced threat prevention for protecting against known/unknown network attacks and malware.
    • Flexible management models for having the option to manage everything (not just analytics or read-only rights) on your own.

3. Set up a SASE proof of concept (PoC).

    A PoC is the ideal way to ensure your vendor of choice will deliver on the promise of SASE. Verify that the PoC covers both SD-WAN and security capabilities and that all are provided by a single vendor and managed from a single pane of glass. Make sure you’re getting a natively converged solution and not multiple applications and an orchestration layer.

What Do You Do Next?

Clearly, a SASE migration isn’t something to jump into — at least if you want it to be successful and generate the benefits you expect. Do your research. Learn about the various SASE vendors and the solutions they offer. Make US Signal one of them.

Our team of experts can help you determine whether SASE is right for you now or in the future, whether you should first adopt SD-WAN, or whether some other solution is appropriate.

Check our Resources section frequently as well, as we’ll be adding numerous materials on both SASE and SD-WAN.