jolefebv
Newcomer I

SASE Solutions redundancy

Hello dear community! 

 

We are currently building a new network architecture. We would like to connect remote offices and roaming users directly to the cloud in order to decentralize the firewall/webproxy for internet connectivity in the branches.

 

However, one question that I struggle to answer is the following. When choosing a SASE solution, how do you handle resiliency? What can we do if one of the companies providing this service has issues or the service provider simply goes bankrupt?

As those solutions can be quite expensive, having two of them might not be that easy, and having on-premise equipment and backhauling everything back to the data center defeats the purpose a bit...

 

Any advice?

Kind regards,

J.

7 Replies
luisantonio
Newcomer I

Kind of vendor lock-out.
In this case, my source is Gartner. Those at the top are consolidated and will not let you down.
We were trying a product with success a few months ago. If you are interested in the results please let me know.

Luis. Security Engineer. IT Manager.
jolefebv
Newcomer I

Hi Luis,

It's my first time working with SASE providers. The vendor lock-out is always a bit scary. Is there a notice period in the contract you are getting? For example: "in case of closure, the service will be maintained for a period of X months". Is there any SLA that these companies usually provide for service availability? Any idea what is typical?

Thanks for taking the time to reply, highly appreciate it 🙂
tmekelburg1
Community Champion

If you go with the top providers as @luisantonio stated, e.g., Cloudflare, Akamai, Cisco, etc., the risk of the business going under or not providing the SASE service anymore is very low to non-existent if you were to map this into a risk register. The more likely scenario is the service going down due to a misconfiguration, which happens. 

 

If you're super paranoid you can always check out their past SEC filings on financial stability/growth.  

sergeling
Contributor I

Aside from the budget/money concern, is it even possible to be running 2 SASE solutions together? I think the endpoint would be confused about where to route/send traffic.

 

Major SASE providers usually have several data centers at different locations, so if one region suffers difficulties, it will fall to another data center to provide resiliency.

jolefebv
Newcomer I

Yes, this is one of my concerns. As they usually work by installing roaming clients, it's not clear if having two of them will be possible. This, and the extra work to maintain identical configuration on two separate systems (manual, as it would be different vendors).

 

Caute_cautim
Community Champion

@jolefebv I think you have to ask very critical questions of your chosen providers from the outset. SASE is a great term at the moment, and many are actually jumping on the bandwagon with both feet, with SASE-like features. Gartner is a good place to check the top providers, but review the SASE construct itself very carefully. What do you need to prepare for such a construct within your organisation? One vendor will tell you that you have to go with them entirely to be successful, but ask questions about standards, interoperability and integration issues: how they all fit together, or will they fall apart when it all comes together. Plus, many high-end providers with good pedigree have their own private backbones, or for instance partner up with Google to ensure high-speed links are guaranteed, so that latency and performance issues are a thing of the past.

 

Do your own due diligence, and ask those awkward questions: how often does your backbone fail, how quickly will it recover, and will it have an impact on my organisation's ability to deliver services?

 

But above all dig deep, and understand the SASE architecture, and the technology behind it - do not get sidelined by great marketing, dig deeper and make good decisions.

 

Regards

 

Caute_Cautim

sergeling
Contributor I

Managing two solutions would be difficult, if even possible. As you mentioned, these solutions often require a roaming client, and I believe the endpoint would be confused as to where to send the traffic. Unless you want to keep one SASE solution passive/disabled and only activate/enable it when the primary SASE solution fails.

 

Maybe it's more feasible to have a non-SASE solution as backup to continue providing (limited?) access. During normal operation it is disabled, but when the SASE solution fails you activate/enable it for temporary access until the issue is resolved. The challenge is of course to secure it properly and train users on how to use the backup method.