When people think of virtualization and IT, most of them also think of VMware. So, it’s no surprise that network professionals planning to virtualize their networks include VMware on their list of vendors.
VMware has stitched together a broad Secure Access Service Edge (SASE) offering that ticks all the right boxes. Does that then make VMware the SASE answer to enterprise networking and security challenges? Let’s find out.
What is SASE?
As we’ve discussed in previous articles, SASE represents the convergence of networking and security capabilities. Ideally, it’s delivered as a cloud-native service rather than through the edge appliances that are common in IT.
While SASE encompasses about a dozen security capabilities, the focus is less on a feature-by-feature comparison and more about reducing complexity through integration. This integration enables IT to deliver consistent, accurate and high-performance security and connectivity to users globally with minimal administration and overhead.
It’s that last part that’s so important — minimal administration and overhead. The capabilities SASE vendors provide are nothing new. We’ve long had firewalls, cloud access security brokers (CASBs) and the rest of the lot. What is new is the convergence of those technologies into a global, cloud-delivered service architecture. Those changes make for a revolutionary approach in the way SASE connects and secures the enterprise.
Components of VMware SASE Platform
VMware documentation describes VMware SASE Platform as a cloud-native platform that brings together cloud networking and cloud security “to deliver flexibility, agility, protection and scale for enterprises of all sizes.” The company says it’s unique in how its points of presence (PoPs) act as an on-ramp to SaaS and other cloud services.
Several VMware products comprise the VMware SASE Platform. To connect into VMware SASE, sites run VMware software-defined WAN (SD-WAN) edge devices; remote users connect through VMware Workspace ONE. VMware claims both options comply with zero-trust network access (ZTNA) principles.
The VMware SASE PoP strategy includes the following components:
- VMware Secure Access enables ZTNA-based access.
- VMware SD-WAN Gateway provides cloud access. VMware claims more than 3,000 cloud gateways are available in hundreds of PoPs worldwide.
- VMware Cloud Web Security integrates secure web gateway (SWG), CASB, data loss prevention (DLP), URL filtering and remote browser isolation (RBI).
- VMware NSX Cloud Firewall provides next-generation firewall (NGFW), intrusion prevention systems and intrusion detection systems.
In addition to VMware SASE Platform, the vendor offers VMware Edge Network Intelligence, which uses AI for IT operations to provide end-to-end visibility from the WAN to the branch and LAN.
VMware analysis
As with Palo Alto Networks’ SASE, the VMware SASE Platform appears to check the right boxes required to be a SASE platform. Yes, it has SD-WAN, and its secure access complies with ZTNA. It also offers NGFW, SWG, CASB, DLP and RBI. The company’s gateways are an important asset in bringing SD-WAN traffic closer to an organization’s cloud instances.
However, VMware’s SASE offering feels rushed to market, a set of discrete products grouped under a SASE brand. SD-WAN comes from the VeloCloud acquisition; mobile access management from AirWatch; and security from Carbon Black and Menlo Security. The cloud-hosted components are point services service-chained together. Each product requires its own management portal.
The PoPs touted by VMware are vastly different from what we’ve seen from Cato Networks or Aryaka, where PoPs comprise a global private backbone that could replace an organization’s WAN. To replace a WAN with VMware, enterprises need to bring in a third-party backbone provider, which leads to even more complexity. Nor do all the VMware PoPs deliver the same set of SASE capabilities, adding further complexity to the network.
In short, VMware’s SASE carries over much of the complexity and cost of the buying approach that has long complicated IT.
Lots of features but not a lot of SASE
VMware SASE certainly provides many capabilities. And if enterprises were happy with discrete appliances beforehand, they’ll be familiar with the appliance-centric approach VMware offers.
Those enterprises expecting something new are likely to be disappointed. VMware is more like a custom product integration than a single SASE platform, and the degree of integration is key.
SASE’s innovation was never in defining new capabilities; it has always been the promise that through tight integration of capabilities and moving them to the cloud, IT would evolve. Sadly, that promise is still missing in VMware SASE.