12 Questions You Should Ask a SASE Provider
In the first half of our SASE series, we addressed some of the basics of the SASE framework – what it is, who it’s designed for, and some common misconceptions about what SASE does and doesn’t do. In the second half of this series, we’ll get down to brass tacks and look at the implementation side of SASE, beginning with a list of qualifying questions to ask a potential SASE vendor. Consider using the following 12 questions as part of your SASE vendor evaluation process.
1. What does a successful SASE deployment look like?
While each SASE implementation is unique to the business it serves, at a minimum, a successful SASE deployment should significantly enhance the performance and protection of enterprise applications, while simultaneously simplifying the work needed to manage them. That said, the definition of a successful SASE deployment might look very different depending on the specific use case. The right vendor should be able to provide examples of successful client implementations, help you define the metrics and KPIs that you can use to benchmark progress, and provide guidance in terms of integrating SASE into your team’s standard operational practices.
2. What SASE use cases does your solution address?
As we outlined in the third blog post in this series, SASE: Defining Traits & Common Use Cases, SASE can address a wide spectrum of use cases, ranging from VPN replacement to edge computing and IoT. It’s important not only to understand and prioritize the use cases that are most relevant to your own business, but also to make sure that the vendors you are evaluating have a proven ability to execute on your specific use cases.
3. Was your cloud platform built natively from the ground up or did you port security appliances/software to the cloud?
It’s important to fully understand how a vendor’s cloud platform was initially built as it will have a direct bearing on their ability to efficiently manage and troubleshoot it. For instance, is the solution designed to be run natively in the cloud or is it simply a virtualized firewall running in a third-party cloud? A cloud-native network design is intrinsically more efficient, delivering improved network quality at lower costs – benefits that cannot be realized by merely porting software or hosting an appliance in the cloud.
4. How does your networking infrastructure support efficient data flow across the cloud and through to the network edge?
As the nature of work evolves from a central corporate office to an increasingly decentralized work-from-anywhere model, applications and the data they house must be able to flow seamlessly and securely across the cloud and out through to the network edge. A mature SASE provider should be able to demonstrate that they are capable of efficiently routing traffic without introducing unnecessary latency that degrades performance.
5. How does your solution handle integrations with third-party tools such as SIEM, SOAR and EDR?
Because of the growing volume of advanced security threats and malicious threat actors, most enterprise security teams rely on a mix of Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and Endpoint Detection and Response (EDR) tools to monitor their network and respond to threats. A robust SASE solution should be able to leverage these threat intelligence sources, and the provider should be able to demonstrate the ease with which these tools integrate into their platform.
6. How large is your partner ecosystem and how does it support native capabilities?
Many vendors will use the term SASE to describe a solution that delivers some SASE benefits. It should also be noted that no single vendor can deliver the full scale of SASE capabilities, which is why you should ask questions to gauge the scope of a SASE provider’s partner ecosystem. Beyond the sheer number of partners they have, it’s also important to understand the specific technical gaps these partners fill relative to the organization’s needs, the nature of the partnership itself, and whether they can support cloud-native capabilities to support future growth.
7. What capabilities of a next-generation Secure Web Gateway (SWG) do you support as part of your SASE architecture (e.g., adaptive access control, data protection, third-party risk)?
Next-generation SWGs are designed to meet the many and varied security challenges of today’s cloud-first world and are an integral component of a mature SASE solution. Among other things, a credible SASE provider should be able to detail how their SWG addresses advanced threat protection, how it enables visibility and policy control, and how it inspects encrypted traffic.
8. Do you manage and optimize the entire cloud infrastructure, from the first through to the last mile?
Many vendors rely on an assortment of third-party partners to support and manage their own cloud infrastructure. While this is common, each of these external parties represents an additional layer of integration that can complicate troubleshooting when issues arise. Therefore, it’s essential to gain a holistic understanding of a SASE provider’s cloud infrastructure and what tools and processes they use to help ensure network resiliency and performance.
9. How many PoPs do you operate and how do you help ensure they all provide a consistent level of service?
The edge of SASE relies upon a globally distributed network fabric composed of a set of cloud gateways, or Points of Presence (PoPs). These PoPs are either owned and operated by the SASE vendor itself, or the vendor partners with a public cloud provider and uses that provider’s PoPs. The more PoPs a SASE provider owns and operates, the more likely it is that they will be able to provide assurance related to performance, and the faster they will be able to remediate issues.
10. How has ZTNA been implemented within your solution? Do you rely on third-party products, or did you build your own ZTNA capabilities?
Zero Trust Network Access (ZTNA), which extends the principle of least privilege access across the network, represents one of the key pillars of SASE. A potential SASE provider should be able to demonstrate how they have implemented ZTNA and how it will enable you to configure application-specific access based on user identities for cloud, mobile, and on-premises users and resources.
11. How do you connect all edge endpoints into your SASE solution?
A SASE platform, via its secure web gateways and the branch customer provided equipment (CPEs), connects all corporate edge points, enabling secure access for remote workers, IoT devices and branch offices. Understanding exactly how all these edge endpoints are connected within a SASE solution matters (for instance, traffic backhauled to a corporate LAN and then out to the Internet can add unnecessary latency).
12. Do you have a service management portal and what does it look like? How does the service portal enable orchestration of service provisioning?
The service management portal functions as the user interface and is what your team will use on a day-to-day basis to manage the SASE solution. Does the portal have an intuitive and easy-to-use interface, or does it require a certain level of training? Ask for a demo of the service portal and have the SASE vendor show you how to provision and orchestrate services from within the portal.
In our next SASE series post, we’ll dive into some of the key considerations for a successful SASE implementation.
©2021 Lumen Technologies. All Rights Reserved.