After being canceled in 2021 and postponed numerous months this year, the 2022 edition of the RSA Conference (RSAC) finally went into the books last week. Perhaps throwing a bit of caution to the wind–we are still in a pandemic after all–I met with nearly 40 vendors, 23 of them consisting of at least a 30-minute conversation and sometimes a couple of hours. In this blog, I summarize three takeaways from my week at RSAC 2022.
-
Buzzwords starting with ‘S’ keep coming: SWG, SD-WAN, SASE, and now SSE
The industry likes buzzwords that start with ‘S’ for whatever reason. The first ‘S’ came some twenty years ago with the arrival of SWG (Secure Web Gateway). Then came the second, SD-WAN, around a dozen years ago. After that, things were quiet until three years ago, when the third, SASE (Secure Access Service Edge), arrived. And the most recent, SSE (Security Service Edge), emerged last year and was in full view at RSAC 2022.
So why SSE? I blame the pandemic.
The pandemic caused an explosion in remote work that exposed severe inadequacies in enterprise IT networks to handle large numbers of remote workers. Fortunately, a crop of vendors–most with a SWG pedigree–were poised to help with their cloud-based security that was ideal for remote work. But SWG was a twenty-year-old marketing term and no longer cool. So instead, vendors wrapped themselves in the SASE mantel.
Confusion ensued since there were competing narratives by networking vendors, who ironically were primarily SD-WAN vendors and tended to remain more faithful to the original SASE premise of network and security convergence. So instead of picking sides, the industry created a new term, SSE, to let security vendors distinguish themselves. So yes, today’s emerging SSE vendors are, in many instances, yesterday’s SWG vendors. What’s different about SSE than prior SaaS-based SWGs is that now multiple security functions run in the cloud, such as CASB (Cloud Access Security Broker), ZTNA (Zero Trust Network Architecture), and FWaaS (Firewall-as-a-Service).
At RSAC, there wasn’t much talk about SD-WAN, but there was about SASE and SSE. It was humorous to hear certain security vendors sometimes use SASE and SSE in the same sentence as if they were freely interchangeable. On the one hand, they were trying hard to check off all the buzzwords, but on the other, a clear symptom of immature markets.
- Traditional Network Vendors Double Down and Get More SASE
Two stalwarts of the enterprise networking landscape, Cisco and Juniper, introduced updates to their SASE portfolio.
Cisco has had all the pieces to deploy SASE for some time, but there was no substantive integration. At RSAC, they introduced a new strategy to build a tighter integration between the Cisco SD-WAN and SSE (Umbrella) houses through a new unified manager based on the Meraki cloud management platform. Moreover, Cisco intends to sell everything, whether the cloud service or the hardware, as a subscription.
Meanwhile, Juniper has improved its recently introduced cloud-based security platform, Secure Edge. At RSAC, they announced the addition of CASB and DLP (Data Loss Prevention) services to Secure Edge. Like Cisco’s management approach, they also have a unified manager, Security Director, spanning SRX firewall elements and the cloud-based Secure Edge.
Both Cisco and Juniper are taking an interesting approach to SASE. It’s not all in the cloud since the networking/SD-WAN piece is still effectively on-prem, but nor is it disaggregated bag of parts. They’ve provided me with a lot of food for thought that I plan to infuse into my upcoming SASE research.
- Cloud Workload Security Remains a Smorgasbord
Over the last half-year, I’ve been meeting with vendors large and small to understand what cloud workload security, i.e., securing apps/workloads moving to a cloud architecture, means to them. From the onset, things have been cloudy (no pun intended).
On the one hand, we can all agree that the enterprise shift to the cloud is a significant change in IT architecture. The challenges, nuances, and caveats that must be dealt with during the journey from a traditional on-prem legacy app enterprise to a cloud-based, cloud-native app enterprise are significant. It’s a problem-rich environment that has given rise to dozens, if not hundreds, of security vendors.
On the other hand, the marketing most cloud-focused vendors use to describe themselves is on the verge of hyperbole. But it makes some sense why this is. Considering there are so many problems and challenges to solve, there isn’t any one company that solves them all or even close. So in a landscape that still requires many technologies from many vendors to solve most cloud problems, what does an individual vendor need to stand out? That answer is that they lean heavily on marketing and make it seem like they cover more than they do.
At RSAC, I met with a handful of cloud-focused security vendors, which only reinforced my conviction that it is a smorgasbord of products and overly creative marketing and far from being a single product or even a handful of solutions. Some vendors focus on threat detection. Some focus on risk and compliance. Others focus on the identity implications. Others seek to protect container communication. It’s a literal zoo of vendors. However, in this zoo of vendors, there are some emerging delineations.
Give me any cloud-focused vendor, and I’m pretty sure they’ll fit into one of three significant buckets, code security (coding/build security), IaaS/PaaS platform security (ensuring the runtime platform is as secure as possible), and app/container security (runtime security). I’ll be delving deeper into cloud workload security in an upcoming advanced research report. Stay tuned.
While not a numbered takeaway, my parting thought is that after two years of working exclusively via video conference, I’ve concluded that it doesn’t replace face-to-face meetings. There’s a quality and richness that face-to-face brings that current video conference technology fails to replicate. As such, I look forward to upcoming opportunities to engage the security community in person and the next RSAC in April 2023.
