SASE: How Lumen is enabling hybrid remote working

The pandemic exposed the need for a secure flexible network that better supports remote/hybrid workers. This accelerated the Secure Access Service Edge (SASE) market. This article explores SASE and the benefits Lumen can bring to your organisation.

Why do we need SASE?

Public cloud and SaaS services are already having a profound effect on network architecture. As the amount of application traffic served over the internet has increased, many organisations have questioned whether an internet-first network strategy would support adequate security in addition to the cost optimisation. Gartner predicts that by 2025, 40% of enterprise sites will have only internet transport[1] and SASE is the key enabler.

An Internet-first approach gives enterprises the ability to access public cloud applications directly which can be much more efficient, especially for remote workers, but data security and privacy compliance are compromised.  Older infrastructures, such as MPLS IPVPNs with a central internet breakout, were not designed to support a highly variable number of remote workers but had the benefits of in-line security and compliance.

When SD-WANs with internet transport came onto the scene, they helped to enable hybrid networking and maximised RoI for secondary access circuits by using them in active-active mode. Trusted internet-delivered applications could also break out locally at the branch. While this has significantly improved performance for office workers, the solution was somewhat incomplete for remote workers.

Where does SASE come in?

SASE allows the enterprise to adopt an efficient Internet-first approach, support remote/hybrid workers, maintain data/security compliance and flex as the cloud journey continues.

The visibility and control, that’s essential for compliance, coupled with agility and end-user experience is what SASE is about. Let me illustrate with one simple example. For an all-hands Zoom meeting during lockdown, the meeting admin asked everyone at home to drop their VPN connections to avoid a catastrophic end-user experience. IT didn’t have control of what applications to trust! It was down to the remote end-users to use the VPN connection where they saw fit. With a SASE model, that VPN client would be configured to trust particular public cloud applications for direct access over the Internet and the visibility and control would be handed back to IT in order to preserve data compliance. Zero-Trust networking is a corner stone of SASE.

SASE was designed to meet the demands of a modern cloud-enabled enterprise. This architectural framework is founded on five key technologies: SD-WAN, Firewall as a Service (FWaaS), Cloud Access Security Broker (CASB), Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA).

Unlike pure SD-WAN, SASE has security built into the SD-WAN fabric, rather than statically added onto the side, offering a far more secure basis for Working From Anywhere (WFA).

Work From Anywhere using ZTNA

ZTNA allows remote users to securely access internal applications and trusted public cloud applications. Unlike traditional remote access VPNs, which offer complete access to a corporate network, ZTNA solutions permit granular policies to be applied, so the user can only access services that they have explicitly been granted access to. The security admin can determine and configure what applications can locally breakout over the Internet to bypass the corporate in-line SWG. IT takes back visibility and control, and compliance is restored.

Secure Web Gateway (SWG)

These are cloud-based centralised Internet breakout points that support Intrusion prevention and malware protection for a range of Internet traffic types including the encrypted traffic from SSL/HTTPS. They tend to be delivered from a SASE cloud gateway that can perform other SD-WAN & Security functions.

What does Lumen’s SASE offer look like?

The Lumen platform provides a robust foundation for SASE. It is based on Versa’s SASE offering with Versa SD-WAN with Versa Secure Access (VSA) for remote user ZTNA access and Versa Secure Web Gateway (SWG). It’s aimed at international enterprises that are increasingly embracing public cloud services and WFA (Work From Anywhere)

What differentiates our solution?

  • We have built the technology into Lumen’s Edge Cloud platform. The SASE cloud gateways are therefore part of the customer’s WAN. This avoids the need for static legacy-type tunnels built between the WAN and a third party SWG provider which minimises risks and complexity. This ensures that the whole network is orchestrated and under the performance management of the SD-WAN control plane.
  • VSA is our ZTNA solution for remote users. It allows organisations to decide which applications should route through the corporate WAN’s security, and which should route straight out onto the internet. This allows cloud-enabling security governance for remote workers to be put in place, without leaving the decision on when to use the VPN client to the end user.
  • On-prem VPN concentrators are not required unless the organisation specifically needs a SASE node on-prem (in which case, it can connect to and leverage the organisation’s own security stack).
  • Lumen has the largest, most deeply peered global Internet backbone that maximises performance at scale. It’s also diverse from our global MPLS backbone.
  • It’s evolved from a foundation of 250+ SD-WAN customers giving us the experience to deliver to expectation.

Lumen’s SASE roadmap

With 60% of organisations predicted to have SASE adoption strategies by 2025[2], we’re investing heavily in expanding our SASE solutions.

This investment is focused on five main areas:

  1. We’ve built 60+ Edge Compute PoPs mainly across US and Europe and we’re expanding elsewhere to create an Edge Cloud. This allows organisations to consume compute and storage solutions on demand, such as ‘Bare Metal as a Service’ and ‘Virtual Machines as a Service’. These PoPs will also become the home of our platform-based networking and security solutions that leverage SDN & NFV. Customers will be able to turn up SASE gateway solutions (such as SD-WAN, SWG, vFirewalls etc) on demand within Lumen’s Edge Cloud.
  2. Our uCPE (the Lumen Edge Gateway) will be able to support our SASE on-prem elements on demand.
  3. We’re building a new systems stack allowing organisations to self-serve Lumen platform solutions on demand, or to work with the support of our sales team. In either case, services will provision in minutes instead of months.
  4. We’re be building solutions based on four leading vendors: Versa, Fortinet, VMware and Palo Alto.
  5. Building a new modular service wrap that allows the customer to manage their own network over our infrastructure all the way up to a fully managed service.

To summarise, we’re bringing new on-demand experiences to SASE and expanding our vendor options.


[1] Magic Quadrant for Network Services, Global, 2 March 2021, Gartner  — this reference be updated to Feb 2022 as it appears in the 2022 MQ

[2] Gartner Says that SASE will grow at 36% CAGR over the next 5 years, 27th July 2021, Gartner