Those who have migrated on-prem VPN to SASE solution, what vendor do you use, how was the migration, and what is your current experience?

My company currently uses on-prem Cisco ASAs and AnyConnect for our remote access VPN solution. We split-tunnel traffic, so only data center bound traffic traverses into the data center. Doing this makes sense in an increasingly SaaS based world, but it has had huge implications for our visibility and security posture.

A while ago, we had a proactive penetration test, in which after gaining initial access, the tester was able to stand up C2 tunnels on remote endpoints. Besides EDR failing to detect it, we NEVER even had a chance to see this C2 traffic, as it never traversed into the data center, and through our network detection platform, or any other tools. That's when we realized what a huge visibility gap this is. The only issue is, despite how hard we try, we cannot get buy in to end split tunneling (makes sense why, for reasons I mentioned earlier).

I have told management if we want to address this we need to look into a SASE solution, as we can avoid owning the infrastructure and having to tunnel traffic in through our own hardware, but still get visibility and security on all internet bound traffic from remote endpoints. They are not a huge fan of this idea. They are weary of not owning the infrastructure, and even more so are in the boat of "do not want to pay for something more expensive when what we have now "works"". Regardless, I have had vendor talks regarding Palo Prisma Access, ZScaler ZIA/ZPA, and Cato Networks. All SASE solutions.

So, who here has migrated from an on-prem VPN solution to a SASE one? What was your experience? Do you think it is the proper move? Will everyone end up there eventually? And finally, when everything was implemented and operational, did the costs align with what you expected, or were there any surprise costs? submitted by /u/tjobarow
[link] [comments]


http://dlvr.it/T6KlMv