Americas

  • United States
Maria Korolov
Contributing writer

Who’s selling SASE and what do you get?

Feature
Apr 07, 202213 mins
Access ControlEnterprise Buyer’s GuidesNetworking

SASE rolls networking and security into a cloud service, making it easier for enterprises to provide simple, secure access to corporate resources. Many vendors offer SASE services, but what they actually provide and how they provide it varies widely.

10 cloud security breach virtualization wireless
Credit: Getty Images

Demand for secure access service edge (SASE) has grown tremendously during the pandemic. As adoption picks up, vendors are promising feature-rich and integrated SASE solutions. Customers have different needs when it comes to SASE, however, and it’s not always easy to understand what a SASE provider is offering.

As an approach, SASE combines networking and security into a scalable cloud service that fits with the remote and hybrid work models companies use today. Potential benefits include easier network and security management, flexibility to scale up or down as business needs require, and lower costs.

Functionally, the five main pillars of SASE are SD-WAN, firewall-as-a-service (FWaaS), secure web gateway (SWG), cloud access security broker (CASB), and zero trust network access (ZTNA).

Many SASE vendors don’t yet have the full stack of features, and some partner with other companies to fill the gaps.

The SASE vendor-selection process is complicated further by the fact that vendors are differentiating themselves by promising additional capabilities such as remote browser isolation, data loss prevention, AI and machine-learning integration to automate IT functions, self-healing for improved operational efficiency, and IoT security.

Given the wide range of SASE capabilities, some industry watchers are predicting SASE adoption paths will prioritize either networking or security functions, depending on an enterprise’s most pressing requirements.

According to Gartner, instead of using multiple vendors to get cloud-delivered SWG, CASB, ZTNA, and FWaaS, 30% of enterprises will use a single vendor by 2024, up from less than 5% in 2020.

The security side of SASE, which includes CASB, SWG, and ZTNA, has seen the most adoption lately, since that’s the biggest pain point for many enterprises. As a result, Gartner has split security out into its own category, which it calls security service edge (SSE).

The research firm expects to see SSE bundles gain in enterprise interest. For example, by 2025, instead of choosing a dedicated vendor for ZTNA, 70% of organizations will choose an SSE provider instead, says Gartner, up from 20% in 2021.

The transition to get the full SASE stack from a single vendor will take longer, says Charlie Winckless, senior research director at Gartner.

“I think that SSE is growing extremely fast as organizations try to tackle employees that are now everywhere – and nobody wants to bring everything back to a data center and then push it back out to the cloud again,” Winckless says. “We really see the SSE market converting to a market much faster than the overall SASE.”

Pros and cons of single-vendor SASE

Full-stack SASE vendors offer a solution where all five key SASE technologies are available from a single company, which could result in better integration – but not all vendors offer all the SASE pieces.

SASE vendors tend to start out either with a network or with a security focus, says Mauricio Sanchez, research director for network security, SASE, and SD-WAN at market research firm Dell’Oro Group. And SASE customers also tend to break down the same way, he says. Networking and security teams have different criteria for their vendors, different purchasing timelines, and different budgets.

Single-vendor SASE is more appealing to mid-market and smaller enterprises because they have fewer staff and might not have separate network and security teams, Sanchez says. “It’s a small team that has multiple roles, and so they’re looking to press that easier button.”

Getting everything from one vendor means that you’re not always getting the best-of-breed product for each service. In addition, some enterprises are worrying about putting all of their eggs in one basket. “Clients doing that have to be extremely careful that they’re not getting substandard products on either the SD-WAN or especially on the SSE side from those vendors,” Winckless says.

The biggest marketing message of single-vendor SASE – tight integration – isn’t always all that it’s cracked up to be, Winckless warns. Since it’s still early, many full-stack SASE vendors have bought other companies in order to fill gaps, and they may not have fully integrated the tools yet. “Integration is hard,” he says.

Sometimes, he adds, vendors that partner to get the full SASE stack might wind up with better integrations.

SIngle-vendor SASE providers

Whether looking for single-stack or vendors with strengths in particular areas, there’s a lot of choice when it comes to SASE.

Dell’Oro Group listed 35 SASE vendors in its September report.

Gartner lists 11 SASE vendors and nine honorable mentions in their SSE Magic Quadrant, and 15 in the WAN Edge Magic Quadrant, with three vendors appearing on both lists — Versa, Cisco and Palo Alto Networks. In June, Gartner released a report that listed eight full-stack SASE vendors. The five other companies are Cato Networks, Forcepoint, Open Systems, Fortinet, and Citrix.

The following are full-stack vendors with the strongest features sets, industry adoption, and analyst evaluations.

Cato Networks

The Cato SASE Cloud is built from the ground up, and with the addition of CASB in February, is now a full stack offering. Data loss and remote browser isolation will be added later this year.

Cato’s SASE cloud has a global private backbone with over 70 points of presence worldwide that Cato owns and has control over. Cato also offers managed detection and response which can be activated and used immediately.

The redesigned self-service Cato Management Application, announced in December, has functionalities for controlling the entire service through a single dashboard.

Cisco

Cisco’s approach to SASE combines network, security, and observability capabilities into a single cloud-managed offering. in recent months, Cisco added features including the ability to support remote browser isolation, data loss prevention, and cloud malware detection.

According to IDC, Cisco leads the SD-WAN market with 37% market share, and it was determined to be the overall SASE leader in revenue share for 2021 by Dell’Oro Group.

Cisco shows up frequently on Gartner clients’ shortlists for SSE, and clients liked the affordability and ease of use of its entry-level SSE offerings. However, some reported it’s difficult to understand what’s required to gain complete SSE functionality from Cisco.

Cisco’s SD-WAN revenue comes from internal development as well as a series of acquisitions including Meraki in 2012, Viptela in 2017, Duo Security in 2018, and ThousandEyes in 2020.

Forcepoint

Forcepoint recently launched Forcepoint ONE, its new all-in-one SSE built on AWS’ Hyperscaler platform, offering 300 points of presence around the world, says Jim Fulton, vice president of product marketing at Forcepoint.

The company offers integrated cloud data loss prevention and remote browser isolation at no extra cost to customers.

Forcepoint acquired SSE company Bitglass in late 2021 and acquired remote browser isolation company Cyberinc in May 2021 for its remote browser isolation solution.

Fortinet

Fortinet is a leader in Gartner’s Magic Quadrant for WAN Edge Infrastructure.

Fortinet acquired the startup Opaq in 2020 as part of its pivot from SD-WAN to SASE. Fortinet introduced its integrated SASE solution, FortiSASE, after the acquisition, and it includes FWaaS, SWG, ZTNA, next generation firewall, data loss prevention, and an intrusion prevention system.

Gartner says Fortinet’s FortiSASE platform is largely unproven in the market but also says the company has high customer experience scores.

Open Systems

Open Systems’ SASE+ includes the full stack as a combination of in-house, partners, and open-source components.

The company has 187 customers with a total presence in 184 countries and a CAGR of 15% over the last five years. Open Systems focuses on multinational small and medium-sized enterprises with 1,000 to 10,000 employees.

In the future, the company plans to offer self-service features, a simpler user authentication process, advanced phishing protection with an integrated AI-based engine, and ZTNA browser-based access to SaaS applications.

Palo Alto Networks

Palo Alto appears more frequently than many other vendors on client shortlists, according to Gartner, though client feedback indicates that it can be expensive and confusing to achieve full SSE functionality.

In a January report by identity and access management company Okta, Palo Alto was the most-used remote access solution.

In 2021, Palo Alto introduced new CASB features including zero-day protection. It also released ION 1200 which gives organizations the ability to deliver 5G WAN to branch networks as part of the Prisma SASE solution, and added AIOps capabilities using machine learning and analytics to automate IT operations and provide real-time analysis and detection of IT issues.

Palo Alto also recently introduced new Prisma SASE enhancements for managed service providers aimed to simplify management and support SASE services for customers.

Versa Networks

In March 2021, a report by analyst firm EMA identified Versa SASE as having the most SASE-supported functions.

Versa is a leader in The 2021 Magic Quadrant for WAN Edge Infrastructure and a niche player in the 2022 Magic Quadrant for Security Service Edge.

According to Gartner, even though it offers all SASE functions, Versa appeals primarily to existing SD-WAN customers, but the company says it’s seeing particular interest from new customers who need support in real time applications such as video, unified communications, and real time IoT.

Versa’s SASE offering includes secure SD-WAN, ZTNA, SWG, CASB, FWaaS, and remote browser isolation. Versa also has multi cloud support and is investing in 5G and IoT security.

Versa has some major customers, including BP and Capital One. “We are over 90 regions, over 90 PoPs, and that’s growing,” says Michael Wood, chief marketing officer at Versa. “I think this year we’ll get to 100 if not over.”

Versa is available as a cloud service where enterprises can operate, manage, and host their own private Versa Cloud Gateways wherever they want.

VMware

VMware SASE is developed in-house and includes SD-WAN, ZTNA, CASB, FWaaS, and SWG.

In addition to the standard SASE features, VMware offers data loss prevention, URL filtering, and remote browser isolation. VMware is a leader in Gartner’s Magic Quadrant for WAN Edge Infrastructure. It’s VMware’s Cloud Web Security service has about 150 points of presence globally.

VMware says it also works with third-party vendors for those customers who wish to get some parts of the SASE stack elsewhere.

For example, VMware offers enhanced integration with Zscaler to make it easy to deploy and manage a joint VMware-Zscaler SASE solution, says Abe Ankumah, vice president of product management for VMware SASE.

Partial-stack SASE vendors

Many large enterprises are focused on a dual-vendor SASE solution, and they don’t necessarily want or need one provider for everything.

Some partial-stack vendors offer a stronger networking product, some offer better security features, and separate teams within a large company can pick their vendors based on those strengths.

Netskope and Zcaler are top picks for customers looking for a dual-vendor solution from the security side, says Gartner’s Winckless.

Akamai

Best known as a content delivery network provider, Akamai has around 4,200 PoPs and 365,000 servers in more than 135 countries and over 1,350 networks around the world. Its security offerings include ZTNA, SWG, CASB, multi-factor authentication, network access control, and web application and API protection.

Akamai plans to launch a FWaaS offering in the near future. Akamai purchased micro-segmentation company Guardicore in late 2021 to extend its zero-trust security portfolio to fight malware and ransomware.

Akamai doesn’t provide SD-WAN solutions, but says its products integrate with leading SD-WAN vendors’ infrastructure.

Barracuda Networks

Through its CloudGen WAN and CloudGen Access platform, Barracuda offers four of the five core SASE components: FWaaS, SD-WAN, ZTNA, and SWG. It’s missing a dedicated CASB piece, but the company says that a lot of the CASB functionality is already in place. The company’s SASE platform also includes malware scanning, content filtering, DDoS protection, and an intrusion prevention system.

Barracuda says that its core technology stack was developed in-house while specialized technologies like forward error correction were purchased from partners. The company says it’s working on a full set of web application and API-protection services that will also be integrated into its SASE platform.

Barracuda’s SASE platform boasts a tight integration with Microsoft Azure. Barracuda provides private SASE services in Azure and uses Azure’s global network as a connectivity backbone.

The company focuses on mid-size enterprises and managed service providers. But despite Barracuda claiming to have more than 200,000 customers, Gartner says the company has low visibility in the SASE market, which will limit its ability to grow.

Cloudflare

Cloudflare began as a content delivery network provider. Today, its Cloudflare One solution offers ZTNA, SWG, and FWaaS along with remote browser isolation, DNS filtering, DDoS protection and other threat and data protections using a single management interface.

Cloudflare acquired Vectrix, a CASB company, in February and it partnered with VMware, Aruba, and Infovista for the SD-WAN piece in 2021.

iboss

iboss offers a containerized zero-trust service that’s deployed in more than 100 PoPs globally. It provides SWG, CASB, ZTNA, FWaaS, remote browser isolation, anti-malware, and anti-phishing features. It doesn’t offer SD-WAN but says it integrates with all major SD-WAN solutions.

According to the company, its zero trust platform differs from that of other vendors because it covers both Internet-facing and internal network edges with the same security edge, while other companies have different edges for Internet and private connections, resulting in different levels of protection and visibility.

Gartner says iboss SASE customers automatically receive a license for the ZTNA product, instead of having to pay separately for the zero-trust feature. That makes the pricing more attractive and increases the overall value of the iboss SASE platform.

Lookout

Gartner says Lookout appears less frequently on shortlists but has strong data security capabilities and a strong sales strategy for a relatively small vendor.

Lookout’s SASE offering is called Lookout Security Platform, and the company partners with HPE, VMware, and Versa for its SD-WAN.

The Lookout Security Platform has CASB, ZTNA, SWG, user and entity behavior analytics, data loss prevention, and enterprise digital rights management. FWaaS is not offered.

Netskope

Netskope is considered a leader in Gartner’s Magic Quadrant for SSE and appears frequently on clients’ shortlists. Netskope’s SASE offering is called the Netskope Intelligent Security Service Edge.

Netskope Intelligent SSE offers security components including SWG, CASB, ZTNA, cloud security posture management, FWaaS, data loss prevention, and user and entity behavior analytics. SaaS security posture management and remote browser isolation were also introduced in the last year.

Netskope doesn’t offer SD-WAN, but it says it can integrate seamlessly with SD-WAN technologies.

Perimeter 81

Perimeter 81’s SASE product, the Cybersecurity Experience Platform, was developed in-house and includes ZTNA, FWaaS, and SWG. CASB is in their product roadmap. The company has over 2,200 customers, over 40 global points of presence, and its growth has been 400% year over year.

Perimeter 81’s cloud-delivered ZTNA was recently recognized by Forrester as a zero trust leader. The analyst firm called it the best option for smaller enterprises that need a ZTNA service because they can sign up quickly and onboard dozens of applications in less than a month using its self-service portal.

Zscaler

Zscaler is a leader in Gartner’s Magic Quadrant for SSE and is frequently seen on shortlists. In the past year it’s improved its CASB offering by introducing API integrations with more SaaS applications, integrating remote browser isolation, and improving data security features.

Zscaler offers SWG, CASB, FWaaS, and ZTNA and has a global presence through more than 150 of its data centers. Gartner estimates that it has a large share of the market for cloud-based SWGs and ZTNA.

The company is missing the SD-WAN piece but offers it through partners including Silver Peak, Viptela, and VMware. According to Gartner, it has stronger partnerships with tighter integrations than other vendor.