Neal Weinberg
Contributing writer, Foundry

Buyer’s guide: Secure Access Service Edge (SASE) and Secure Service Edge (SSE)

Feature
Jun 06, 2024 | 22 mins
Access Control, Enterprise Buyer’s Guides, Networking

SASE rolls networking and security into a cloud service, making it easier for enterprises to provide simple, secure access to corporate resources. Many vendors offer SASE services, but what they actually provide and how they provide it varies widely.

What today is known as secure service edge (SSE) started under a different name — secure access service edge (SASE) — with a slightly different meaning. But both terms are relevant today.

In 2019, Gartner created the term SASE to describe a cloud-based service that combines networking and security to give remote workers safe access to internet-based resources.

Gartner had put its finger on a new set of challenges that enterprise IT faced as employees shifted to remote work during the COVID-19 pandemic and applications migrated to the cloud. But Gartner overshot the runway a bit; vendors were caught flatfooted and scrambled to cobble together full suites of SASE features.

On the customer side, a recent Gartner survey of CISOs revealed that “a majority of buyers are planning for a two-vendor strategy for SASE,” with security and networking teams making separate buying decisions rather than opting for single-vendor SASE. In response to these realities, Gartner coined a new term, secure service edge (SSE), which is essentially SASE minus SD-WAN, the network access part of the equation.

In This Buyer’s Guide

  • Secure Access Service Edge (SASE) and Secure Service Edge (SSE) explained
  • What to look for in SSE and SASE
  • Leading vendors for SSE
  • Leading vendors for SASE
  • Full-stack SASE providers
  • Partial-stack SASE vendors
  • What to ask before buying SSE and SASE
  • 10 questions to ask prospective SSE vendors
  • 10 questions to ask prospective SASE vendors

What to look for in SSE and SASE

In Gartner parlance, SSE includes, at a minimum, secure web gateway (SWG), cloud access security broker (CASB), and Zero Trust network access (ZTNA). It can also encompass a constantly growing laundry list of additional features such as firewall as a service (FWaaS), browser isolation, sandboxing, data loss prevention (DLP), and web application firewall (WAF). As previously noted, SASE adds SD-WAN.

IDC splits the difference between SASE and SSE. It uses the term “network edge security as a service” (NESaaS) to describe a converged approach that includes SWG, CASB, and ZTNA as prerequisites, but IDC treats networking capabilities like SD-WAN and digital experience monitoring (DEM) as “optional points of integration.”

“SSE is but one side of the coin. The other side is networking, which, unfortunately, still tends to be overlooked too often. An SSE vendor should have a strategy for taking their customers on the complete SASE journey,” says Mauricio Sanchez, research director at Dell’Oro Group.

Acronyms defined

  • CASB: cloud access security broker
  • DEM: digital experience monitoring
  • DLP: data loss prevention
  • FWaaS: firewall as a service
  • NESaaS: network edge security as a service
  • PoP: point of presence
  • SASE: secure access service edge
  • SD-WAN: software-defined wide area network
  • SSE: secure service edge
  • SWG: secure web gateway
  • WAF: web application firewall
  • VPN: virtual private network
  • ZTNA: Zero Trust network access

Leading vendors for SSE

Dueling definitions aside, both IDC and Gartner have identified a broad range of vendors that provide these services, giving enterprise IT leaders lots of choices.

Before engaging with potential SSE vendors, organizations need to get their own ducks in a row. “I think it’s critical to focus on outcomes that you are able to execute and drive in a reasonable time frame,” says Gartner analyst Charlie Winckless. “What do I need to deliver? What are my priorities?”

All the vendors have strengths and weaknesses, particularly when it comes to SSE, which is an amalgam of multiple technologies. Winckless cautions that going with the vendor who offers the longest list of features might end up being too expensive and might not address the organization’s most pressing needs. The key question to ask is: Which vendor best fulfills the capabilities that are most important to me?

Other considerations are how well the SSE service coincides with existing refresh cycles, and how well the SSE service integrates with the organization’s IT stack. Winckless says organizations also need to investigate the financial stability of the vendor and their track record of innovation.

Most enterprises have longstanding relationships with a group of established vendors that turn up regularly on any short list of prospective candidates for new products and services. But SSE is different; some of the top providers might not be familiar to IT leaders, which makes it even more important to ask the right questions when evaluating vendors.

For example, the 2023 Gartner Magic Quadrant for SSE puts Netskope in a leadership position, along with Palo Alto Networks and Zscaler. In the visionary category, there’s Forcepoint, Lookout, and Skyhigh Security. Cisco Systems, probably an automatic on everybody’s list of potential vendors, is described as a challenger by Gartner because it lacks integration of the many SSE components and doesn’t offer a full-feature Zero Trust solution.

IDC has slightly different criteria (SSE vs. NESaaS), but a similar assessment. IDC’s Marketscape lists Netskope, Palo Alto Networks, and Zscaler as the Big 3, but adds Akamai and Cloudflare to the leadership category. IDC says Akamai, Broadcom, Check Point, Cisco, Forcepoint, Fortinet, Lookout, and Skyhigh are major providers, while Gartner puts Broadcom, Cloudflare, and Iboss in the niche category.

When it comes to Cisco, IDC agrees with Gartner, noting that Cisco “currently lacks a traditional ZTNA product” and “still has significant progress to make in integrating its vast portfolio into a single, consolidated product.” Cisco shows up frequently on Gartner clients’ shortlists for SSE, and clients liked the affordability and ease of use of its entry-level SSE offerings. However, some reported it’s difficult to understand what’s required to gain complete SSE functionality from Cisco.

Here are snapshots of some of the major providers in SSE:

Akamai: Akamai has the global cloud platform required to deliver SSE, and a strong track record. It offers SWG, CASB, and ZTNA, but might not have the broadest suite of add-ons, and in some cases requires integration with third parties, rather than offering a full-blown single-vendor integrated approach. Its strong points are performance and ZTNA.

Cloudflare: Cloudflare is trying to expand beyond the small business market and attack the enterprise with an offering that includes ZTNA, CASB, SWG, DLP, FWaaS, browser isolation, WAF, DDoS mitigation, and bot management. On the plus side, Gartner says Cloudflare offers the largest number of points of presence (PoPs), a 100% SLA for uptime, and broad geographic coverage that together mean “there is rarely significant latency to reach a Cloudflare PoP.” Gartner cautions that Cloudflare lacks some features, such as file malware sandboxing, DEM, and full-featured built-in reporting and analytics.

Netskope: IDC says, “Netskope is a natural short-list option for organizations that prioritize data protection and cloud capabilities based on the company’s expertise and strength in CASB and inline proxy controls. Enterprises looking for digital transformation may well be served by the performance and reliability of the Netskope NewEdge private cloud network.” On the other hand, Gartner clients report that Netskope is “usually one of the most expensive options in a competitive pricing situation.”

Palo Alto Networks: Palo Alto Networks has a large installed base of customers who use its on-premises security tools. The company has put together a compelling SSE/NESaaS offering that provides customers with the opportunity to manage both environments from a single console. Palo Alto has a strong ZTNA offering, and it can provide SD-WAN for organizations that want to take the single-vendor SASE route.

Zscaler: With its vast global cloud network, Zscaler’s strength is the ability to pass all traffic through its platform, where all manner of security processes can be applied. Zscaler offers ZTNA, CASB, SWG, FWaaS, and DLP at its core. Sandboxing analysis, remote browser isolation, WAF, deception, and user experience monitoring are also on the menu.

Leading vendors for SASE

Functionally, the five main pillars of SASE are software-defined wide area network (SD-WAN), firewall as a service (FWaaS), secure web gateway (SWG), cloud access security broker (CASB), and Zero Trust network access (ZTNA). But many SASE vendors don’t yet have the full stack of features, and some partner with other companies to fill the gaps.

The SASE vendor-selection process is complicated further by the fact that vendors are differentiating themselves by promising additional capabilities such as remote browser isolation, data loss prevention, AI and machine-learning integration to automate IT functions, self-healing for improved operational efficiency, and IoT security.

Whether you are looking for single-stack or vendors with strengths in particular areas, there’s a lot of choice when it comes to SASE.

Dell’Oro Group listed 35 SASE vendors in its September 2022 report. Gartner listed 11 SASE vendors and nine honorable mentions in their 2022 SSE Magic Quadrant, and 15 in the WAN Edge Magic Quadrant, with three vendors appearing on both lists: Cisco, Palo Alto Networks, and Versa. In June 2021, Gartner released a report that listed eight full-stack SASE vendors. The five other companies are Cato Networks, Citrix Systems, Forcepoint, Fortinet, and Open Systems.

Full-stack SASE providers

The following are full-stack vendors with the strongest feature sets, industry adoption, and analyst evaluations.

Broadcom’s VMware unit: VMware SASE was developed in-house and includes SD-WAN, ZTNA, CASB, FWaaS, and SWG. In addition to the standard SASE features, VMware offers DLP, URL filtering, and remote browser isolation. VMware is a leader in Gartner’s Magic Quadrant for WAN Edge Infrastructure. Its Cloud Web Security service has about 150 points of presence globally. VMware says it also works with third-party vendors for those customers who wish to get some parts of the SASE stack elsewhere. For example, VMware offers enhanced integration with Zscaler to deploy and manage a joint VMware-Zscaler SASE solution, says Abe Ankumah, vice president of product management for VMware SASE.

Cato Networks: The Cato SASE Cloud is built from the ground up, and includes CASB, DLP, and remote browser isolation. Cato’s SASE cloud has a global private backbone with more than 70 points of presence worldwide that Cato owns and has control over. Cato also offers managed detection and response which can be activated and used immediately. The redesigned self-service Cato Management Application has functionalities for controlling the entire service through a single dashboard.

Cisco Systems: Cisco’s approach to SASE combines network, security, and observability capabilities into a single cloud-managed offering. Features include the ability to support remote browser isolation, DLP, and cloud malware detection.

Forcepoint: Forcepoint One is built on Amazon Web Services’ hyperscaler platform, offering 300 points of presence around the world. The company offers integrated cloud DLP and remote browser isolation at no extra cost to customers. Forcepoint acquired SSE company Bitglass in late 2021 and acquired remote browser isolation company Cyberinc in May 2021 for its remote browser isolation solution.

Fortinet: Fortinet is a leader in Gartner’s Magic Quadrant for WAN Edge Infrastructure. Fortinet acquired the startup Opaq in 2020 as part of its pivot from SD-WAN to SASE. Fortinet introduced its integrated SASE solution, FortiSASE, after the acquisition, and it includes FWaaS, SWG, ZTNA, next-generation firewall, DLP, and an intrusion prevention system.

Open Systems: Open Systems’ SASE Experience includes the full stack as a combination of in-house, partners, and open-source components. Open Systems focuses on multinational small and medium-sized enterprises with 1,000 to 10,000 employees.

Palo Alto Networks: Palo Alto appears more frequently than many other vendors on client shortlists, according to Gartner, though client feedback indicates that it can be expensive and confusing to achieve full SSE functionality. Palo Alto’s CASB features include zero-day protection. Its Ion 1200 product gives organizations the ability to deliver 5G WAN to branch networks as part of the Prisma SASE solution, and it provides AIops capabilities using machine learning and analytics to automate IT operations and provide real-time analysis and detection of IT issues.

Versa Networks: Versa is a leader in Gartner’s 2021 Magic Quadrant for WAN Edge Infrastructure and a niche provider in the 2022 Magic Quadrant for Security Service Edge. According to Gartner, even though it offers all SASE functions, Versa appeals primarily to existing SD-WAN customers. Versa says it’s seeing particular interest from new customers who need support for real-time applications such as video, unified communications, and real-time IoT. Versa’s SASE offering includes secure SD-WAN, ZTNA, SWG, CASB, FWaaS, and remote browser isolation. Versa also has multicloud support and is investing in 5G and internet of things (IoT) security. Versa is available as a cloud service where enterprises can operate, manage, and host their own private Versa Cloud Gateways wherever they want.

Partial-stack SASE vendors

Many large enterprises are focused on a dual-vendor SASE solution, and they don’t necessarily want or need one provider for everything. Some partial-stack vendors offer a stronger networking product, some offer better security features, and separate teams within a large company can pick their vendors based on those strengths.

Netskope and Zscaler are top picks for customers looking for a dual-vendor solution from the security side, says Gartner analyst Winckless.

Akamai: Best known as a content delivery network provider, Akamai has around 4,200 PoPs and 365,000 servers in more than 135 countries and more than 1,350 networks around the world. Its security offerings include ZTNA, SWG, CASB, FWaaS, multifactor authentication, network access control, and web application and API protection. Akamai doesn’t provide SD-WAN solutions, but says its products integrate with leading SD-WAN vendors’ infrastructure.

Barracuda Networks: Through its CloudGen WAN and CloudGen Access platform, Barracuda offers four of the five core SASE components: FWaaS, SD-WAN, ZTNA, and SWG. It’s missing a dedicated CASB piece, but the company says that a lot of the CASB functionality is already in place. The company’s SASE platform also includes malware scanning, content filtering, distributed denial-of-service (DDoS) protection, and an intrusion prevention system.

Barracuda’s SASE platform boasts a tight integration with Microsoft Azure. Barracuda provides private SASE services in Azure and uses Azure’s global network as a connectivity backbone.

The company focuses on mid-size enterprises and managed service providers.

Check Point’s Perimeter 81 unit: Perimeter 81’s SASE product, the Cybersecurity Experience Platform, was developed in-house and includes ZTNA, FWaaS, and SWG. Perimeter 81’s cloud-delivered ZTNA was recently recognized by Forrester as a Zero Trust leader. The analyst firm called it the best option for smaller enterprises that need a ZTNA service because they can sign up quickly and onboard dozens of applications in less than a month using its self-service portal.

Cloudflare: Cloudflare began as a content delivery network provider. Its Cloudflare One solution offers ZTNA, SWG, and FWaaS along with remote browser isolation, Domain Name Service (DNS) filtering, DDoS protection, and other threat and data protections using a single management interface.

Iboss: Iboss offers a containerized Zero Trust service that’s deployed in more than 100 PoPs globally. It provides SWG, CASB, ZTNA, FWaaS, remote browser isolation, antimalware, and antiphishing features. It doesn’t offer SD-WAN but says it integrates with all major SD-WAN solutions.

According to the company, its Zero Trust platform differs from that of other vendors because it covers both internet-facing and internal network edges with the same security edge, while other companies have different edges for internet and private connections, resulting in different levels of protection and visibility.

Gartner says Iboss SASE customers automatically receive a license for the ZTNA product, instead of having to pay separately for the Zero Trust feature.

Lookout: Gartner says Lookout appears less frequently on shortlists but has strong data security capabilities and a strong sales strategy for a relatively small vendor. Lookout’s SASE offering is called Lookout Security Platform, and the company partners with Broadcom VMware, HPE, and Versa for its SD-WAN.

The Lookout Security Platform has CASB, ZTNA, SWG, user and entity behavior analytics, DLP, and enterprise digital rights management. FWaaS is not offered.

Netskope: Netskope is considered a leader in Gartner’s Magic Quadrant for SSE and appears frequently on clients’ shortlists. Netskope’s SASE offering is called the Netskope Intelligent Security Service Edge.

Netskope Intelligent SSE offers security components including SWG, CASB, ZTNA, cloud security posture management (CSPM), FWaaS, DLP, and user and entity behavior analytics. SaaS security posture management and remote browser isolation were also introduced in the last year. Netskope doesn’t offer SD-WAN, but it says it can integrate with SD-WAN technologies.

Zscaler: Zscaler is a leader in Gartner’s Magic Quadrant for SSE and is frequently seen on shortlists. In 2022, it improved its CASB offering by introducing API integrations with more SaaS applications, integrating remote browser isolation, and improving data security features. Zscaler offers SWG, CASB, FWaaS, and ZTNA, and it has a global presence through more than 150 of its data centers. The company is missing the SD-WAN piece but offers it through partners including Silver Peak, Viptela, and VMware. According to Gartner, it has stronger partnerships with tighter integrations than other vendors.

What to ask before buying SSE and SASE

Because every enterprise is different, you need to get a clear grasp on your specific needs, capabilities, and resources before engaging prospective vendors and then choosing specific solutions for SSE and SASE.

10 questions to ask prospective SSE vendors

  1. What is your SASE strategy? “SSE is but one side of the coin,” says Mauricio Sanchez, research director for networking, security, and SASE/SD-WAN at Dell’Oro Group. “The other side is networking, which, unfortunately, still tends to be overlooked too often. An SSE vendor should have a strategy for taking their customers on the complete SASE journey.”
  2. What integration points do you support into the larger third-party technology ecosystem? SSE is a small part of a larger technology landscape, so an SSE vendor should be able to show integrations with client security (EPP/EDR), identity and access management (IAM), and security management (SIEM/SOAR/XDR) tools, as well as integration with the cloud hyperscalers, says Sanchez.
  3. What is your track record for scalability, reliability, and performance? Sanchez points out that SSE vendors are responsible for keeping the network running smoothly, while processing encrypted traffic at scale for threat detection purposes, which he describes as “a computationally intensive process.” He adds, “I’ve heard horror stories of enterprises burned by SSE clouds that underperform and generate more headaches than they solve.”
  4. Does your global delivery network align with my business needs? Multinational companies need to make sure that the SSE vendor has points of presence that correspond to their locations. Be sure to ask where the PoPs are, what the roadmap is for adding more, what the plan is for covering gaps, and what the plan is for surviving an outage, says David Holmes, a senior analyst at Forrester.
  5. How many agents do I need to install on end user devices and what is the cost per device? Holmes recommends that prospective buyers pin vendors down on whether a single agent can handle virtual private networking (VPN), ZTNA, SWG, etc., or whether more than one agent is required. And in today’s bring-your-own-device (BYOD) world, with users connecting to the network on multiple devices, what operating systems and mobile devices are covered? Is there an extra charge per device, or is the service per user?
  6. What are your strengths and weaknesses? Ask the vendor for an honest assessment of which technology in the SSE smorgasbord is their strongest, and make sure that aligns with your requirements. If they say it’s SWG but your main driver is CASB, then Holmes says it might make sense to “continue your search.”
  7. What can you do with ZTNA? What can you do? Holmes recommends that prospective buyers ask the vendor what ports and protocols they cover; how they handle VoIP/SIP and UDP protocols. Can they integrate with multiple identity providers concurrently? “Not all can,” says Holmes, “and this is an important management feature for larger organizations that want to give partners Zero Trust access to their applications.”
  8. What is the management setup? Winckless says organizations need to implement SSE in a way that is seamless for administrators to configure and monitor. Will I have fewer consoles? Or more?
  9. How easy is it to apply security policies? Organizations need to make sure that they retain the ability to apply the same rules across multiple channels, says Winckless.
  10. What is the customer experience? All that back-end technology is great, but organizations need to make sure that the SSE delivers a smooth and seamless user experience. The last thing you want, says Winckless, is to disrupt the way the company does business.

10 questions to ask prospective SASE vendors

  1. Does the vendor offer all the capabilities that are included in the definition of SASE? If not, where are the gaps? If the vendor does claim to offer all the features, what are the strengths and weaknesses? How does the maturity of the vendor offerings mesh or clash with your own strengths, weaknesses, and priorities?
  2. How well integrated are the multiple components that make up the SASE? Is the integration seamless?
  3. Assuming the vendor is still building out its SASE, what does the vendor roadmap look like? What is the vendor’s approach in terms of building capabilities internally or through acquisition? What is the vendor’s track record integrating past acquisitions? If building internally, what is the vendor’s track record of hitting its product release deadlines?
  4. Whose cloud is it anyway? Does the vendor have its own global cloud, or is it partnering with someone else? If so, how does that relationship work in terms of accountability, management, SLAs, and troubleshooting?
  5. Is there flexibility in terms of policy enforcement? In other words, can a consistent SASE security policy be applied across the entire global enterprise, and can that policy also be enforced locally depending on business policy and compliance requirements? Even if enforcement nodes are localized, is there a SASE management control plane that enables centralized administration? This administrative interface should allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application, or the data.
  6. How is sensitive data handled? What are the capabilities in terms of visibility, control and extra protection?
  7. Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting? Is policy enforced consistently for all the possible access scenarios — individual users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged?
  8. Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Because the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand.
  9. Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs.
  10. One of the key concepts of zero trust is that end-user behavior should be monitored throughout the session and actions taken to limit or deny access if the user engages in behavior that violates policy. Can the SASE enforce those types of actions in real time?
