Enterprises turn to single-vendor SASE for ease of manageability

Before the start of the Covid epidemic, a traditional WAN architecture with centralized security worked well for Village Roadshow. “Advanced security inspection services can be applied, firewalls can provide separation, and a demilitarized zone can be implemented,” said Michael Fagan, chief transformation officer at Village Roadshow, the largest theme park owner in Australia.

But it required backhauling traffic from remote sites to a data center or hub for security inspection, which can hurt application performance, create a poor user experience, and cost the company in productivity, he said.

When the pandemic led the company to transition to a hybrid workforce, with most people working from home or from a remote site, it prompted Village Roadshow to rethink its network and security approach.

“A person working from home is a branch office of one,” Fagan said. “Likewise, a new theme park ride could be considered a new office. Both need access to data securely, and in different ways.”

To address the issue, the company turned to SASE – secure access service edge – which offers security and networking in cloud-based architecture that’s designed to ease deployment and management and simplify scalability.

At first, Village Roadshow used two vendors, Zscaler and Check Point, for different parts of the SASE stack. But the company soon realized that the market was heading towards convergence, Fagan said.

Today, Village Roadshow uses a single vendor, Palo Alto Networks, to provide the full set of SASE features, which Gartner defines as SD-WAN, a secure web gateway, a cloud access security broker, network firewalls, and zero trust network access (ZTNA).

“We now have a single vendor providing us best-in-class security and consistency across our entire network,” Fagan said.

As a result, Village Roadshow has saved time and money. SASE costs less than dedicated MPLS circuits, it’s carrier agnostic, and it’s scalable, Fagen said, giving the company “the ability to spin up new connected sites quickly – food stalls at our cinemas, marketing or customer days at our theme parks.”

On the productivity side, employees no longer have to remember passwords to connect to company VPNs or carry physical tokens on their key rings. “Simply connect to an internet connection anywhere you are located with a company-issued laptop, and within a few seconds you will be connected to the internal network,” Fagen said.

“Overall, we have a much stronger security posture and protection for our employees no matter if they are in the office or working from home.”

Working with a single vendor is important to Fagen.

“I had an experience in a previous CIO role where switches and routers from two different vendors would not work with each other, and both pointed fingers at each other,” he said. “You need to ensure that you are looking at technologies that integrate together seamlessly so you can simplify and consolidate your technology stack and remove as much complexity as possible.”

One unexpected benefit of the move to SASE is a reduction in the number of calls to the service desk, which frees team members to focus on higher value, more complex tasks that can’t be automated, Fagan said.

Single-vendor SASE emphasizes integration

Village Roadshow isn’t alone in moving to consolidate their SASE infrastructure.

Smaller and mid-sized companies in particular can benefit from SASE, said Jeffrey Caso, an associate partner at McKinsey & Company.

“There’s a significant market opportunity to bring traditionally enterprise-grade security services to the midmarket and to small and medium-sized business,” he said. “For many smaller companies, SASE is an opportunity for an all-in-one security and networking solution that allows them to offer more advanced security without the complexity or price tag of standalone solutions.”

Gartner has also been seeing growing interest from clients for single-vendor SASE platforms, said analyst Andrew Lerner, who covers enterprise networking for the research firm.

Small companies without separate security and networking teams are particularly interested in single-vendor solutions, as are companies large enough to have architecture teams. (O-I Glass, a $6.9 billion global glass bottle and jar company, is one example of a large enterprise that opted for single-vendor SASE.)

“Architecture teams sit above the day-to-day operations,” Lerner said. As a result, they can see the challenges associated with using multiple vendors.

“Those challenges include multiple points of integration, multiple policies, multiple management planes, multiple points of presence,” Lerner said. “That all has to be tied together, and that creates administrative inefficiency and inefficient traffic flows.”

The smaller-sized and mid-market enterprises don’t have the silos between operations and security, he added. “They’re responsible for the full breadth of architecture.”

Gartner has come up with a list of vendors that offer the full stack of SASE services, including Cato Networks, Forcepoint, Fortinet, Netskope, Palo Alto Networks, Versa Networks, and VMware. (Citrix was on the list when the report was published in September, but it has since exited the market.)

“The delta between them comes from the degree of integration,” said Lerner. “Some of the vendors have cobbled multiple products together and slapped a nice management interface on top of it.”

(A related trend is the use of a managed service provider for SASE; a managed SASE offering provides a single source for SASE services, and the provider handles deployment and management for the enterprise. A managed SASE provider may take a single-vendor SASE or a multivendor SASE approach to build their offering, Gartner notes.)

Bridging the gaps

For companies that have followed a best-of-breed or siloed approach to networking and security, bringing the two together can be a management challenge.

“You have to get the teams working together and communicating regularly,” Lerner said. “That’s the starting point. You have to remove individuals who are toxic and silo-oriented. You have to measure team performance based on business outcomes instead of siloed organizational metrics.”

In addition, there might be other challenges to overcome. For example, different systems may have different refresh and renewal cycles, he said. SD-WAN might be up for renewal now, but a company may not have the budget or opportunity to tackle security until next year.

“Or the security team might say, ‘this is our preferred vendor,’ and the networking team might say, ‘this is our preferred vendor,’ and the two aren’t the same,” he added. Single-vendor SASE would require both teams to commit to a vendor.

SASE is an opportunity for network teams and security teams to start joining forces, said Allie Earle, partner at Ernst & Young’s Parthenon Software Strategy Group, and for security to play a bigger role.

“The way in which businesses work and interact and grow their footprints has to have security at the forefront, at the very beginning,” she said. “That mindset is fairly new to businesses. The faster organizations can acknowledge that the two will need to harmonize, the better they will be able to securely scale and grow.”

Risks of single-vendor SASE

Getting all the SASE pieces from a single vendor does make implementation and management easier, but it comes with some downsides.

For example, a single vendor might offer all the features but not have the depth of best-of-breed point solutions in every single area, said Ernst & Young’s Earle. 

In addition, the industry is evolving quickly, she said. Companies that might be weak in a particular area will partner with or acquire other companies that have the desired strengths.

Enterprise customers are also changing. A single SASE vendor that’s a good fit today may not be the best fit tomorrow. “With all the disparate data areas, the secure edge, the cloud, IoT – all the things are growing rapidly, and it is hard to predict how your company may evolve,” she said.

Another potential downside of going with an all-in-one SASE provider is the fact that this industry segment is so new, said Gartner’s Lerner. “A lot of the vendors do not have widespread deployment with thousands of customers,” he said. “It’s still very early, and there are risks whenever it’s very early.”

A single-vendor SASE solution also carries concentration risks. If something happens to that one vendor, the entire stack of SASE services is affected, he said.

Lerner recommends running a functional pilot in a real location, or a real user base, to gain experience; choosing shorter contract time frames; talking to the vendor’s reference customers; and doing the due diligence to make sure that the vendor is the best fit for your actual use case.

Weighing single-vendor SASE attributes

CloudFactory, a business process outsourcing company that specializes in helping companies develop AI training data sets, is currently going the single-vendor route. Shayne Green, CloudFactory’s head of security operations, weighed the pros and cons of a single provider before committing.

“Overreliance on a single vendor is always a bit of a risk, especially if your business comes to depend on the services that the vendor brings,” Green said. “For that reason, it’s always sensible to diversify.” Plus, working with multiple vendors keeps things competitive, he said.

On the other hand, in the SASE world, with so much overlap in functionality between different SASE vendors, using multiple providers may be inefficient, Green said.

“Also, a single vendor may be more committed due to the mutual dependency,” he said. “Write your plan and then map that to the vendor capabilities. Seek a strong partnership from your vendor and challenge them, as this in turn will help with the overall evolution of the technology.”

“It’s easy to get caught up in the glossy, utopian nature of SASE marketing,” he added.

CloudFactory’s move to SASE took place in 2020, Green said. The company uses Cato Networks’ SASE solution to provide secure connections between its staff, its services, and its clients. CloudFactory also uses Cato’s cloud access service broker, data loss prevention, and web filtering rules.

That includes posturing, to ensure that devices meet a minimum-security baseline before they can connect.

“Having a global network of secure access gateways to target is a huge advantage as it provides us with extensive options for rapid scalability,” Green said. “Having a single management portal through which to configure and monitor all services is a huge advantage.”