We compare 10 leading SASE security vendors with an overview of the market.
Who are the top 10 SASE security vendors? Cato, Cisco, Cloudflare, Forcepoint, Fortinet, Open Systems, Palo Alto, Versa, VMware and Zscaler.
2020 was a boon to vendors providing the technology that enabled society’s sudden transition to a remote, online lifestyle. Chief among them was SD-WAN, which became critical for organisations needing to maintain robust connectivity for work-from-home (WFH) employees tethered to video conferences for much of the day.
However, organisations soon realised that once they delivered reliable baseline communications, user and data security was the next layer of their hierarchy of needs. As we mentioned in our article on domestic SD-WAN vendors, “Security is the hottest sub-segment of the SD WAN market, with the emerging SASE market, which adds security features to an SD WAN solution, expected to more than double annually over the next several years, reaching 60 percent of SD WAN deployments by 2024 according to Gartner.”
- Dell’Oro expects the SASE market to grow at 116 percent annually over the next five years, resulting in more than a 20-fold increase in revenues from 2020. Sales will start out primarily as SASE software bundled with hardware appliances, but will transition to a combination of software and cloud services managed by a carrier, ISP or SASE vendor.
- 650 Group is less bullish, but still predicts SASE revenue to quintuple by 2025 for a CAGR of 38 percent.
- Revenue at Zscaler, one of the few public pure-plays on cloud-based SASE products, is increasing 55 percent annually with billings up 71 percent year-over-year, numbers that will make it a billion-dollar company by mid-2022. Zscaler illustrates the potential for rapid expansion of SASE usage, with 5,000 customers, including 500 in Forbes’ Global 2000, and more than 20 million licensed seats accessing Zscaler’s services from one of 150 data centers worldwide.
“SASE is a collection of network, user and application security technologies tailored for remote, edge locations like a branch office, retail store, warehouse or employee home.”
What are the primary features of SASE?
SASE is a Gartner neologism that has evolved into both a marketing buzzword and nascent product category. Despite differences in implementation, vendors invariably agree with Gartner’s canonical definition as comprising five elements.
- SD-WAN virtual network overlay that aggregates one or more physical networks, such as home broadband cable and DSL or branch office carrier Ethernet and 5G, into a logical connection. As we detail in our earlier report, SD-WAN uses a software control plane to improve link reliability, performance and predictability, and also allows inserting network services like those provided by SASE.
- Next-generation firewall-as-a-service (FWaaS) that duplicates the features of a next-gen hardware firewall. Using software firewalls on a software-defined network like an SD-WAN allows for NFV (network function virtualization) service insertion at any point on the network, including edge locations like a branch office or employee’s virtual desktop environment.
- Secure Web Gateway (SWG) is an L7 Web content filter that supplements L3-L7 firewalls to block malicious traffic, enforce content and data access policies and monitor web traffic to identify potentially harmful anomalies or capacity bottlenecks. Unlike NGFWs, which are ‘bumps on the wire’, SWGs are proxy servers that terminate traffic, which allows them to detect exploits that firewalls might miss.
- Cloud Access Security Broker (CASB) extends SWG, which focuses on Web content, to any Web- or cloud-based application, notably the many SaaS products WFH employees regularly use. CASB traditionally provides four features — traffic and application visibility, policy compliance, data security such as anomaly detection, sandboxing of suspicious code and enforcing TLS, and threat protection for SaaS applications.
- Zero-trust network access (ZTNA) is a granular replacement for point-to-point (or client-to-gateway) VPNs to improve network and application security. While VPNs protect network traffic from unauthorised snooping, without carefully designing subnets and gateway termination points, they don't limit user access once authenticated on the VPN. In contrast, ZTNA treats every network connection attempt — for example, accessing a file share or collaboration system — as a separate transaction that requires authentication and authorisation before establishing a temporary encrypted TLS connection. ZTNA security policies are defined by three factors:
How to evaluate and compare SASE vendors?
“We agree with Aryaka product director Paul Liesenberg when he says that delivering the SASE vision requires a seamlessly orchestrated, cloud-first network and full-security stack.”
- Network performance (throughput, latency, jitter, availability)
- SaaS application coverage
- Integration with existing security systems and enterprise directories
- Global or regional coverage (POPs)
- Client support and limitations (if any).
“Understand that given the immaturity and rapidly evolving nature of SASE products, buyers are unlikely to find any products excelling at every requirement; thus, prioritisation is critical.”
Finally, assess the vendor’s business and service model since there are three primary avenues for procuring SASE services:
- Directly from a SASE developer operating a cloud network-as-a-service (NaaS), typically by renting IaaS resources from one of the hyperscale cloud providers (AWS, Azure, Google Cloud, Alibaba Cloud), which provides broad international coverage and high availability.
- From a national or regional carrier like AT&T, Verizon, CenturyLink or Comcast.
- From a regional or national managed service provider (MSP).
Who are the top 10 SASE security vendors?
“Beware that much like the consolidation that happened in the SD-WAN market, most pure-play SASE vendors will be acquisition targets of larger firms, so their products might end up rebranded over the next year or two.”
What SASE solution does Cato Networks offer?
Cato offers SD-WAN and SASE services using cloud infrastructure and a cloud-native architecture via a network of 60 POP on-ramps on every continent. The service optimises network connectivity to IaaS and SaaS products using a “single pass engine” that performs packet routing, optimisation and security processing. Cato also provides ZTNA identity-based authentication for access controls, QoS and threat analysis.
What SASE solution does Cisco offer?
What SASE solution does Cloudflare offer?
What SASE solution does Forcepoint offer?
What SASE solution does Fortinet offer?
What SASE solution does Open Systems offer?
What SASE solution does Palo Alto Networks offer?
What SASE solution does Versa offer?
What SASE solution does VeloCloud offer?
What SASE solution does Zscaler offer?
What are use cases for SASE and the recommendations?
- Integration with existing network infrastructure and management software. For example, organisations with significant investments in Cisco or VMware products should start evaluations with them.
- Internal integration among SASE components. Some providers use NFV service chaining to link disparate security modules, using a single management UI to control them. However, connecting this way can reduce performance, complicate management and leave gaps in security.
- Reduce evaluation overhead by keeping detailed product bake-offs to two finalists.