
Who are the top 10 SASE security vendors?

Written by Kurt Marko

I am an engineer and technologist whose experience is both broad and deep, designing and building digital systems ranging from sub-micron transistors to Web-scale infrastructure. I now apply the knowledge and skills from a 20+ year career in R&D and IT architecture to analysis, consulting and communications.

We compare 10 leading SASE security vendors with an overview of the market.

Who are the top 10 SASE security vendors? Cato, Cisco, Cloudflare, Forcepoint, Fortinet, Open Systems, Palo Alto, Versa, VMware and Zscaler.

2020 was a boon to vendors providing the technology that enabled society’s sudden transition to a remote, online lifestyle. Chief among them was SD-WAN, which became critical for organisations needing to maintain robust connectivity for work-from-home (WFH) employees tethered to video conferences for much of the day.

However, organisations soon realised that once they delivered reliable baseline communications, user and data security was the next layer of their hierarchy of needs. As we mentioned in our article on domestic SD-WAN vendors, “Security is the hottest sub-segment of the SD WAN market, with the emerging SASE market, which adds security features to an SD WAN solution, expected to more than double annually over the next several years, reaching 60 percent of SD WAN deployments by 2024 according to Gartner.”



SASE is overtaking SD WAN as the primary decision making aspect for IT Managers.



SASE interest is so intense that Gartner’s latest Hype Cycle rankings put it at the Peak of Inflated Expectations, poised for the excitement to crater as buyers realise that SASE isn’t a silver bullet for all their security problems. Nonetheless, SASE will be a critical addition to the security portfolio of the vast majority of enterprises that are permanently transformed into a work-from-anywhere organisation with remote, geographically dispersed employees. Indeed, Gartner sees the number of organisations adopting SASE quadrupling to 20 percent by 2023.
 
SASE, namely secure access service edge, is a suite of capabilities designed for remote users, offices and devices that rides atop an SD-WAN substrate. While the concept is new, its components are not, contributing to rapid advances in the technology, product offerings and customer acceptance. It’s hard to quantify a SASE market because the terminology and means of implementing the technology are sufficiently malleable that some vendors are SASE-washing legacy network management or security products. Nonetheless, most analysts see a robust market, predicting triple-digit growth over the next few years. For example,
 
  • Dell’Oro expects the SASE market to grow at 116 percent annually over the next five years, resulting in more than a 20-fold increase in revenues from 2020. Sales will start out primarily as SASE software bundled with hardware appliances, but will transition to a combination of software and cloud services managed by a carrier, ISP or SASE vendor.
  • 650 Group is less bullish, but still predicts SASE revenue to quintuple by 2025 for a CAGR of 38 percent.
  • Revenue at Zscaler, one of the few public pure-plays on cloud-based SASE products, is increasing 55 percent annually with billings up 71 percent year-over-year, numbers that will make it a billion dollar company by mid-2022. Zscaler illustrates the potential for rapid expansion of SASE usage, with 5,000 customers, including 500 in Forbes’ Global 2000, and more than 20 million seats licensed accessing Zscaler’s services from one of 150 data centers worldwide.

SASE is a collection of network, user and application security technologies tailored for remote, edge locations like a branch office, retail store, warehouse or employee home. SASE can be implemented as a set of software and hardware appliances on private infrastructure; however, with organisations coping with pandemic uncertainty and lockdowns by significantly increasing the use of cloud infrastructure and applications, SASE is better consumed as a cloud-based service.
 


SASE is the required framework to deliver security to all staff, devices and IoT.



For example, SaaS collaboration tools like Slack, Teams, Meet and Zoom have been indispensable in maintaining business operations and workgroup interactions. Consequently, many enterprises have also shifted from self-hosted productivity tools, email systems and file shares to SaaS products like Office365 and GSuite.
 
With WFH employees and remote contractors reliant on cloud services, it makes little sense to tunnel their network traffic to privately-operated SASE infrastructure only to route it back out to the Internet. Far better to direct employee traffic to a globally distributed SASE service that is often hosted in the same hyperscale data centres used by the major SaaS applications. Thus, as we detail below, most SASE vendors are either an ‘arms dealer’ selling technology to a service provider or a combination of product developer and cloud service provider.
 
What are the primary features of SASE?

SASE is a Gartner neologism that has evolved into both a marketing buzzword and nascent product category. Despite differences in implementation, vendors invariably agree with Gartner’s canonical definition as comprising five elements.

  1. SD-WAN virtual network overlay that aggregates one or more physical networks, such as home broadband cable and DSL or branch office carrier Ethernet and 5G, into a logical connection. As we detail in our earlier report, SD-WAN uses a software control plane to improve link reliability, performance and predictability, and also allows inserting network services like those provided by SASE.
  2. Next-generation firewall-as-a-service (FWaaS) that duplicates the features of a next-gen hardware firewall. Using software firewalls on a software-defined network like an SD-WAN allows for NFV (network function virtualization) service insertion at any point on the network, including edge locations like a branch office or employee’s virtual desktop environment.
  3. Secure Web Gateway (SWG) is an L7 Web content filter that supplements L3-L7 firewalls to block malicious traffic, enforce content and data access policies and monitor web traffic to identify potentially harmful anomalies or capacity bottlenecks. Unlike NGFWs, which are ‘bumps on the wire’, SWGs are proxy servers that terminate traffic, which allows them to detect exploits that firewalls might miss.
  4. Cloud Access Security Broker (CASB) extends SWG, which focuses on Web content, to any Web- or cloud-based application, notably the many SaaS products WFH employees regularly use. CASB traditionally provides four features — traffic and application visibility, policy compliance, data security such as anomaly detection, sandboxing of suspicious code and enforcing TLS, and threat protection for SaaS applications.
  5. Zero-trust network access (ZTNA) is a granular replacement for point-to-point (or client-to-gateway) VPNs to improve network and application security. While VPNs protect network traffic from unauthorised snooping, without carefully designing subnets and gateway termination points, they don't limit user access once authenticated on the VPN. In contrast, ZTNA treats every network connection attempt — for example, accessing a file share or collaboration system — as a separate transaction that requires authentication and authorisation before establishing a temporary encrypted TLS connection. ZTNA security policies are defined by three factors:
a. The initiating device
b. The initiating user
c. The target application or service
 
ZTNA implementations typically include five elements:
 
a. A single sign-on (SSO) service and associated user directory
b. A device inventory with associated credentials 
c. A certificate authority (CA)
d. A policy database and engine for security enforcement 
e. A device access proxy to terminate incoming requests
 
ZTNA eliminates vulnerabilities from a compromised VPN credential by enforcing granular access control over individual services and applications. ZTNA is often paired with two-factor authentication (2FA) using a hardware security key or application-generated one-time passcodes. ZTNA was first popularised by Google’s 2014 BeyondCorp paper, which the company used as the model for a newly-released BeyondCorp Enterprise service.  
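
The per-connection decision described above, as an added example (not code from this article or from any vendor it profiles): a minimal access-proxy check over the three policy factors (device, user, target application), shown beside a flat VPN check. All users, groups, device IDs, fingerprints and application names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    cert_fp: str      # fingerprint of the certificate the CA issued to this device
    compliant: bool   # posture flag (patched, disk encrypted, ...)

@dataclass(frozen=True)
class Policy:
    groups: frozenset     # directory groups allowed to reach the application
    need_compliant: bool  # whether a compliant device is required

@dataclass(frozen=True)
class Request:
    user: str
    session_ok: bool  # result of SSO (and 2FA) verification
    device_id: str
    cert_fp: str      # certificate fingerprint presented on this connection
    app: str

# Constructed sample data: user directory, device inventory, policy database.
DIRECTORY = {"alice": {"finance"}, "bob": {"engineering"}}
INVENTORY = {
    "laptop-017": Device("fp-a1", True),
    "tablet-042": Device("fp-b7", False),
}
POLICIES = {
    "payroll": Policy(frozenset({"finance"}), True),
    "wiki": Policy(frozenset({"finance", "engineering"}), False),
}

def vpn_allows(req: Request) -> bool:
    """Flat VPN model: a valid credential reaches every application."""
    return req.session_ok and req.user in DIRECTORY

def ztna_decide(req: Request) -> tuple[bool, str]:
    """Decide one connection attempt; anything not explicitly matched is denied."""
    if not req.session_ok or req.user not in DIRECTORY:
        return False, "user not authenticated"
    device = INVENTORY.get(req.device_id)
    if device is None or device.cert_fp != req.cert_fp:
        return False, "device not in inventory or certificate mismatch"
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, "no policy for application"
    if not DIRECTORY[req.user] & policy.groups:
        return False, "user not authorised for application"
    if policy.need_compliant and not device.compliant:
        return False, "device posture insufficient"
    return True, "allowed"

if __name__ == "__main__":
    # A valid credential used from a machine that is not in the inventory.
    stolen = Request("alice", True, "unknown-pc", "fp-zz", "payroll")
    print("VPN :", vpn_allows(stolen))
    print("ZTNA:", ztna_decide(stolen))
```

The same credential that the VPN check accepts for every application is refused by the per-request check because the device factor fails, which is the compromised-credential case the paragraph above refers to.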
 
When combined, SASE services provide comprehensive security for today’s distributed, cloud-first enterprise.
 
How to evaluate and compare SASE vendors?
Every significant network vendor has a SASE strategy and most have a product to sell, however modest, even if it involves linking multiple partners into a virtual network fabric. Since SASE is primarily an umbrella term for capabilities already widely available, it’s easy for vendors to craft a marketing message and slideware to woo prospective customers without investing in much product development. Thus, caveat emptor for feature washing.
 
Unfortunately, slides, Web pages and a management interface linking in some network service partners might be the extent of the implementation for most vendors. Thus, any SASE product and vendor evaluation should start with detailed system architecture and service implementation. We say “service” because SASE is ideally delivered as a cloud service, not as installable, user-managed software. We agree with Aryaka product director Paul Liesenberg when he says that delivering the SASE vision requires “a seamlessly orchestrated, cloud-first network and full-security stack.”
 


Aryaka uses partners to deliver their SASE solutions.



After using the architecture and cloud implementation to filter the SASE trailblazers from the pretenders, next consider how your organisation’s priorities map to network optimisation, content filtering and security features. Rank and weight the following factors:
 
  • Network performance (throughput, latency, jitter, availability)
  • SaaS application coverage
  • Integration with existing security systems and enterprise directories
  • Global or regional coverage (POPs)
  • Client support and limitations (if any).

Understand that given the immaturity and rapidly evolving nature of SASE products, buyers are unlikely to find any products excelling at every requirement; thus, prioritisation is critical.
 


SASE is still relatively new but the underlying features have been offered by security vendors for some time.
 


Finally, assess the vendor’s business and service model since there are three primary avenues for procuring SASE services:

  • Directly from a SASE developer operating a cloud network-as-a-service (NaaS), typically by renting IaaS resources from one of the hyperscale cloud providers (AWS, Azure, Google Cloud, Alibaba Cloud), which provides broad international coverage and high availability.
  • From a national or regional carrier like AT&T, Verizon, CenturyLink or Comcast.
  • From a regional or national managed service provider (MSP).
Carriers and MSPs usually don’t develop SD-WAN and SASE software. Instead, they buy from or partner with one of the companies we profile below, often large infrastructure vendors like Cisco, Palo Alto or VMware from whom they already buy network equipment and software.
 
Winnow the list to a couple of finalists that meet all your requirements and prefer those with integrated, self-contained systems over those that use virtual services provided by external partners.
 
Who are the top 10 SASE security vendors? 
Given the SASE market's dynamism, any vendor list is necessarily incomplete, but the following is a representative sample of top products and vendors. Beware that much like the consolidation that happened in the SD-WAN market, most pure-play SASE vendors will be acquisition targets of larger firms, so their products might end up rebranded over the next year or two.


Certain SASE vendors could be acquired during your contract period.



What SASE solution does Cato Networks offer?


Cato offers SD-WAN and SASE services using cloud infrastructure and a cloud-native architecture via a network of 60 POP on-ramps on every continent. The service optimises network connectivity to IaaS and SaaS products using a “single pass engine” that performs packet routing, optimisation and security processing. Cato also provides ZTNA identity-based authentication for access controls, QoS and threat analysis.



What SASE solution does Cisco offer?


Cisco has a dual-track SASE strategy based on its Viptela (data centre, carrier) and Meraki (client) SD-WAN products, Umbrella cloud security service and Secure Access by Duo zero-trust 2FA and endpoint visibility products. Cisco is a prime example of a company that has the SASE technology pieces already in place and understands the vision, but is still working through the product and service integration and customer education and migration plans.
 
 

 
What SASE solution does Cloudflare offer?


Cloudflare One is the company’s recently-announced product that unifies various network optimisation and security technologies under a comprehensive SASE service. Cloudflare One provides network optimisation services using WARP (endpoints), Magic Transit (SD-WAN-like interconnect) and Network Interconnect (CNI; data centre fabric) and Argo for routing. To these core Cloudflare features, One adds security features that include traffic inspection and filtering, DDoS protection, SWG and ZTNA. One integrates with Cloudflare’s other products for access control (Access), logging (Logpush) and a forthcoming IDS.
 



What SASE solution does Forcepoint offer?


Forcepoint Dynamic Edge Protection is a cloud-based suite of SASE services including Web content scanning and filtering, CASB, NGFW, ZTNA, DLP (data loss prevention), malware scanning and sandboxing, and edge connectivity for both branches (using GRE or IPSec) and clients using the Forcepoint One Endpoint agent, which provides encrypted connectivity without the overhead of a VPN client.



What SASE solution does Fortinet offer?




What SASE solution does Open Systems offer?


Open Systems Hybrid SASE combines SD-WAN and network monitoring, security features and predictive analytics of network and security event and performance data. The product can be deployed on-premises or in the cloud and provides most of the core SASE capabilities including IDS, IPS for both SD-WAN networks and connected endpoints, NGFW, CASB, SWG, secure email gateway and a cloud-based application sandbox. Notably absent is zero-trust authentication (ZTNA), although Open Systems does support 2FA for remote VPN authentication.



What SASE solution does Palo Alto Networks offer?
Palo Alto Networks’ SASE solution is a combination of CloudGenix SD-WAN, which the company acquired last year, and Palo Alto’s Prisma Access security service. CloudGenix is delivered as a physical appliance with various sizes for both data centres and branch offices and includes ML analytics and automation features to improve performance and manageability. Prisma Access is a cloud-based SASE service that includes NGFW-as-a-service, SWG, CASB, DLP content filtering, ZTNA, SSL inspection, sandboxing of suspicious code and DNS security (automatic blacklisting of suspicious domains). Palo Alto has recently improved the integration of CloudGenix with Prisma Access by allowing the two to be deployed and configured with one operation.



What SASE solution does Versa offer?


Versa SASE is an integrated suite of products built on the Versa OS (VOS) delivered from the cloud or on-premises infrastructure. SASE features include NGFW, SWG, ZTNA, CASB and risk-based inspection (RBI) for browser-based exploits atop an SD-WAN and cloud networking core. VOS runs on variously sized hardware appliances with remote users connecting via the Versa Secure Access Client (VSAC) available for Windows, macOS, Linux, iOS and Android. VOS supports multi-tenant cloud deployments, which makes it popular with carriers and MSPs wishing to deliver SD-WAN and SASE services.



What SASE solution does VeloCloud offer?
VMware SASE combines a VeloCloud SD-WAN backbone with ZTNA secure access, SWG, CASB and an NSX-based NGFW in a service delivered from more than 100 POPs worldwide. Its secure access gateway supports passthrough, RADIUS, SecurID (one-time passcode), smartcards/2FA tokens, certificates and SAML federated authentication. Access gateways work with VMware’s Workspace ONE client, which provides endpoint security and management.

 
What SASE solution does Zscaler offer?


Zscaler offers four products that collectively provide network security for business and IaaS-based applications, remote access clients and SaaS users. It provides the full set of SASE features via an architecture that builds on the Zscaler WAN and cloud security platform with its Internet Access product that offers a mix of access control, threat and data protection features to secure remote clients. Zscaler’s proxy-based design provides in-line inspection of both clear and SSL encrypted traffic. Zscaler delivers its services from 150 data centres spread across every region, currently handling more than 150 billion transactions per day with 5-nines availability.
 
 

 
What are use cases for SASE and the recommendations?
In the WFH era, SASE has fast become a critical security feature to protect remote employees, branch office and manufacturing locations, business partners and retail outlets and should be considered a requirement for any SD-WAN evaluation.
 
Since SASE is often delivered by an MSP or carrier rather than directly from the vendor, the choice of product is often not under a customer’s direct control. If an organization already has an established and productive business relationship with a major data or wireless carrier or MSP, it is natural to default to whatever SASE product they have selected. Large enterprises considering working directly with a SASE vendor should weigh several factors when evaluating products:
 
  • Integration with existing network infrastructure and management software. For example, organisations with significant investments in Cisco or VMware products should start evaluations with them.
  • Internal integration among SASE components. Some providers use NFV service chaining to link disparate security modules, using a single management UI to control them; however, connecting this way can reduce performance, complicate management and leave gaps in security.
  • Reduce evaluation overhead by keeping detailed product bake-offs to two finalists. 

Author

Kurt Marko insider@netify.com 07590 212100 Last Updated: 08.04.2021
