At SD-WAN Experts, clients frequently ask us to run single-vendor Secure Access Service Edge requests for proposal.
IT leaders often look for a Gartner Magic Quadrant (MQ) in a technology area to focus RFP selection. The Gartner MQ has become a go-to guide for enterprise selection across industries. But, to date, a Gartner MQ is unavailable for single-vendor SASE, which is why we put together an analysis of the SASE market.
Our analysis pulled heavily from Gartner’s Market Guide for Single-Vendor SASE (you can download a free copy from any one of the SASE vendors). While we structured our approach as an MQ-like analysis, the methodology was ours. We relied solely on publicly available information and tempered our theoretical analysis with our own real-world experience deploying SASE platforms.
According to Gartner’s Market Guide, single-vendor SASE offerings use a cloud-based architecture to deliver multiple network and security-as-a-service capabilities. At a minimum, vendors have to provide software-defined WAN (SD-WAN) and line-rate operation, as well as the five security capabilities below:
- Secure web gateway (SWG).
- Cloud access security broker (CASB).
- Zero-trust network access (ZTNA).
- Network firewalling services.
- Sensitive data and malware inspection.
While numerous vendors currently offer multivendor SASE, Gartner’s guide identified only nine vendors as single-vendor SASE offerings. Of those, we review Cato Networks, Cisco, Fortinet, Netskope, Palo Alto Networks, Versa Networks and VMware below. Regarding the other two vendors Gartner included, Citrix declared end of life for the two products that constituted its SASE offering, and we haven’t seen Forcepoint in the field.
Why single-vendor SASE?
In general, SASE brings operational benefits to organizations. But single-vendor SASE brings certain benefits, including the following:
- Enhanced security strategy. Single-vendor SASE reduces the complexity of security functions, enforcing an enterprise-wide single security policy and minimizing the attack surface.
- Efficient use of network and security personnel. This benefit stems from faster deployment times, reduced dependency on advanced networking and security skills, and the removal of redundant tasks. It also enables a single security policy.
- Better user and system administrator experiences. Teams can more easily manage latency and jitter, diagnose end-to-end issues and have a single database for all event data and logs.
Implementing such a system, however, comes with its own set of challenges, such as dealing with organizational silos and existing IT investments. For new single-vendor SASE entrants, global coverage can also pose an issue.
The completeness of vision: Our take
Gartner’s MQ measures offerings based on the completeness of the vendor’s vision and the vendor’s ability to execute.
To measure completeness of vision, we wanted to capture how closely vendor strategies align with the ultimate vision of single-vendor SASE: one cloud service that connects and secures all enterprise edges — sites, remote users, IoT devices and cloud resources — for all traffic, including north-south internet-based traffic and east-west WAN-based traffic. The vision also includes whether the offering uses one console for management.
Let’s unpack that vision. A cloud service relieves enterprise customers of the operational burden normally associated with running the replaced product or service. Consider how AWS replaces physical servers and storage or Microsoft 365 replaces Exchange servers.
Similarly, SASE should be provider-managed, while the enterprise — or an MSP — maintains its own implementation within that infrastructure. This means the SASE software should be cloud-native — multi-tenant, elastic and independent of hardware. The provider ensures the underlying platform is always available and performing as expected, relieving enterprises of the high availability planning, scaling and infrastructure maintenance typical of legacy networks.
Security should always be current and enabled, making it the SASE vendor’s responsibility to maintain relevant threat intelligence and to develop and deploy patches against new vulnerabilities and zero-day threats.
Like the best cloud services, single-vendor SASE capabilities should be cohesive and delivered worldwide. They should also have consistent performance, uptime and operational overhead, regardless of the traffic volume, enabled capabilities, network complexity or location — all factors that have disrupted the network and security experience in the past.
All these factors make architecture critical. A platform with the right features running on discrete appliances or converged on a hardware-centric architecture might be able to meet some SASE needs. But it needs significant investment and compromises to deliver a line-rate, worldwide cloud service.
Like Gartner, we prefer SASE to be a software-based architecture where all security capabilities are parallelized and fully integrated into one processing engine. The SASE software must be near sites and mobile users, which ideally calls for all capabilities to run in all points of presence (PoPs). Backhauling traffic between PoPs for inspection and processing undermines performance. PoP distribution should not only be global, but have enough regional density to cover the locations of all edges.
SASE data should be stored in one data warehouse with a unified data model for log and event data. Analytics should be coherent across all capabilities. A common policy set should guide security inspections everywhere, customized to user specifics, such as location and device. Management should occur through a single management platform. The SASE service should be easy to use and easy to consume, ideally with consumption-based billing.
So, that’s the vision of single-vendor SASE. To measure vendors on how they aligned with that strategy, we developed a matrix based on our analysis of the Gartner Market Guide to Single-Vendor SASE. We converted the core and secondary capabilities of a SASE platform in the guide, as well as the recommended characteristics, into a features table.
We grouped the features into the following five categories:
- Architecture (35% of the score).
- Integration (35%).
- Unified management and policy (10%).
- Flexibility and ease of use (10%).
- Networking and security capabilities (10%).
Our approach emphasized the internals — architecture and degree of integration — which we believe are most essential to selecting a SASE platform at this point of the market. We scored offerings based on the following metrics:
- It lacked a feature (0).
- It offered a feature in part or with additional integration (1).
- It provided the feature in full and without additional integration (2).
The ability to execute: Our take
To quantify a company’s ability to execute on delivering a worldwide SASE platform, we at SD-WAN Experts measured indicators of the resources — company maturity, finances, partners and so on — available to the company.
Once we had some indication of the company’s fiscal maturity and strength, we then looked at the degree to which companies would be constrained by their underlying technical architecture. We looked at how the vendor’s approach would enable a worldwide cloud platform and the coverage of that platform. In other words, a company might be financially healthy, but if SASE functions are distributed with discrete appliances using different OSes and APIs, it will consume too many resources translating those appliances into a global SASE platform.
Using the factors above, we developed the following scoring method:
- Architecture (50% of the score).
- PoP locations (25%).
- Maturity of the company and the SASE platform (20%).
- Inter-PoP connectivity (5%).
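As an added illustration of the two scoring methods above (this is not code or data from the original analysis), the following Python computes a weighted vendor score: each feature is scored 0, 1 or 2 as described, every category is normalized to a fraction of its maximum, and the category weights from the text are applied. The vendor names and feature scores are constructed samples; the article does not state how the ability-to-execute inputs are scored, so the same 0-to-2 scale is assumed there.

```python
"""Weighted scoring matrix for a single-vendor SASE RFP comparison.

Added example, not part of the original article. Vendor names and feature
scores below are constructed; the category weights are the ones the text gives.
"""

# Completeness-of-vision category weights from the article.
VISION_WEIGHTS = {
    "architecture": 0.35,
    "integration": 0.35,
    "unified_management_policy": 0.10,
    "flexibility_ease_of_use": 0.10,
    "networking_security_capabilities": 0.10,
}

# Ability-to-execute category weights from the article. The article does not
# say how these inputs are scored; the 0..2 scale is assumed here.
EXECUTE_WEIGHTS = {
    "architecture": 0.50,
    "pop_locations": 0.25,
    "maturity": 0.20,
    "inter_pop_connectivity": 0.05,
}

# 0 = lacks the feature, 1 = partial or needs extra integration, 2 = full.
VALID_SCORES = (0, 1, 2)
MAX_FEATURE_SCORE = 2


def category_score(scores):
    """Normalize a list of 0..2 feature scores to a 0..1 fraction of the maximum."""
    if not scores:
        raise ValueError("category has no features")
    for s in scores:
        if s not in VALID_SCORES:
            raise ValueError(f"feature score must be one of {VALID_SCORES}, got {s!r}")
    return sum(scores) / (MAX_FEATURE_SCORE * len(scores))


def weighted_score(vendor_scores, weights):
    """vendor_scores maps category -> list of feature scores. Returns 0..100.

    Every weighted category must be present, and nothing outside the scheme
    may be smuggled in, so the comparison is like-for-like across vendors.
    """
    if set(vendor_scores) != set(weights):
        raise ValueError(
            f"category mismatch: missing={set(weights) - set(vendor_scores)}, "
            f"extra={set(vendor_scores) - set(weights)}"
        )
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("category weights must sum to 1.0")
    total = sum(weights[c] * category_score(vendor_scores[c]) for c in weights)
    return round(total * 100, 1)


def rank(vendors, weights):
    """Return [(score, vendor_name), ...] sorted from highest to lowest score."""
    return sorted(((weighted_score(s, weights), name) for name, s in vendors.items()),
                  reverse=True)


# Constructed sample: "Vendor A" is strong on the internals, "Vendor B" has the
# fuller feature list but a weak architecture and loose integration.
SAMPLE_VISION = {
    "Vendor A": {
        "architecture": [2, 2, 1, 2],
        "integration": [2, 1, 2],
        "unified_management_policy": [2, 2],
        "flexibility_ease_of_use": [1, 2],
        "networking_security_capabilities": [2, 2, 1, 0],
    },
    "Vendor B": {
        "architecture": [1, 0, 1, 1],
        "integration": [1, 1, 0],
        "unified_management_policy": [0, 1],
        "flexibility_ease_of_use": [2, 2],
        "networking_security_capabilities": [2, 2, 2, 2],
    },
}

SAMPLE_EXECUTE = {
    "Vendor A": {
        "architecture": [2, 2, 1, 2],
        "pop_locations": [2, 1],
        "maturity": [1, 2],
        "inter_pop_connectivity": [2],
    },
}

if __name__ == "__main__":
    for score, name in rank(SAMPLE_VISION, VISION_WEIGHTS):
        print(f"completeness of vision  {name}: {score}")
    print(f"ability to execute      Vendor A: "
          f"{weighted_score(SAMPLE_EXECUTE['Vendor A'], EXECUTE_WEIGHTS)}")
```

With these constructed inputs Vendor B's full networking and security feature set (100% of that category) does not offset its weak architecture and integration scores, which is the effect of putting 70% of the vision weight on the internals.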
Below, we explore seven single-vendor SASE offerings, listed alphabetically.
1. Cato Networks
The Cato SASE Cloud platform comprises 75-plus PoPs worldwide with customers in more than 150 countries. PoPs are interconnected by Cato’s optimized global private backbone. Each PoP runs multiple instances of Cato Single Pass Cloud Engine (SPACE), which is Cato’s cloud-native packet processing engine. SPACE provides route optimization, dynamic carrier selection and protocol acceleration, and it applies security inspection and enforcement.
All of Cato’s security capabilities — firewall as a service (FWaaS), SWG, intrusion prevention system (IPS), next-generation antimalware, ZTNA, CASB and data loss prevention (DLP) — run within Cato SPACE, making them available worldwide.
Sites connect to Cato PoPs with Cato Socket, Cato’s SD-WAN device, or through IPsec from any capable device. Remote users connect with the Cato Client or Clientless options. Cloud data centers connect through native IPsec or a virtual appliance, and cloud applications connect through Cato’s cloud-optimized routing.
All networking and security event data is stored in a common data lake, while management is from one console.
- A global cloud-native, single-pass engine is the right architecture for single-vendor SASE. It provides line-rate security inspections and optimized traffic worldwide for all company edges — sites, mobile users and the cloud — even for encrypted traffic. Based on our experience at SD-WAN Experts, Cato outperforms all competitors, with performance improving dramatically as intersite distance increases.
- Cato fully maintains the underlying infrastructure of Cato SASE Cloud. This frees IT from updating security signatures in response to the latest zero day. For example, Cato frequently points to its low time-to-protect metric, which details how quickly an IPS signature is developed and put into action.
- The single management platform converges security and networking, which eliminates swivel-chair IT troubleshooting. Cato’s event screen is a good example of convergence, as it provides a single interface for all networking and security event data for the past year.
- Cato, a relatively young company, competes with much larger networking and security players. As such, Cato SASE Cloud lacks some of the extra features its larger competitors have, such as remote browser isolation (RBI). That said, Cato has made progress in closing the gap. Last year, Cato claimed to have delivered over 3,000 features and is expected to release RBI in the first half of 2023.
- Cato SASE requires use of its PoPs, but the cloud might not be the best strategy in some cases, such as when users need to access applications in the same location.
- Telecom relationships to provide managed services have been challenging. Legacy vendors, such as Cisco, have well-developed telecom relationships that serve many large enterprises. Cato is still new to the area. But Cato has made inroads, signing partnerships with MSPs and working with a variety of non-telecom MSPs that provide services.
2. Cisco
Built around Cisco’s acquisition of OpenDNS, Cisco Umbrella spans multiple existing Cisco products, mostly developed through acquisitions and partnerships. The 42 Umbrella PoPs are interconnected by the internet and run DNS security, CASB and DLP engines.
Sites connect through Cisco Meraki SD-WAN or Cisco SD-WAN (previously Viptela) appliances or routers. Remote users connect through Cisco AnyConnect and Duo, and IaaS connects through other SD-WAN and Meraki options. SaaS applications are not specifically supported.
On the security side, Cisco provides NGFW, SWG, ZTNA and IPS through various offerings. Management depends on the platform.
- Cisco brings its brand strength, incredible channel and a rich product portfolio to enable the company to address about every possible use case one can imagine for SASE.
- Talos threat intelligence provides deep security insight, gathering and analyzing data across Cisco products.
- Cloud-native DNS security is a bonus, enabling Cisco to detect and prevent threats before users even reach a website.
- SASE is about tight integration — aka convergence — and Cisco’s SASE portfolio is far from converged. Customers need multiple products to fully implement Umbrella. Umbrella is primarily a mix of homegrown and acquired products that takes a complex, still evolving integration approach to building SASE.
- Umbrella still lacks the cloud-native delivery of firewalling and other SASE components. It doesn’t have a single management platform for the full SASE experience. Multiple products have overlapping functionality, which complicates deployment and design. Core functions might require additional virtual or physical appliances, such as relying on Identity Services Engine when authenticating remote users for enterprise access.
- While Umbrella runs some functions from PoPs worldwide, others, such as NGFW, require customers to deploy appliances for east-west traffic. Connectivity between PoPs is through public peering, not a global backbone. And the customer — or a third party — manages high availability planning and security updates for the NGFW, not in the native platform.
3. Fortinet
FortiSASE was originally an edge- and hardware-centric approach to SASE, but it has grown into the cloud. Fortinet’s cloud-centric approach initially came through its Opaq Networks acquisition in 2020. That approach was later replaced by FortiSASE, a homegrown cloud-based platform, running FortiGate VMs in private data centers, such as Equinix.
Fortinet currently maintains 21 PoPs worldwide, all interconnected by the internet. The PoPs run the FortiSASE software that performs FWaaS, SWG, CASB and ZTNA for remote users who run FortiClient. FortiClient provides integrated endpoint protection platform (EPP) and ZTNA functions as part of Fortinet’s Secure Private Access.
Sites run FortiGate SD-WAN to connect with one another and FortiSASE PoPs, and customers can also use IPsec. FortiGate provides site security. Remote users must connect to a FortiSASE PoP to reach corporate applications.
- Fortinet brings a strong security brand that serves it well in security-centric deals. Fortinet Security Fabric, the company’s cybersecurity platform, has a strong feature set and is regularly named a leader in network firewall evaluations. The company’s security street credibility is further enhanced by the threat intelligence provided by FortiGuard Labs.
- The company’s SD-WAN enables granular configuration that suits a range of network topologies and configurations. Like Cisco and others, Fortinet can be used as a single-tenancy deployment for security-sensitive use cases.
- Fortinet’s SASE agent, FortiClient, provides integrated EPP and ZTNA capabilities, therefore avoiding the need to install additional software on the user’s device.
- Fortinet’s strength is in running converged networking and security on every on-premises and cloud edge, thanks to FortiOS. The company has developed custom silicon to address the processing limitations typical of branch security devices.
- Fortinet does not yet deliver a converged SASE cloud for all edges. FortiSASE secures remote users but not sites, and the security engine runs on virtual appliances instead of cloud-native software. Customers still need to deploy discrete products, and firewalls are still required at locations.
- The various products have multiple consoles to manage the full FortiSASE deployment. This makes FortiSASE complex operationally, so users have to switch between multiple consoles to diagnose problems.
- The scope of the FortiSASE cloud remains limited. The PoPs are primarily located in North America, with Fortinet having the least number of PoPs in Asia-Pacific and few in Europe.
4. Netskope
Netskope started as a leader in CASB and has since added capabilities, including NGFW, SWG and Netskope Private Access, to position itself as a SASE competitor. Netskope delivers these capabilities from one platform with a single management console, which is essential to the SASE vision.
In August 2022, Netskope acquired Infiot, an SD-WAN provider, to meet the basic criteria for single-vendor SASE. Mobile users connect with Netskope Client for secure internet access. Users access data center applications by connecting with Netskope Private Access via Netskope Client. This process uses a Netskope Private Access Publisher VM that is deployed alongside the destination resource.
- Strong cloud-native architecture gives Netskope the right approach for delivering a global SASE platform.
- Geographically, Netskope maintains a strong PoP presence, delivering its service from data centers in 50-plus regions. Data centers provide all service features and are managed by Netskope, not simply instantiated using a public cloud provider. As such, Netskope has complete control over network expansion.
- Functionally, Netskope provides strong CASB and DLP capabilities, providing protection and visibility for data at rest (Netskope API protection) and data in motion (inline CASB).
- While strong in CASB and DLP, Netskope’s capabilities are weaker in other areas. It doesn’t have inspection for private access traffic, and a third party provides sandboxing. While the PoP deployments are significant, inter-PoP connectivity relies on the public internet, not a private network.
- Netskope’s Infiot SD-WAN acquisition is still new and will take time for all data and policy enforcement to be tightly integrated into one management and data store with the rest of Netskope’s functional elements.
- Netskope does not provide private egress IP addresses to customers without backhauling traffic, which leads to higher latency. Instead, customers share egress addresses, which prevents organizations from implementing adaptive multifactor authentication or source IP anchoring policies and leads to an increased attack surface.
5. Palo Alto Networks
The Prisma SASE service from Palo Alto is the result of multiple acquisitions and the placement of VMs into Google Cloud Platform (GCP) and AWS. In addition to NGFW, those VMs run DNS security, threat prevention, SWG, DLP, CASB and ZTNA.
Sites connect with one another and to the cloud-based VMs using Prisma SD-WAN (formerly CloudGenix SD-WAN) appliances. VPN options include IPsec and clientless VPN for connecting users and networks. Remote users can also access data centers or applications via Prisma Access ZTNA as needed.
Prisma Access requires a subscription to Cortex Data Lake to store network logs generated and used by the security products. Management is through either Palo Alto’s Panorama network security management, which provides centralized administration across Palo Alto NGFWs and Prisma Access, or the less feature-rich cloud-native management application.
- Palo Alto brings a strong brand as a security leader with best-in-class NGFW, CASB and DLP features. Security intelligence is provided by its Unit 42, a leader in threat intelligence and incident response.
- The Palo Alto SD-WAN technology developed by CloudGenix is a strong platform that emphasizes application-aware policies for improving UX and easing network operations.
- Palo Alto’s rich security portfolio provides enterprises with the tools to address nearly any possible use case.
- Prisma SASE remains challenging to deploy and manage. It’s complex and involves configuring and installing Prisma SD-WAN devices at each site. Prisma SASE includes FWaaS, but it is for north-south traffic. Customers might need separate on-premises appliances for east-west traffic.
- SASE cloud processing requires minimal latency between the enterprise edge and provider’s compute nodes to be effective. But Prisma relies heavily on GCP, which touts thousands of edge nodes that are merely ingress/egress points into the network. The total number of worldwide GCP compute nodes is 35, and not all security functions are implemented in those nodes, further affecting latency. GCP has the least number of North American compute nodes — eight — of the SASE platforms.
- The provider should run cloud offerings, and that’s not the case with Prisma. Enterprises still need to consider high availability planning in their acquisition, which requires them to instantiate redundancy in Prisma Cloud, increasing costs and complexity. The same is true with updating security infrastructure.
6. Versa Networks
Versa SASE converges security, networking, SD-WAN analytics and automation within Versa Operating System on appliances that can be deployed in the cloud, on premises or both. Versa Cloud Gateways (VCGs) provide security service edge capabilities — ZTNA, SWG, CASB, NGFW, DLP and RBI, as well as advanced threat prevention.
Sites connect to one another and to VCGs by Versa’s CSG appliance series or Dell SD-WAN appliances. Virtual appliances connect cloud data centers and SaaS applications. Remote users connect by running Versa Secure Access Client. Concerto UI or Versa Director — hosted in Versa and AWS — manages the SD-WAN and security services. These can be managed by a telecom operator, MSP or the customer.
- Versa has a well-developed SD-WAN product with one of the few fully converged networking and security stacks in the industry.
- Versa is regularly listed as an SD-WAN leader by Gartner and other analyst firms.
- Versa has a strong channel and counts numerous MSPs and telecom operators as partners worldwide.
- There’s often a significant difference between the capabilities offered by Versa and the ones available through its MSP and telecom partners. In our experience, MSPs can take several months to deliver new Versa capabilities.
- Versa SASE is missing key architectural components. The convergence of networking and security is done on appliances and not in a cloud-native platform. VCGs are not cloud-native, running on a combination of bare-metal servers in Equinix or VMs in AWS and Azure.
- The lack of a cloud network of PoPs is a critical weakness in Versa’s SASE strategy. The company claims to have a network of PoPs, shares white papers describing its global reach and provides multi-tenant SASE components that enterprises or telecom operators can instantiate in AWS, Azure or other hyperscalers. However, Versa does not offer a publicly available PoP status page, which is a fundamental piece of evidence offered by any service provider.
7. VMware
VMware SASE stitches together various acquisitions and OEM relationships. It is a cloud-hosted offering in which the vendor service-chains the various point services together. VMware PoPs provide connectivity to cloud applications and cloud data centers. Enterprises connect to those PoPs over the public internet or through third-party networks.
Sites connect with SD-WAN from the VeloCloud acquisition. Remote users connect through VMware Workspace One. VMware’s OEM relationship with Menlo Security provides internet and cloud security. EPP comes from its acquisition of Carbon Black. Each product requires its own management portal.
- VMware provides an industry-leading SD-WAN offering through its VeloCloud acquisition.
- Like other established vendors, VMware brings strong MSP and telecom partnerships that can help with enterprise relationships.
- VMware Workspace One is a key component of ZTNA, providing mobile device management, mobile application management and mobile content management.
- VMware has rushed its SASE offering to market by stitching together various acquisitions and OEM relationships to deliver its version of SASE. It is a cloud-hosted offering in which appliances — virtual or otherwise — are service-chained together. This is a far cry from the converged, cloud-native platform envisioned for SASE.
- SASE is meant to be a cloud service that the provider keeps current. But that’s not the case for VMware. Customers might not always have access to the latest version of the service, and updates remain the customer’s responsibility.