Who are the best rated SASE Vendors?

SASE, namely Secure Access Service Edge, is a suite of capabilities designed for remote users, offices and devices that rides atop an SD-WAN substrate. In recent years, lower SASE pricing made potential deployments more affordable. While the concept is new, its components are not, contributing to rapid advances in the technology, product offerings and customer acceptance. It’s hard to quantify a SASE market because the terminology and means of implementing the technology are sufficiently malleable that some vendors are SASE-washing legacy network management or security products. Nonetheless, most analysts see a robust market, predicting triple-digit growth over the next few years. For example:

• Dell’Oro expects the SASE market to grow at 116 percent annually over the next five years, resulting in more than a 20-fold increase in revenues from 2020. Sales will start out primarily as SASE software bundled with hardware appliances, but will transition to a combination of software and cloud services managed by a carrier, ISP or SASE vendor.
• 650 Group is less bullish, but still predicts SASE revenue to quintuple by 2025 for a CAGR of 38 percent.
• Revenue at Zscaler, one of the few public pure-plays on cloud-based SASE products, is increasing 55 percent annually with billings up 71 percent year-over-year, numbers will make it a billion dollar company by mid-2022. Zscaler illustrates the potential for rapid expansion of SASE usage, with 5,000 customers, including 500 in Forbes’ Global 2000, and more than 20 million seats licensed accessing Zscaler’s services from one of 150 data centres worldwide.

SASE is a collection of network, user and application security technologies tailored for remote, edge locations like a branch office, retail store, warehouse or employee home. SASE can be implemented as a set of software and hardware appliances on private infrastructure, however, with organisations coping with pandemic uncertainty and lockdowns by significantly increasing the use of cloud infrastructure and applications, SASE is better consumed as a cloud-based service.

With WFH employees and remote contractors reliant on cloud services, it makes little sense tunneling their network traffic to privately-operated SASE infrastructure only to route it back out to the Internet. Far better to direct employee traffic to a globally distributed SASE service that is often hosted in the same hyperscale data centres used by the major SaaS applications. Thus, as we detail below, most SASE vendors are either an ‘arms dealer’ selling technology to a service provider or a combination of product developer and cloud service provider.

What are the primary features of SASE?

SASE is a Gartner neologism that has evolved into both a marketing buzzword and nascent product category. Despite differences in implementation, vendors invariably agree with Gartner’s canonical definition as comprising five elements.

1. SD-WAN virtual network overlay that aggregates one or more physical networks, such as home broadband cable and DSL or branch office carrier Ethernet and 5G, into a logical connection. As we detail in our earlier report, SD-WAN uses a software control plane to improve link reliability, performance and predictability and that also allows inserting network services like those provided by SASE.
2. Next-Generation Firewall-as-a-Service (NGFWaaS) that duplicates the features of a next-gen hardware firewall. Using software firewalls on a software-defined network like an SD-WAN allows for NFV (Network Function Virtualisation) service insertion at any point on the network, including edge locations like a branch office or employee’s virtual desktop environment.
3. Secure Web Gateway (SWG) is an L7 Web content filter that supplements L3-L7 firewalls to block malicious traffic, enforce content and data access policies and monitor web traffic to identify potentially harmful anomalies or capacity bottlenecks. Unlike NGFWs, which are ‘bumps on the wire’, SWGs proxy servers that terminate traffic, which allows them to detect exploits that firewalls might miss.
4. Cloud Access Security Broker (CASB) extends SWG, which focuses on Web content, to any Web- or cloud-based application, notably the many SaaS products WFH employees regularly use. CASB traditionally provides four features — traffic and application visibility, policy compliance, data security such as anomaly detection, sandboxing of suspicious code and enforcing TLS and threat protection for SaaS applications.
5. Zero-Trust Network Access (ZTNA) is a granular replacement for point-to-point (or client-to-gateway) VPNs to improve network and application security. While VPNs protect network traffic from unauthorised snooping, without carefully designing subnets and gateway termination points, they don’t limit user access once authenticated on the VPN. In contrast, ZTNA treats every network connection attempt — for example, accessing a file share or collaboration system — as a separate transaction that requires authentication and authorisation before establishing a temporary encrypted TLS connection. ZTNA security policies are defined by three factors:
   1. The initiating device
   2. The initiating user
   3. The target application or service

ZTNA implementations typically include five elements: a. A Single Sign-On (SSO) service and associated user directory b. A device inventory with associated credentials c. A Certificate Authority (CA) d. A policy database and engine for security enforcement e. A device access proxy to terminate incoming requests

ZTNA eliminates vulnerabilities from a compromised VPN credential by enforcing granular access control over individual services and applications. ZTNA is often paired with Two-Factor Authentication (2FA) using a hardware security key or application-generated one-time passcodes. ZTNA was first popularized by Google’s 2014 BeyondCorp paper, which the company used as the model for a newly-released BeyondCorp Enterprise service.

When combined, SASE services provide comprehensive security for today’s distributed, cloud-first enterprise.

How to evaluate and compare SASE vendors?

Every significant network vendor has a SASE strategy and most have a product to sell, however modest, even if it involves linking multiple partners into a virtual network fabric. Since SASE is primarily an umbrella term for capabilities already widely available, it’s easy for vendors to craft a marketing message and slideware to woo prospective customers without investing in much product development. Thus, caveat emptor for feature washing.

Unfortunately, slides, web pages and a management interface linking in some network service partners might be the extent of the implementation for most vendors. Thus, any SASE product and vendor evaluation should start with detailed system architecture and service implementation. We say “service” because SASE is ideally delivered as a cloud service, not as installable, user-managed software. We agree with Aryaka product director Paul Liesenberg when he says that delivering the SASE vision requires “a seamlessly orchestrated, cloud-first network and full-security stack.”