How to buy SASE

Secure Access Service Edge combines networking with security and bundles it up as a service, but there are differences among the offerings. Here’s key questions to ask vendors.

nw how to shop for vpn shopping cart
bsd555 / Traitov / Getty Images

Wouldn’t it be great if there were a cloud-based service that combined networking and security so that users located anywhere could safely and efficiently access applications and data located anywhere? That’s the aim of SASE (rhymes with gassy). SASE isn’t a single product, but rather it’s an approach, a platform, a collection of capabilities, an aspiration.

Gartner coined the term Secure Access Service Edge in a 2019 research report, and the name stuck. Vendors have been doing backflips trying to cobble together complete SASE offerings, which would include at a minimum software-defined WAN (SD-WAN), secure Web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS) and zero trust network access (ZTNA).

SASE resources: What to expect from SASE certifications; SASE checklist: 7 key evaluation criteria; Gartner: SD-WAN, SASE are biggest drivers of WAN edge infrastructure

As things stand now, few, if any, vendors have a complete, mature SASE offering. In its 2021 Strategic Roadmap for SASE Convergence, Gartner cautions, “Not every vendor claiming to offer a SASE product currently delivers all of the required and recommended SASE capabilities. Even then, not all of the SASE vendor’s capabilities are at the same level of functionality and maturity.”

But not to fret. Gartner points out that “enterprise transition to a complete SASE model will take time.” To give some sense of the rough timelines, Gartner predicts that by 2025, at least 60% of enterprises will have strategies and timelines for SASE adoption, with full adoption farther off in the future.

How quickly an organization can move to SASE will be impacted by a variety of factors, including hardware refresh cycles, the pace of branch office transformation projects, IT skills gaps, and organizational rifts between security and networking teams.

So, it will take a while, but now is the time to get started on the journey. This buyers guide will outline the vendor options and identify the key questions that enterprises need to ask in their quest for SASE.

What is SASE?

First, let’s define the cluster of capabilities that are included in SASE.

  • SD-WAN: Software-defined WAN technology is deployed at remote sites in order to aggregate, secure and optimize all types of WAN traffic. Originally sold as a way to reduce reliance on expensive MPLS links, SD-WAN has become indispensable for branch office employees who need to access Web-based productivity apps.
  • FWaaS: Next-generation firewall-as-a-service replaces the hardware firewall with a cloud-based software equivalent that is easier to deploy and manage. FWaaS typically includes IPS/IDS and anti-malware.
  • SWG: Secure Web gateway is a content filter that blocks malicious traffic but also helps enforce content and data access policies. SWG capabilities include URL filtering, SSL inspection, and DNS monitoring.
  • CASB: Cloud access security brokers monitor both outbound and inbound traffic for security and policy compliance. CASBs also provide visibility into SaaS applications.
  • ZTNA: Zero Trust is another analyst-inspired term (John Kindervag) that is also more of an approach than a specific product. The Zero Trust concept is that all users and devices, regardless of location, should be considered untrusted by default, should be required to authenticate at each log-in, should have limited access to applications and should be monitored for unauthorized or suspicious activity throughout the session. Methods for implementing Zero Trust include multi-factor authentication, granular access control and network segmentation.

Those are the core SASE capabilities. But there are other, secondary capabilities that could also be part of a buying decision, such as the ability to perform SASE functionality at line rate, remote browser isolation, network sandboxing, support for unmanaged devices, and Web application and API protection. In addition, depending on the use case, Wi-Fi hot-spot protection or support for legacy VPNs might be part of a package.

SASE vendor landscape

The list of vendors offering SASE seems to grow by the day, but here are the main categories of SASE vendors.

Networking vendors

Cisco, Extreme, VMware and others have jumped on the SASE bandwagon. These vendors have made strategic acquisitions and are trying to stitch together a full SASE portfolio, either internally or through partnerships.

For example, in August, Extreme bought Ipanema Technologies, an SD-WAN/SASE vendor. Cisco is working to integrate multiple acquisitions under the banner of its Umbrella SASE, including Viptela (SD-WAN), Meraki (SD-WAN) and Duo Security (Zero Trust, multi-factor authentication.) VMware is merging its VeloCloud SD-WAN acquisition with its NSX network virtualization and security platform. It is also partnering with Menlo Security and Zscaler to flesh out its SASE offering.

Traditional Security Vendors

Security vendors such as Palo Alto, McAfee, Forcepoint, Barracuda and Fortinet are also piecing together SASE offerings, both through internal development and acquisitions.

Palo Alto bought SD-WAN vendor CloudGenix, Fortinet bought OPAQ for zero trust, Barracuda picked up zero trust startup Fyde, McAfee bought browser isolation vendor Light Point Security, and Forcepoint acquired security service edge company Bitglass.

Cloud-native security vendors

Several companies have created their own global cloud networks and are building out cloud-native SASE capabilities. That list includes Cato Networks, Netskope, Versa, and Zscaler. Similar to the traditional security vendors, these newcomers are busily adding new SASE capabilities to their portfolios, either internally or through partnerships. For example Cato just announced it has raised $200 million in new funding, which the company said will help it speed the development of its CASB offering.

Content delivery network (CDN) vendors Cloudflare and Akamai have built SASE capabilities into their global cloud networks. And powerhouse vendors such as AT&T and Verizon are cobbling together SASE offerings, again in partnership with other vendors. AT&T recently announced a SASE service using Palo Alto gear. Verizon announced a SASE offering that includes technology from Versa and Zscaler, and IBM is partnering with Zscaler to offer SASE.

Having that many options to choose from may seem daunting, and it can be difficult to tease out which SASE capabilities are homegrown and which has been acquired from another vendor, but one important benefit of the fact that Gartner defined the term, rather than a vendor, is that there is no ambiguity on a number of fronts. There are no decisions to be made in the realm of hardware vs. software, on-prem vs. cloud, best-of-breed point products vs. strategic partner. SASE, by definition, is a software-only, cloud-based, managed service that should be delivered by one, or at most two, providers.

Here are some specific questions to ask potential SASE providers that will help narrow down your search:

Questions for enterprises to ask

For networking and security vendors:

  1. Does the vendor offer all of the capabilities that are included in the definition of SASE? If not, where are the gaps? If the vendor does claim to offer all of the features, what are the strengths and weaknesses? How does the maturity of the vendor offerings mesh or clash with your own strengths, weaknesses and priorities? In other words, if your biggest need is Zero Trust, and the vendor’s strength is SD-WAN, then the fit might not be right.  
  2. How well integrated are the multiple components that make up the SASE? Is the integration seamless?
  3. Assuming the vendor is still building out its SASE, what does the vendor roadmap look like? What is the vendor’s approach in terms of building capabilities internally or through acquisition? What is the vendor’s track record integrating past acquisitions? If building internally, what is the vendor’s track record of hitting its product release deadlines?
  4. Whose cloud is it anyway? Does the vendor have its own global cloud, or are they partnering with someone? If so, how does that relationship work in terms of accountability, management, SLAs, troubleshooting?

For managed service providers:

  1. How many PoPs do they have and where are they located? Does the vendor cloud footprint align with the location of your branch offices?
  2. Do the vendor have the scale, bandwidth and technical know-how to deliver line-rate traffic inspection?
  3. For the cloud-native vendors: How can you demonstrate that your homegrown SASE tools stack up against, say, the firewall functionality from a name-brand firewall vendor?
  4. Is there a risk that the vendor might be an acquisition target? As the market continues to heat up, further acquisitions seem likely, with the bigger players possibly gobbling up the cloud-native newcomers.
  5. For the traditional managed services powerhouses like AT&T and Verizon, do theyy have all the SASE capabilities, where did they get them, and how well are they integrated? What is the process for troubleshooting, SLAs, and support? Is there a single management dashboard?

For all potential vendors:

The tradeoff of taking the SASE route is that enterprises gain the benefit of offloading a lot of headaches onto the service provider’s shoulders (deployment, configuration, updates, etc.) At the same time, IT is still responsible to end users if something goes wrong. So, there has to be a strong relationship between the enterprise and the service provider, particularly when it comes to management. Here are specific questions to ask:

  1. Is there flexibility in terms of policy enforcement? In other words, can a consistent SASE security policy be applied across the entire global enterprise, and can that policy also be enforced locally depending on business policy and compliance requirements?
  2. Even if enforcement nodes are localized, is there a SASE management control plane that enables centralized administration? This administrative interface should allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application or the data.
  3. How is sensitive data handled? What are the capabilities in terms of visibility, control and extra protection?
  4. Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting?
  5. Is policy enforced consistently for all of the possible access scenarios--individual end users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged?
  6. Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Since the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all of that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand.
  7. Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs.
  8. One of the key concepts of zero trust is that end-user behavior should be monitored throughout the session and actions taken to limit or deny access if the end user engages in behavior that violates policy. Can the SASE enforce those types of actions in real time?
  9. Will the SASE deliver a transparent and simplified end user experience that is the same regardless of location, device, OS, browser, etc.?

Getting started: Break down siloes, drop VPNs

Gartner makes it clear that SASE is a journey. “Enterprises can’t flip a switch and adopt SASE. The vast majority of enterprise SASE adoption will occur over several years, prioritizing areas of greatest opportunity in terms of cost savings, eliminating complexity and redundant vendors, and risk reduction through adoption of a zero trust security posture.”

Companies need to take the time to develop an overall SASE strategy with specific timelines and measurable goals. And remember, SASE is an edge strategy. SASE needs to align with strategic initiatives relative to data centers, to multi-cloud architectures, to digital transformation, and to applying zero trust across the entire enterprise.

Internally, companies should begin breaking down the siloes between networking and security teams. Creating cross-disciplinary working groups that also include workforce transformation and branch office transformation is a good first step.

In terms of specific steps, companies should start moving off of legacy VPN-based network access as quickly as possible and begin replacing VPNs with ZTNA. Map out refresh cycles and come up with a plan to move off of appliance-based point products, and shift to cloud-based options. The goal is to methodically consolidate the number of vendors in order to cut costs and reduce complexity.

In this transitional phase, keep contracts short, make sure to enforce SLAs, and continue to revisit your SASE migration plans as the market consolidates and matures.

Copyright © 2021 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022