Just a year after Gartner introduced it, Secure Access Service Edge has become a widespread force across the enterprise networking and security industries. Today, nearly every major security or networking player claims to have some sort of SASE offering, but prospective buyers must weigh what SASE vendors can actually achieve against the vendor marketing buzz.
SASE architecture defines a cloud service that connects and secures all enterprise endpoints -- sites, mobile users, cloud resources and IoT devices -- across any physical network. The goal of a SASE system is to unify the disparate security tools and networks that together have resulted in high capital costs and complicated troubleshooting, creating holes in security infrastructure.
Differentiating between the SASE hype and reality can be challenging. Prospective SASE customers should consider both the current facts and what they hope to achieve in their product selection process.
SASE: The theory
SASE emerged in response to enterprise adoption of the cloud and mobility. Legacy enterprise networks assumed users worked in offices, accessing data and applications in the data center. For security reasons, internet access was typically available to users through a secure gateway in the headquarters or data center.
But, as data and applications shift to the cloud and remote work becomes the norm, enterprises are rethinking how to deliver secure network access. Backhauling traffic to a data center adds too much latency, and legacy networks lack bandwidth. Besides, the classical security perimeter, where a fixed firewall protects the enterprise network from the unsecured internet, makes little sense in an infrastructure where users and data sit beyond the perimeter.
Organizations need a more holistic defense posture that encompasses a multiplicity of technologies from endpoint protection to malware prevention to content inspection -- a point recently underscored by the Cybersecurity and Infrastructure Security Agency in its Cyber Essentials Toolkit.
Practically, running such a holistic approach has been challenging, particularly for midsize enterprises. Holes in security infrastructure are vulnerable to attackers, and specialized skills to protect against such incidents increase staffing costs. Often, the demands of day-to-day operations prevent lean IT teams from implementing strategic best practices, like penetration testing or proactively devising incident strategies.
SASE addresses these networking and security challenges by envisioning a global network of points of presence (PoPs) interconnected by a high-performance backbone. Security and networking software ideally runs on a cloud-native, multi-tenant platform in the PoP, giving SASE all the elasticity, scaling and cost benefits of a cloud service.
Enterprises connect their edge to these PoPs across any available local internet connection. Edges include software-defined WAN (SD-WAN) to connect sites; VPN clients and clientless access for remote users; native connections; or virtual appliances for the cloud. As such, SASE can, in theory, replace global MPLS networks, site-to-site VPNs, remote access VPNs, cloud gateways and direct cloud interconnects of legacy networks.
A portfolio of security functions can inspect all traffic sent to the PoPs. Gartner identified a broad range of security technologies that a SASE platform should implement, including secure DNS, next-generation firewall (NGFW), secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA) and data loss prevention. A single platform that integrates all those technologies creates a security infrastructure that is easier both to run and to maintain.
The convergence of technologies brings other benefits as well. Troubleshooting is easier for IT admins, as all networking and security data should, in theory, be exposed through a unified console. IT admins no longer need to jump between interfaces, a practice that complicates the troubleshooting process.
Bringing all technologies together improves IT agility. According to research from SD-WAN experts, one of the challenges COVID-19 presented was that companies suddenly had to scale up remote access platforms that were dimensioned for only 10% to 15% of the workforce working a few hours of the day to the entire workforce working all day.
These changes mean enterprises have to purchase more VPN server resources and need increased internet connectivity as traffic must terminate at those VPN servers. More VPN servers might be necessary, whether for availability or to accommodate users working in areas across the globe. Companies still need to ensure all security policies and performance optimization are in place to provide a secure, enterprise-grade remote experience for their workers. SASE architecture directly addresses these very issues.
SASE: The reality
The reality of SASE, though, is quite different from the theory of SASE. SASE as an architecture will remain a work in progress for the next three to five years. No platform currently meets every Gartner criterion.
Today, SASE products differ significantly in functionality. With perhaps one exception, networking and security vendors are simply not yet in a position to deliver on the full vision of SASE. It's that simple. As such, the biggest question buyers should ask is exactly which parts of the SASE vision a vendor's architecture currently implements in its SASE product.
In my experience, all real SASE vendors are expected to deliver the following:
- networking and security integration -- but the richness and extent of that integration will vary;
- support for remote users and sites, though this might currently require deploying small SD-WAN devices at home offices; and
- support for a global private backbone of their own or from a third party, such as Azure, AWS or others, as the global internet is too unpredictable to consistently deliver a low-latency experience globally.
Moving forward, customers should expect SASE systems to do the following:
- become true cloud services, helping to reduce costs through a cloud-native architecture;
- have a single management console that converges both security and networking domains; and
- be identity-driven, where all networking and security policies depend on the user, not a device IP address.
How to compare SASE vendors
Below is a brief look at five SASE platforms prominent on the current market. We've asked each vendor about the following five areas:
- Briefly describe your SASE architecture.
- Identify any multi-tenant components in your SASE platform.
- Do you provide a private backbone? If so, how many PoPs do you offer in each region (North America, Latin America, EMEA, APAC and China)?
- What three features would you point to that enable you to beat competitors?
- Describe your pricing model.
1. Cato Networks
Cato provides Cato Cloud, which reportedly connects all branch locations, remote users and cloud resources into a global and secure cloud service.
Cato claims it was architected to address all key SASE requirements: convergence of networking and security into a single-pass and identity-based engine, cloud-based and cloud-native service, global footprint and support for all edges.
Cato Cloud consists of a global private backbone of more than 60 PoPs and fully managed security services, including NGFW, SWG, next-generation antimalware, an intrusion prevention system, native cloud integration, remote access, unified management and an SD-WAN device -- the Cato Socket.
Cato offers its services as an annual subscription. Price is based on last-mile capacity of connected branches and the number of remote users.
2. Open Systems
Open Systems' managed SASE products securely connect an organization's users to applications, from branches to clouds anywhere in the world. The company claims it protects and constantly monitors customers' digital assets to proactively detect and respond to threats.
The company's managed SASE platforms are built upon Open Systems' unified, future-proof platform that integrates key networking and security services, including SD-WAN, app optimization, NGFW, SWG, CASB and remote access. Open Systems has no multi-tenant components or backbone -- it recommends customers rely on third-party backbones.
Open Systems has a user-based pricing model. A one-time setup fee covers project costs, design and implementation. A monthly recurring cost covers software and hardware licenses, lifecycle management and support.
3. Palo Alto Networks
The Palo Alto SASE platform uses the CloudGenix SD-WAN edge with Palo Alto Prisma Access to secure SD-WAN endpoints and mobile users, as well as Prisma SaaS to secure sanctioned SaaS applications. Prisma Access is a multi-tenant application that enables customers to host multiple instances on a single Panorama appliance. Prisma Access tenants get their own dedicated instances, which are not shared between tenants.
While Palo Alto does not have a private backbone, it claims to offer consistent cloud-delivered security from a multi-cloud architecture that spans over 100 locations across 76 countries.
Current pricing models are based on bandwidth utilization.
4. Versa Networks
Versa delivers SASE services both on premises and via the cloud using its Versa Operating System (VOS). Versa SASE is available as a private cloud service that enterprises can operate, manage and host with their own private Versa Cloud Gateways.
Versa SASE services include SWG, NGFW, virtual desktop infrastructure, sanitized DNS, edge compute protection, VPN, ZTNA and SD-WAN. A single management interface manages the VOS software stack.
Versa Cloud Gateways are distributed across 90 locations. While Versa does not provide a backbone, it has the ability to interconnect Gateways across private backbones within Azure, AWS and Equinix. Remote browser isolation, network sandbox and CASB are in beta.
Versa SASE is available as a subscription service and priced based on features and capabilities that users require.
5. VMware
The VMware SASE platform converges cloud networking, cloud security and ZTNA with web security. It includes VMware Edge Network Intelligence, providing added user visibility.
The VMware SASE platform is available as a managed service or DIY using a global network of more than 2,700 cloud service nodes across over 100 PoPs. These PoPs serve as on-ramps to SaaS and other cloud services. VMware does not provide a backbone, however, relying on service provider partners instead.
Networking and security services can be delivered in an intrinsic or sequenced manner to branches, mobile users, campuses and IoT devices. All components are multi-tenant.
VMware employs subscription-based pricing. Physical VMware Edge devices are available both for purchase and rent; special software bundles are also available to address long-term work-from-home needs.