Part 3: How to go about comparing SASE vendors
By Gavin Smith
In our first blog in this series, we discussed the SASE (Secure Access Service Edge) definition and briefly looked at the types of offering available from different vendors. According to the Gartner definition, SASE converges network and security functionality with access based on user and resource identities, rather than the traditional datacentre-focused model, to meet the demands of an increasingly mobile and cloud-driven world. There are few vendors who meet Gartner’s definition in its entirety, and here we take a more in-depth look at what SASE is and what different vendors are currently offering in the market.
Who is selling SASE?
There is a whole raft of vendors who have moved to re-align their networking or security offerings to meet the new Gartner definition of SASE, for identity-driven, cloud native networking and security that supports all edges. These range from networking hardware vendors, service providers such as the Telcos, as well as network and security point solution providers.
According to Gartner, SASE is a cloud-delivered service, and this is one part of the picture that is often missing from the complete package offered by vendors. Many of the five key components are offered as point solutions:
- SD-WAN
- Firewall-as-a-Service (FWaaS)
- Secure Web Gateway
- Cloud Security Broker (CASB)
- Zero-Trust Network Access / Software Defined Perimeter
Currently, there is only one vendor, Cato Networks, that has developed a SASE package, as defined by Gartner, from the ground up. The majority of other vendors supply some of the different components (Points 2-5 in the definition above) and partner with other vendors to meet any technology gap they have, often partnering with another vendor to supply SD-WAN. It is not always true that the full SASE package is the only option to consider. But, it often does make sense for small to medium-sized organisations who do not have all the skills required to handle the management of many different solutions to meet the same objective.
What to look for in a SASE offering – Check list
1. Identity-driven:
Are networking and security integrated into a single cloud-native platform? Does it enable you to develop one set of networking and security policies for users, regardless of their device or location?
2. Cloud-native architecture:
Provides elasticity, adaptability, self-healing, and self-maintenance.
3. Easy-to-use management:
Bringing together features such as SD-WAN, WAN optimisation, ZTNA, FWaaS can help improve security and network performance. Managing this complexity centrally will also bring down costs and free up time for IT to tackle more strategic business objectives and spend less on maintenance.
4. Supports all edges:
Including datacentres, branch offices, cloud resources, and mobile users. For example, SD-WAN appliances support physical edges while mobile clients and clientless browser access connect users on the go.
5. Zero Trust Network Access (ZTNA):
Moving away from traditional security of VPN and firewall, ZTNA is an important component of SASE, providing identity-driven security, that is a must in a highly distributed business environment.
6. Can be scaled globally:
A global backbone isn’t part of the SASE definition, but for global companies the public internet alone can be too unreliable and lack agility and cost-effectiveness, and it is worth considering a global SLA-backed private backbone.
What to beware of in your SASE solution
1. Question: When is SASE not SASE? Answer: When it is only SD-WAN.
There has been much confusion in the market around the terms SD-WAN and SASE, and sometimes SASE is viewed as next gen SD-WAN, but that is only a piece of the picture. SASE encompasses both SD WAN and Cloud-based security.
2. Patching multiple appliances together or having virtual appliances on edge devices.
This might seem to amount to the same “SASE” result, but the difficulty in managing them can only be handled by IT organisations that have the skills, resources and budget for the scale of the complex environment. True SASE is built with scalability, self-service, ease of use and the agility of the cloud in mind.
3. Telco-managed network services.
The large telecoms providers also claim to deliver SASE, but the disadvantage of leaving them to manage an SD WAN network over an MPLS backbone is that it can create more complexity and difficulty in introducing alternative solutions and ultimately reduce the benefit of flexibility that the SASE framework should achieve. Besides, cloud-based SASE is leaner and processes traffic faster than traditional MPLS.
4. Security providers – integrating various security capabilities in the cloud.
This lacks key SASE elements of controlling network flows and natively supporting the WAN edge. According to Neil MacDonald of Gartner, “a SASE implementation that relies on multiple vendors is inherently less secure”. One of the reasons for this is encrypted traffic, which needs to be decrypted, inspected for sensitive data and re-encrypted by the different vendor solutions. It is better to open and inspect once and then apply user-based policies.
To avoid the complexity of a piecemeal approach with multiple point solutions, the Gartner SASE approach recommends using a single or two vendors at most. It also recommends ensuring that the SASE solutions benefit the organisations requirements, not only for current use cases, but that they have enough flexibility to be rolled out incrementally, if needed, and cover future needs.
Get in touch. We can help you to evaluate your current environment, understand the best fit for your IT infrastructure and business, and help design and implement the right solution. With just an hour-long whiteboarding session we can help set you on your path to SASE and a flexible and secure network. Book a technical consultation >
Have a question? Ask our technical specialists
