Who are the best rated SASE Vendors?
The best SASE vendors are: Cato, Cisco, Cloudflare, Forcepoint, Open Systems, Palo Alto, Versa, VeloCloud and Zscaler. Comparison of features should include FWaaS, ZTNA, SWG, CASB, MDR and SD WAN with cloud native capability.
List of the top 10 SASE vendors:
- Cato Networks - the first true SASE vendor, easy to use with low false positives.
- Cisco - primarily WAN edge but virtualisation is increasing, massive partner eco-system.
- Cloudflare - offering a number of options in addition to SASE which includes full integration with their other products.
- Forcepoint - SASE with an agent based encryption service requiring no VPN client.
- Fortinet - high performing WAN edge devices with strong security experience and history.
- Open Systems - SASE and SD WAN designed to meet the needs of medium to large enterprise business.
- Palo Alto - capable of delivering highly complex security requirements with SD WAN integration.
- Versa Networks - cost effective with good features capable of delivering to all sizes of business.
- VeloCloud - VMware solution which includes huge partner support and experience within virtualisation.
- Zscaler - security vendor used as an integration partner for many of the leading SD WAN providers.
What is a SASE solution?
SASE (Secure Access Service Edge) is a Gartner framework that combines FWaaS, ZTNA, SWG, CASB, MDR and SD WAN virtual network overlay services. Importantly, SASE should be cloud native.
Cato EDR, XDR and MDR are provided by SentinelOne.
Open Systems EDR, XDR and MDR are provided by Microsoft.
Zscaler EDR, XDR and MDR are provided by SentinelOne.
Top rated SASE vendors feature matrix table.
We compare 10 leading SASE security vendors with an overview of the market.
2020-22 was a boon to vendors providing the technology that enabled society’s sudden transition to a remote, online lifestyle. Chief among them was SD-WAN, which became critical for organizations needing to maintain robust connectivity for Work-From-Home (WFH) employees tethered to video conferences for much of the day.
However, organizations soon realized that once they delivered reliable baseline communications, user and data security was the next layer of their hierarchy of needs. As we mentioned in our article on domestic SD-WAN vendors, “Security is the hottest sub-segment of the SD WAN market, with the emerging SASE market, which adds security features to an SD WAN solution, expected to more than double annually over the next several years, reaching 60 percent of SD WAN deployments by 2024 according to Gartner.”
SASE interest is so intense that Gartner’s latest Hype Cycle rankings put it at the Peak of Inflated Expectations, poised for the excitement to crater as buyers realize that SASE isn’t a silver bullet for all their security problems. Nonetheless, SASE solutions will be a critical addition to the security portfolio of the vast majority of enterprises that are permanently transformed into a work-from-anywhere organization with remote, geographically dispersed employees. Indeed, Gartner sees the number of organizations adopting SASE quadrupling to 20 percent by 2023.
SASE, namely Secure Access Service Edge, is a suite of capabilities designed for remote users, offices and devices that rides atop an SD-WAN substrate. In recent years, lower SASE pricing made potential deployments more affordable. While the concept is new, its components are not, contributing to rapid advances in the technology, product offerings and customer acceptance. It’s hard to quantify a SASE market because the terminology and means of implementing the technology are sufficiently malleable that some vendors are SASE-washing legacy network management or security products. Nonetheless, most analysts see a robust market, predicting triple-digit growth over the next few years. For example:
- Dell’Oro expects the SASE market to grow at 116 percent annually over the next five years, resulting in more than a 20-fold increase in revenues from 2020. Sales will start out primarily as SASE software bundled with hardware appliances, but will transition to a combination of software and cloud services managed by a carrier, ISP or SASE vendor.
- 650 Group is less bullish, but still predicts SASE revenue to quintuple by 2025 for a CAGR of 38 percent.
- Revenue at Zscaler, one of the few public pure-plays on cloud-based SASE products, is increasing 55 percent annually with billings up 71 percent year-over-year, numbers that will make it a billion dollar company by mid-2022. Zscaler illustrates the potential for rapid expansion of SASE usage, with 5,000 customers, including 500 in Forbes’ Global 2000, and more than 20 million seats licensed accessing Zscaler’s services from one of 150 data centers worldwide.
SASE is a collection of network, user and application security technologies tailored for remote, edge locations like a branch office, retail store, warehouse or employee home. SASE can be implemented as a set of software and hardware appliances on private infrastructure. However, with organizations coping with pandemic uncertainty and lockdowns by significantly increasing the use of cloud infrastructure and applications, SASE is better consumed as a cloud-based service.
With WFH employees and remote contractors reliant on cloud services, it makes little sense tunneling their network traffic to privately-operated SASE infrastructure only to route it back out to the Internet. Far better to direct employee traffic to a globally distributed SASE service that is often hosted in the same hyperscale data centers used by the major SaaS applications. Thus, as we detail below, most SASE vendors are either an ‘arms dealer’ selling technology to a service provider or a combination of product developer and cloud service provider.
What are the primary features of SASE?
SASE is a Gartner neologism that has evolved into both a marketing buzzword and nascent product category. Despite differences in implementation, vendors invariably agree with Gartner’s canonical definition as comprising five elements.
- SD-WAN virtual network overlay that aggregates one or more physical networks, such as home broadband cable and DSL or branch office carrier Ethernet and 5G, into a logical connection. As we detail in our earlier report, SD-WAN uses a software control plane to improve link reliability, performance and predictability and that also allows inserting network services like those provided by SASE.
- Next-Generation Firewall-as-a-Service (NGFWaaS) that duplicates the features of a next-gen hardware firewall. Using software firewalls on a software-defined network like an SD-WAN allows for NFV (Network Function Virtualization) service insertion at any point on the network, including edge locations like a branch office or employee’s virtual desktop environment.
- Secure Web Gateway (SWG) is an L7 Web content filter that supplements L3-L7 firewalls to block malicious traffic, enforce content and data access policies and monitor web traffic to identify potentially harmful anomalies or capacity bottlenecks. Unlike NGFWs, which are ‘bumps on the wire’, SWGs are proxy servers that terminate traffic, which allows them to detect exploits that firewalls might miss.
- Cloud Access Security Broker (CASB) extends SWG, which focuses on Web content, to any Web- or cloud-based application, notably the many SaaS products WFH employees regularly use. CASB traditionally provides four features — traffic and application visibility, policy compliance, data security such as anomaly detection, sandboxing of suspicious code and enforcing TLS and threat protection for SaaS applications.
- Zero-Trust Network Access (ZTNA) is a granular replacement for point-to-point (or client-to-gateway) VPNs to improve network and application security. While VPNs protect network traffic from unauthorized snooping, without carefully designing subnets and gateway termination points, they don't limit user access once authenticated on the VPN. In contrast, ZTNA treats every network connection attempt — for example, accessing a file share or collaboration system — as a separate transaction that requires authentication and authorization before establishing a temporary encrypted TLS connection. ZTNA security policies are defined by three factors:
- The initiating device
- The initiating user
- The target application or service
ZTNA implementations typically include five elements:
a. A Single Sign-On (SSO) service and associated user directory
b. A device inventory with associated credentials
c. A Certificate Authority (CA)
d. A policy database and engine for security enforcement
e. A device access proxy to terminate incoming requests
ZTNA eliminates vulnerabilities from a compromised VPN credential by enforcing granular access control over individual services and applications. ZTNA is often paired with Two-Factor Authentication (2FA) using a hardware security key or application-generated one-time passcodes. ZTNA was first popularized by Google’s 2014 BeyondCorp paper, which the company used as the model for a newly-released BeyondCorp Enterprise service.
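The per-request decision described above, sketched as an added example (not from the original article or any vendor's product): an access proxy checks the device, the user and the target application on every request and denies by default, compared with a flat VPN that only checks the login. The inventory, directory and policy tables are constructed sample data, the CA is reduced to a `cert_valid` flag, and all function names are hypothetical.

```python
from dataclasses import dataclass

# All names and records below are constructed sample data for illustration.
DEVICE_INVENTORY = {            # device inventory with credential state
    "laptop-0142": {"managed": True, "cert_valid": True},
    "laptop-0388": {"managed": True, "cert_valid": False},   # certificate revoked
    "tablet-0007": {"managed": False, "cert_valid": True},   # enrolled BYOD
}
USER_DIRECTORY = {              # SSO directory: user -> groups
    "alice": {"finance"},
    "bob": {"engineering"},
}
POLICY_DB = {                   # one entry per target application
    "payroll": {"groups": {"finance"}, "managed_only": True},
    "wiki": {"groups": {"finance", "engineering"}, "managed_only": False},
}

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    app: str
    sso_ok: bool   # did this request carry a valid SSO assertion?

def vpn_decide(req):
    """Flat VPN model: one successful login exposes every application."""
    return req.sso_ok and req.user in USER_DIRECTORY

def ztna_decide(req):
    """Access-proxy decision: evaluated per request, default deny."""
    if not req.sso_ok or req.user not in USER_DIRECTORY:
        return False, "user not authenticated"
    device = DEVICE_INVENTORY.get(req.device)
    if device is None:
        return False, "unknown device"
    if not device["cert_valid"]:
        return False, "device certificate invalid"
    policy = POLICY_DB.get(req.app)
    if policy is None:
        return False, "no policy for application"
    if not (USER_DIRECTORY[req.user] & policy["groups"]):
        return False, "user not in an authorized group"
    if policy["managed_only"] and not device["managed"]:
        return False, "unmanaged device"
    return True, "allowed"

def exposure_gap(requests):
    """Requests the VPN model admits but the ZTNA policy refuses."""
    return [(r, ztna_decide(r)[1]) for r in requests
            if vpn_decide(r) and not ztna_decide(r)[0]]

SAMPLE_REQUESTS = [
    Request("alice", "laptop-0142", "payroll", True),   # allowed
    Request("alice", "tablet-0007", "payroll", True),   # unmanaged device
    Request("bob", "laptop-0142", "payroll", True),     # wrong group
    Request("bob", "laptop-0388", "wiki", True),        # revoked certificate
    Request("bob", "kiosk-9999", "wiki", True),         # device not enrolled
    Request("alice", "laptop-0142", "hr-db", True),     # no policy, default deny
    Request("alice", "tablet-0007", "wiki", True),      # allowed
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.user, r.device, r.app, "->", ztna_decide(r)[1])
    print("VPN-only exposure:", len(exposure_gap(SAMPLE_REQUESTS)), "requests")
```

`exposure_gap` is the useful output when migrating off a VPN: each entry is an access that a valid login currently permits and that a device/user/application policy would stop.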
When combined, SASE services provide comprehensive security for today’s distributed, cloud-first enterprise.
How to evaluate and compare SASE vendors?
Every significant network vendor has a SASE strategy and most have a product to sell, however modest, even if it involves linking multiple partners into a virtual network fabric. Since SASE is primarily an umbrella term for capabilities already widely available, it’s easy for vendors to craft a marketing message and slideware to woo prospective customers without investing in much product development. Thus, caveat emptor for feature washing.
Unfortunately, slides, web pages and a management interface linking in some network service partners might be the extent of the implementation for most vendors. Thus, any SASE product and vendor evaluation should start with detailed system architecture and service implementation. We say “service” because SASE is ideally delivered as a cloud service, not as installable, user-managed software. We agree with Aryaka product director Paul Liesenberg when he says that delivering the SASE vision requires “a seamlessly orchestrated, cloud-first network and full-security stack.”
After using the architecture and cloud implementation to filter the SASE trailblazers from the pretenders, next consider how your organization’s priorities map to network optimization, content filtering and security features. Rank and weight the following factors:
- Network performance (throughput, latency, jitter, availability)
- SaaS application coverage
- Integration with existing security systems and enterprise directories
- Global or regional coverage (Points of Presence - PoPs)
- Client support and limitations (if any)
Understand that, given the immaturity and rapidly evolving nature of SASE products, buyers are unlikely to find any product excelling at every requirement, so prioritization is critical.
Finally, assess the vendor’s business and service model since there are three primary avenues for procuring SASE services:
- Directly from a SASE developer operating a cloud Network-as-a-Service (NaaS), typically by renting IaaS resources from one of the hyperscale cloud providers (AWS, Azure, Google Cloud, Alibaba Cloud), which provides broad international coverage and high availability.
- From a national or regional carrier like AT&T, Verizon, CenturyLink or Comcast.
- From a regional or national Managed Service Provider (MSP).
Carriers and MSPs usually don’t develop SD-WAN and SASE software. Instead, they buy from or partner with one of the companies we profile below, often large infrastructure vendors like Cisco, Palo Alto or VMware from whom they already buy network equipment and software.
We've narrowed down the list to a couple of finalists that meet most requirements and prefer those with integrated, self-contained systems over those that use virtual services provided by external partners.
1. What SASE Solution does Cato offer?
Cato offers SD-WAN and SASE services using cloud infrastructure and a cloud-native architecture via a network of 60 PoPs on-ramps on every continent. The service helps build an enterprise grade secure network that optimizes network connectivity to IaaS and SaaS products using a “single pass engine” that performs packet routing, optimization and security processing. Cato also provides ZTNA identity-based authentication for access controls, QoS and threat analysis.
Cato is a US-based company and a SASE leader, with 60 PoPs on every continent except Antarctica. Cato’s service optimizes connectivity for an extensive network of bandwidth providers including Sprint (and its subsidiaries), AT&T (and its subsidiaries), China Telecom (and its subsidiaries), Cogent, Comcast Business, NTT Communications Corporation (and its subsidiaries Net Magic), Lumen, PCCW Global and Zayo.
The service, like the rest of the Cato product line, is delivered as an on-demand subscription model or can be provided on dedicated physical hardware appliances through channel partners. The Cato VPN client ensures that all security features are delivered via their cloud service.
2. What SASE solution does Cisco Meraki offer?
Cisco has a dual-track SASE strategy based on its Viptela (data center, carrier) and Meraki (client) SD-WAN products, Umbrella cloud security service and Secure Access by Duo zero-trust 2FA and endpoint visibility products. Cisco is a prime example of a company that has the SASE technology pieces already in place and understands the vision, but is still working through the product and service integration and customer education and migration plans.
Cisco Meraki collects and makes available to customers threat telemetry from over 100 million devices worldwide. Every Cisco Meraki device is powered by cloud based analytics that provide insight into network conditions, identify threats, and allow customers to configure protection profiles.
The Meraki security portal provides continuous updates of the threat telemetry for known attack vectors affecting Meraki products and the networks they protect.
These include exploits, malware signatures and malicious URLs used in phishing attacks. If a threat is detected on a customer’s network it can be isolated within seconds through an automated process within the cloud infrastructure before entering their network.
Cisco Umbrella cybersecurity services were effective at stopping malware attacks after researchers discovered a new way to steal data.
After finding a technique called domain shadowing, security researcher Kevin Beaumont decided to test if Cisco Umbrella would stop the attack, which was carried out by infecting local servers. He found that the service blocked 91 percent of phishing URLs from landing on his machine even before they were redirected to their final destination. According to Beaumont, another anti-virus defense system had only stopped about 80 percent of the attacks.
3. What SASE solution does Cloudflare offer?
Cloudflare One is the company’s recently-announced product that unifies various network optimization and security technologies under a comprehensive SASE service. Cloudflare One provides network optimization services using WARP (endpoints), Magic Transit (SD-WAN-like interconnect) and Network Interconnect (CNI; data center fabric) and Argo for routing. To these core Cloudflare features, One adds security features that include traffic inspection and filtering, DDoS protection, SWG and ZTNA. One integrates with Cloudflare’s other products for access control (Access), logging (Logpush) and a forthcoming IDS.
Cloudflare is a venture-backed company founded in 2009. The company operates a global Content Delivery Network (CDN) designed to optimize security and performance for any website, regardless of size or platform. The CDN is built in front of existing web applications and reverse proxies already on the Internet, which enable it to deliver cached objects closer to users while caching dynamic pages at strategically placed servers around the world. When requested by a user's browser, Cloudflare retrieves data from its closest data center. Security services are provided by offering DDoS protection, web application firewall, email protection, domain name server authoritative management, Distributed Denial-of-Service (DDoS) attack prevention, load balancing, bandwidth amplification via memcache and persistent data storage.
4. What SASE solution does Forcepoint offer?
Forcepoint Dynamic Edge Protection is a cloud-based suite of SASE services including web content scanning and filtering, CASB, NGFW, ZTNA, Data Loss Prevention (DLP), malware scanning and sandboxing, and edge connectivity for both branches (using GRE or IPSec) and clients using the Forcepoint One Endpoint agent, which provides encrypted connectivity without the overhead of a VPN client.
Forcepoint NGFW, UTM and WAF appliances offer a comprehensive set of security services that help organizations to defend against advanced threats, protect their brand reputation and meet compliance requirements. In addition to providing the industry's highest performing firewall technology, our products deliver world-class anti-malware protection from both inbound and outbound threats via email or web traffic by using multiple layers of inspection technology - blacklisting, whitelisting, static heuristics and dynamic behavioral analysis.
Forcepoint also offers advanced features such as CIPAV for detecting network intrusions associated with data theft which can be used by law enforcement agencies to track individuals suspected of breaking laws while being anonymous over the Internet.
5. What SASE solution does Fortinet offer?
Fortinet's FortiGate security appliances and FortiSandbox technologies provide organizations with the Fortinet Security Fabric, a platform for delivering next generation unified threat management to improve protection against network-borne threats while reducing cost and complexity. Fortinet's FortiGuard Labs offer global threat intelligence from Fortinet's FortiASIC sensors combined with expert human analysis to deliver comprehensive threat protection across many attack vectors.
The Fortinet CASB portfolio offers a combination of security services that can be deployed anywhere – from low-memory smartphones to high-performance servers – offering the best possible protection for your business against today's threats.
Fortinet SWG (Secure Web Gateway) FortiWeb is a purpose-built web security solution that protects organizations from application-layer attacks, including the OWASP Top 10 Application Level Attacks. FortiWeb provides FortiSandbox malware containment and FortiOS IPS signatures which detect zero day threats FortiGuard Labs has identified. Fortinet Web Security Solution also includes Fortinet SWG (formerly Fortibrute) for unique site to site or client to gateway SSL inspection capabilities required by some banking institutions.
6. What SASE solution does Open Systems offer?
Open Systems Hybrid SASE combines SD-WAN and network monitoring, security features and predictive analytics of network and security event and performance data. The product can be deployed on-premises or in the cloud and provides most of the core SASE capabilities including IDS/IPS for both SD-WAN networks and connected endpoints, NGFW, CASB, SWG, secure email gateway, cloud-based application sandbox. Notably absent is zero-trust authentication (ZTNA), although Open Systems does support 2FA for remote VPN authentication.
7. What SASE solution does Palo Alto offer?
Palo Alto Networks’ SASE solution is a combination of CloudGenix SD-WAN, which the company acquired last year and Palo Alto’s Prisma Access security service. CloudGenix is delivered as a physical appliance with various sizes for both data centers and branch offices and includes ML analytics and automation features to improve performance and manageability. Prisma Access is a cloud-based SASE service that includes NGFW-as-a-service, SWG, CASB, DLP content filtering, ZTNA, SSL inspection, sandboxing of suspicious code and DNS security (automatic blacklisting of suspicious domains). Palo Alto has recently improved the integration of CloudGenix with Prisma Access by allowing the two to be deployed and configured with one operation.
Palo Alto Networks provides comprehensive security services including cloud based next generation firewalls with advanced threat protection technologies to detect known threats as well as zero-day exploits in real time for all applications on the network. Other security functionalities include Application layer firewalls, traffic shaping and VLAN management. The company came across a malware sample downloaded from the DarkComet Command and Control (C&C) servers which uses DNS tunnelling to communicate with the C&C server. Palo Alto Threat Intelligence has identified that this malware is in active use by different threat actors targeting victims worldwide since November 2013 with attack campaigns in Turkey in December 2013 and in Malaysia in March 2014.
8. What SASE solution does Versa Networks offer?
Versa SASE is an integrated suite of products built on the Versa OS (VOS) platform delivered from the cloud or on-premises infrastructure. SASE features include NGFW, SWG, ZTNA, CASB and Risk-Based Inspection (RBI) for browser-based exploits atop an SD-WAN and cloud networking core. VOS runs on variously sized hardware appliances with remote users connecting via the Versa Secure Access Client (VSAC) available for Windows, MacOS, Linux, iOS and Android. VOS supports multi-tenant cloud deployments which makes it popular with carriers and MSPs wishing to deliver SD-WAN and SASE services.
Versa's world-class security technology provides full visibility into what's happening inside the network and responds automatically to prevent cyberattacks in real time. The company has built its product on open standards and uses proactive threat intelligence from global sources to stay two steps ahead of hackers and malware.
However, as with any new security platform, customers want proof that it works before investing in a solution. "Customers need the ability to experiment and ask questions without purchasing expensive equipment or services," explains Jason Reindorp, vice president and general manager at Versa Networks. "This means we need a way to be able to simulate attacks so they can experience our technology firsthand."
9. What SASE solution does VMware offer?
VMware SASE combines a VeloCloud SD-WAN backbone with ZTNA secure access, SWG, CASB and an NSX-based NGFW in a service delivered from more than 100 VMware SASE PoPs worldwide. Its secure access gateway supports passthrough, RADIUS, SecurID (one-time passcode), smartcards/2FA tokens, certificates and SAML federated authentication. Access gateways work with VMware’s Workspace ONE client, which provides endpoint security and management.
10. What SASE solution does Zscaler offer?
Zscaler offers four products that collectively provide network security for business and IaaS-based applications, remote access clients and SaaS users. It provides the full set of SASE features via an architecture that builds on the Zscaler WAN and cloud security platform with its Internet Access product that offers a mix of access control, threat and data protection features to secure remote clients. Zscaler’s proxy-based design provides in-line inspection of both clear and SSL encrypted traffic. Zscaler delivers its services from 150 data centers spread across every region, currently handling more than 150 billion transactions per day with 5-nines availability.
Zscaler was the first CASB vendor to integrate with Intel AMT and we continue to lead this industry by delivering constant protection against cyber threats, regardless of device or location. As part of our powerful integration with Intel AMT, Zscaler can detect compromised laptops as well as exfiltration attempts through covert channels like TeamViewer, VNC, RDP and Citrix through out-of-band management traffic. The Zscaler service is accessible from anywhere using a modern web browser; there's no need for costly VPN provisioning or network changes.
What are use cases for SASE and the recommendations?
- Integration with existing network infrastructure and management software. For example, organizations with significant investments in Cisco or VMware products should start evaluations with them.
- Internal integration among SASE components. Some providers use NFV service chaining to link disparate security modules, using a single management UI to control them, however, connecting this way can reduce performance, complicate management and leave gaps in security.
- Reduce evaluation overhead by keeping detailed product bake-offs to two finalists.