This GigaOm Research Reprint Expires Feb 1, 2025

GigaOm Radar for Secure Access Service Edge (SASE) v1.0

Securing the Enterprise

1. Executive Summary

Secure access service edge (SASE) is a security framework that converges network security functions with wide area networking (WAN) capabilities to support the dynamic, secure access needs of organizations. Delivered primarily as a cloud-native service, SASE enables organizations to apply consistent security policies and network management across all users and devices, irrespective of location, providing a robust security posture.

Supporting branch office, on-premises, and remote worker secure access use cases, SASE’s major components are: a cloud access security broker (CASB), firewall as a service (FWaaS), secure web gateways (SWG), software-defined WAN (SD-WAN), and zero-trust network access (ZTNA). SASE’s cloud-native stack applies security and compliance policies in real time, integrating and centralizing management of services in a cloud-based platform to deliver agility, cost efficiency, and scalability.

While some vendors offer the full stack of features, some partner with other companies to fill the gaps. With each bringing their unique expertise and capabilities to the SASE framework, vendors offering SASE solutions come from various segments of the IT industry, including:

  • Networking and SD-WAN vendors integrating security features into their networking platforms.
  • Security vendors expanding their portfolios to include network solutions under the SASE umbrella.
  • Cloud service providers integrating networking and security services into their cloud platforms.
  • Emerging vendors developing cloud-native SASE solutions from the ground up.
  • Telecommunications companies offering integrated network and security solutions.

Vendors provide a variety of single-vendor, hybrid (combining SASE capabilities with existing networking or security solutions), or multivendor SASE solutions integrating various network and security services and offering different levels of control, security, and flexibility to cater to the diverse needs of organizations. Each solution has unique features and capabilities, with the best choice depending on the specific requirements and preferences of an organization.

While the choice between single-vendor and multivendor SASE depends on an organization’s particular needs and circumstances, single-vendor SASE solutions provide simplified management and enhanced security outcomes via a unified approach. On the other hand, multivendor SASE solutions often provide best-of-breed capabilities, risk diversification, and a more flexible approach to securing diverse network environments. For the purpose of this report, we are considering only single-vendor SASE solutions with support for interim hybrid deployments.

This is our first year evaluating the SASE space in the context of our Key Criteria and Radar reports. This GigaOm Radar report examines 18 of the top SASE solutions in the market and compares offerings against the capabilities (table stakes, key features, and emerging features) and non-functional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the category and its underlying technology, identify leading SASE offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and non-functional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

2. Market Categories and Deployment Types

To help prospective customers find the best fit for their use case and business requirements, we assess how well SASE solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

  • Cloud service provider (CSP): Providers delivering on-demand, pay-per-use services to customers over the internet, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
  • Network service provider (NSP): Service providers selling network services—network access and bandwidth—provide entry points to backbone infrastructure or network access points (NAPs). In this report, NSPs include data carriers, ISPs, telcos, and wireless providers.
  • Managed service provider (MSP): Service providers delivering application, IT infrastructure, network, and security services and support for businesses on customer premises, in the MSP’s data center (hosting), or in a third-party data center.
  • Large enterprise: Enterprises of 1,000 or more employees with dedicated IT teams responsible for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.
  • Small-to-medium businesses (SMB): Small businesses (fewer than 100 employees) to medium-sized businesses (100-999 employees) with limited budgets and constrained in-house resources for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.

In addition, we recognize the following deployment models:

  • Private cloud: Used exclusively by one enterprise or organization, private cloud computing resources are physically located in an on-premises data center or hosted by a third-party colocation service provider. Tailored to meet specific requirements, private clouds offer compliance, control, and flexibility.
  • Public cloud: Owned and operated by a third-party cloud service provider and delivered over the internet, public cloud providers offer cost-effective, scalable, and reliable on-demand resources for enterprises and SaaS vendors.
  • Hybrid cloud: Enabling data and apps to move seamlessly between two environments, a hybrid cloud combines private, on-premises infrastructure with a public cloud. A hybrid cloud allows compute resources to be brought closer to the edge where data resides—reducing latency and increasing reliability—while still meeting regulatory compliance and data sovereignty requirements.
  • Multicloud: Comprising multiple public cloud services performing different functions, a multicloud deployment allows organizations to take advantage of various public cloud capabilities or geographies. Multicloud deployments may include private clouds, resulting in cloud deployments that are both hybrid and multicloud.
  • On-premises: Consisting of software, hardware, or services installed, run, and managed on an enterprise’s physical, in-house infrastructure, usually in a data center or colocation facility. In an on-premises setup, the enterprise is responsible for the operation, maintenance, and security of the system.

Table 1. Vendor Positioning: Target Market and Deployment Model

Target Market: CSP, NSP, MSP, Large Enterprise, SMB

Deployment Model: Private Cloud, Public Cloud, Hybrid Cloud, Multicloud, On-Premises

Vendor:
Aryaka
Barracuda Networks
Cato Networks
Check Point Software
Cisco
Cloudflare
Cradlepoint
Forcepoint
Fortinet
HPE Aruba
Juniper Networks
Netskope
Palo Alto Networks
Roqos
T-Mobile
Versa Networks
VMware
Zscaler

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).

“Target market” reflects which use cases each solution is recommended for, not simply whether it can be used by that group. For example, if it’s possible for an SMB to use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for that market segment.

3. Decision Criteria Comparison

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Converged networking and security
  • Identity-based security and access control
  • Integrated, cloud-native security services
  • Global SLA-backed connectivity
  • Integrated SD-WAN

Tables 2, 3, and 4 summarize how each vendor included in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

  • Key features differentiate solutions, outlining the primary criteria to be considered when evaluating a SASE solution.
  • Emerging features show how well each vendor is implementing capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
  • Business criteria provide insight into the non-functional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating SASE Solutions.”

Key Features

  • Integrated SASE architecture: SASE combines SD-WAN functionality with CASB, FWaaS, SWG, and ZTNA to enforce secure access wherever applications, devices, or users are located. However, the level of integration varies among solutions. Some SASE solutions are developed in-house from the ground up as a single, fully integrated platform, while others comprise multiple point products managed via a common UI as a way to enter the SASE market quickly.
  • Dynamic traffic management: Consisting of centralized policy-based traffic routing and forwarding, dynamic traffic management is a sophisticated approach that intelligently controls and allocates network resources to optimize performance and user experience, determining how paths are selected and adapting in real time to changes impacting application security, including network congestion, brownouts, and transport outages.
  • Built-in self-healing: This criterion evaluates a solution’s ability to automatically detect and recover from failures and maintain optimal performance at all levels of its architecture. Built-in self-healing reduces the need for manual intervention, ensuring maximum uptime and reliability. Some SASE solutions switch to an alternative transport model and dynamically adapt connectivity, security policies, and configurations to maintain compliance.
  • Next-generation security: Next-generation security refers to a cloud-native architecture that unifies multiple security functions into a single service. This is crucial as it provides flexible, robust, and scalable security that can be applied regardless of where users, applications, or devices are located, enhancing protection for remote workers and facilitating secure access to applications from anywhere.
  • Local data processing: The practice of processing data close to its source, such as users, devices, or edge computing locations, rather than routing it to a centralized data center, local data processing adds a layer of flexibility and compliance to multinational or geographically distributed organizations, helping align the network and security services with local regulatory, sovereignty, performance, and operational requirements.
  • Advanced data protection: Safeguarding data from threats, SASE solutions must ensure that data in transit is protected by using end-to-end encryption protocols, such as IPsec or transport layer security (TLS), and stringent access controls, while cloud data loss prevention (DLP) technologies monitor and control data transfer to prevent data leaks and unauthorized data exfiltration, ensuring compliance and enhancing the overall security posture of an organization.
  • Comprehensive threat prevention: Offering a holistic approach, comprehensive threat prevention integrates a robust set of security measures with real-time threat intelligence to address various cyber-threat vectors. The goal is to ensure secure, optimized connectivity across the network, safeguarding data and systems from unauthorized access, malware, and other advanced threats, ensuring secure access to applications and services regardless of user location.
  • Multicloud connectivity: Ensuring seamless and secure data flow across multiple cloud service providers, multicloud connectivity provides the ability to link disparate cloud environments together, enhancing agility, flexibility, and scalability, which allows organizations to optimize their workloads based on factors like speed, performance, reliability, geographical location, and security requirements.

Table 2. Key Features Comparison

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable

Key features scored: Integrated SASE Architecture, Dynamic Traffic Management, Built-In Self-Healing, Next-Generation Security, Local Data Processing, Advanced Data Protection, Comprehensive Threat Prevention, Multicloud Connectivity

Vendor and average score:
Aryaka 3.9
Barracuda Networks 3.8
Cato Networks 4.8
Check Point Software 2.8
Cisco 4.1
Cloudflare 4.3
Cradlepoint 4
Forcepoint 4
Fortinet 4.1
HPE Aruba 4.5
Juniper Networks 3.1
Netskope 4.8
Palo Alto Networks 4.3
Roqos 3.8
T-Mobile 4
Versa Networks 4.9
VMware 4
Zscaler 3.6

Emerging Features

  • AIOps: Essential for automating complex IT operations, AIOps (artificial intelligence for IT operations) leverages machine learning and analytics to help identify configuration and policy anomalies and facilitate automatic detection and response across all components, accelerating troubleshooting, optimizing performance, increasing resiliency, enhancing operational efficiency, reducing mean time to resolution, and improving security outcomes. As an emerging feature in SASE, AIOps is evolving toward more autonomous systems, with advancements in predictive analytics and anomaly detection.
  • Internet of things (IoT) integration: IoT integration connects IoT devices with SASE services to enhance network security and performance. However, securing IoT devices requires deploying IoT security sensors and appliances, which introduces additional operational overhead and costs. IoT integration is crucial, as it enables seamless interoperability, enhances data security, and supports the scalability of IoT applications, thereby strengthening security for remote locations and workforces. Leading SASE solutions incorporate IoT security capabilities for this purpose.
  • Multitenancy: A single instance of the software serving multiple customers, multitenancy is vital for enabling managed service providers to manage and monitor multiple end customers from a single interface, thereby improving scalability and security. Enhancing efficiency and reducing costs, multitenancy is key to harnessing economies of scale, improving service delivery, and ensuring a balanced blend of customization and standardization in SASE solutions, making them more accessible, manageable, and cost-effective for both providers and end-users.
  • Managed SASE: Managed SASE is a SASE solution provided and managed by a trusted MSP, combining network and security functions into a single cloud service. Offered as a fully managed solution, managed SASE enables companies to adopt SASE more quickly and achieve benefits similar to those with strong internal network and security expertise. Managed SASE service providers offer cost efficiency, customization, and policy creation as a service, improving application performance and enhancing remote workforce security.

Table 3. Emerging Features Comparison

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable

Emerging features scored: AIOps, IoT Integration, Multitenancy, Managed SASE

Vendor and average score:
Aryaka 2.5
Barracuda Networks 1.8
Cato Networks 4.5
Check Point Software 2.5
Cisco 2.3
Cloudflare 4
Cradlepoint 4
Forcepoint 2
Fortinet 3
HPE Aruba 2.5
Juniper Networks 3.3
Netskope 4.8
Palo Alto Networks 4.3
Roqos 3
T-Mobile 1.8
Versa Networks 4.5
VMware 4.3
Zscaler 4

Business Criteria

  • Performance: Ensuring the efficiency of the network in delivering services, including network speed, latency, and user experience, performance depends on the network architecture, edge processing, and the level of integration among components. Some vendors implement proprietary protocols, with each packet touched only once for networking and security, to increase performance and mitigate security exposure.
  • Flexibility: Enabling organizations to respond swiftly to evolving business needs, accommodate network expansion, and support remote work scenarios, flexible SASE solutions support different network configurations and environments, such as remote offices, cloud infrastructures, and mobile users, ensuring consistent security and connectivity despite changes in user count, network traffic, or geographic distribution.
  • Configurability: A SASE solution allows organizations to tailor security policies, manage connections, and optimize access to applications and data to ensure that the security posture is aligned with organizational risk tolerance and compliance requirements, including automated and dynamic adjustments to network and security settings based on real-time conditions.
  • Interoperability: The solution should adhere to industry standards, seamlessly integrate with preexisting network and security infrastructures, and be interoperable with a broad range of devices, systems, and applications from a wide variety of vendors for better visibility and coordination. In addition, the various components of the SASE architecture must be able to communicate seamlessly and exchange data.
  • Manageability: Improving decision-making and response times, one of the core premises of a SASE solution is the inclusion of a centralized platform with a unified view of the end-to-end solution for managing the entire networking and security lifecycle—including configuration, management, scaling, and upgrades—for both local and remote offices and the core network.
  • Observability: Going beyond traditional monitoring by identifying unexpected risks and providing deep visibility into the performance, health, security, and behavior of systems, observability refers to the ability to infer the internal state of a system by observing its external outputs, including metrics, logs, traces, and profiling. Observability systems can leverage this rich data to enhance proactive risk detection and robust system analysis.
  • Support: Vendor support refers to the ongoing services provided by the SASE vendor to ensure the smooth operation, security, and performance of the SASE platform, including tasks such as system updates, patching, troubleshooting, and hardware replacement. These services are crucial because they allow IT teams to focus on strategic tasks while the vendor ensures the reliability, security, and performance of the solution.
  • Cost: Reducing the cost of managing multiple technologies, eliminating the need for expensive hardware, and optimizing existing infrastructure, deploying a SASE solution can be cost-effective by consolidating technologies, transitioning from CapEx to OpEx, retiring old systems, and adopting vendor-neutral solutions. However, the actual cost savings will vary depending on factors such as the size and complexity of the network, the existing infrastructure, and the specific implementation of the SASE solution.

Table 4. Business Criteria Comparison

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable

Business criteria scored: Performance, Flexibility, Configurability, Interoperability, Manageability, Observability, Support, Cost

Vendor and average score:
Aryaka 4.4
Barracuda Networks 3.5
Cato Networks 4.9
Check Point Software 3.8
Cisco 3.3
Cloudflare 4.4
Cradlepoint 4.4
Forcepoint 3.9
Fortinet 3.1
HPE Aruba 4.4
Juniper Networks 3.5
Netskope 4.5
Palo Alto Networks 3.9
Roqos 4.1
T-Mobile 4.1
Versa Networks 4.5
VMware 4
Zscaler 3

4. GigaOm Radar

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for SASE

As you can see in Figure 1, Cato Networks, Cloudflare, HPE Aruba Networking, Netskope, and Versa Networks are Leaders based on their high scores across the decision criteria evaluated in this report. In addition, Cato Networks, Cloudflare, Cradlepoint, HPE Aruba Networking, Netskope, T-Mobile, and Versa Networks are recognized as Outperformers based on their rate of progress compared to the industry in general.

It should be noted that Maturity (that is, being positioned in the top two quadrants) does not exclude Innovation. Instead, it identifies the solution as being proven in a production setting compared to a newer solution undergoing rapid, ongoing innovation in-house or through acquisitions. In addition, the color of the arrow (Forward Mover, Fast Mover, or Outperformer) is based on customer adoption and execution against roadmap and vision (based on vendor input from the previous report and/or in comparison to improvements across the industry in general).

Furthermore, a position in the Maturity/Platform Play quadrant indicates that the vendor has a proven, fully integrated solution—usually built from the ground up—comprising CASB, FWaaS, SD-WAN, SWG, and ZTNA integrated at both functional and management levels, while placement in the Innovation/Platform Play quadrant indicates that the vendor is in the process of either developing functions in-house or integrating acquired technologies with the goal of releasing a complete, fully integrated SASE solution by the end of 2024. As would be expected, only Leaders in this space are positioned in the Maturity/Platform Play quadrant. However, as vendors execute an aggressive roadmap to deliver fully integrated SASE solutions by the end of 2024, we expect additional vendors to move into the Maturity/Platform Play quadrant in the 2025 report.

Placement in the Maturity/Feature Play quadrant indicates that the vendor has proven networking and security point products—SD-WAN, CASB, FWaaS, SWG, and ZTNA—managed via a common UI and marketed as a SASE solution but lacks integration at the functional level. The Innovation/Feature Play quadrant indicates that the vendor currently relies on key third-party technologies—CASB, FWaaS, SD-WAN, SWG, or ZTNA—to provide a complete SASE solution, usually managed via a common UI with varying degrees of integration or is targeting a limited set of use cases.

Vendors to watch out for include Cradlepoint and T-Mobile, both of which are developing SASE solutions for 5G use cases.

In addition, some established networking and security vendors are positioned as Challengers rather than Leaders. Though many of these vendors have well-known point products recognized as leaders in their respective categories, this report evaluates all capabilities in the context of an overarching SASE solution, with networking and security convergence and functional integration considered crucial factors in establishing leadership. Moreover, the speed at which vendors integrate point solutions or acquired functions into their SASE platforms varies considerably—with smaller vendors often able to do so faster—affecting their position as a Leader or a Challenger.

In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; there are aspects of every solution that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

5. Solution Insights

Aryaka: Aryaka SASE

Solution Overview
Founded in 2009, Aryaka offers a fully managed, global SD-WAN solution that provides enterprise customers with a combination of hybrid WAN connectivity, optimization, security, and analytics with multitenant automation and orchestration capabilities. Aryaka acquired Secucloud GmbH, a cloud-based SASE platform, in late April 2021 and announced its “All-in-One” SD-WAN and SASE offerings in December 2021, with beta deployments in January 2022 and general availability in late Q1 2022.

Aryaka SASE is a cloud-based service combining two main components, the SASE network and SASE security, in a unified hybrid offering incorporating both Aryaka and third-party solutions. Leveraging Aryaka’s global PoP-centric architecture comprising over 40 PoPs, the SASE network includes Aryaka’s SD-WAN for connectivity, application optimization, and multicloud access. SASE security includes Aryaka’s FWaaS, SWG, antivirus, malware inspection, and third-party CASB and ZTNA. Aryaka SASE incorporates a zero-trust approach to network access and security, requiring verification of every user and device before granting access to an application or network resource.

Based on Aryaka FlexCore, Aryaka SASE includes a network as a service with integrated patented multisegment SD-WAN optimization technology for best-in-class connectivity of sites and users. Aryaka FlexCore is a multilayered traffic steering architecture that provides increased agility and flexibility via a dual-core backbone. The Layer 2 private core delivers guaranteed, deterministic performance—without multiprotocol label switching (MPLS)—backed by Aryaka’s Gold lifecycle services, while the Layer 3 private core delivers enhanced internet performance combined with Aryaka’s Silver lifecycle services.

Comprising a single management plane, unified control plane, and distributed data plane, Aryaka’s single-pass, scalable containerized architecture—with consistent policy enforcement across on-premises and cloud deployments—distributes networking and security functions across the fabric and includes per-customer resource allocation and task separation for transport, encryption, and protocol acceleration. Tight interworking between Aryaka’s PoPs, network access points (ANAPs), and the customer premises equipment (CPE) provides application acceleration, compression, data deduplication, encryption, redundancy, and strict quality of service (QoS), reducing latency, improving performance, and optimizing the resources required to manage and maintain the security infrastructure.

A unique aspect of Aryaka SASE is the inclusion of Aryaka Lifecycle Services as a critical component. Often neglected within the SASE landscape, lifecycle services are crucial for accelerating adoption, removing barriers, and enabling a more productive and secure hybrid workforce. Aryaka SASE is designed to be consumed as a managed service, offering real-time visibility, strict SLAs, and a high level of customer service.

Strengths
Aryaka offers both unified and multivendor SASE options, catering to customers at different stages of their SASE journey. Aryaka SASE is a cloud-based service that combines wide area networking and security solutions into a unified offering with a single-pass architecture providing global network connectivity and secure access for users and sites to applications and data anywhere, delivered as a high-performance, scalable, and elastic cloud service with integrated lifecycle services and unified management. Deployed on-premises or in the cloud, Aryaka’s fully managed SASE solution, Managed SASE, includes third-party security capabilities from Check Point and Palo Alto Networks. In addition, Aryaka offers a hybrid SASE offering integrating cloud security capabilities from Broadcom, Cisco, Check Point, Palo Alto Networks, and Zscaler.

Challenges
Currently relying on third-party integrations, Aryaka needs to develop in-house CASB, DLP, and ZTNA capabilities that are fully integrated into its single-pass architecture to deliver a true unified SASE solution. In addition, the company should expand its AI/ML observability capabilities and transition Managed SASE to a co-managed service model by which customers can apply their own security policies, enhancing self-service capabilities with an intuitive cloud-based user portal. We expect Aryaka to address these challenges by releasing new capabilities and features during 2024. Furthermore, while sales are usually based on Aryaka-led field engagement and proofs of concept (POCs), Aryaka is a channel-driven organization with over 85% of orders fulfilled via the channel.

Purchase Considerations
Aryaka provides transparent pricing with no hidden costs. Tiered per-site, per-seat, and per-application service models use subscription-based licensing that depends on the number of sites, number of users, bandwidth, and applications, and include a one-time installation fee. Optional add-ons include professional services and last-mile circuit procurement and management services. Aryaka SASE is affordable and easy to deploy, making it accessible to SMBs.

Aryaka SASE supports the following use cases for hybrid deployments: global, deterministic network performance; MPLS to SD-WAN and SASE migration; one-stop vendor last mile connectivity; multicloud connectivity and acceleration; SaaS acceleration and secure remote user access; next-gen firewall (on-premises) services and FWaaS; and secure internet access (managed on-premises and cloud SWG).

Radar Chart Overview
Aryaka is a Challenger in the Innovation/Feature Play quadrant. While providing a fully managed SD-WAN spanning a private global backbone with over 40 PoPs reaching more than 95% of business population centers across six continents with sub-30 ms latency, Aryaka is still in the process of integrating Secucloud functionality and developing in-house CASB, DLP, and ZTNA capabilities to deliver a single-vendor solution.

Barracuda Networks: Barracuda SecureEdge

Solution Overview
Founded in 2003 and acquired by KKR, a leading global investment firm, in August 2022, Barracuda Networks is a leader in application delivery, data protection, and security solutions, with an installed base of over 200,000 organizations worldwide. Barracuda launched its SecureEdge platform in May 2023, providing SMBs and MSPs with a SASE solution integrating Barracuda’s Secure SD-WAN, FWaaS, SWG, and ZTNA capabilities. In November 2020, Barracuda had acquired Fyde, a ZTNA provider, rebranding Fyde’s solution as Barracuda CloudGen Access.

The Barracuda SecureEdge Platform (an evolution of Barracuda CloudGen WAN and CloudGen Access) is designed and optimized for the midmarket and MSPs. Comprising multiple integrated products with a common web frontend for central management and a data plane for reporting and analysis, the platform is available as a SaaS offering in 25 geographic locations via Barracuda PoPs, consumed as part of Azure Virtual WAN in 40 Azure regions (excluding China where Barracuda partners with Teridion Liquid Network for China access) or hosted by the customer as a hardware or virtual appliance.

The platform replaces multiple traditional networking and security capabilities with a single cloud-first service connecting any device, application, or cloud/hybrid environment to secure users, sites, and IoT devices. Formerly available only on dedicated network optimization solutions, SecureEdge is based on the security technology of the Barracuda CloudGen Firewall. Advanced security functionality includes application control, IPS, content filtering, and Barracuda’s Advanced Threat Protection with sandboxing.

SecureEdge uses an intent-based approach with applications defined once for all security, SD-WAN, and ZTNA policy settings. SecureEdge can be deployed at the branch level as an SD-WAN-only solution complementing an existing firewall or as a SASE solution consolidating all networking or security functions into a single device, replacing existing firewalls. Rather than relying on manually established IPsec tunnels, every site device automatically establishes a secure connection to the security fabric using up to 16 uplinks, with automatic SD-WAN policy settings.

Connecting clients to SecureEdge edge, firewall, and site services, the SecureEdge Access Agent is available for Android, iOS, Linux, macOS, and Windows from the respective app stores and the Barracuda Download Portal and configured via the Barracuda SecureEdge Manager. The agent provides role-based access enforcement (based on device health, OS restrictions, predefined role-based access, and user enforcement), local URL filtering, and ZTNA.

Strengths
The Barracuda SecureEdge platform is a cloud-native SASE solution integrating various components to provide secure application access, cloud-based security for endpoints, and automated SD-WAN connectivity for sites and industrial facilities of any type or size. Delivered as a service, it simplifies security deployment and management, integrating Barracuda’s Secure SD-WAN, FWaaS, SWG, and ZTNA capabilities. Ensuring optimal performance, the platform uses application steering to automatically choose the most suitable physical path. Deployed and managed directly from the SecureEdge Manager portal for all regions, sites, and remote clients, the platform is easy to set up and manage and does not require specialized IT skills.

Challenges
Rather than being developed in-house as a fully integrated platform, Barracuda SecureEdge Platform comprises several developed or acquired technologies productized as a cloud service and centrally managed via a common web frontend. Moreover, while SecureEdge offers a range of integrated security features, it may not provide the same level of advanced threat detection and response capabilities as some of its competitors and lacks a full-featured CASB. However, Barracuda Networks plans to release an API-based CASB as an add-on product subscription for the platform in 2024. Note that some users have reported that the platform’s user interface could be more intuitive and user-friendly and that the response time for critical issues can be as long as two hours, depending on the support level chosen.

Purchase Considerations
Barracuda offers a transparent tiered subscription pricing model, with costs based on chosen components and services. Potential buyers can obtain a free quote by filling out Barracuda’s SecureEdge Build and Price questionnaire. SecureEdge Site Devices and Secure Connector appliances are available as both physical and virtual appliances with an array of capabilities. Energize Updates are required for all appliances and are purchased as a monthly or annual subscription. Instant replacements, warranty extensions, and external power supply options are also available for physical appliances.

Barracuda SecureEdge Platform’s use cases include application performance optimization, cloud on-ramps and multicloud connectivity, Industrial IoT (IIoT) access to cloud or locally hosted resources, secure internet access (SIA) for remote users via the SecureEdge service, SWGs for offices, and ZTNA.

Radar Chart Overview
Barracuda Networks is a Challenger in the Maturity/Feature Play quadrant. While offering most of the functional prerequisites for a SASE implementation within its product portfolio (a full-fledged CASB being the exception), Barracuda SecureEdge Platform comprises several developed or acquired technologies productized as a cloud service centrally managed via a common UI.

Cato Networks: Cato SASE Cloud Platform

Solution Overview
Founded in 2015, Cato Networks was one of the first vendors to launch a global cloud-native service converging SD-WAN and security as a service. Created with the vision of converging enterprise networking and networking security in the cloud, Cato Networks immediately began developing its SASE solution, combining enterprise communication and security capabilities into a single cloud-native platform. Cato claims an installed base of over 2,000 enterprises in more than 150 countries, connecting over 35,000 sites and supporting some 800,000 remote zero-trust users.

Cato Networks’ SASE solution, known as Cato SASE Cloud Platform, is a globally distributed cloud service that replaces physical and virtual point solutions with a cost-effective, scalable, and agile alternative. Delivered as a fully managed cloud-native service providing users with zero-trust network access to on-premises and cloud applications, Cato SASE Cloud Platform provides a simpler network and security stack by consolidating multiple point solutions, reducing upfront costs and eliminating the need for in-house management.

The Cato SASE Cloud Platform is built on the Cato Single Pass Cloud Engine (SPACE) architecture and converges the core SASE capabilities—CASB, FWaaS, SD-WAN, SWG, and ZTNA—with advanced threat prevention (DNS security, IPS, next-generation antimalware, and real-time AI/ML engines), DLP, endpoint protection platform (EPP), remote browser isolation (RBI), and extended detection and response (XDR). The single-pass engine processes each packet for multiple networking and security objectives in parallel, enforcing granular corporate access policies across all on-premises and cloud-based applications.

Providing a platform that instantly adapts to emerging business needs, Cato SASE Cloud Platform leverages key cloud capabilities—including elasticity and scalability—to deliver low latency and predictable performance over a private global backbone comprising more than 80 PoPs connected via multiple SLA-backed Tier 1 NSPs. Each PoP’s cloud-native software provides defense-in-depth with full encryption, distributed policy enforcement, automated load balancing, dynamic route selection, self-healing capabilities, and built-in cloud and WAN optimization for maximum end-to-end availability and throughput. In addition, Cato’s edge SD-WAN device, the Cato Socket, provides last-mile redundancy using application-based dynamic path selection based on QoS policies and provider link performance, packet loss, and jitter.

Cato SASE Cloud Platform is fully identity-aware, enabling IT to tie security and networking policies to the user’s identity. The intuitive Cato Management Application provides self-service management, monitoring, and analytics, enabling users to configure policies directing SaaS traffic from any PoP to egress from the PoP closest to the SaaS instance, enhancing the user experience and improving security via a single interface. Cato also offers client or clientless browser access options, with the Cato SDP/ZTNA Client providing secure connections for remote users to enterprise applications.

Strengths
Simplifying the network and security stack, Cato SASE Cloud Platform is a fully managed cloud-native solution that converges networking and security capabilities, reducing upfront costs and eliminating the need for in-house management. The solution is built on Cato’s SPACE architecture, which is cloud-native, elastic, and scalable. Cato SASE Cloud Platform runs on a private global backbone of over 80 PoPs connected via multiple SLA-backed Tier 1 network providers, ensuring optimal routing for every packet. The platform is fully identity-aware, tying security and networking policies to the user’s identity, and offers self-service management, providing a unique advantage over legacy managed NSPs.

Challenges
While the Cato SASE Cloud Platform offers a comprehensive, cloud-native solution that simplifies the network and security stack, it lacks advanced networking capabilities, sandboxing, and a web application firewall. Moreover, while Cato’s pricing is considered reasonable, it is slightly higher than that of some competitors. Although Cato maximizes performance via a global private backbone, the platform’s reliance on PoPs and Tier 1 NSPs for traffic inspection could potentially introduce latency issues.

Purchase Considerations
Cato offers bandwidth-based subscription licensing with premium security add-ons and remote access based on the number of named users. In addition, Cato and its partners offer co-managed and fully managed service options, with Cato maintaining the underlying platform so customers do not need to upgrade, patch, or otherwise maintain the Cato SASE Cloud Platform.

Cato SASE Cloud Platform enables MPLS migration to SD-WAN, optimizes global connectivity, provides secure branch internet access, and optimizes access to cloud applications, making it suitable for hybrid cloud environments.

Radar Chart Overview
Cato Networks is a Leader in the Maturity/Platform Play quadrant. A fully managed solution developed in-house, Cato SASE Cloud Platform delivers CASB, NGFW, SD-WAN, SWG, and ZTNA anywhere and at scale to any application, location, or user, enabling organizations to maintain an optimal security posture via a secure self-healing, self-maintaining, and self-optimizing cloud-native service.

Check Point Software: Quantum SASE

Solution Overview
Founded in 1993, Check Point Software Technologies provides cybersecurity solutions to corporate enterprises and governments globally. Check Point started developing an integrated SASE solution in 2023, with the immediate availability of Quantum SASE announced on October 11, 2023, following the acquisition of Perimeter 81, a pioneering security service edge (SSE) company. Check Point also acquired Atmosec, an early-stage start-up specializing in the rapid discovery and disconnection of malicious SaaS applications, in September 2023.

Incorporating Perimeter 81 technologies and integrated into Check Point’s Infinity architecture, Quantum SASE combines on-device and cloud-based protections to deliver enhanced internet security and optimized connectivity. Quantum SASE includes FWaaS, SD-WAN, SWG, and ZTNA, but currently lacks a CASB. Providing fast, reliable internet connections with border gateway protocol (BGP) dynamic routing, Check Point’s full mesh global private backbone includes over 50 PoPs built on a combination of Check Point and Tier 1 public cloud data centers with middle-mile acceleration, sub-second failover, optimized routing for over 10,000 applications and users, traffic auto steering based on link health, and zero-touch provisioning with a full branch-level security stack and industry-leading threat prevention.

Built on a scalable and high-performing innovative microservices architecture and serverless platform, Quantum SASE provides a consolidated, user-centric network with granular policy management for enterprises of all sizes, managed and delivered through the cloud. It includes on-device DNS filtering, malware protection, network protection, and web filtering. Moreover, Check Point claims to be the only vendor developing a hybrid approach for direct secure internet access, combining on-device protection with cloud inspection when needed to deliver a localized browsing experience with lower latency, tighter security, and improved privacy by avoiding cloud latency and compliance concerns.

Comprising a single agent, a single management console, and a single cloud edge network, Quantum SASE includes strong context-aware segmentation policies and firewall rules to segment the network, with users authenticated through user password or multifactor authentication (MFA) as well as a device posture check and integration options with leading identity providers. The zero-trust agentless application access feature combines multiple policies to verify the user’s identity, allowing administrators to limit unmanaged devices’ access to specific resources without exposing the network.

Strengths
Offering unified management with a consolidated console for the entire solution, Quantum SASE combines on-device and cloud-based protections, delivering 2x faster internet security. Applying an identity-centric zero-trust access policy, Quantum SASE provides comprehensive safeguards, including on-device network protection, web filtering, DNS filtering, and malware protection. Ensuring secure connectivity among users, branches, and applications, Check Point optimizes SD-WAN performance through its global private backbone built on Tier-1 network providers with middle-mile acceleration. Recognized for its ease of deployment, Quantum SASE boasts a one-hour rollout and a user-friendly administration interface.

Challenges
Quantum SASE does not include a CASB, DLP, or RBI and lacks both EU data residency controls and a hybrid SASE offering with out-of-the-box integrations to third-party security solutions for enabling migration to a single-vendor solution. Moreover, while the combined on-device and cloud-based protections are a key selling point, the solution currently lacks the ability to enforce SWG network security controls directly on the user device, and agentless BYOD is not supported. Furthermore, though customers can buy Quantum SASE today, integration with Atmosec’s advanced SaaS capabilities technology is still underway. However, Check Point is expected to release these capabilities during 2024. In addition, while DNS filtering and FWaaS capabilities provide a level of protection, advanced IoT security capabilities are not on the roadmap.

Purchase Considerations
Check Point offers transparent, user-based internet access and private access annual pricing in three tiers—Essentials, Premium, and Complete—with different levels of functionality, and includes Check Point Standard support. Upgrades to higher SLA-support programs are available at an additional cost. Moreover, the number of available PoPs to which each customer is entitled is based on the number of user licenses purchased. Customers may purchase access to additional PoPs if required.

Quantum SASE is designed for organizations navigating the complexities of hybrid work and cloud integration. Its use cases include providing secure internet access for sites and roaming users, ensuring secure connectivity among users, branches, and applications, and offering on-device and cloud network protections for faster browsing.

Radar Chart Overview
Check Point Software is an Entrant in the Innovation/Platform Play quadrant. While the Atmosec and Perimeter 81 acquisitions underscore Check Point’s commitment to delivering a comprehensive and scalable SASE solution, the solution lacks key features and capabilities—including a CASB, DLP, and RBI—which are due for release in 2024.

Cisco: Cisco Secure Connect

Solution Overview
Founded in 1984, Cisco pioneered the concept of a local area network (LAN) being used to connect distant computers over a multiprotocol router system. Cisco announced its SASE portfolio in March 2021, providing all of the SASE building blocks in a single offer with the option of easily transitioning to a unified subscription service. In June 2022, Cisco launched Cisco Secure Connect, a unified SASE solution designed to simplify the way organizations securely connect users, devices, and applications.

Built on proven Cisco components, Cisco Secure Connect is a unified, turnkey SASE solution that provides secure internet access, private access, and secure SD-WAN connectivity for both branch and remote workers. Powered by Umbrella Secure Internet Gateway (SIG), a cloud-delivered security service offered by Cisco that unifies multiple security functions in a single solution, Cisco Secure Connect simplifies operations and accelerates deployment, offering a single subscription model and a unified dashboard for management.

The solution includes CASB, FWaaS, SWG, DNS-layer security, and DLP, securely connecting users anywhere (branch or remote) to any application (in the private data center, public cloud, or SaaS) via a single subscription with real-time proactive threat updates from Cisco Talos intelligence. It also enables least-privileged access control of private applications with client-based and clientless remote worker access with endpoint posture verification and ZTNA.

Cisco Secure Connect is powered by a range of Cisco technologies and services under a common management interface—including Cisco SD-WAN (formerly Cisco Meraki SD-WAN), Cisco Secure Access, and Cisco Secure Client—to provide a comprehensive, unified SASE solution. As an alternative, Cisco SD-WAN can be swapped out for Cisco Catalyst SD-WAN (formerly Viptela). Combining the security capabilities of Cisco Secure Access’s cloud-native, multifunction security service with the simplicity of Cisco SD-WAN, Cisco Secure Connect extends the fabric to the cloud with just a few clicks, providing centralized management across the organization.

In addition, Cisco Secure Connect provides a unified SASE dashboard powered by the Cisco Meraki dashboard. However, currently users must interact with both the Cisco Secure Connect dashboard and the Umbrella dashboard via single authentication and seamless cross-launches. While the Umbrella dashboard is used to configure select services, most of the time will be spent in the Cisco Secure Connect dashboard for management, configuration, troubleshooting, and visibility into both the networking and security components.

Strengths
Leveraging Cisco’s robust product portfolio, Cisco Secure Connect is a unified, turnkey SASE solution that securely connects users, devices, and applications from anywhere. Providing a consistent operating model extending across premises to the cloud, a single dashboard integrates networking, security, and unified visibility with client and branch office connectivity. The solution includes a secure web gateway, a cloud-delivered firewall, DNS-layer security, a CASB, and DLP. It is offered in two packages to cater to different organizational needs. The solution receives real-time proactive threat updates from Cisco Talos intelligence, providing a secure onramp to the internet and the first line of defense and inspection.

Challenges
Despite Cisco Secure Connect unifying—or bundling—proven networking and security products and packaging them as a single, easy-to-use cloud service in keeping with market trends, the underlying point products are not as tightly integrated as with many other SASE solutions. In addition, the solution is built around Cisco’s product lines, which can make it challenging to implement in non-Cisco environments without a large IT department or support from a managed service provider. Finally, as “open” network and security vendors accelerate innovation in this space, Cisco users may find themselves locked into different code bases and an aging product portfolio.

Purchase Considerations
Primarily targeting existing Cisco customers and organizations that value the integration of networking and security, Cisco Secure Connect is offered as a subscription service, with pricing details typically provided upon request or through a Cisco partner. The service is available in two packages, making it easy for customers to choose the right level of protection and coverage for their organizational needs. The Complete package provides secure internet and private application access to users located in branch offices and working remotely, while the Foundation package provides secure internet and private application access for users located at branch offices only.

Cisco Secure Connect supports three primary use cases: secure internet access, secure private access, and interconnect. Secure internet access provides users with safe access to the internet and cloud applications from any location; secure private access delivers secure connectivity to company assets in private data centers and private clouds; and interconnect provides intelligent routing to and from any application, site, or user connected to Cisco Secure Connect.

Radar Chart Overview
Cisco is a Challenger in the Maturity/Feature Play quadrant. Unifying multiple robust Cisco solutions under a common management dashboard, Cisco Secure Connect is a unified, turnkey SASE solution that provides secure internet access, private access, and secure SD-WAN connectivity for both branch and remote workers.

Cloudflare: Cloudflare One

Solution Overview
Founded in 2009, Cloudflare operates one of the world’s largest networks, reaching about 95% of the world’s population in over 300 cities across more than 100 countries with sub-50 ms latency. Cloudflare One was launched in October 2020, with the on-premises branch connector, Magic WAN Connector, added in October 2023 to connect, steer, and shape IP traffic. In early 2022, Cloudflare acquired Area 1 Security (email security) and Vectrix (SaaS security), boosting its SASE capabilities with the integration of Vectrix’s API-driven CASB and Cloudflare One.

Unifying network connectivity services with zero-trust security services, Cloudflare One is a full-featured SASE platform (CASB, FWaaS, SD-WAN, SWG, and ZTNA) providing consistent security controls delivered globally via Cloudflare’s network. In addition, it includes cloud email security, DLP, and RBI. Designed for simplified connectivity and security for both public and private resources, Cloudflare One’s composable single-pass architecture unifies inbound and outbound networking stacks with the application stack for end-to-end security and performance.

Magic WAN, a service offered by Cloudflare that provides secure, performant connectivity and routing for an entire corporate network, replaces multiprotocol label switching (MPLS) links and SD-WAN deployments with a single network comprising global, cloud-based zero-trust security, performance, and control via a single user interface. Allowing organizations to connect their offices or data centers to Cloudflare’s network, Magic WAN supports a variety of flexible on-ramp mechanisms which, once connected, enterprises can use to define their private networks and routing rules in a central dashboard, enabling traffic to be further filtered and zero-trust access control policies to be enforced.

Cloudflare One is designed to be easy to deploy, manage, and use. Providing a single pane of glass for managing the entire corporate network, the platform includes out-of-the-box integrations with multiple identity, endpoint protection, and cloud providers, enforcing a consistent set of policies across all applications for optimal flexibility. In addition, Cloudflare One includes built-in and unified cloud log storage and security analytics for all services, providing comprehensive visibility and control over network activity. The platform also integrates seamlessly with a wide range of third-party products and services, providing organizations with the flexibility to leverage their existing technology stack.

Strengths
Offering a range of technical strengths and benefits, Cloudflare One features a robust zero-trust security model authorizing every request into, out of, and between entities on the network. Built on Cloudflare’s global network service, Cloudflare One offers fast, easy user onboarding and globally consistent performance and security. A composable architecture allows organizations to deploy components individually to address immediate use cases and build towards a full SASE architecture at their own pace. A centralized control plane enables the management of security and network connectivity services from a single interface. Unique features include a serverless compute development platform and a future-proof design.

Challenges
Despite an impressive array of capabilities and partners, Cloudflare lacks the visibility of some of its larger competitors and may be more complex to deploy and manage than competitive solutions. In addition, Cloudflare One lacks features offered by competitors, including advanced analytics, direct network controls, and out-of-the-box integrations with certain third-party products. Furthermore, Cloudflare does not natively provide a full-featured SD-WAN solution. While Magic WAN Connector offers many features that can be part of an SD-WAN deployment, it primarily focuses on connecting to Cloudflare’s network and does not offer the same level of connectivity, programmability, or control as a full SD-WAN solution. To provide full SD-WAN capabilities, Cloudflare partners with leading WAN and SD-WAN providers to allow organizations to leverage their existing network infrastructure to connect to Cloudflare’s global network. This linking is facilitated through Cloudflare’s Magic WAN, which securely connects data centers, offices, devices, and cloud properties to Cloudflare’s network.

Purchase Considerations
Cloudflare One’s pricing model is primarily based on the number of users and 95th percentile bandwidth. The free plan allows up to 50 users at no cost, while the pay-as-you-go plan costs $7 per user per month. For larger teams that require maximum support and security controls, there are custom-priced contract plans. Unlike some competitors, Cloudflare does not charge for increased bandwidth, number of app connectors, or volume of threats mitigated.

The Cloudflare One platform focuses on four main areas: securing hybrid work, defending against threats, protecting data, and simplifying any-to-any connectivity on the consolidation journey. Cloudflare One can also secure AI tools and developer code, scan SaaS environments for misconfigurations, ensure compliance by protecting regulated data, onboard third-party support securely, and reduce capital expenditures by delivering services from the cloud. It can also replace traditional network infrastructure for improved performance and scalability.

Radar Chart Overview
Cloudflare is a Leader in the Innovation/Platform Play quadrant. Providing a robust, global network offering cloud-based security, performance, and control managed via a single user interface, Cloudflare One delivers CASB, NGFW, SD-WAN, SWG, and ZTNA anywhere and at scale to any application, location, or user. However, Cloudflare does not natively provide a full-featured SD-WAN solution, with Magic WAN Connector primarily serving as the connection between a user’s existing network hardware and Cloudflare’s network, managing network traffic and applying zero-trust security controls.

Cradlepoint: NetCloud SASE

Solution Overview
Founded in 2006 and an Ericsson subsidiary since 2020, Cradlepoint specializes in developing cloud-managed wireless edge networking equipment controlled via Cradlepoint NetCloud, with a focus on unlocking the power of LTE and 5G cellular networks. Following the acquisition of Ericom Software in April 2023, Cradlepoint announced its phased rollout strategy for the industry’s first 5G-optimized unified SASE solution on July 12, 2023. Designed for the enterprise and purpose-built for WAN deployments, the delivery of the NetCloud SASE solution will be phased in over a 12-month period that started on the announcement date.

Cradlepoint’s NetCloud SASE is a cloud-managed platform—leveraging over 50 global Ericom PoPs—designed to provide secure, agile, and reliable connectivity for enterprises. Optimized for 5G and wireless wide area network (WWAN) deployments, NetCloud SASE leverages unique cellular capabilities, in-line traffic for WAN measurements, efficient tunnel mechanisms for client connectivity, single-pane-of-glass visibility of Cradlepoint’s management platform, NetCloud Manager, and zero-trust SIM management and GPS tracking features to enhance physical device security and detect unauthorized use under a common policy model. Furthermore, NetCloud SASE delivers simple remote application access with the ability to enforce data sharing and threat prevention policies on any unmanaged devices.

Simplifying the configuration, deployment, operation, and troubleshooting of WWANs, NetCloud Manager is an intuitive, easy-to-use cloud management and orchestration platform designed for lean IT teams to manage their networks effectively from anywhere, using either a browser or a mobile application. An extension of NetCloud, NetCloud Exchange (NCX) offers 5G-optimized SD-WAN capabilities, amplifying the 5G experience and simplifying the transition from wired to wireless WAN. NetCloud Manager and NCX work together to provide a comprehensive network management solution enabling the setup of application-based policies, recognition and classification of applications, intelligent assessment of the health of WAN links, and insights into cellular WAN usage.

NetCloud SASE integrates NCX’s firewall, SD-WAN, and zero-trust capabilities with cloud-based security technology acquired from Ericom, including CASB, DLP, RBI, SWG, and other services managed through NetCloud Manager to protect users browsing in fixed and mobile environments from threats such as phishing and ransomware. Cradlepoint Cellular Intelligence, a cellular telemetry solution, collects information on cellular metrics such as signal strength and data plan usage, leveraging it for SD-WAN traffic steering. Furthermore, as 5G standalone (SA) networks become more popular, Cradlepoint will use its network slicing capabilities to offer prioritization and slice-based isolation, allowing enterprises to tailor network resources to their specific needs.

Strengths
Addressing the need for a comprehensive 5G-optimized SASE solution with improved capacity, latency, and speed, and incorporating zero-trust principles, Cradlepoint’s NetCloud SASE enables lean IT teams and SMBs to manage network access, security, and observability across 5G wireless connectivity in any hybrid WAN. Minimizing management complexity across a distributed network, NetCloud SASE optimizes traffic in SD-WAN deployments by utilizing cellular telemetries and incorporating network slicing capabilities within 5G SA networks. The solution also includes SIM management and GPS tracking features to enhance physical device security and detect unauthorized use. As a single-vendor solution, NetCloud SASE is integrated with Cradlepoint’s cloud-based NetCloud Manager for single-pane-of-glass visibility. Cradlepoint is delivering NetCloud SASE incrementally in phases, with availability in the first half of 2024.

Challenges
In addition to the cost and availability of LTE and 5G being a barrier for organizations looking to adopt wireless technologies for SD-WAN connectivity, especially at the early stages of the service lifecycle, managing network access, security, and observability across wireless connectivity in any hybrid WAN can still be a complex task, especially for lean IT teams and SMBs. In addition, NetCloud SASE’s reliance on cellular telemetries and network slicing capabilities within 5G standalone networks may present technical challenges in network management and optimization. Furthermore, ensuring the security of physical devices through SIM management and GPS tracking features can be complex when managing numerous remote sites. However, we expect Cradlepoint—and Ericsson—to address these challenges with a variety of innovations in the coming months.

Purchase Considerations
Cradlepoint offers one-, three-, or five-year subscription-based licensing. Networking-centric services, such as hybrid mesh firewall services, software-defined wide area networking, and zero-trust connectivity, are priced on a per-site (router) basis, while security services such as CASB, DLP, RBI, SWG, and ZTNA are priced on a per-user basis. All security services are included in the per-user price, with no additional charges for enhanced capabilities.

Optimized for WWAN deployments, the NetCloud SASE solution is designed for diverse use cases across enterprises, particularly those that rely heavily on 5G for reliable connectivity with extended branch, mobile, and IoT networks. Furthermore, it is suitable for education, manufacturing, and smart cities requiring secure, dedicated networks.

Radar Chart Overview
Cradlepoint is a Challenger in the Innovation/Feature Play quadrant. Streamlining the transition from wired to wireless WAN, NetCloud SASE provides a common networking and security policy engine and consistent provisioning experience across all SASE features. Currently available as point products, unified NetCloud SASE with single-pane-of-glass management will be generally available in the first half of 2024.

Forcepoint: Forcepoint ONE

Solution Overview
Founded in 1994, Forcepoint is a cybersecurity company developing data protection and user security solutions. Launched in February 2022 to implement Forcepoint’s data-first SASE security model, Forcepoint ONE’s all-in-one microservices-based cloud security platform integrates with Forcepoint’s FlexEdge Secure SD-WAN, providing a centralized management plane distributing enforcement to the edge. Boosting its SASE capabilities, Forcepoint acquired Cyberinc (RBI) in May 2021, Deep Secure (content disarm and reconstruction, or CDR) in July 2021, and Bitglass in October 2021.

Forcepoint ONE is an all-in-one cloud platform designed to protect a hybrid workforce and the information it accesses on the web, via the cloud, and in private applications. Built on an auto-scaling distributed architecture from AWS, Forcepoint ONE unifies three foundational gateways (CASB, SWG, and ZTNA) with comprehensive DLP and malware scanning to prevent theft, leakage, or corruption of business data, all managed via a unified set of policies, from one console connected to one endpoint agent. The platform also incorporates smart RBI, CDR file sanitizing, and zero-day sandboxing, which provides seamless protection against advanced threats.

Forcepoint ONE also offers best-in-class DLP SaaS for the cloud (SaaS and IaaS), on the web, and in private applications, preventing data exfiltration in real time across all channels from a cloud-native DLP platform and simplifying DLP management with over 190 out-of-the-box predefined policies. Data-in-motion scanning blocks malware and data exfiltration between users and any web application, and data-at-rest scanning quarantines malware and controls risky data sharing for many popular SaaS and IaaS storage offerings. Add-on capabilities include cloud security posture management (CSPM) and SaaS security posture management (SSPM), which scan tenant settings for risky configurations and provide manual and automated remediation.

Forcepoint’s distributed architecture is designed specifically for hybrid environments, with the management of policies, analytics, and dashboard visualizations centralized in the cloud, with distributed enforcement at the endpoint for maximum performance and in the cloud for maximum depth of inspection. Hosted in over 470 AWS PoPs worldwide, including data centers on AWS GovCloud, Forcepoint ONE’s architecture enables enterprise-level performance, reliability, and scalability, accommodating surges in user traffic or massive data-at-rest scanning jobs while maintaining low-latency connectivity and 99.99% uptime SLAs.

Strengths
A comprehensive cybersecurity platform integrating CASB, SWG, ZTNA, and zero-trust technologies into a unified cloud platform, Forcepoint ONE offers advanced threat protection across web, cloud, and private applications. It also provides robust data loss prevention and real-time visibility into user behavior. In addition, the platform offers visibility and control of access and data movement, integrates with any SAML identity provider (IdP), includes CSPM and SSPM add-on capabilities, and supports Syslog, allowing third-party apps to upload logs for visualization and analysis. Built on an AWS hyperscale network, Forcepoint ONE ensures enterprise-level performance, reliability, and scalability.

Challenges
While Forcepoint ONE delivers strong access security, some gaps exist compared to leading SASE solutions, especially regarding advanced threat protection—such as deception technology, lateral movement protection, and insider threat detection—and the convergence of networking functions. A Forcepoint ONE ZTNA connector is required for each private data center hosting one or more private applications, potentially adding complexity to the deployment process compared with SaaS solutions. Users report that the initial configuration process can be complex and time-consuming, potentially delaying the deployment of data protection measures, and that the user interface can be challenging to navigate.

Purchase Considerations
Forcepoint offers different Forcepoint ONE editions, including CASB, SWG, ZTNA, and an all-in-one edition, each with different features, in a subscription-based pricing model, but specific costs are not publicly listed and are likely customized based on the specific needs of the customer. Additional support can be purchased, and the platform allows for testing of new features without impacting the production environment. In addition, in April 2023, Forcepoint introduced its managed security service provider (MSSP) program for service providers, distribution partners, and other resellers to provide multitenant pay-as-you-go SASE services.

Forcepoint ONE enforces policies across the cloud, edge, and endpoint, provides secure access to private applications, delivers visibility and control over data in any application, and protects data at rest or in motion between users and managed SaaS apps.

Radar Chart Overview
Forcepoint is a Challenger in the Innovation/Platform Play quadrant. Integrating CASB, CDR, FWaaS, RBI, SWG, ZTNA, and zero-trust technologies from multiple acquisitions into a unified cloud platform, Forcepoint ONE offers advanced threat protection across web, cloud, and private applications. Forcepoint ONE is hosted in over 470 AWS PoPs worldwide, providing low-latency connectivity and a 99.99% SLA.

Fortinet: FortiSASE

Solution Overview
Founded in 2000, Fortinet is a cybersecurity company that provides a broad array of next-generation firewalls and network security solutions. In July 2020, Fortinet acquired OPAQ Networks, combining OPAQ’s purpose-built and patented zero-trust, multitenant network solution with Fortinet’s on-premises or data center Fortinet Security Fabric—a broad, integrated, and automated platform encompassing over 30 orchestrated products—to create FortiSASE.

Powered by the same FortiOS used on FortiGates, along with FortiGuard AI-powered security services, FortiSASE, Fortinet Secure SD-WAN, and FortiManager work together to provide a comprehensive, integrated, and centrally managed SASE solution, with a single management console. Fortinet offers a complete set of networking and security capabilities, comprising CASB, FWaaS, SWG, ZTNA, and secure SD-WAN integration with the same SKU, including DLP, DNS security, an EPP, malware protection, sandboxing, and URL filtering.

Designed to achieve secure internet access for off-net endpoints, FortiSASE reduces latency by connecting endpoints to the closest PoP via a cloud-delivered security service. Fortinet has over 30 PoPs but relies on peering relationships with partners to deliver connectivity via private backbones. In 2023, Fortinet expanded its network reach to over 100 global locations through strategic partnerships with providers such as Google Cloud and investments in Fortinet’s own SASE locations. Using Fortinet’s SD-WAN connector, FortiSASE becomes a part of the existing SD-WAN overlay network, steering user traffic across the best available paths for private application access.

FortiSASE’s architecture includes secure internet access (SIA), secure private access (SPA), and secure SaaS access (SSA). SIA extends an organization’s security perimeter to remote users by enforcing security policies for intrusion prevention systems, application control, web and DNS filtering, and anti-malware, among others. SPA secures private TCP-based applications using ZTNA and FortiSASE’s integration with FortiGate ZTNA access proxy. SSA uses FortiCASB for advanced API-based deep inspection of cloud activity and FortiSASE Inline-CASB functionality for enforcing security policies inline with the traffic as users access cloud applications.

Designed to deliver both a consistent security posture and an optimal user experience for users working from anywhere, the FortiSASE solution includes a unified agent that supports multiple use cases, providing comprehensive control, visibility, and analytics through an intuitive user interface that includes unified network and security visibility. Administrators can instantly see endpoints, users, point-of-presence graphical information, and threat analytics.

Strengths
FortiSASE includes a next-generation dual-mode CASB, FWaaS, SWG, and universal ZTNA, enforcing unified networking and security policies at all network edges by extending on-premises policies to remote users and devices via the standard FortiClient. Integration with the Fortinet Security Fabric, powered by FortiOS, ensures a consistent security posture for users both on and off the network, while internet, private, and SaaS access are delivered via the same solution, with user identities, policy engine, security efficacy, and application identification remaining consistent irrespective of the deployment model. The solution supports MSSP multitenancy deployments, with delegated access for end customers, while providing centralized visibility and management.

Challenges
FortiOS, the foundation of FortiSASE, is not inherently cloud native, posing challenges in achieving a true SASE platform, which is typically cloud native by design. Still, FortiSASE is built with a cloud-native architecture, making it well-suited for cloud-based and hybrid environments. However, FortiClient blocks IPv6 traffic, allowing only IPv4 traffic to traverse the FortiSASE tunnel. While Fortinet has all the key pieces for a SASE solution, the solution is not fully integrated. Released on May 11, 2023, FortiOS 7.4 was the first version of the operating system to support a single management console, integrating FortiManager with FortiSASE and Fortinet Secure SD-WAN. However, while FortiOS 7.4 is the latest version, organizations may use a different version based on their stability needs and the specific features they require, increasing configuration and management complexity.

Purchase Considerations
FortiSASE’s flexible licensing program, FortiFlex, provides flexible, usage-based licensing for Fortinet security products deployed in the cloud, hybrid cloud, and on-premises environments. Customers pay based on actual usage rather than fixed licensing. FortiFlex includes a portal where customers can configure VM entitlements, generate licensing tokens, and monitor resource consumption, enabling customers to optimize budgets by scaling VM usage up or down as needed. Unused prepaid points can also be rolled over. There are optional add-ons available, such as additional bandwidth and dedicated IP addresses. For branch offices, the pricing is based on the appliance used to connect the offices.

FortiSASE caters to various use cases, particularly for remote and hybrid work environments. It provides SIA for agent-based, agentless, and site-based remote users, enabling secure connections to the internet, data centers, and cloud, SPA for ZTNA to private company-hosted applications, and SSA control to SaaS applications.

Radar Chart Overview
Fortinet is a Challenger in the Maturity/Feature Play quadrant. Organically developed and purpose-built, FortiSASE is an integrated, single-vendor SASE solution from an established network security provider, building on Fortinet’s existing security fabric, SD-WAN, firewall, and other products. While appealing to existing Fortinet customers seeking convergence, it has some limitations compared to industry-leading cloud-based SASE offerings.

HPE Aruba Networking: Unified SASE

Solution Overview
Founded in 2002 and acquired by Hewlett Packard Enterprise (HPE) in 2015, HPE Aruba Networking operates as the “Intelligent Edge” business unit of HPE, encompassing HPE’s networking and security-related operations and acquisitions. HPE acquired Axis Security, a cloud security provider, in April 2023, and Athonet, a private 5G cellular vendor, in June 2023, expanding HPE Aruba Networking’s edge-to-cloud security capabilities with a unified SASE solution that integrated cloud security and SD-WAN in a single offering.

Currently known as unified SASE, HPE Aruba Networking’s SASE solution is a single-vendor SASE offering supporting simplified, secure, anywhere access to applications and data while enhancing the application and end-user experience. Integrating HPE Aruba Networking SSE (security service edge) with the HPE Aruba Networking EdgeConnect SD-WAN portfolio (SD-WAN, SD-Branch, and Microbranch) and Aruba EdgeConnect Orchestrator, unified SASE offers enterprises the unique ability to centrally assign business intent policies to secure and control all EdgeConnect SD-WAN traffic.

HPE Aruba Networking SSE is a connectivity-as-a-service platform that integrates CASB, FWaaS, SWG, ZTNA, and digital experience monitoring (DEM) into a single policy engine with agent and agentless access and an intuitive interface. Based on Axis Security’s Atmos and residing on all major cloud infrastructures, HPE Aruba Networking SSE leverages smart routing to view multiple access routes and auto-determine the best path based on the resource requested, directing traffic closer to the application rather than the user. The service runs on all major cloud infrastructures with over 500 onramps and dozens of PoPs running across AWS, Azure, and Google Cloud, providing high resiliency and uptime for customers.

Based on the 2020 Silver Peak acquisition, the HPE Aruba Networking EdgeConnect SD-WAN fabric is built on an application-specific virtual WAN overlay model that enables multiple access gateways supporting locations of any size using any combination of underlay circuits, including 4G/5G, public internet, MPLS, and satellite. Business intent overlays (BIOs) classify applications based on their unique performance and security requirements, first-packet iQ technology automatically identifies more than 10,000 applications to enable granular traffic steering and fine-grained security policy enforcement, and advanced WAN optimization improves the performance of latency-sensitive and data-intensive applications.

Deployed as a virtual machine in an existing environment, as a virtual instance within AWS, Azure, or GCP, or as a cloud-managed service with an optional as-a-service subscription license, Aruba EdgeConnect Orchestrator enables rapid and consistent implementation of network-wide business intent policies, eliminating many of the repetitive and mundane manual steps required to configure and connect remote offices and branch locations. An intuitive user interface provides complete observability into both data center and cloud-based applications.

Strengths
Unified SASE converges sophisticated networking and robust security capabilities in a cloud-native architecture with Aruba EdgeConnect Orchestrator, simplifying the management of diverse configurations for multiple branch devices with a single policy engine and a single user interface. In addition, HPE Aruba Networking EdgeConnect SD-WAN BIOs classify applications based on performance and security needs, while its adaptive internet breakout technology enables granular traffic steering and secure local internet breakout. Smart routing directs traffic closer to the application, rather than the user, for optimal performance. The service provides onramps for branch, small home office (SMHO), and hybrid work environments, includes built-in WAN optimization, and supports multivendor SASE solutions with automated integrations for leading SSE providers. Unified SASE is hosted on major cloud providers, enabling quick failover and failback, and it uses smart routing to determine the best path based on the resource requested.

Challenges
While embracing open, multivendor interoperability and integration for hybrid SASE deployments, HPE Aruba replaced Lookout as its SSE partner following the acquisition of Axis Security in April 2023. Moreover, integration is ongoing, with additional functions and capabilities that simplify secure application connectivity for branches, devices, and users due for release based on an aggressive roadmap. HPE Aruba Networking SSE does not currently leverage advanced AI/ML capabilities. However, the platform uses a single data lake to provide telemetry, insights, and performance data and access to the HPE Aruba Networking data lake by over two and a half million devices and more than 200 million clients. HPE Aruba Networking has all the key technology pieces in its portfolio but needs to bring them together under a single policy engine.

Purchase Considerations
HPE Aruba Networking offers subscription-based licensing for HPE Aruba Networking SSE (per seat) with HPE Aruba Networking EdgeConnect SD-WAN (per device and bandwidth), with customers choosing SSE, SD-WAN, or both. Functionality-based licenses are available in four tiers: Foundation, Foundation Plus, Advanced, and Advanced Plus. HPE Aruba Networking EdgeConnect SD-Branch and Microbranch licenses are assigned per gateway or access point device type with client capacity limits in four tiers: Foundation, Foundation Base, Foundation + Security, and Foundation Base + Security. HPE Aruba Networking’s roadmap includes unifying ordering and licensing during 2024.

HPE Aruba Networking’s unified SASE is designed to enforce universal least privilege access to applications, protect against malware and data leakage, modernize and secure branch networks, and enable hybrid working by securely connecting users from anywhere and any device.

Radar Chart Overview
HPE Aruba Networking is a Leader in the Innovation/Platform Play quadrant. Having acquired Axis Security in April 2023, HPE Aruba Networking has all the key technology pieces in its portfolio for a robust SASE solution but needs to bring them together under a single policy engine based on an aggressive roadmap.

Juniper Networks: Juniper SASE

Solution Overview
Founded in 1996, Juniper is an industry leader in high-performance network infrastructure. Following the acquisition of 128 Technology, a company specializing in SD-WAN solutions, in 2020, Juniper Networks announced its investment in the SASE market with the introduction of Juniper Security Director Cloud in May 2021. Later, in February 2022, Juniper acquired WiteSand, a provider of zero-trust network access control (NAC) solutions, and announced Juniper Secure Edge, a cloud-delivered SSE solution managed by Security Director Cloud, as part of its SASE architecture.

Comprising Juniper Secure Edge, Juniper SD-WAN, Juniper Security Director Cloud, and Juniper Session Smart Routers, Juniper SASE offers full-stack SSE and SD-WAN capabilities leveraging the power of the cloud to deliver optimized zero-trust access to any application from anywhere. Providing a single policy framework, security assurance, and unbroken visibility from client to workload, Juniper’s SASE architecture leverages advanced AI/ML capabilities to optimize both the network and security experience.

A cloud-delivered security solution leveraging public cloud PoPs and providing full-stack SSE capabilities, Juniper Secure Edge includes CASB, DLP, FWaaS, SWG, ZTNA, and advanced threat protection. It provides support for remote users wherever they are by routing them to the nearest Secure Edge PoP. For campus and branch users, Juniper Secure Edge connects each site to the nearest Secure Edge PoP. Alternatively, security services can be offloaded to the Secure Edge cloud, which offers the benefits of anomaly detection, automated troubleshooting, App Control (a suite of application-aware security services for Juniper Networks’ SRX Series Services Gateways and NFX Series devices), AppQoS (for control and optimization of network traffic based on application-specific requirements), Mist AI (optimizes user experiences and simplifies operations insights), and Session Smart Routing (a software-based router that powers Juniper’s SD-WAN solution).

When combined with Juniper SD-WAN, Juniper Secure Edge provides a comprehensive SASE solution to help organizations deliver seamless and secure end-user experiences. Built on an application-aware, zero-trust secure network fabric, Juniper’s AI-driven SD-WAN simplifies network configuration, deployment, and operations across wired and wireless LANs and WANs with cloud-based management. Juniper SD-WAN creates an experience-centric, session-aware environment, combining Juniper’s Session Smart Routing (SSR) with programmable network devices to intelligently steer traffic based on application policies, network conditions, or WAN circuit priority, thereby improving cost, agility, and performance.

Juniper’s management platform, Juniper Security Director Cloud, allows organizations to manage security anywhere and everywhere, on-premises and in the cloud, with an intuitive, centralized, web-based interface and unified policy management that follows users, devices, and data wherever they go.

Strengths
Juniper SASE offers AI-optimized network experiences, zero-trust access, full-stack SSE and SD-WAN capabilities, unified visibility and policy management, and a cloud-delivered architecture, enabling organizations to secure their workforce on and off the network. Driven by Mist AI, Juniper SD-WAN enables enterprises and MSPs to transform their business with simplified operations, better network performance, and improved customer engagements based on resilient WAN connectivity, proactive insights, and advanced automation capabilities. Leveraging Juniper’s AIOps capabilities, Juniper SASE allows MSPs to deliver optimal networking and security performance with fast root-cause discovery, event correlation, and automated troubleshooting.

Challenges
Rather than running over a global SLA-backed private backbone, Juniper SASE leverages public cloud PoPs, potentially impacting performance and availability. Moreover, while making significant progress in developing an integrated solution based on a series of acquisitions, Juniper lags behind the competition and has yet to articulate its long-term strategy for its SASE and SD-WAN portfolio. Furthermore, the lack of out-of-the-box integrations with a choice of third-party security vendors increases complexity for lean IT or SMBs with limited resources and existing security products. Buyers report that Juniper SASE is expensive compared to other solutions.

Purchase Considerations
Juniper offers flexible device- or platform-based subscription licensing based on features, network bandwidth, and the scale of the deployment. However, specific pricing details are not publicly available and are likely to vary based on the enterprise’s needs and the scale of the deployment.

Juniper SASE is designed to secure users on and off the network, providing unified visibility and policy management, secure user access from anywhere, and simplified networking and security stack management. It offers full-stack SSE capabilities and is suitable for hybrid work environments.

Radar Chart Overview
Juniper Networks is an Entrant in the Maturity/Feature Play quadrant. Juniper SASE combines Juniper Secure Edge, Juniper SD-WAN, Juniper Security Director Cloud, and Juniper Session Smart Routers to deliver full-stack SASE capabilities. However, the products are not fully integrated at the functional level.

Netskope: Netskope SASE

Solution Overview
Founded in 2012, Netskope is a global cybersecurity vendor focused on applying zero-trust principles to deliver real-time data and threat protection while accessing cloud services, websites, and private applications. The company acquired WootCloud (IoT device security) in June 2022, Infiot (cloud-managed intelligent access) in August 2022, and Kadiska (DEM) in September 2023, extending Netskope’s SASE, SD-WAN, SSE, and zero-trust capabilities. Moreover, Netskope partners with FIS Global, Halo Global, Hughes Network Systems, and Telstra International to deliver fully managed SASE services.

Combining Netskope Intelligent SSE with Netskope Borderless WAN, Netskope SASE unifies fast, reliable networking and zero-trust hybrid security services in a cloud-based architecture to deliver high-performance connectivity and security for users, devices, branch offices, and multicloud environments. Eliminating the traditional defined network perimeter and patchwork of multiple, hard-to-manage networking and security point products (including firewalls, proxies, routers, SD-WAN appliances, secure sockets layer (SSL) decryption, VPNs, and content inspection devices), Netskope SASE integrates cloud-delivered security with fast, reliable access to support any user, site, or device.

Netskope Intelligent SSE’s converged capabilities include advanced threat protection (ATP), multimode CASB, DLP, cloud firewall (CFW), RBI, cloud-native next-gen SWG, user and entity behavior analytics (UEBA), and ZTNA within a single-pass policy architecture, delivered from a single platform, managed by a single console, and driven by a single zero-trust policy engine offering up to 10x policy simplification. In addition, built-in AIOps capabilities collect users’ service level expectations (SLE) data, detect anomalies, predict SLA violations, and resolve policy violations with network-wide flow analytics.

Netskope Borderless SD-WAN leverages a single lightweight software agent across remote users, branch offices, IoT assets, and multicloud environments with a consistent policy framework recognizing over 75,000 applications prioritized automatically with out-of-the-box smart QoS defaults and context-aware QoE.

The new Netskope Next Gen SASE Branch, powered by Borderless SD-WAN and Netskope Intelligent SSE, converges a unified SD-WAN and security appliance, the Netskope SASE Gateway, with a context-aware SASE fabric, zero-trust hybrid security, and a SkopeAI-powered cloud orchestrator. One-click connectivity from Netskope SASE Gateway to Netskope Intelligent SSE delivers end-to-end context-aware security for any user, anywhere. Available as a single, cloud-delivered offering, the solution includes a thin branch that optimizes and secures traffic from all locations and users to cloud and on-premises locations.

Netskope SASE Borderless SD-WAN is built on NewEdge, a cloud-native SASE-ready infrastructure that powers all Netskope real-time, inline and out-of-band API-based services, ensuring 99.999% uptime and single-digit millisecond latency. With no reliance on the public cloud or virtual PoPs as of November 2023, NewEdge was powered by full compute data centers in 71 regions worldwide, with 21 new data centers added in the previous 12 months, delivering high-performance, secure access to any cloud, SaaS, or UCaaS application.

Strengths
Netskope SASE is built on a single, converged platform, using one policy framework and one console to simplify technology operations, preserve network performance, and provide more visibility to security and networking teams. Designed to support, secure, and optimize any connection, including new internet-connected devices, remote users, and BYOD, as well as branch traffic going directly to the internet, it ensures robust security combined with consistent, low-latency network performance. Netskope SASE converges networking and security with flexible deployment options for SASE gateways across physical on-premises appliances and virtual public cloud appliances combined with cloud-native Intelligent SSE to secure any location, from the home office to the branch or enterprise data center.

Challenges
While customers can purchase a converged single-vendor SASE platform, integrating Netskope SASE in a hybrid deployment with existing infrastructure is complex and challenging, especially if organizations have separate security and networking decision-makers or existing investments in SSE or SD-WAN infrastructure that they don’t want to replace. In addition, Netskope SASE requires specific deployment options to achieve real-time protection, including combining an API deployment with a forward and/or reverse proxy deployment, which can be complex to set up and manage. Moreover, while Netskope Borderless SD-WAN recognizes over 75,000 applications prioritized automatically with out-of-the-box smart QoS defaults, some SMBs and lean IT teams may be overwhelmed by validating QoS policies for a vast number of applications or managing context-awareness at the branch level, relying on default settings which may not meet the needs of the business.

Purchase Considerations
Netskope offers flexible one-, three-, or five-year subscription-based licensing based on various factors, including the specific services and features required. However, prices are not published, and it’s recommended to contact Netskope directly for the most accurate and up-to-date pricing information.

Netskope SASE creates continuous adaptive trust, enables secure collaboration, and supports remote workers by providing secure, high-performance access to every user, device, site, and cloud. It also protects against advanced and cloud-enabled threats, helps discover and protect sensitive information, and offers visibility and control over SaaS applications.

Radar Chart Overview
Netskope is a Leader in the Maturity/Platform Play quadrant. Netskope SASE unifies fast, reliable Borderless WAN networking and Intelligent SSE zero-trust security services in a cloud-native, fully converged platform with 99.999% uptime and single-digit millisecond latency, protecting users, applications, and data everywhere.

Palo Alto Networks: Prisma SASE

Solution Overview
Founded in 2005, Palo Alto Networks provides a range of cybersecurity solutions, including next-generation firewalls, intrusion detection and prevention, ransomware protection, attack surface management, and incident case management. Palo Alto Networks launched Prisma SASE in September 2021. In November 2023, it acquired Dig Security, a cloud data specialist, and announced its intent to acquire Talon Cyber Security, an enterprise browser start-up, to strengthen its SASE capabilities. In addition, Palo Alto Networks partners with BT, NTT, Orange Business, and Orange Cyberdefense to deliver fully managed SASE services.

Prisma SASE is a cloud-delivered service that converges networking and security for large enterprises and multitenant service providers. Powered by artificial intelligence, Prisma SASE combines the functionality of Prisma Access and Prisma SD-WAN with next-gen CASB, ML-powered DLP, FWaaS, RBI, SWG, ZTNA 2.0, autonomous digital experience management (ADEM), and SaaS security misconfiguration detection and drift prevention in a single offering. Prisma SASE also integrates with Palo Alto’s cloud-delivered DLP and IoT security solutions.

Providing the security foundation, Prisma Access is a scalable, low-latency cloud-native global services edge offering leveraging the combined infrastructures of AWS and GCP, with over 100 service access points across 76 countries, to deliver agentless and agent-based remote user protection and security. Formerly known as CloudGenix, Prisma SD-WAN leverages AIOps and ML to combine deep application visibility with Layer 7 intelligence for network policy creation and traffic engineering, simplifying network and security management. Unified policy management and visibility is provided via onsite (Panorama) or cloud-hosted (Strata Cloud Manager) consoles.

While some critics argue that ZTNA 2.0 is merely a term coined by Palo Alto Networks to make its products look more secure than its competitors’, ZTNA 2.0 enforces the principle of least privilege from Layer 3 to Layer 7 of the OSI model, providing a better context for what is happening among users, devices, and applications. Instead of being able to see only which application a user is attempting to access, a ZTNA 2.0 solution can see what they’re trying to do with the application, allowing it to make better decisions on which transactions to allow and which to deny.

In February 2022, Palo Alto Networks introduced Prisma SASE enhancements for MSPs, including an open API framework for MSPs to seamlessly integrate with their back-end infrastructure to automate Day 0 and Day 1 workflows. Supporting fully managed or co-managed lifecycle services, a cloud-based management portal provides hierarchical multitenancy and flexible service creation with sophisticated role-based access control for segmenting customers while ensuring control using granular permissions.

Strengths
A robust solution for organizations with hybrid or remote workforces, Prisma SASE offers comprehensive networking and security services via a cloud-native architecture with a common policy framework and unified management interface. In addition, Prisma SASE’s AI/ML-powered ADEM capabilities provide predictive problem detection and control and response capabilities for advanced threat detection, automated operations, and security remediation. A new feature, Prisma Access App Acceleration, enhances the performance of SaaS apps—like Google Workspace, Salesforce, and SAP—when accessed via Prisma SASE instead of directly through the internet. IoT security integration ensures IoT device information is sent to Prisma SASE to enforce security policies protecting both devices and the applications accessed.

Challenges
While Palo Alto Networks has a strong pedigree in security with feature-rich components, its reliance on acquisitions to deliver critical capabilities and the standalone nature of its components often lead to integration complexities, especially in the case of Prisma SASE, which incorporates numerous products. More options from well-established technologies can result in a longer and more complex setup process with the potential to cause unintended gaps or conflicts in security policies, and option overload makes it difficult to determine the appropriate licenses and options required. Palo Alto Networks also lacks a private backbone for high-speed SD-WAN connections, so SD-WAN customers must use public backbone resources or contract with backbone providers. Furthermore, the use of AWS and GCP to build its PoPs limits Palo Alto Networks’ control over routing and its ability to expand according to the geographic requirements of its users.

Purchase Considerations
Palo Alto Networks offers tiered subscription-based pricing based on the duration of the license, bandwidth used across all sites, and the services included for each product. However, customers must purchase add-ons to meet basic SASE requirements and for specialized needs, including: Prisma SASE Colo-Connect (high-bandwidth bidirectional connectivity to secure private apps), Inline SaaS Security (advanced risk scoring, analytics, reporting, and security policy rule authoring for organizations), Next-Gen CASB (multifaceted security for businesses), and ZTNA Connector (simplifies app access in overlapped networks).

Ideal for organizations with hybrid or remote workforces, Prisma SASE provides secure remote access to company resources, outbound internet access, cloud access security for branch offices and retail locations, remote access VPN for mobile users, and ADEM capabilities for insights into the health of the environment.

Radar Chart Overview
Palo Alto Networks is a Challenger in the Innovation/Platform Play quadrant. Despite the advanced capabilities of Prisma SASE, Palo Alto Networks’ reliance on acquisitions to deliver critical capabilities and the complexity, scope, and size of its portfolio prevent it from keeping pace with other vendors building SASE solutions from the ground up.

Roqos: Roqos SASE

Solution Overview
Founded in 2014, Roqos provides appliances with cellular capabilities, cybersecurity, and networking solutions to enterprises and SMBs through its Roqos Core appliances, Roqos apps, and Roqos Cloud. The Roqos SASE service was launched in March 2023 using OmniVPN, a patented VPN signaling technology developed by Roqos. OmniVPN provides direct connections among Roqos Cores via various network access types, including carrier-grade network address translation (CGNAT), multiple network address translations (NATs), private IP addresses, cellular routers, and satellite routers, bypassing ISP limitations and eliminating the need for complex port-forwarding rules on firewalls.

Roqos offers two SASE solutions: Distributed SASE and Private SASE. Both solutions include a control plane in the Roqos Cloud (private or public) and data planes distributed among open source Roqos Core appliances, providing role-based OmniVPN network access for cloud-based and on-premises applications without sending any end-user or application data to a public network.

  • Roqos Distributed SASE extends SASE by leveraging OmniVPN to distribute control and data planes among Roqos Core appliances, eliminating overlay networks. It can be implemented in either a private cloud or private data center without sending any end-user or application data to a public network.
  • Roqos Private SASE is completely contained in a private cloud—without any external communication—and provides the same features as Distributed SASE when implemented on-premises. Roqos claims that this makes Roqos Private SASE the only complete on-premises SASE for organizations that can’t use public clouds. The Roqos SASE UI is designed for less technical users, as it mostly addresses the SME market in which businesses may not have internal cybersecurity teams.

Distributing control and data planes among Roqos Core appliances, Roqos SASE delivers FWaaS, SWG, and universal ZTNA for both local and remote users. CASB is scheduled for delivery in early 2024. Supporting modern BYOD workplaces, Roqos’ universal ZTNA requires all users to authenticate themselves using software installed on their devices, and it continuously monitors and verifies user activity, enforcing re-logins when users change location, their devices go offline, or applications change state.

Roqos SASE provides NGFW functions, automatically blocking new devices and sending alerts, using IP and DNS filters as well as CountryBlock (which allows blocking the entire IP address space for a country) and IPS. In addition, it includes asset discovery, DPI, schedule-based RBAC, threat prevention, real-time alerting, and multitenancy for MSPs and MSSPs. Roqos also has a patented technology that lets it estimate end-user application usage by examining DNS traffic without running agents on end-user devices.

Strengths
Roqos SASE offers a unique combination of networking and cybersecurity features, providing role-based network access for both cloud-based and on-premises applications. Eliminating the need for overlay networks, Roqos’s patented OmniVPN technology enables direct connections among Roqos Cores, bypasses ISP limitations, and simplifies the VPN setup process. Roqos SASE also provides universal ZTNA for both local and remote users, supporting BYOD requirements of modern workplaces. Additional features include threat prevention, real-time alerting, and asset discovery. Roqos Private SASE can be implemented in a private cloud or private data center, ensuring data privacy and compliance with government and security practices.

Challenges
Roqos SASE, while offering a unique blend of networking and cybersecurity features, currently lacks CASB and AI/ML-enabled end-user behavior analysis and abnormal network traffic detection, and provides virtual instances of Roqos Cores and Roqos Cloud only in AWS. However, CASB is scheduled for release in Q1 2024, with Azure and GCP support soon after. While OmniVPN is a built-in feature of Roqos appliances, the setup and management of the technology requires a certain level of technical expertise. Furthermore, Roqos SASE is positioned as a single-vendor cloud service primarily designed for the SMB market, making it challenging to deploy in hybrid SASE environments.

Purchase Considerations
Roqos currently offers perpetual pricing based on the number of Roqos Cores, annual maintenance for each appliance, and an annual subscription fee for each Roqos SASE client running on an end-user device. Private SASE servers are priced separately. Depending on the customer size and value, the upfront cost may be waived as Roqos adopts a subscription-based pricing model.

Primarily designed for companies with limited IT budgets and personnel, Roqos SASE provides role-based network access for both cloud-based and on-premises applications, making it suitable for businesses with a mix of local and remote users and supporting BYOD. Moreover, Roqos SASE can be implemented in a private cloud or private data center, making it a suitable choice for organizations with strict data privacy and compliance requirements.

Radar Chart Overview
Roqos is a Challenger in the Innovation/Platform Play quadrant. Roqos SASE offers a unique blend of networking and cybersecurity features, providing role-based network access for both cloud-based and on-premises applications. However, Roqos SASE currently lacks CASB, AI/ML analytics, and multicloud support, all of which are expected in 2024.

T-Mobile: T-Mobile SASE

Solution Overview
Founded in 1994 as VoiceStream Wireless and with Deutsche Telekom a majority shareholder as of 2001, T-Mobile US, Inc. is a wireless network operator providing wireless voice and data services in the USA under the brands T-Mobile and Metro by T-Mobile. On September 26, 2023, T-Mobile announced T-Mobile SASE, a SIM-based SASE solution offering a 5G SA network slice dedicated to SASE traffic.

Introduced to help businesses and organizations protect their networks, applications, and data from cyber threats in the context of remote and hybrid work environments, T-Mobile SASE is the world’s only SIM-based SASE solution, providing a comprehensive set of security and network management services on a simple, scalable, and cost-effective platform.

T-Mobile SASE offers Private Access for secure connectivity to large-scale business applications and secure internet access for protecting internet-connected devices against cyber threats.

  • Private Access uses a modern ZTNA-based approach to VPNs that provides devices with secure, direct, least-privileged access, connecting employees, systems, and endpoints to remote networks, resources, and applications.
  • Secure internet access includes CASB, NGFW, and SWG, providing robust protection against cyber threats such as viruses, malware, and ransomware despite changing network conditions and security requirements.

Furthermore, T-Mobile’s SASE solution includes two first-in-the-industry capabilities: T-Mobile Security Slice and T-SIMsecure.

  • T-Mobile Security Slice uses T-Mobile’s standalone 5G network to create multiple virtual networks or slices. Each of these network slices can be configured independently to meet specific application and service requirements. Users of T-Mobile SASE with 5G SA-enabled devices have the ability to take advantage of this dedicated network slice for reduced latency and faster data speeds.
  • T-SIMsecure, developed in partnership with Versa Networks, provides clientless authentication by leveraging information from SIM cards, such as the International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI). Devices connecting to T-Mobile’s network are automatically authorized via their SIM cards, simplifying the authentication process for IT and security teams.

By default, T-Mobile SASE provides client-based access authorization and protection on any Wi-Fi or cellular network or wireless carrier. However, for devices that can’t load a client, such as IoT sensors and routers, T-SIMsecure uses the T-Mobile SIM to authorize the device when on the T-Mobile network. Furthermore, T-Mobile SASE is managed via a single cloud-based console, simplifying the management of complex network infrastructures.

Strengths
T-Mobile SASE offers a comprehensive set of security and network management services on a single, scalable, and cost-effective platform. Industry-first capabilities include T-SIMsecure, a SIM-based solution that simplifies the authentication process, and T-Mobile Security Slice, which leverages T-Mobile’s standalone 5G network to create multiple virtual networks for reduced latency and faster data speeds. These features, along with secure internet access and private access, provide broad protection against cyber threats, support for remote and hybrid work environments, and improved network performance, making T-Mobile’s SASE solution a robust and innovative approach to network security.

Challenges
Deploying and managing T-Mobile’s SASE solution is technically demanding. While including industry-first capabilities, it is also limited to T-Mobile’s geographic coverage areas. In addition, the increased attack surface and IoT vulnerabilities associated with 5G technology pose significant security challenges, and the deployment of T-SIMsecure requires devices to be automatically authorized via their SIM cards, which can be a complex process. Moreover, one of the main limitations is the complexity and requirements of 5G SA network slicing, which is a key component of T-Mobile’s SASE solution but is not yet widely deployed by most 5G providers. Lastly, T-Mobile SASE is focused on specific 5G use cases, requiring customers to implement another SD-WAN-based solution.

Purchase Considerations
A fully managed service with predictable costs, T-Mobile SASE’s subscription-based pricing model varies depending on the number of SIMs under management. Potential customers should contact T-Mobile for pricing information.

T-Mobile SASE is ideal for devices that can’t load a client, such as IoT devices, and for workers that share a device or work in roles for which using a client may be too cumbersome, such as field services, frontline, or service employees. T-Mobile Security Slice provides a dedicated security network slice, isolating it from other network traffic and enhancing security for government or enterprise networks.

Radar Chart Overview
T-Mobile is a Challenger in the Innovation/Feature Play quadrant. Despite a crowded market, the recently announced T-Mobile SASE stands out due to its innovative features and the company’s commitment to leveraging T-Mobile’s industry-leading 5G SA network to unlock the power of new technologies across a broad range of industries.

Versa Networks: Versa Unified SASE

Solution Overview
Founded in 2012, Versa Networks provides solutions enabling large enterprises and service providers to transform their wide area networks and branch networks to achieve unprecedented business advantages. Versa Networks began delivering SASE capabilities several years before SASE became an industry term, culminating in the release of Versa Unified SASE in April 2020. The solution has since gained significant traction in the market, establishing Versa as a leader in unified SASE.

Developed in-house from the ground up, Versa Unified SASE is a comprehensive platform converging multiple networking and security capabilities into a single solution managed by a single pane of glass, a single centralized policy, and a single data lake for strong security, deep end-to-end visibility, and rich data analytics. Connecting any user, device, or site to any workload or application, Versa Unified SASE combines CASB, DLP, IPS, IDS, NGFWaaS, RBI, SD-WAN, SWG, ZTNA, UEBA, and other functions with Versa Secure SD-WAN, a fully integrated SD-WAN solution with advanced controls, including first-packet application identification, end-to-end SLA-driven sub-second packet steering, and packet loss reduction.

Versa Unified SASE is available on-premises, cloud-delivered, or hosted by Versa-powered service providers using distributed Versa Cloud Gateways. Customers can leverage the Versa SASE Fabric running on over 90 PoPs connected via an application-aware, traffic-engineered, high-speed backbone, or create their own private SASE fabric running on dedicated infrastructure for a private SASE deployment. In both cases, Versa Unified SASE leverages the single-pass parallel processing architecture found in the Versa Operating System (VOS), a multiservice, multitenant software platform built on cloud principles. VOS’s unique architecture increases performance and mitigates security vulnerabilities and exposure by touching each packet only once for both networking and security.

Versa Unified SASE is cloud-native, software-based, and hardware agnostic. Running in public, private, and hybrid clouds and carrier-neutral facilities on bare metal, containers, microservices, service meshes, and virtual machines, Versa SASE facilitates the deployment of consistent security, networking, business, and analytic policies anywhere in the world. Providing flexibility for hosting multiple customers, lines of business, or functions per instance, while maintaining separation between each customer’s traffic, Versa Unified SASE’s built-in native multitenancy and RBAC support up to 256 separate tenants.

Versa’s unified orchestration and management console, Versa Concerto, provides a centralized cloud-based management portal offering single-pane-of-glass management across data center, SD-WAN, SD-LAN, and SSE with a single policy engine and a unified data lake. Versa Titan also provides a subset of Versa Unified SASE’s cloud-native services, addressing the needs of lean IT organizations and SMBs.

Strengths
Offering the widest range of deployment options, including cloud-hosted or on-premises SASE control software, Versa Unified SASE consolidates multiple natively developed networking and security products into a single solution with a unified software stack integrated at the operating system level, providing a comprehensive platform managed by a single pane of glass, single centralized policy, and a single data lake. The platform is built on Versa’s single-pass parallel processing architecture, combining full-featured SD-WAN, completely integrated security, advanced scalable routing, genuine multitenancy, and sophisticated analytics into one software image. In addition, Versa Unified SASE is a true multitenant solution, enabling organizations to achieve management plane, data plane, and control plane multitenancy at cloud, data center, headend, branch, and edge device locations.

Challenges
While boasting a competitive offering, numerous awards, a healthy roadmap, and over 19,000 customers, Versa Networks faces strong competition from incumbent security players leveraging their relationship with security buyers to insert standalone SSE solutions in the network. Versa should market its SASE on SIM capabilities (developed in partnership with T-Mobile) to meet the needs of 5G and IoT use cases, develop its own DEM and endpoint detection and response (EDR) capabilities, and enhance Versa Unified SASE’s compliance capabilities to meet the needs of enterprises and service providers with specific compliance needs, making zero-trust everywhere a reality.

Purchase Considerations
Versa offers tiered per user- or bandwidth-based subscription licensing based on functional requirements. Versa Unified SASE combines Versa Secure SD-WAN and Versa Secure Access Fabric (VSAF), which includes Versa’s traffic-engineered SASE fabric and SSE capabilities.

Versa Unified SASE is designed for diverse environments, providing secure connections between any user, device, or site and any workload or application, making it ideal for enterprises with a distributed workforce. Its wide range of deployment options, including locally-hosted SASE control software and AI/ML capabilities, cater to organizations requiring high customization and control, such as those in biotech, healthcare, and the military.

Radar Chart Overview
Versa Networks is a Leader in the Maturity/Platform Play quadrant. Designed to overcome the challenges and complexities of on-premises, hybrid, and multicloud environments, Versa Secure SASE is a cloud-delivered, single-vendor SASE offering, delivering converged networking and security capabilities natively built on Versa’s single-stack software architecture and managed by a single pane of glass.

VMware: VMware SASE

Solution Overview
Founded in 1998 and acquired by Broadcom in November 2023, VMware is a leading provider of multicloud services and virtualization technologies, enabling digital innovation with enterprise control. The development of VMware SASE started with the introduction of the VMware SD-WAN Client (now called VMware SD-Access), a high-performance private network fabric, in November 2022. Also, in November 2022, VMware acquired Ananda Networks to help accelerate the development of VMware SD-Access.

Converging networking and security via a cloud-native, edge services platform, VMware SASE leverages a software-defined architecture with a cloud-hosted management platform, centralizing policy creation, distribution, and control. Serving as an onramp to SaaS and other cloud services, over 200 PoPs strategically located in IaaS and co-location data centers worldwide provide less than 10 ms latency from 80% of the world’s population and less than 5 ms latency from AWS, Azure, and GCP interconnects.

With varying degrees of integration, VMware SASE includes VMware SD-WAN, VMware SD-Access, VMware Cloud Web Security, and VMware Edge Intelligence.

  • VMware SD-WAN optimizes app performance over any WAN link, delivering content across multiple transports using policy-based prioritization, intelligent traffic steering, continuous link monitoring, and automatic remediation.
  • VMware SD-Access (formerly VMware SD-WAN Client) provides enterprise IT with an easy and secure remote access solution for workers and IoT devices anywhere that optimizes connections for speed and reliability.
  • VMware Cloud Web Security integrates CASB, DLP, RBI, SWG (OEMed from Menlo Security), threat protection, and URL filtering, into each VMware PoP to provide secure, direct, and optimal access to SaaS applications and internet sites.
  • VMware Edge Intelligence (formerly VMware Edge Network Intelligence) is a vendor-agnostic AIOps platform delivering rich user experience and providing AI/ML-enabled visibility from users to applications across wireless or wired LAN, WAN, and the cloud.

Available as a web-based user interface, VMware Edge Cloud Orchestrator provides centralized, enterprise-wide installation, configuration, and real-time monitoring of VMware SASE services, in addition to orchestrating the data flow through the cloud network.

Strengths
oint products, VMware SASE is a cloud-native platform that converges cloud networking and cloud security services, offering flexibility, agility, and scale for enterprises of all sizes. VMware SASE includes a unified edge and cloud service model, a single interface for managing SD-WAN, SSE, and edge compute, optimized access to both traditional and new applications, direct traffic to cloud and SaaS applications, multicloud readiness, reduced operational complexity, and support for remote workforces. In addition, a global network of over 200 VMware and partner-managed PoPs delivers networking and security services, ensuring consistent performance, connectivity, and security, independent of user or app location.

Challenges
VMware has made several acquisitions, including Ananda Networks and Nyansa, and has OEMed Menlo Security technology to bolster its SD-WAN and SASE capabilities. However, these capabilities are not yet fully integrated into a SASE solution, and the platform appears to be more of a custom point product integration than a fully converged SASE platform. The situation is further complicated by VMware’s recent acquisition by Broadcom, potentially impacting VMware SASE’s future roadmap and innovation. Furthermore, VMware’s partnership with Broadcom’s Symantec division to deliver an integrated SASE solution could further disrupt existing and future VMware SASE deployments, suggesting prospective customers should carefully evaluate their options.

Purchase Considerations
VMware’s SASE pricing model is structured to work with both CapEx and OpEx budgets, servicing needs based on criticality. Pricing includes the appliance (VMware SD-WAN Edge hardware or virtual appliance), software subscription (which includes VMware SD-WAN Edge software, VMware Edge Cloud Orchestrator, and VMware SD-WAN Gateway with Controller), and support and services (which includes VMware SD-WAN Edge hardware replacement services and software support plan). Software subscription bundles with different bandwidth tiers constructed on a per-branch site basis are available with different terms (one, three, five years) and payment periods (prepaid, annual, monthly).

VMware SASE can enhance security and lower costs with network modernization, secure edge computing and optimized network efficiency in multicloud settings, and improve the user experience by placing data and key networking elements closer to the edge. Other use cases include connecting, securing, and optimizing branch offices, enabling remote access directly from any device, and providing secure, agile, and optimal application access for retail outlets.

Radar Chart Overview
VMware is a Challenger in the Innovation/Feature Play quadrant. Despite leveraging a comprehensive portfolio and advanced capabilities, the company still has to create a fully integrated SASE solution. Furthermore, disruption from its acquisition by Broadcom will further delay integration as the company goes back to the drawing board, replacing existing capabilities with Symantec products.

Zscaler: Zscaler Zero Trust SASE

Solution Overview
Founded in 2008, Zscaler provides a security-as-a-service platform that detects data breaches and protects any connected device from cyberattacks. Built on the Zscaler Zero Trust Exchange, a cloud-native platform designed for performance and scalability, Zscaler Zero Trust SASE is part of Zscaler’s ongoing efforts to provide comprehensive, cloud-based security solutions. Between 2019 and 2023, Zscaler acquired Appsulate (browser isolation), Edgewise Networks (application-to-application communications security), Trustdome (cloud infrastructure entitlement management), Smokescreen (deception technology), ShiftRight (security workflow automation), and Canonic Security (SaaS application security).

Zscaler Zero Trust SASE comprises a comprehensive suite of security solutions (including CASB, FWaaS, SWG, and ZTNA) designed to provide secure, fast, and reliable access to applications and services. It’s powered by the Zscaler Zero Trust Exchange (ZTE), a cloud-native, globally distributed platform providing direct-to-cloud connectivity via over 150 PoPs and industry-leading third-party SD-WANs (Note: On January 23, 2024, Zscaler announced its own branch connector solution, Zscaler Zero Trust SD-WAN, as an alternative to traditional SD-WANs).

Zscaler Zero Trust SASE incorporates three services:

  • Zscaler Internet Access (ZIA) is a cloud-native security service that provides safe, fast internet and SaaS access. Offering comprehensive cyber-threat defense, data protection, and access control, ZIA uses AI-powered capabilities to eliminate threats such as ransomware, malware, and other advanced attacks, providing robust protection against botnets, advanced threats, and zero days.
  • Zscaler Private Access (ZPA) applies the principle of least privilege to enforce application, IoT, and OT access based on context (device type, location, application, and content), using microsegmentation to limit lateral movement and inside-out connections to make applications invisible to unauthorized users. ZPA is available in three editions: ZPA Professional Edition, ZPA Business Edition, and ZPA Transformation Edition.
  • Zscaler Digital Experience (ZDX) provides digital performance and experience monitoring by leveraging unparalleled visibility into tunneled traffic through the ZTE cloud platform. An integrated service providing a unified view of application and endpoint performance metrics, ZDX correlates network traces from the user to the Zscaler cloud, Zscaler cloud to the user, and Zscaler cloud to the application to deliver a complete end-to-end view of the actual traffic path taken between the user and application.

In addition, Zscaler Zero Trust SASE includes Zscaler Advanced Threat Protection, Zscaler Bandwidth Control, Zscaler Cloud Firewall, Zscaler Cloud Sandbox, Zscaler Data Protection, and Zscaler DNS Security, providing a comprehensive, cloud-based security solution.

Strengths
Zscaler Zero Trust SASE is a cloud-native, multitenant platform that reduces IT cost and complexity by consolidating network and security services into a single, cloud-delivered platform, making it easy to deploy and manage. Managing connections at internet exchanges in real time and optimizing connections to cloud applications and services, Zscaler Zero Trust SASE connects users and IoT/OT devices to applications—not networks—providing full TLS/SSL inspection at scale for complete data protection. Additionally, it includes application analytics via Zscaler Digital Experience, enabling organizations to monitor the application experience and identify and resolve performance issues. Addressing different aspects of network security and connectivity, Zscaler for Users, Zscaler for Workloads, and Zscaler for IoT/OT work together under the Zscaler SASE platform.

Challenges
Despite boasting an extensive global network, Zscaler has multiple unconnected access zones and extra access fees, while it lacks performance in certain regions since not all services run on every node and data center in Zscaler’s network, and access for customers is often limited to 40 to 60 data centers (out of 150). Furthermore, instead of operating its own SD-WAN, Zscaler partners with leading SD-WAN providers—including Cisco, Fortinet, HPE Aruba Networking, and VMware—for connectivity, adding another layer of cost and complexity and, in reality, positioning Zscaler primarily as an SSE player. On January 23, 2024, Zscaler announced Zscaler Zero Trust SD-WAN, an alternative to traditional SD-WANs, to securely connect branches, factories, and data centers without the complexity of VPNs, ensuring zero-trust access between users, IoT/OT devices, and applications based on business policies. However, with so many different components, Zscaler’s product portfolio is challenging to navigate, and users report that deployment, configuration, and integration with existing IT infrastructure can be complex and time-consuming, requiring extensive customization.

Purchase Considerations
Available on Azure Marketplace in Professional, Business, and Transformation editions, Zscaler Zero Trust SASE pricing is based on an annual subscription model, with costs varying depending on deployment size, options, and modules. In addition, there are bundled plans like Zscaler for Users that combine ZIA, ZPA, and ZDX in a single package at a lower cost.

Zscaler Zero Trust SASE is designed for various use cases, including secure access to public internet and private applications, cloud and web security, and IoT/OT security. It provides a comprehensive cloud-native security platform for application control, URL filtering, sandboxing, antivirus, data leak prevention, and cloud browser isolation, and is particularly suitable for businesses undergoing digital transformation, requiring secure and optimized connectivity between users and applications across different locations.

Radar Chart Overview
Zscaler is a Challenger in the Innovation/Feature Play quadrant. Zscaler Zero Trust SASE is a strong contender in the SASE market, offering a comprehensive set of security features, a positive user experience, and on-demand scalability and performance that ensures a reliable and efficient service for users. However, despite the recently announced Zscaler Zero Trust SD-WAN, Zscaler Zero Trust SASE’s historic reliance on third-party SD-WAN solutions negatively impacts customers with traditional SD-WAN solutions due to the increased cost, effort, and lack of end-to-end control.

6. Analyst’s Outlook

The SASE landscape is changing rapidly as vendors compete to integrate acquired and home-grown technologies, with mixed results. However, despite such challenges, SASE is seen as a game-changing framework, especially for businesses undergoing digital transformation.

Several vendors have established themselves as Leaders in the space with fully integrated SASE solutions running over a global, SLA-backed private backbone with a single policy engine, single-pane-of-glass management, and a unified data lake. Others have aggressive roadmaps for developing new capabilities and integrating acquired technologies with the goal of releasing a complete, fully integrated SASE solution during 2024. Still others appear to be doing very little, marketing multiple point products under the SASE umbrella so as to establish a presence in the market.

To ensure that a SASE vendor is a good fit, prospective customers should take the following steps:

  1. Understand your needs: Identify the specific use cases and requirements that are most relevant to your organization, including the need for improved network performance, enhanced security, cost savings, or simplified management.
  2. Evaluate the vendor’s understanding of your business needs: The vendor should understand the specific needs of your organization and be able to cater to them.
  3. Ask the right questions: Ask potential vendors about their successful SASE deployments, the use cases their solution addresses, and how they can cater to your specific needs.
  4. Evaluate the vendor’s offerings: Assess the vendor’s SASE architecture, scalability, ease of deployment, management and monitoring tools, cost-effectiveness, and customer support.
  5. Consider integration and compatibility: The SASE solution should be able to integrate with your existing IT infrastructure, coexist within any ecosystem, and be compatible with your organization’s current and future technology needs.
  6. Consider the vendor’s flexibility: The vendor should offer a flexible consumption model and be able to support a hybrid approach if needed based on your existing networking and security investments.
  7. Consider the vendor’s maturity: The vendor should have a proven track record and the ability to deliver the full benefits of SASE in your industry sector.
  8. Check the vendor’s track record: Look for a vendor with a proven track record and the ability to deliver the full benefits of SASE. Check customer reviews and case studies.
  9. Assess the vendor’s long-term vision and viability: The chosen SASE vendor should have a long-term vision and the agility to incorporate new technologies and rapidly adjust to new market requirements—or a corporate acquisition.
  10. Evaluate cost effectiveness: The solution should provide value for the investment and be cost-effective, with no hidden surprises.

By considering these factors in the light of the information provided in this Radar report, organizations can ensure that they choose a SASE vendor that can effectively meet their network security needs and support their business objectives into the future.

7. Methodology

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.

8. About Ivan McPhee

Formerly an enterprise architect and management consultant focused on accelerating time-to-value by implementing emerging technologies and cost optimization strategies, Ivan has over 20 years’ experience working with some of the world’s leading Fortune 500 high-tech companies crafting strategy, positioning, messaging, and premium content. His client list includes 3D Systems, Accenture, Aruba, AWS, Bespin Global, Capgemini, CSC, Citrix, DXC Technology, Fujitsu, HP, HPE, Infosys, Innso, Intel, Intelligent Waves, Kalray, Microsoft, Oracle, Palette Software, Red Hat, Region Authority Corp, SafetyCulture, SAP, SentinelOne, SUSE, TE Connectivity, and VMware.

An avid researcher with a wide breadth of international expertise and experience, Ivan works closely with technology startups and enterprises across the world to help transform and position great ideas to drive engagement and increase revenue.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2024 "GigaOm Radar for Secure Access Service Edge (SASE)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.
