1. Executive Summary
Designed to address the evolving needs of modern enterprises as they navigate the complexities of cloud adoption, remote work, and digital transformation, security service edge (SSE) is a transformative cybersecurity framework. SSE is part of the broader secure access service edge (SASE) framework but focuses exclusively on the security services aspect, which aligns with market preferences for separating security and networking services. This shift toward a more integrated and cloud-centric security posture is in response to the increasing sophistication of cyberthreats and the growing adoption of cloud services.
At its core, SSE converges multiple cloud-delivered security services, including cloud access security broker (CASB), firewall as a service (FWaaS), secure web gateway (SWG), and zero-trust network access (ZTNA) into a unified, cloud-based platform that ensures secure access to the web, cloud services, and private applications. By shifting security closer to users and devices, SSE enhances protection, reduces latency, and ensures secure access to cloud-based resources.
Furthermore, the importance of SSE stems from its ability to adapt security measures to wherever workloads, devices, and users are at any point in time. This enhances protection and ensures secure access to resources regardless of location in today’s remote work and cloud-centric landscape, where traditional perimeter-based security models fall short. Moreover, by addressing the basic security concerns associated with cloud transition, digital business enablement, and remote work, SSE is evolving as an essential element for constructing cloud and networking security that can accelerate digital transformation by securing enterprise cloud services, private applications, and software as a service (SaaS).
As the SSE market evolves, we expect to see significant growth driven by demand for more agile, scalable, and integrated security solutions that can support the dynamic needs of businesses. Key trends shaping the future of SSE include the integration of advanced AI/ML technologies for better threat detection, the emphasis on zero-trust principles, and the need for solutions that offer seamless integration with existing IT infrastructures. In preparation, organizations must understand the SSE vendor landscape, evaluate integration capabilities, and adopt phased implementation strategies to ensure a smooth transition to these more advanced security models.
This is our first year evaluating the SSE space in the context of our Key Criteria and Radar reports. This GigaOm Radar report evaluates 16 of the top SSE solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading SSE offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.
GIGAOM KEY CRITERIA AND RADAR REPORTS
The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well SASE solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
- Cloud service provider (CSP): Providers delivering on-demand, pay-per-use services to customers over the internet, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
- Network service provider (NSP): Service providers selling network services—network access and bandwidth—provide entry points to backbone infrastructure or network access points (NAPs). In this report, NSPs include data carriers, ISPs, telcos, and wireless providers.
- Managed service provider (MSP): Service providers delivering application, IT infrastructure, network, and security services and support for businesses on customer premises, in the MSP’s data center (hosting), or in a third-party data center.
- Large enterprises: Enterprises of 1,000 or more employees with dedicated IT teams responsible for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.
- Small to medium-sized businesses (SMB): Small businesses (fewer than 100 employees) to medium-sized businesses (100-999 employees) with limited budgets and constrained in-house resources for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.
In addition, we recognize the following deployment models:
- Private cloud: Used exclusively by one enterprise or organization, private cloud computing resources are physically located in an on-premises data center or hosted by a third-party colocation service provider. Tailored to meet specific requirements, private clouds offer compliance, control, and flexibility.
- Public cloud: Owned and operated by a third-party cloud service provider and delivered over the internet, public cloud providers offer cost-effective, scalable, and reliable on-demand resources for enterprises and SaaS vendors.
- Hybrid cloud: Enabling data and apps to move seamlessly between two environments, a hybrid cloud combines private, on-premises infrastructure with a public cloud. A hybrid cloud allows compute resources to be brought closer to the edge where data resides—reducing latency and increasing reliability—while still meeting regulatory compliance and data sovereignty requirements.
- Multicloud: Comprising multiple public cloud services performing different functions, a multicloud deployment allows organizations to take advantage of various public cloud capabilities or geographies. Multicloud deployments may include private clouds, resulting in cloud deployments that are both hybrid and multicloud.
- On-premises: Consisting of software, hardware, or services installed, run, and managed on an enterprise’s physical, in-house infrastructure, usually in a data center or colocation facility. In an on-premises setup, the enterprise is responsible for the system’s operation, maintenance, and security.
Table 1. Vendor Positioning: Target Market and Deployment Model
| | Target Market | | | | | Deployment Model | | | | |
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | CSP | NSP | MSP | Large Enterprise | SMB | Private Cloud | Public Cloud | Hybrid Cloud | Multicloud | On-Premises |
| Broadcom | | | | | | | | | | |
| Cato Networks | | | | | | | | | | |
| Cisco | | | | | | | | | | |
| Cloudflare | | | | | | | | | | |
| Forcepoint | | | | | | | | | | |
| HPE Aruba Networking | | | | | | | | | | |
| iboss | | | | | | | | | | |
| Juniper Networks | | | | | | | | | | |
| Lookout | | | | | | | | | | |
| Netskope | | | | | | | | | | |
| NordLayer | | | | | | | | | | |
| Palo Alto Networks | | | | | | | | | | |
| Skyhigh Security | | | | | | | | | | |
| Twingate | | | | | | | | | | |
| Versa Networks | | | | | | | | | | |
| Zscaler | | | | | | | | | | |
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
- Integrated security functions
- Global service-level agreement (SLA)-backed cloud platform
- Cloud-native security services
- Identity-based security and access control
- Centralized security management and policy enforcement
Tables 2, 3, and 4 summarize how each vendor included in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
- Key features differentiate solutions, outlining the primary criteria to be considered when evaluating an SSE solution.
- Emerging features show how well each vendor is implementing capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
- Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating SSE Solutions.”
Key Features
- Single policy engine: A single policy engine is a unified system that manages and enforces security policies across all integrated security functions. It simplifies the security architecture, reduces operational complexity, and ensures consistent security policy enforcement across an organization’s network, regardless of the geographical location of users and devices.
- Policy orchestration and automation: Policy orchestration and automation is a process that streamlines and enhances policy-based security through integration, coordination, and automation. It plays a crucial role in coordinating and enforcing policy updates across multiple security systems based on identity and context, ensuring consistent security enforcement, reducing manual tasks, and improving response times to security incidents.
- Real-time traffic and file inspection: Real-time traffic and file inspection involve the continuous monitoring and analysis of network traffic and files to identify and block potential threats. This is crucial, as it allows organizations to enforce security policies, detect malicious activity promptly, and protect sensitive data, enhancing their overall security posture and reducing the risk of data breaches.
- Cloud browser isolation: Cloud browser isolation provides an additional layer of security by creating an air gap between users and the web, preventing web-based malware or compromised sites from infecting local devices and networks. This protection is critical in today’s threat landscape dominated by web-borne attacks like drive-by downloads, weaponized documents, and sophisticated phishing.
- Cloud sandboxing: A cloud sandbox is a virtualized, isolated environment that allows users to execute and test applications, programs, files, or network traffic securely. It provides a safe space to analyze the behavior of untrusted code without risking harm to production systems or the underlying network.
- Advanced data protection: SSE solutions safeguard data from threats. Data in transit is protected by end-to-end encryption protocols, such as IPsec or TLS, and stringent access controls, while cloud data loss prevention (DLP) technologies monitor and control data transfer to prevent data leaks and unauthorized data exfiltration. Together, these ensure compliance and enhance the overall security posture of an organization.
- Advanced threat protection: Offering a holistic approach, advanced threat prevention integrates a robust set of security measures with real-time threat intelligence to address various cyberthreat vectors and ensure secure, optimized connectivity across the network. It safeguards data and systems from unauthorized access, malware, and other advanced threats and ensures secure access to applications and services regardless of user location.
- Industry-specific compliance: Industry-specific compliance includes mandatory government regulations and voluntary frameworks and guidelines established by industry bodies and associations. Considering compliance helps prospective buyers determine if a vendor can address an organization’s specific regulatory needs when selecting an SSE solution.
Table 2. Key Features Comparison
Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable
Emerging Features
- Cloud-native application protection platforms (CNAPP): CNAPPs consolidate various cloud security services into a single offering to streamline protection across complex environments. CNAPP and cloud security posture management (CSPM) solutions are complementary, with CNAPP combining multiple functionalities like CSPM, cloud infrastructure entitlement management (CIEM), and cloud workload protection (CWP) into a single offering, while CSPM alone has a narrower scope on cloud configuration and compliance. Moreover, with cloud adoption accelerating, CNAPPs will likely play a bigger role in securing cloud workloads in a scalable and effective way, hence their inclusion as an emerging capability within SSE solutions.
- Digital ecosystem exposure management: Digital ecosystem exposure management identifies, assesses, and mitigates risks in an organization’s digital ecosystem, which encompasses its interconnected network of digital technologies, platforms, partners, and services. As businesses expand their digital footprints through cloud adoption, internet of things (IoT), and bring-your-own-device (BYOD) policies, comprehensive digital exposure management and risk mitigation capabilities will likely be key areas of innovation and differentiation for SSE vendors.
- Next-generation deep packet inspection (NG-DPI): NG-DPI goes beyond traditional DPI to address key challenges like encrypted traffic, sophisticated cyberattacks, and cloud-based solutions, using techniques like machine learning (ML) and encrypted traffic classification to maintain visibility into encrypted traffic, detect advanced threats, and provide the performance needed for cloud environments. As threats grow more sophisticated, and despite the lack of network perimeter visibility, NG-DPI will likely play an increasingly important role in SSE by providing the advanced traffic intelligence and visibility needed for CASB, SWG, and ZTNA functions.
- User and entity behavior analytics (UEBA): UEBA solutions apply advanced analytics and ML to vast amounts of data to establish baselines for normal behavior, then flag deviations that could signify insider threats, compromised accounts, or emerging external attacks. This reduces false positives and enables analysts to focus on real threats instead of sifting through noise. Leading SSE vendors are rapidly incorporating UEBA, often via partnerships, to add advanced threat detection to their solutions.
Table 3. Emerging Features Comparison
Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable
Business Criteria
- Configurability: Configurability enables users to customize and tailor a system or solution to meet specific needs, environments, and use cases through user-driven configuration options. For SSE, high configurability allows the security architecture to be adapted for an organization’s unique requirements and infrastructure, ensuring effective alignment, interoperability, and policy enforcement across complex hybrid environments.
- Interoperability: Interoperability gives SSE solutions the adaptability and extensibility to secure diverse infrastructures and access patterns, which is increasingly important in complex hybrid environments. As threats grow more advanced, the ability to rapidly adopt and integrate new security innovations will be key. As a result, interoperability is essential for modern, future-ready SSE solutions.
- Manageability: Manageability allows SecOps to centrally control and oversee the entire security lifecycle, including configuration, management, scaling, and upgrades. This is crucial, as it enables organizations to efficiently administer security policies, automate tasks, orchestrate workflows, and maintain a robust security posture across diverse and distributed digital environments, all from a single point of control.
- Observability: Observability refers to the ability to infer the internal state of a system by observing its external outputs, including metrics, logs, traces, and profiling. It goes beyond traditional monitoring by identifying unexpected risks and providing deep visibility into the performance, health, security, and behavior of systems. Observability systems can leverage this rich data to enhance proactive risk detection and robust system analysis.
- Performance: Performance is crucial for SSE solutions, as it directly impacts the efficiency and productivity of an organization. High-performance SSE solutions ensure fast and reliable access to applications, reduce latency, optimize bandwidth usage, and enhance the user experience, particularly for latency-sensitive applications and services.
- Resiliency: Resiliency is vital for SSE solutions, as it ensures the ability to withstand unpredictable threats or changes. A resilient SSE solution can adapt to ever-changing business and technical requirements, mitigate emerging threats, and maintain the integrity of business operations, reducing the risk of service disruptions and enhancing overall security posture.
- Support: Support refers to the ongoing services provided by the SSE vendor to ensure the smooth operation, security, and performance of the SSE platform, including tasks such as system updates, patching, troubleshooting, and hardware replacement. These services are crucial, as they allow IT teams to focus on strategic tasks while the vendor ensures the reliability, security, and performance of the solution.
- Cost: Deploying SSE can be cost-effective by retiring old systems, consolidating technologies, transitioning from CapEx to OpEx, and adopting vendor-neutral solutions. However, the actual cost savings will vary depending on factors such as the size and complexity of the network, the existing infrastructure, and the specific SSE solution.
Table 4. Business Criteria Comparison
Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for SSE
As you can see in Figure 1, Cato Networks, Cloudflare, Forcepoint, Lookout, HPE Aruba Networking, Netskope, and Versa Networks are Leaders based on their high scores across the decision criteria evaluated in this report. In addition, Cato Networks, Forcepoint, HPE Aruba Networking, Netskope, and Versa Networks are recognized as Outperformers based on their rate of progress compared to the industry in general.
It should be noted that Maturity (that is, being positioned in the top two quadrants) does not exclude Innovation. Instead, it identifies the solution as being proven in a production setting compared to a newer solution undergoing rapid, ongoing innovation in-house or through acquisitions. In addition, the color of the arrow (Forward Mover, Fast Mover, or Outperformer) is based on customer adoption and execution against roadmap and vision (based on vendor input from the previous report and/or in comparison to improvements across the industry in general).
Furthermore, a position in the Maturity/Platform Play quadrant indicates that the vendor has a proven, fully integrated solution, usually built from the ground up, comprising CASB, FWaaS, SWG, ZTNA, and complementary components, such as DLP and remote browser isolation (RBI), integrated at both functional and management levels. Placement in the Innovation/Platform Play quadrant indicates that the vendor is in the process of either developing or enhancing functions in-house or integrating acquired technologies with the goal of releasing a complete, fully integrated SSE solution by the end of 2024. As would be expected, the Leaders in this space are positioned in the Maturity/Platform Play quadrant. However, as vendors execute an aggressive roadmap to deliver fully integrated SSE solutions, we expect additional vendors to move into the Maturity/Platform Play quadrant in the 2025 report.
Placement in the Maturity/Feature Play quadrant indicates that the vendor has proven networking and security point products—CASB, FWaaS, SWG, and ZTNA—managed via a common UI and marketed as an SSE solution but lacks integration at the functional level. The Innovation/Feature Play quadrant indicates that the vendor either focuses on specific use cases or is marketing an SSE solution managed via a common UI but with varying degrees of integration.
HPE Aruba Networking and iboss are two vendors to watch. Both are executing aggressive roadmaps to deliver highly competitive SSE solutions.
In addition, some established networking and security vendors are positioned as Challengers rather than Leaders. Though many of these vendors have well-known point products recognized as leaders in their respective categories, this report evaluates all capabilities in the context of a robust SSE solution, with security convergence and functional integration considered crucial factors in establishing leadership. Moreover, the speed at which vendors enhance their capabilities varies considerably, affecting their position as Leaders or Challengers.
When reviewing solutions, it’s important to remember that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
Broadcom: Symantec Network Protection
Solution Overview
Acquired by Broadcom in 2019 and operating under the Symantec brand, Symantec’s comprehensive cloud, email, endpoint, and network security portfolio includes several acquired technologies with various levels of functional and management integration.
Evolving over time as a key component of Symantec’s broader endpoint security offering, Symantec Enterprise Cloud, Symantec Network Protection provides network-layer protection against malware and cyberthreats trying to access endpoints like laptops, desktops, and servers. Core management components include a management server and a centralized console, while lightweight client software agents enable centralized visibility, monitoring, and policy configuration across endpoints in a seamless fashion, irrespective of user location.
Symantec Network Protection offers core CASB capabilities, including application visibility and control, shadow IT control, and core SWG capabilities such as on-premises SWG, cloud-delivered SWG as a service, reverse proxy, content analysis, cloud firewall service, secure sockets layer (SSL) inspection, and centralized management. Advanced security features include advanced malware analysis and sandboxing, full web isolation, ZTNA, in-line DLP (data in motion), and hosted reporting with one year of storage.
The cloud-native architecture of Symantec Enterprise Cloud ensures that security policies and advanced threat intelligence are consistently enforced across endpoints. It is built on an advanced, edge-optimized network architecture that uses Google’s public cloud infrastructure, ensuring hyperscale, reliability, and high performance. The solution is closely peered with nearby content delivery networks (CDNs), internet service providers (ISPs), and application providers, delivering fast, direct-to-net access for an enhanced user experience and avoiding costly backhauling.
Strengths
Built upon a cloud-native architecture supporting fast, direct-to-net access via GCP to deliver a better user experience while avoiding costly backhauling, Symantec Network Protection extends security capabilities to web, public, and private cloud applications. All licensed users have access to ZTNA technology that enables secure access to private applications from any managed or unmanaged device, eliminating the need for a virtual private network (VPN). Users are protected from threats with full browser isolation, advanced cloud sandboxing, and deep content inspection. In addition, the Symantec Global Intelligence Network (GIN) boosts security with one of the industry’s broadest and deepest sets of threat intelligence, leveraging AI-enabled insights derived from over 175 million endpoints, 80 million web proxies, and 126 million attack sensors.
Challenges
While Symantec has all the core technologies, Symantec Network Protection is not a fully integrated solution with a single policy engine and unified data lake, requiring multiple agents (SSE and Endpoint DLP for data in use) managed from different consoles connected via single sign-on (SSO). Moreover, not all products enjoy the same level of integration at a functional level, hence the need for Symantec Enterprise Cloud to correlate events from Symantec and third-party point products. While Symantec Network Protection offers deployment flexibility, allowing for on-premises, hybrid, or all-cloud deployment, tailoring the deployment to specific needs can be challenging. Furthermore, Broadcom’s acquisition strategy has been characterized by cost-cutting and focusing on profitable areas of the businesses it acquires, creating customer uncertainty with many different products focused on specific capabilities, product names changing, and pricing models that are challenging to navigate.
Purchase Considerations
Broadcom offers licensing on a per-user, per-year subscription basis or via Broadcom’s portfolio license agreement (PLA), providing comprehensive access to a range of security services across on-premises and cloud environments to maintain a complete edge proxy footprint at no additional license cost.
Symantec Network Protection is a versatile solution that addresses the security challenges of digital transformation and cloud migration. It supports flexible deployment strategies for hybrid environments and provides advanced security features across network, web, and cloud applications.
Radar Chart Overview
Broadcom is a Challenger in the Maturity/Feature Play quadrant. Symantec Network Protection is a flexible solution for network security, offering a wide range of capabilities with flexible deployment options to secure network, web, and cloud applications. However, it is not a fully integrated solution, requiring multiple agents (SSE and Endpoint DLP for data in use) managed via different consoles and lacking a single policy engine and unified data lake.
Cato Networks: Cato SSE 360
Solution Overview
Founded in 2015, Cato Networks extends security and networking everywhere using a global private backbone, offering full inspection and optimization of multiple-gig traffic streams, and providing 360-degree visibility and control of all traffic. Cato’s architecture aligns with various maturity models—including the one provided by the Cybersecurity and Infrastructure Security Agency (CISA)—to help facilitate zero-trust maturity.
Released in July 2022, Cato SSE 360 is a comprehensive SSE platform designed to provide organizations with total visibility, optimization, and control over their WAN, internet, and cloud traffic. Built on Cato’s Single-Pass Cloud Engine (SPACE), Cato SSE 360 delivers a cloud-native service integrating multiple security functions, including CASB, DLP, FWaaS, SD-WAN, SWG, and ZTNA, and advanced threat prevention (domain name system or DNS security, IPS, next-generation antimalware, and real-time AI/ML engines). This convergence ensures that all traffic is fully inspected and secured, regardless of whether applications are hosted on-premises, in the cloud, or accessed over the internet.
The platform’s DLP offers customizable rules, enabling organizations to protect sensitive data across various business applications. In addition, Cato SSE 360’s ML capabilities monitor and understand data behavior, enhancing the platform’s ability to prevent data loss and unauthorized data transmission. This is part of Cato’s broader approach to providing a single, converged platform for both SSE and SASE, allowing IT leaders to transform their security operations and optimize application access globally.
Cato SSE 360 leverages the scalability, resiliency, and global footprint of the Cato SASE Cloud, which is built for high availability and real-time policy enforcement. The platform’s global private backbone ensures optimized access and minimizes latency, while Cato’s continuous enhancement of cloud-delivered capabilities allows IT teams to focus on strategic business activities rather than maintenance. This provides a seamless path to full SASE deployment and minimizes the enterprise attack surface.
Strengths
Built on Cato’s SPACE architecture to ensure efficient traffic processing and security effectiveness, Cato SSE 360 is a cloud-native SSE platform with a converged security stack integrating CASB, DLP, FWaaS, IPS, SWG, ZTNA, and advanced threat prevention into a single platform. Leveraging a global private backbone, Cato SSE 360 optimizes connectivity and minimizes latency, provides 360-degree visibility, optimization, and control of all traffic, users, and applications, and aligns with zero-trust principles to enhance security posture and network efficiency. The platform’s scalability, high availability, and continuous updates reduce IT workloads related to maintenance, while ML-powered real-time threat detection and response bolsters defense against advanced threats, collectively improving security, reducing costs, and increasing business agility.
Challenges
While Cato SSE 360 is designed to be a comprehensive solution, it may not cover all potential traffic generated by enterprise edges such as app-to-app traffic, IoT, and most WAN traffic, potentially leaving some areas of the network exposed. In addition, some users have noted that its functionality can be limited in certain areas compared to other solutions, such as not offering the same level of granularity or manageability of features and capabilities. Some users have also suggested that the UI could be more intuitive or user-friendly, particularly in terms of logging for troubleshooting purposes.
However, it’s important to note that these potential challenges may not be significant for all users, and the overall effectiveness of Cato SSE 360 will depend on the specific needs and context of the organization using it. Moreover, Cato is making significant progress in these areas, including being the first vendor to add native extended detection and response (XDR) capabilities to its SASE/SSE solutions.
Purchase Considerations
Cato offers per-site bandwidth-based (10 Mbps and 10 Gbps) subscription licensing with premium security add-ons and remote access based on the number of named users. In addition, Cato and its partners offer co-managed and fully managed service options, with Cato responsible for maintaining the underlying platform so customers do not need to upgrade, patch, or otherwise maintain the Cato SSE 360 platform.
Cato SSE 360 provides a unified security solution to simplify the security infrastructure, enhance visibility and control, protect sensitive data, provide comprehensive protection against a wide range of threats, and optimize network performance.
Radar Chart Overview
Cato Networks is a Leader in the Maturity/Platform Play quadrant. Taking a robust approach to network security and optimization, Cato SSE 360 offers total visibility, optimization, and control of all traffic across WAN, the internet, and the cloud, addressing the limitations of traditional SSE solutions that often focus only on SaaS and web traffic. In addition, the integration of SSE with a global private backbone provides a seamless migration path to full SASE deployment.
Cisco: Cisco Secure Access
Solution Overview
Founded in 1984, Cisco designs, manufactures, and sells IP-based networking and security products for the communications and information technology industry. Cisco’s acquisitions of Isovalent (December 21, 2023), Splunk (September 21, 2023), and other companies are expected to strengthen its security offerings by integrating advanced technologies and capabilities into its security platform.
Released in September 2023, Cisco Secure Access is a cloud-delivered SSE solution running on Amazon Web Services (AWS) that integrates multiple security functions—including CASB, DLP, FWaaS, RBI, SWG, VPNaaS, ZTNA, device health and posture, DNS-layer security, and AI security elements—to provide secure access to applications and resources for users, regardless of location. Built on zero-trust principles, Cisco Secure Access ensures access is granted based on continuous verification of identities and device health rather than implicit trust based on network location, offering a comprehensive security posture that is both user-friendly and effective against threats.
Part of the Cisco Security Cloud, Cisco Secure Access benefits from a unified policy and management framework. Utilizing new high-efficiency protocols (MASQUE and QUIC) and zero-trust access (ZTA) relay technology enables hyper-granular zero-trust control, bidirectional obfuscation, and improved performance while reducing resource exposure and protecting the full spectrum of private applications. In addition, fully integrated digital experience monitoring (DEM) proactively tracks the health of network connections and core SaaS applications, enhancing protection across the hybrid workforce by facilitating faster issue detection and resolution.
Cisco Secure Access simplifies security management for IT teams through a centralized, cloud-managed console and a single policy engine, providing unified policy creation and aggregated reporting to reduce manual tasks and improve visibility into end-user activity. In addition, the solution ingests threat intelligence from Cisco Talos, using advanced statistical and ML models to identify new attacks and automate responses across multiple security products, accelerating threat investigation and remediation.
Strengths
Leveraging Cisco’s broad product portfolio, Cisco Secure Access provides a robust, integrated security solution that aligns with zero-trust principles, simplifies security management, enhances user experience, and offers flexible packaging to meet diverse organizational needs. It simplifies and automates operations for security and IT teams through a single cloud-managed console, a unified client for both VPNaaS and ZTNA, centralized policy creation, and aggregated reporting, while DEM tracks the health of network connections and SaaS applications for faster issue detection and resolution. This reduces manual tasks and improves operational efficiency. The solution receives real-time proactive threat updates from Cisco Talos intelligence, providing a secure onramp to the internet and the first line of defense and inspection.
Challenges
The zero-trust architecture of Cisco Secure Access requires the continuous verification of identities and device health across various devices and locations, which demands a shift from traditional network security approaches. In addition, relying on a cloud-delivered solution introduces a dependency on Cisco’s cloud infrastructure. While AWS has a strong track record, any downtime or performance issues on the cloud platform could impact the availability and effectiveness of security services. Furthermore, the solution is built around Cisco’s product lines, which can make it challenging to implement in non-Cisco environments without a large IT department or support from a managed service provider. As open network and security vendors accelerate innovation, users looking for alternatives may find themselves locked into different code bases and an aging product portfolio.
Purchase Considerations
Cisco offers a flexible and scalable subscription-based pricing model with two tiers: Cisco Secure Access Essentials and Cisco Secure Access Advantage. Each tier supports two use cases, Secure Internet Access (SIA) and Secure Private Access (SPA, covering both ZTNA and VPNaaS), purchased as part of a single subscription and delivered as a single unified dashboard and service.
Cisco Secure Access can be used in various scenarios to provide secure remote access to applications and resources, act as a secure onramp to the internet, interconnect sites, monitor digital experiences, implement zero-trust security, and transition to a SASE architecture.
Radar Chart Overview
Cisco is a Challenger in the Maturity/Feature Play quadrant. Cisco Secure Access offers comprehensive and integrated security capabilities leveraging a zero-trust cloud-native architecture with flexible deployment and pricing, making it a compelling choice for organizations seeking to navigate the complexities of securing access in a hybrid workforce environment.
Cloudflare: Cloudflare One
Solution Overview
Founded in 2009, Cloudflare operates one of the world’s largest networks, reaching about 95% of the world’s population in over 310 cities across more than 120 countries with sub-50 ms latency. In early 2022, Cloudflare acquired Area 1 Security (email security) and Vectrix (SaaS security), boosting its SSE capabilities with the integration of Vectrix’s API-driven CASB and Cloudflare One.
Launched in October 2020, Cloudflare One leverages Cloudflare’s global network to deliver converged security services, including in-line CASB, DLP, FWaaS, RBI, SWG, ZTNA, AI/ML-powered threat intelligence, and DEM, working in concert to secure internet access and protect applications, data, and devices across an organization without compromising performance. The platform’s cloud-native architecture ensures unified connectivity and security using adaptive access control that continuously verifies context-based user identity and device posture to adapt security policies dynamically.
Cloudflare One is built on zero-trust principles, which dictate that no entity—inside or outside the organization’s network—is trusted by default, and implements them through identity and device verification, least-privilege access controls, and continuous monitoring. Cloudflare One integrates seamlessly with identity providers and endpoint protection solutions, allowing for granular access policies based on user identity and device posture. This integration facilitates secure, conditional access to applications and data, effectively reducing the attack surface and mitigating the risk of data breaches.
Furthermore, Cloudflare One provides a single pane of glass for centralized control and visibility over security policies, traffic, and threats across the entire organization. This approach simplifies the administration of security measures, ensuring consistent policy enforcement and visibility into all interactions via robust logging, sensitive data detection tracking, and granular insights into user experiences. In addition, Cloudflare One’s global network ensures that security services are delivered with minimal latency, maintaining user experience while enforcing robust security measures.
Strengths
Cloudflare One offers a comprehensive suite of security services, all delivered on a global, SLA-backed cloud platform. Leveraging Cloudflare’s globally distributed network to accelerate end-user connectivity from the moment they connect to the internet, security services are delivered with high availability and low latency, contributing to a seamless user experience. Cloudflare One partners with top identity providers and endpoint protection platforms to offer a zero-trust VPN replacement backed by threat intelligence from Cloudforce One, Cloudflare’s dedicated threat research team. Offering ease of management with a unified control plane and API support, Cloudflare One’s cost efficiency, supported by a fixed-rate pricing model, makes it an accessible and scalable choice for organizations aiming to streamline their security services.
Challenges
While Cloudflare One offers a comprehensive suite of security services, integration with existing IT infrastructures and third-party services can be complex. Support for hybrid deployments—such as running services as an agent, a Kubernetes sidecar, or in a containerized environment—is limited, which could be a drawback for companies with specific architectural needs or those in the process of transitioning to the cloud. In addition, its feature set, while comprehensive, may lack certain advanced capabilities offered by specialized CASB and firewall vendors, including DLP, more granular policy controls, or specialized threat protection mechanisms. Furthermore, customers have expressed a desire for more robust email notifications and a broader range of third-party integrations, especially for device posture checks.
Purchase Considerations
Cloudflare One’s tiered pricing and plan options are structured to provide flexibility and scalability, catering to the specific needs of different types of organizations. The free plan allows up to 50 users at no cost, while the pay-as-you-go plan costs $7 per user per month. For larger teams that require maximum support and security controls, there are custom-priced contract plans with optional add-ons. Cloudflare does not charge for increased bandwidth, number of app connectors, or volume of threats mitigated.
Cloudflare One supports a broad range of security and connectivity needs for modern businesses, including branch office connectivity, composability and expansion, SaaS security, secure internet traffic, visibility and compliance, and ZTA control.
Radar Chart Overview
Cloudflare is a Leader in the Maturity/Platform Play quadrant. Providing cloud-based security, performance, and control managed via a single user interface, Cloudflare One delivers robust security services at scale to any application, location, or user delivered via a global, SLA-backed cloud platform. The platform’s adaptability allows enterprises to select specific SSE features to strengthen their security posture over time, providing flexibility in deployment and scalability.
Forcepoint: Forcepoint ONE SSE
Solution Overview
Founded in 1994 and acquired in January 2021 by Francisco Partners (a leading global investment firm that specializes in partnering with technology and technology-enabled businesses), Forcepoint is a cybersecurity company developing data protection and user security solutions. Launched in February 2022, Forcepoint ONE is an all-in-one microservices-based cloud security platform providing a centralized management plane distributing enforcement to the edge.
Forcepoint ONE SSE is a comprehensive cloud-native security platform built on the AWS hyperscaler network, ensuring enterprise-level reliability, scalability, and performance with a verified uptime of 99.99%. Designed to protect a hybrid workforce and the information they access, whether in the cloud or through private applications, it integrates four foundational gateways—CASB, FWaaS, SWG, and ZTNA—to form a unified defense system. A cloud-based firewall capability, Forcepoint ONE | Firewall is available as an add-on feature to all Forcepoint ONE SSE licenses that include Forcepoint ONE SWG.
Enabling consistent visibility for compliance and streamlining the adoption of zero-trust principles, the platform simplifies security management by allowing organizations to manage one set of policies in one console connected to one endpoint agent. Operated entirely in the cloud, the zero-trust framework implements a strict perimeter-agnostic security posture demanding ongoing validation of each interaction, resource usage, and data transfer, with SmartEdge Agents enabling fine-grained control over routing rules governing client communications between local networks and external destinations.
The platform’s modular approach allows specific components to be deployed as needed, offering greater versatility during the implementation phase. Forcepoint ONE SSE also includes the Insights Analytics platform, which visualizes the economic value created from thwarted cyberthreats in real-time, allowing organizations to see the impact of their data security program across cloud, web, and private app channels.
Strengths
Forcepoint ONE SSE is a cloud-native security platform featuring an integrated stack of CASB, SWG, and ZTNA services built on a zero-trust foundation to validate transactions continually and enforce least privilege access. In addition, the platform includes RBI, content disarm and reconstruction (CDR), and robust DLP capabilities. Forcepoint ONE SSE enhances productivity by streamlining security management, reduces costs by eliminating outdated hardware and simplifying licensing, and ensures low-latency connections through a global network hosted in over 470 AWS PoPs worldwide, including data centers on AWS GovCloud. It scales easily on demand and provides extensive visibility and compliance controls while seamlessly integrating with popular business applications.
Challenges
While Forcepoint ONE SSE offers a comprehensive security solution, organizations must navigate initial setup complexities, ensure seamless integration with existing systems, and maintain vigilant ongoing management to mitigate technical challenges and risks. In addition, some features, such as Forcepoint ONE | Firewall, require an add-on license, are not fully integrated, and are accessed via a drop-down menu in Forcepoint ONE SSE. Moreover, some gaps exist compared to leading SSE solutions, especially regarding advanced threat protection, such as deception technology and insider threat detection. Furthermore, configuring Forcepoint ONE SSE to control access to various cloud applications via SSO and APIs requires a detailed understanding of each application’s authentication and API mechanisms.
Purchase Considerations
Forcepoint offers a CASB Edition, Web Edition, ZTNA Edition, and an All-in-One Edition, each with varying levels of features and support in a subscription-based pricing model, but specific costs are not publicly listed and are likely customized based on the specific needs of the customer. In April 2023, Forcepoint introduced its managed security service provider (MSSP) program for service providers, distribution partners, and resellers to provide multitenant pay-as-you-go SSE services.
Forcepoint ONE enforces policies across the cloud, edge, and endpoint, provides secure access to private applications, delivers visibility and control over data in any application, and protects data at rest or in motion between users and managed SaaS apps.
Radar Chart Overview
Forcepoint is a Leader in the Innovation/Platform Play quadrant. Converging CASB, SWG, ZTNA, and zero-trust technologies from multiple acquisitions into a unified cloud platform, Forcepoint ONE offers advanced threat protection across web, cloud, and private applications with or without agents. However, Forcepoint is still in the process of integrating all of its security functions into a single product accessible via a single console.
HPE Aruba Networking: HPE Aruba Networking SSE
Solution Overview
Founded in 2002 and acquired by Hewlett Packard Enterprise (HPE) in 2015, HPE Aruba Networking operates as the “Intelligent Edge” business unit of HPE, encompassing HPE’s networking and security-related operations and acquisitions. The company acquired Axis Security, a cloud security provider, in April 2023, expanding its edge-to-cloud security capabilities as part of a broader SASE architecture.
HPE Aruba Networking SSE is a robust connectivity-as-a-service platform designed to provide secure access to applications, devices, and networks. It integrates several key security technologies, including CASB, DLP, FWaaS, SWG, ZTNA, and DEM, into a single, user-friendly interface. This integration facilitates seamless and secure access for all users (employees, third parties, and customers) across any device (managed or BYOD) and to all applications (private, SaaS, or internet-based), regardless of their location.
The operation of HPE Aruba Networking SSE is centered around continuous monitoring and adaptation of security policies based on changes in identity, location, and device health. This ensures that zero-trust principles are applied consistently for every access event, minimizing the risk of unauthorized access and data breaches. The platform intelligently routes all traffic through the fastest path across a multicloud backbone comprising over 500 edge locations (including AWS, Azure, GCP, and Oracle)—with new PoPs spun up on demand—to reduce latency and increase redundancy for IT operations, enhancing the user experience while maintaining high security standards.
The platform incorporates advanced security features, including DNS filtering provided by SWG, advanced SSL inspection, URL filtering, malware scanning, threat intelligence, and secure connectivity to SaaS applications mediated by CASB. DEM further enhances the platform by offering in-depth monitoring of device, app, and network performance (including the hop-by-hop network path), enabling the rapid identification and resolution of connectivity issues.
Strengths
HPE Aruba Networking SSE is a unified, cloud-based platform that integrates CASB, DEM, FWaaS, SWG, and ZTNA to provide secure access to applications, devices, and networks. Smart routing across a multicloud backbone reduces latency and increases redundancy, ensuring a reliable and smooth user experience, while leveraging zero-trust principles ensures robust security by continuously adapting policies based on user identity, location, and device health. These technical strengths translate into significant benefits for organizations, including simplified security management, robust protection across distributed environments, and an improved user experience, making HPE Aruba Networking SSE a comprehensive solution for modern enterprise security. Moreover, the integration with the HPE Aruba Networking EdgeConnect SD-WAN portfolio facilitates the adoption of a unified SASE platform.
Challenges
HPE Aruba Networking has all the key technology pieces in its portfolio but needs to bring them together under a single policy engine. Moreover, integration is ongoing, with additional functions and capabilities to simplify secure application connectivity for branches, devices, and users due for release based on an aggressive roadmap. This includes an out-of-band API CASB initially supporting Microsoft 365 and Salesforce and a universal ZTNA engine integrating the SSE policy engine with HPE Aruba Networking LAN/WLAN/WAN resources. Furthermore, while HPE Aruba Networking SSE does not currently leverage advanced AI/ML capabilities, the platform uses a single data lake to provide telemetry, insights, and performance data. The data lake is being normalized, and additional dashboards are being developed to provide insights into compliance, DLP, shadow IT, and ZTNA adoption, along with an “ask me anything” AI-enabled tool for network operations center (NOC) and security operations center (SOC) teams.
Purchase Considerations
HPE Aruba Networking offers tiered, per-seat subscription-based licensing for HPE Aruba Networking SSE. Four functionality-based licenses are available: Foundation, Foundation Plus, Advanced, and Advanced Plus.
HPE Aruba Networking SSE enforces universal least-privilege access to applications, protects against malware and data leakage, modernizes and secures branch networks, and enables hybrid working by securely connecting users from any location or device.
Radar Chart Overview
HPE Aruba Networking is a Leader in the Innovation/Platform Play quadrant. Having acquired Axis Security in April 2023, HPE Aruba Networking has all the key technology pieces in its portfolio for a comprehensive SSE solution with a single data lake and a smooth transition to a SASE architecture with minimal disruption to existing operations. However, it needs to bring them together under a single policy engine.
iboss: Zero Trust SSE
Solution Overview
Founded in 2003, iboss specializes in providing cloud security services for organizations and their employees on any device and from any location through a security-as-a-service cloud platform, eliminating the need for traditional firewalls and web gateway proxies. The purpose-built, containerized cloud architecture is backed by over 230 issued and pending patents, more than 100 global PoPs, and industry-leading SLAs.
iboss Zero Trust Security Service Edge (SSE) is a comprehensive cybersecurity solution designed to protect organizations from breaches and data loss by making applications, data, and services inaccessible to attackers while allowing only trusted users to securely connect to protected resources. Providing integrated security capabilities—including CASB, DLP, ZTNA, malware defense, and microsegmentation—aligned with the NIST Risk Management Framework and NIST SP 800-207 Zero Trust principles, the platform goes beyond authentication, authorizing every transaction using multiple factors.
The iboss platform creates an inventory of all resources within an enterprise, whether on-premises or in the cloud, labeling and categorizing them based on the security objectives (confidentiality, integrity, and availability) and impact levels (low, moderate, high) defined by FIPS 199. Each resource is then connected to the iboss Zero Trust SSE, which acts as a policy enforcement point, ensuring that the resources are completely private and cannot be accessed directly. The platform continuously monitors interactions between users, assets, and resources to provide visibility into organizational risk.
Delivered as a cloud service requiring no on-premises infrastructure, iboss Zero Trust SSE integrates with platforms such as CrowdStrike Falcon. It automatically grants or denies access to applications, data, and services based on the risk scores provided by those platforms, ensuring that access to sensitive applications and data can be automatically terminated when a device becomes infected or identified as high risk.
Strengths
Acting as a cloud-delivered policy enforcement point to enable zero trust by strictly controlling access to resources based on dynamic trust levels, iboss Zero Trust SSE is a cloud-native security platform leveraging the zero-trust model to enhance organizational security and risk management. It requires strict verification for every access attempt, continuously evaluates and logs interactions, and adheres to NIST SP 800-207 principles. Key features include inventorying resources, continuous authorization of access attempts using multiple factors, enforcing security policies aligned to objectives like confidentiality and integrity, logging all activity, and denying unauthorized access. In addition, iboss Zero Trust SSE is scalable, integrates seamlessly with third-party clouds, and can handle high traffic volumes without performance degradation.
Challenges
iboss Zero Trust SSE is a cloud-native solution, with performance and availability relying heavily on the underlying cloud infrastructure, which could pose challenges in regions with limited cloud infrastructure or in scenarios where organizations have strict data residency requirements. However, iboss offers private cloud deployments to address these concerns. In addition, while the platform offers a modern approach to network security, integrating it with existing legacy systems and infrastructure could be complex. Organizations with deeply entrenched legacy systems might find it challenging to seamlessly adopt and integrate iboss Zero Trust SSE without significant adjustments. Moreover, while iboss Zero Trust SSE offers a robust feature set and the potential to deliver a highly competitive solution, the pace of innovation and the breadth of capabilities might not match those of its leading competitors.
Purchase Considerations
iboss offers a tiered, per-user subscription pricing structure with optional add-ons, enabling organizations to select the package and add-ons that best fit their security needs and budget. Zero Trust Core provides essential features to implement zero-trust resource access, Zero Trust Advanced adds integration and malware protection for enterprises at scale, and Zero Trust Complete includes complete DLP.
iboss Zero Trust SSE is designed for secure access management, providing inventory and classification of resources, fast user access without traditional VPNs, and continuous transaction inspection and authorization. Moreover, the platform is particularly useful for organizations implementing zero-trust architectures, requiring granular access control, and seeking to secure network traffic in cloud environments like Azure.
Radar Chart Overview
iboss is a Challenger in the Innovation/Platform Play quadrant. iboss Zero Trust SSE is a comprehensive cloud-native security platform that replaces traditional network security appliances like VPNs, proxy appliances, and virtual desktop infrastructure (VDI) with a single SaaS offering. However, organizations with embedded legacy systems may find adopting and integrating iboss Zero Trust SSE a challenge.
Juniper Networks: Juniper Secure Edge
Solution Overview
Founded in 1996, Juniper develops high-performance network infrastructure. In February 2022, Juniper acquired WiteSand, a provider of ZTNA control (network access control or NAC) solutions, and announced Juniper Secure Edge, a cloud-delivered SSE solution managed by Security Director Cloud. Expected to close in late 2024 or early 2025, HPE’s acquisition of Juniper is anticipated to enhance the capabilities of Juniper Secure Edge, leveraging HPE’s resources and strategic focus on networking and AI-driven innovation.
Juniper Secure Edge is a comprehensive security solution designed to protect access to on-premises, SaaS, and web applications, ensuring users have consistent and secure access regardless of their location. An integrated suite of security services—including CASB, DLP, FWaaS, SWG, ZTNA, and advanced threat prevention—works together to inspect user and device traffic once and apply security policies uniformly, providing fast, reliable, and secure access to data and resources, enhancing the user experience.
Central to Juniper Secure Edge’s operation is its cloud-native, single-stack software architecture, which minimizes latency by ensuring traffic is inspected and policies are applied in one configured service. This architecture supports seamless visibility across the network, allowing security teams to leverage existing investments while transitioning to a SASE architecture at their own pace. In addition, the solution’s design facilitates unified management and visibility across all architectures, simplifying operations for teams and enabling them to manage security policies that follow users, devices, and data anywhere via a single user interface.
Juniper Secure Edge is managed by Security Director Cloud, which offers centralized security management, network-wide visibility, analytics, and unified policy orchestration. Policies can be created once and applied everywhere, simplifying the management of complex security architectures and enabling organizations to secure their network from the edge to the data center, applying consistent security policies across all environments.
Strengths
Juniper Secure Edge is a comprehensive SSE solution that integrates essential security functions like CASB, DLP, FWaaS, SWG, ZTNA, and advanced threat prevention into a single, cloud-native platform, ensuring that user and device traffic is inspected once and policies are applied in one configured service, providing fast, reliable, and secure access to data and resources. Its technical strengths include a full-stack security capability, a cloud-native single-stack software architecture for low latency and seamless visibility, and unified management through Security Director Cloud for enhanced operational efficiency. In addition, Juniper Secure Edge integrates with any identity provider, and its proven security effectiveness (validated by an effectiveness rate of over 99% against malware and command-and-control traffic) ensures consistent security enforcement regardless of user, device, or application location.
Challenges
Considering that HPE Aruba Networking is investing heavily in its own SSE solution, the future of Juniper Secure Edge will largely depend on how HPE integrates Juniper’s products and technology post-acquisition. In addition, Juniper Secure Edge includes third-party components, which may further complicate things. Ensuring compatibility and enabling seamless integration with the current network environment can be challenging, especially for organizations with complex or legacy systems. Some users have reported difficulty integrating Juniper Secure Edge with existing infrastructure or other third-party solutions, which can be a source of frustration. Moreover, the cost of implementation, licensing, and ongoing support for Juniper Secure Edge may be a concern for some organizations, with users reporting difficulties in justifying the investment, especially if the costs exceed initial expectations.
Purchase Considerations
Juniper Networks offers tiered (Standard and Advanced) one- and three-year subscription licensing based on the number of users, which includes a free fixed allotment of cloud data consumption. Out-of-band CASB-DLP-SSPM and Secure Remote Access are licensed as optional add-ons.
Juniper Secure Edge use cases include secure remote workforce access, campus and branch security, cloud migration and SaaS adoption, advanced threat detection and mitigation, and a seamless transition to full-stack SASE.
Radar Chart Overview
Juniper Networks is a Challenger in the Innovation/Feature Play quadrant. Juniper Secure Edge is a full-stack SSE solution providing comprehensive security capabilities to protect web, SaaS, and on-premises applications. However, potential customers should proceed with caution given its reliance on third-party components and its uncertain future following the acquisition by HPE.
Lookout: Lookout Cloud Security Platform
Solution Overview
Founded in 2007, Lookout offers a range of data-centric cloud security services designed to safeguard data across devices, apps, networks, and clouds. Following the acquisition of CipherCloud in March 2021, Lookout integrated CipherCloud’s SASE technologies with its own Mobile Endpoint Security platform to create the Lookout Cloud Security Platform, which was announced on January 25, 2023, and runs on over 40 AWS PoPs spanning six different AWS regions across Canada, the US, and Europe.
Providing a unified agent and a single control plane for both mobile and cloud security services, Lookout Cloud Security Platform is a data-centric cloud security solution that moves security controls closer to the users, apps, and data they aim to protect, providing organizations with a unified vantage point to protect sensitive data in transit or at rest across apps, networks, and clouds. Leveraging more than 212 technology and product patents, with an additional 42 patents pending, the platform monitors the risk posture of users and devices to provide granular ZTA based on the sensitivity levels of apps and data, protecting employees, devices, applications, and data from unauthorized access and internet-based threats regardless of their location or device.
The platform integrates several key security services, including Lookout Secure Private Access (a ZTNA solution that connects users to applications rather than the network), Lookout Secure Internet Access (a SWG that includes FWaaS to protect against internet-based threats), Lookout Secure Cloud Access (a CASB solution that ensures seamless security across all cloud and SaaS apps), and Lookout Mobile Endpoint Security (which protects mobile devices against threats like phishing and malicious apps).
The Lookout Cloud Security Platform also offers advanced threat protection from phishing and zero-day threats through integrations with RBI and cloud sandboxing. In addition, the platform has been enhanced with more granular security and access policies, expanded data classification and protection capabilities, and the ability to secure traffic and enforce policies on guest networks and IoT devices.
Strengths
The Lookout Cloud Security Platform is a unified cybersecurity solution that integrates CASB, SWG, and ZTNA to protect data across apps, networks, and clouds. Its technical strengths include a data-centric approach, advanced threat protection with AI and ML, and a unified policy engine for consistent policy enforcement. Furthermore, the platform’s cloud-native architecture ensures scalability and resilience, while its granular ZTA control adapts to the risk posture of users and devices. These features provide the benefits of streamlined security management, effective protection against modern threats, and the ability to support a hybrid workforce with dynamic security needs.
Challenges
Although Lookout has significantly simplified the deployment experience, integrating its platform with existing security infrastructure and workflows can be challenging in complex environments, especially if there are numerous legacy systems involved or if the organization uses a wide array of third-party tools. Moreover, while the Lookout Cloud Security Platform offers a range of security capabilities, there may be limitations in terms of customization and flexibility compared to other solutions that offer more granular control over security policies and configurations. Furthermore, while Lookout aims to minimize latency, network performance and latency can be a concern, especially since the Lookout Core Service (LCS) is currently available on a limited number of AWS PoPs. However, actual performance varies based on geographic distribution and the specific network conditions of the customer, and Lookout will be leveraging GCP and AWS Local Zones to expand the Lookout Edge Service (LES) footprint to more locations during 2024.
Purchase Considerations
Lookout offers per-user pricing with multiyear and multiservice discounts and the option to purchase Premium support if needed. In addition, Cloud Sandbox and RBI are optional add-ons, as they can incur high costs based on usage and may not be of interest to all organizations.
Lookout Cloud Security Platform is designed to address a variety of use cases critical for modern enterprises managing the security of their data across diverse environments. These include connecting and securing remote workers, securing confidential information on endpoints, ensuring secure data sharing, identifying and protecting sensitive information, and extending zero-trust protection.
Radar Chart Overview
Lookout is a Leader in the Innovation/Platform Play quadrant. Lookout’s cloud-native architecture, combining endpoint and cloud security, is unique in the market, allowing Lookout to consolidate security management while providing a unified, data-centric threat response across devices, networks, and the cloud. Continuous innovation and a focus on emerging security needs position Lookout as a key partner for organizations adopting hybrid work models.
Netskope: Netskope Intelligent SSE
Solution Overview
Founded in 2012, Netskope is a global cybersecurity vendor applying zero-trust principles to deliver real-time data and threat protection for users accessing cloud services, websites, and private applications. The company acquired WootCloud (IoT device security) in June 2022, Infiot (cloud-managed intelligent access) in August 2022, and Kadiska (DEM) in September 2023, extending Netskope’s SSE capabilities. In addition, Netskope partners with BT, FIS Global, Halo Global, Hughes Network Systems, and Telstra International to deliver fully managed SSE services.
Netskope Intelligent SSE is a cloud-native security platform providing comprehensive security services to protect enterprise data and users in a cloud-centric world. Built on the Netskope Security Cloud (powered by the Netskope NewEdge network, one of the world’s largest high-performing private security clouds, with data centers in over 70 regions), it offers enhanced visibility and real-time data and threat protection for users accessing cloud services, websites, and private applications from any location and on any device.
The platform’s capabilities include advanced threat protection, multimode CASB, advanced DLP, cloud firewall (CFW), RBI, cloud-native next-gen SWG, UEBA, and ZTNA within a single-pass policy architecture, delivered from a single platform, managed by a single console, and driven by a single zero-trust policy engine offering up to 10x policy simplification. In addition, closed-loop flow analytics collect user service-level expectations (SLEs); detect anomalies, app risks, and unauthorized data movement; predict SLA violations; and resolve policy violations.
Netskope Intelligent SSE’s security capabilities are further enhanced by its deployment flexibility, supporting a range of methods from API connectors for managed apps to inline options for real-time protection. The Netskope Client and Mobile Client extend protection to users’ web, cloud, or private app access—whether in office or working remotely—and to mobile devices, ensuring ongoing data protection during mobile app use.
Strengths
Netskope Intelligent SSE is a cloud-native security platform that offers comprehensive data and threat protection across cloud services, websites, and private applications. Its technical strengths include deep visibility, real-time controls, and a unified architecture that integrates CASB, DLP, FWaaS, SWG, and ZTNA. Powered by the high-performance NewEdge cloud infrastructure, it ensures secure low-latency access globally. A key benefit is its ability to manage risks associated with generative AI applications, preventing sensitive data exposure while enabling their use. The platform’s cloud-native design and adaptive zero-trust approach provide dynamic, context-aware security, making it an option for organizations navigating digital transformation.
Challenges
The initial setup and configuration of Netskope Intelligent SSE can be time-consuming, especially for organizations new to the platform. It requires a thorough understanding of the various components and their integration with existing infrastructure. Moreover, integrating Netskope Intelligent SSE with an organization’s existing security tools, network infrastructure, and cloud services can be complex, requiring careful planning and execution. Administrators new to the platform may face a learning curve in understanding the unified management console, policy configuration, and overall administration of the solution.
Despite these challenges, Netskope’s cloud-native architecture supported by the high-performing NewEdge infrastructure, over 70 ready-to-use plug-in integrations, a Cloud Confidence Index (CCI) profiling over 80,000 apps and websites, and adaptive zero-trust approach leveraging ML-based automation mitigate risk by providing resilient, efficient security measures tailored to modern enterprise needs, including real-time coaching to users during business transactions.
Purchase Considerations
Netskope offers flexible one-, three-, or five-year subscription-based licensing based on various factors, including the specific services and features required, with some features available as an add-on service. However, prices are not published, and it’s recommended to contact Netskope directly for the most accurate and up-to-date pricing information.
Netskope Intelligent SSE secures web and cloud application usage, detects and mitigates advanced threats, enables secure remote workforce connectivity via ZTNA, and protects sensitive data across digital environments. It is particularly adept at managing security risks associated with the use of generative AI applications, ensuring compliance, and preventing data loss while facilitating the safe adoption of cloud services and applications across a distributed workforce.
Radar Chart Overview
Netskope is a Leader in the Maturity/Platform Play quadrant. Netskope Intelligent SSE is designed to empower safe collaboration and balance trust against risk with adaptive, granular controls that adapt to environmental changes. The company’s commitment to innovation and customer success, combined with its strategic partnerships—such as with BT—to enhance global service delivery, positions it as an influential player in the evolving SSE market.
NordLayer: NordLayer
Solution Overview
Founded in 2019 as a subsidiary of Nord Security, a technology company that develops and provides VPN services, NordLayer develops privacy and security tools that operate on a zero-trust architecture, providing protection for hybrid and remote workers. Based on NordVPN, a VPN service provider for private customers, and initially released in 2019, NordVPN Teams was rebranded to NordLayer during the transition to a SASE framework.
Available via private gateways in over 60 countries and shared gateways in over 30 countries, NordLayer is a network access security service designed to streamline remote network access administration. Utilizing NordLynx, a protocol based on WireGuard, to deliver superior VPN performance without compromising security, the service employs military-grade tunnel encryption to secure traffic and online activity from external observation, ensuring that sensitive data remains confidential.
The platform enables centralized implementation and enforcement of security policies across an organization, supporting biometric, multifactor, and SSO authentication, simplifying service administration and reducing the time required for network access management. NordLayer’s control panel provides a comprehensive overview of network connections and user activities and allows for the monitoring and export of detailed reports.
NordLayer’s ThreatBlock feature offers robust protection against malware, ransomware, and viruses, while custom DNS settings enhance server reliability and provide phishing protection. The auto-connect feature ensures that devices automatically connect to a VPN server upon detecting an internet connection, while AES 256-bit encryption protects data in transit. Additionally, NordLayer enables organizations to set up virtual locations through dedicated IPs, facilitating secure remote access and file sharing among users.
Strengths
NordLayer offers a comprehensive network access security solution emphasizing military-grade AES 256-bit encryption, advanced tunneling with NordLynx based on WireGuard, and ThreatBlock for malware protection. Compared to hardware firewalls and intrusion protection software, NordLayer offers a cost-effective security option that requires less maintenance and no firmware updates. Its custom DNS settings enhance server reliability and phishing defense, while centralized management via a control panel simplifies security policy administration, making it user-friendly for IT teams. NordLayer’s flexibility enables easy scalability and compatibility with legacy systems, providing a cost-effective and efficient security solution. Furthermore, outsourcing management to NordLayer saves time for security teams and reduces support costs compared to in-house alternatives.
Challenges
While NordLayer offers a range of features to enhance network security, the technical challenges and risks associated with its deployment and management must be carefully considered and addressed to ensure a secure and efficient operation. Implementing NordLayer can require significant modifications to existing infrastructure, which may create temporary security gaps and disrupt productivity and collaboration during the transition. Manual management of user accounts can lead to dormant or misconfigured accounts, increasing vulnerability to insider threats and outsider attacks. Integrating user management systems like System for Cross-Domain Identity Management (SCIM) with NordLayer can help mitigate these risks by automating account management and reducing human error. However, while NordLayer provides a strong set of SSE features, it may not offer the depth of security capabilities found in some other SSE solutions and does not provide a path to a single-vendor SASE solution.
Purchase Considerations
NordLayer offers a flexible subscription-based model designed to cater to businesses of varying sizes and security needs. Pricing is per user, per month, with the option to choose between monthly or annual billing. Four different plans (Lite, Core, Premium, and Custom) offer different features, and businesses can upgrade their plan at any time directly from the control panel.
NordLayer addresses today’s business challenges, such as network modernization, remote work security, and scalable business growth, without compromising security. Designed for businesses of all sizes, the cloud-native solution provides granular network segmentation, advanced security features, and global accessibility, making it ideal for secure, efficient network management and access.
Radar Chart Overview
NordLayer is an Entrant in the Maturity/Feature Play quadrant. NordLayer embodies the principles of zero-trust security, streamlining hybrid and multicloud security through prioritizing user, device, and connection authentication. However, NordLayer is not a typical SSE solution but rather a dynamic and evolving platform that incorporates key aspects of the SSE framework while also extending its capabilities with unique features.
Palo Alto Networks: Prisma Access
Solution Overview
Founded in 2005, Palo Alto Networks provides a range of cybersecurity solutions, including next-generation firewalls, intrusion detection and prevention, ransomware protection, attack surface management, and incident case management. In September 2021, it launched Prisma Access as part of its broader suite of security solutions. In November 2023, it acquired Dig Security, a cloud data specialist, and announced its intent to acquire Talon Cyber Security, an enterprise browser startup.
Purpose-built in the cloud for scalability, Prisma Access provides a comprehensive suite of security services, including CASB, FWaaS, SWG, and ZTNA 2.0, that use a single-pass architecture to protect application traffic without compromising performance. It offers a common policy framework with single-pane-of-glass management, ensuring that organizations can maintain a consistent security posture across their entire digital footprint while delivering exceptional user experiences backed by industry-leading SLAs.
The platform supports a variety of connection options, including IPsec and SSL VPN, and offers advanced features like split tunneling based on application risk and bandwidth utilization. Additionally, Prisma Access employs advanced analytics and ML for DNS security and threat prevention and integrates with a wide range of user identity repositories for identity-based security policies.
Prisma Access leverages Palo Alto Networks’ extensive global cloud footprint—with over 100 PoPs in 77 countries—to deliver security services closer to users, ensuring fast and secure access to applications. Mobile users can connect through the GlobalProtect app, which establishes an IPsec/SSL VPN tunnel for security policy enforcement, while remote networks can connect over standard IPsec VPN tunnels using common IPsec-compatible devices.
Strengths
A cloud-delivered SSE solution, Prisma Access provides comprehensive security for all application traffic, securing both access and data to reduce the risk of data breaches. It offers a common policy framework and single-pane-of-glass management, ensuring a consistent security posture across the entire digital footprint. Prisma Access supports various connection options—including split tunneling based on access route and application type—for secure access to applications and data. It delivers a range of security services, including CASB, FWaaS, SWG, ZTNA, DNS security, threat prevention, and Panorama (a centralized management solution for Palo Alto Networks firewalls) security management for centralized administration. The solution operates on a global cloud infrastructure, ensuring on-demand and elastic scalability of comprehensive networking and security services. Furthermore, Prisma Access offers a smooth migration path to Palo Alto Networks’ full SASE solution, Prisma SASE.
Challenges
While Prisma Access offers robust security, it also has several known issues, such as long login times, issues with Panorama management, and certificate validation failures without internet connectivity, which can impact deployment and management. Before deploying Prisma Access, a decision must be made on the management interface—Panorama or Strata Cloud Manager—as it is not possible to switch interfaces once deployment begins. In addition, the granularity of security policies in Prisma Access and how it recognizes different areas or zones within the network can be a concern for administrators seeking to enforce detailed security controls. Certain configurations, such as policy-based forwarding rules or explicit proxy deployments, may have limitations or require specific workarounds.
Purchase Considerations
Palo Alto Networks offers tiered (Business, Business Premium, Enterprise, and ZTNA/SIG) per Mbps and per-user subscription-based pricing for Local and Worldwide Prisma Access locations. In addition, users must license the Cortex Data Lake (for logging data and running reports) and Panorama. Customers can also purchase optional add-ons, including Autonomous Digital Experience Management (ADEM), Enterprise DLP, IoT Security, Next-Gen CASB, SaaS Security Inline, and ZTNA Connector.
Prisma Access provides secure access services for various scenarios, including hybrid workforces, connecting remote networks over IPsec, securing branch-to-branch and branch-to-HQ traffic, and providing consistent security services and access to cloud applications, including public cloud, private cloud, and software as a service.
Radar Chart Overview
Palo Alto Networks is a Challenger in the Innovation/Platform Play quadrant. Despite Prisma Access’s advanced capabilities, Palo Alto Networks’ reliance on acquisitions to deliver critical capabilities and the complexity, scope, and size of its portfolio prevent it from delivering a fully integrated, standalone SSE solution and keeping pace with other vendors building SSE solutions from the ground up.
Skyhigh Security: Skyhigh Security Service Edge
Solution Overview
Founded in 2011 as Skyhigh Networks, the company was acquired by McAfee in January 2018. Subsequently, in March 2021, McAfee sold its enterprise business to private equity firm Symphony Technology Group (STG). In March 2022, STG launched Skyhigh Security as a dedicated cloud security company, bringing its SSE portfolio from McAfee Enterprise.
Skyhigh Security Service Edge (SSE) is a comprehensive, cloud-native security platform that converges a set of security solutions, providing complete visibility and control over data from a unified console, no matter where it resides. It includes Skyhigh SWG, Skyhigh CASB, Skyhigh Private Access, Skyhigh Cloud Firewall, DLP, and RBI. Skyhigh SSE’s seamless integration and unified approach to data protection make it a powerful solution for securing cloud-based applications and data.
Positioned as a security fabric that delivers data, threat protection, and other information to any location, enabling secure direct-to-internet access for a distributed workforce, the platform converges connectivity with security to reduce cost and complexity while increasing speed and agility for the workforce. Skyhigh SSE provides real-time data and threat protection against advanced and cloud-enabled threats, safeguarding data across all vectors, including web, cloud, email, and private applications.
Skyhigh SSE’s unified approach to data protection gives complete control and visibility from the device to the cloud, allowing for unified data protection policies, incident management, and cost savings. One of Skyhigh SSE’s standout features is its ability to seamlessly integrate with various cloud-based applications and data, as well as industry-leading SD-WAN solutions, providing a fast and secure path to unified SASE.
Strengths
Skyhigh SSE is a comprehensive, cloud-native security platform that converges multiple security solutions, including CASB, DLP, FWaaS, RBI, SWG, and ZTNA. It offers comprehensive security, real-time data and threat protection, seamless integration with cloud applications and SD-WAN solutions, unified data protection, and customization options. In addition, Skyhigh Security collaborates closely with customers to identify opportunities for enhancing the platform, ensuring that it continues to evolve and meet the unique needs of each organization. Furthermore, Skyhigh SSE’s cloud-native architecture delivers a fast, secure, and scalable path to a unified SASE solution, reducing complexity and increasing agility.
Challenges
Deploying and managing Skyhigh SSE can present several technical challenges and risks. Integration complexity may require significant resources to ensure compatibility with existing infrastructure, impacting network performance if not properly configured. Moreover, with the convergence of multiple security solutions, organizations must carefully plan, define, and manage security policies across the entire platform, since inconsistent or improperly configured policies can lead to security gaps or unintended consequences, such as blocked legitimate traffic or increased false positives. Skyhigh Security helps streamline the process with unified data classifications that can be leveraged across all Skyhigh SSE products. Organizations can also create custom classifications to suit their specific needs. Managing Skyhigh SSE requires specialized skills, potentially necessitating investment in training or personnel. Furthermore, as with any comprehensive security solution, organizations may face the risk of vendor lock-in when deploying Skyhigh SSE. This can limit flexibility and make it more difficult to adapt to changing security requirements or integrate with other solutions in the future.
Purchase Considerations
Skyhigh SSE follows a packaged subscription-based pricing model, with the complete package currently available on the AWS Marketplace for $160 per user. However, custom pricing and private offers may be available through direct contact with Skyhigh Security or their consulting partners.
Skyhigh SSE addresses multiple use cases, including secure remote access, cloud application security, web security, ZTNA, DLP, and threat protection.
Radar Chart Overview
Skyhigh Security is a Challenger in the Innovation/Platform Play quadrant. Skyhigh SSE is a comprehensive and effective cloud-native security platform that addresses multiple security use cases and integrates well with existing infrastructure. Despite its higher price point compared to some other SSE solutions, customers report that Skyhigh SSE delivers value for its threat protection performance and data protection capabilities.
Twingate: Twingate
Solution Overview
Founded in 2018, Twingate offers a ZTNA solution that enables organizations to easily provision secure remote access to corporate resources without compromising the user login experience. A replacement for legacy VPN solutions, Twingate offers enterprise-grade security and a user-friendly interface, enabling businesses to set up a robust software-defined perimeter.
Replacing traditional VPNs by establishing a software-defined perimeter that is invisible to the public internet, Twingate is a modern remote access solution that leverages the principles of zero-trust security to ensure secure remote access to internal applications and services. Unlike traditional VPNs that grant broad network access, Twingate ensures that every request to access a network resource is authenticated and authorized, with every decision confirmed by a second—or even a third—component depending on the sensitivity of the decision being authorized.
Twingate’s architecture consists of three main components: the Client, the Connector, and the Controller. The Client is installed on user devices and is responsible for initiating secure connections, while the Connector is a lightweight software component deployed within the network environment to serve as the access point for internal resources without being directly exposed to the public internet. A central orchestration service hosted by Twingate, the Controller manages access policies, authentication, and the overall state of the network.
Twingate’s technical architecture is designed to support scalability and reliability, addressing the needs of growing organizations. It uses TLS v1.2 for encrypted data transport, ensuring secure and efficient data routing, and integrates with major SSO and identity providers. For organizations concerned about service reliability, Twingate’s split tunneling feature optimizes network performance by routing only the traffic destined for protected resources through its infrastructure, thereby reducing latency and congestion.
Strengths
Designed to replace traditional VPNs, Twingate operates as a software-only model, enabling easy deployment and integration into existing systems and networks. The platform supports least-privilege access across on-premises and cloud environments at the application level, reducing the attack surface and improving security, with centralized management and logging. Moreover, Twingate offers granular access controls, making it suitable for organizations in highly regulated industries. The solution also includes detailed user activity logging and security features such as Twingate Secure DNS and Twingate DNS Filtering. Twingate’s intuitive interface requires little specialized technical knowledge, making it accessible to organizations of all sizes and technical capabilities. Integration into existing IT infrastructure is streamlined and nondisruptive: organizations can deploy Twingate alongside their existing VPN solutions, enabling a phased rollout with minimal impact to users during the evaluation and migration phases.
Challenges
Twingate lacks many of the advanced features of other SSE solutions, focusing instead on secure access control and network visibility within a ZTNA framework. Twingate requires integration with third-party identity providers like GitHub and Google for authentication, which could be a limitation for organizations wanting to keep authentication fully in-house. Moreover, while parts of Twingate can run on-premises, the core controller is managed by Twingate, which may be prohibitive for organizations with strict on-premises requirements compared to solutions providing that option. In situations where peer-to-peer connections fall back to using Twingate Relays, throughput may be limited to 200-250 Mbps, impacting high-bandwidth use cases compared to alternatives with more optimized relays.
Purchase Considerations
Twingate offers a tiered (Starter, Teams, Business, and Enterprise) per-user flat fee pricing model with different plans based on the number of users and features required. The free Starter plan is available for those who want to try the service or have a limited amount of infrastructure to secure, while the Enterprise plan offers custom pricing for organizations with more than 500 employees, with no limits on users, admins, or remote networks.
Twingate provides secure remote access to a wide range of corporate and personal resources while improving security posture and meeting compliance requirements. Its use cases span enterprise VPN replacement, IP-based access, and secure remote access to home networks and services.
Radar Chart Overview
Twingate is an Entrant in the Innovation/Feature Play quadrant. Twingate is a modern, zero-trust-based alternative to VPNs offering granular security controls, ease of use, and compliance enablement for cloud-native SMBs and mid-market organizations, particularly those with DevOps and IT teams looking to streamline secure remote access. However, it lacks the robust CASB, FWaaS, and SWG capabilities of many competitive solutions.
Versa Networks: Versa Security Service Edge
Solution Overview
Founded in 2012, Versa Networks provides solutions enabling large enterprises and service providers to transform their wide area networks and branch networks to achieve unprecedented business advantages. Versa Security Service Edge (SSE) is part of the Versa Unified SASE Platform, which the company began delivering several years before SASE became an industry term, culminating in its release in April 2020.
Versa SSE is a cloud-native technology that establishes network security as an integral, embedded function of the network fabric. Combining disconnected security products (including CASB, DLP, SWG, and ZTNA) into a single software platform centrally managed and controlled, it allows organizations to define once and consistently enforce a unified set of security policies and functions to protect devices, sites, apps, and workloads without compromising performance. The Versa SSE solution can be orchestrated through a single management console called Versa Concerto, which provides a unified interface to manage components, deploy policies, and gain visibility across the SSE fabric.
Comprising Versa Secure Private Access (VSPA) and Versa Secure Internet Access (VSIA), Versa SSE applies security policies based on the communication session and can take into consideration the identity of both the user and the device. Security policies are applied at the dynamic logical edge of the network rather than at the physical edge, enabling robust security services based on the user’s identity in addition to device, network, or location-based controls.
Delivering a broad set of security functions with flexible deployment options, Versa SSE can operate on-premises or in a private, public, or hybrid cloud. Moreover, Versa’s unified data lake and AIOps capabilities enable the real-time identification of threats and anomalous behaviors, with tight integration of security and network attributes enabling improved threat identification accuracy through correlated identity, device, and network context.
Strengths
Versa SSE converges critical security functions into a unified, cloud-delivered platform that consistently protects and connects enterprise resources everywhere, powered by identity awareness and AI-driven threat detection capabilities. Versa’s single-pass scanning architecture applies multiple security services in parallel, reducing latency compared to chaining point products, while AI-driven path selection and always-on connectivity further optimize the user experience. Moreover, Versa SSE applies security based on the communication session, taking into account the identity of both the user and the device, enabling granular, least-privilege access control in line with zero-trust principles to improve the organization’s security posture. Furthermore, the entire Versa SSE solution can be orchestrated through Versa Concerto, a single management console with centralized policy configuration and enforcement that greatly reduces complexity versus managing disparate point products.
Challenges
Deploying Versa SSE requires addressing migration and integration complexity, skill set gaps, comprehensive coverage, potential performance impact, the shared responsibility model, and vendor lock-in. While Versa SSE consolidates multiple security functions, organizations need to carefully evaluate if it fully meets all their security requirements across diverse users, devices, locations, and workloads, since any gaps in coverage could increase risk exposure and deploying additional point products where needed increases cost and complexity. In addition, with security delivered as a service from the cloud, organizations need to clearly understand Versa’s shared responsibility model and ensure that SLAs meet their business requirements for availability, data privacy, and compliance. Transitioning from legacy point security products to a unified SSE platform like Versa’s requires significant planning and effort, while integrating Versa SSE with existing security tools, identity systems, and network infrastructure can pose challenges, especially in complex multivendor environments.
Purchase Considerations
Versa offers tiered per-user or bandwidth-based subscription licensing based on features and scale, with additional costs for hardware appliances if required. Versa also offers a free trial for up to 100 users.
Versa SSE caters to the security needs of the modern distributed enterprise by providing unified threat protection, access control, and network optimization capabilities to secure remote workers, cloud applications, branch locations, and the WAN edge.
Radar Chart Overview
Versa Networks is a Leader in the Maturity/Platform Play quadrant. Versa SSE is a versatile and robust choice for enterprises navigating the complexities of securing distributed networks and cloud environments, with advanced features like AI-driven insights and microsegmentation demonstrating a forward-thinking approach that aligns with the needs of modern enterprises for dynamic and intelligent security solutions.
Zscaler: Zscaler for Users
Solution Overview
Founded in 2008, Zscaler provides a security-as-a-service platform that detects data breaches and protects any connected device from cyberattacks. Zscaler acquired ShiftRight (closed-loop security workflow automation) in November 2022 and Canonic Security (SaaS application security) in February 2023, and is in negotiations to acquire Avalor (a source of truth for security-related data points).
A core component of Zscaler’s efforts to provide comprehensive, cloud-based security solutions, Zscaler for Users is a cloud-native zero-trust platform designed to securely connect users to applications, regardless of their location or the devices they use. It is part of the Zscaler Zero Trust Exchange, which applies advanced cyberthreat and data protection policies while optimizing the end-to-end digital experience. The platform is built to support a secure hybrid workforce, enabling secure and reliable access to apps and data without the need for traditional VPNs, firewalls, or siloed management tools.
Zscaler for Users comprises three components: Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA), and Zscaler Digital Experience (ZDX). ZIA acts as a SWG replacement, providing full SSL inspection, URL filtering, and cloud application visibility and control. ZPA offers secure access to private apps, replacing VPNs and enabling clientless access with advanced threat prevention, and ZDX monitors digital experiences, providing unified monitoring of end-user experience, application, device health, and network performance.
Zscaler for Users leverages a comprehensive suite of security services to reduce the attack surface, prevent compromise, halt lateral movement, and stop data loss. It employs zero trust principles, ensuring that users and devices are authenticated and authorized before accessing applications. The platform also includes data protection services with full TLS/SSL inspection and a policy framework for inline web protection, as well as cybersecurity services such as advanced threat and antivirus/malware protection.
Strengths
Zscaler for Users, built on the Zscaler Zero Trust Exchange, offers a comprehensive security solution by directly connecting users to applications, not networks, thereby reducing the attack surface and preventing lateral threat movement. It leverages zero-trust principles and AI-powered security to protect against cyberthreats and data loss while ensuring a seamless user experience from anywhere without traditional VPNs or firewalls. The globally distributed platform ensures fast, local connections through over 150 data centers, providing full traffic inspection for enhanced visibility and control. Key benefits include device flexibility, improved IT-user relationships through better visibility and performance tracking, and reduced IT complexity and costs, thanks to its automated, scalable, cloud-delivered service.
Challenges
Despite boasting an extensive global network, Zscaler has multiple unconnected access zones and extra access fees, and it lacks performance in certain regions since not all services run on every node and data center in Zscaler’s network, with customer access often limited to 40 to 60 data centers (out of 150). Managing policies across different Zscaler services, such as ZIA and ZPA, can be complex, especially since they may require administration in different consoles (although integrated via SSO). In addition, some users have found the logging and search capabilities to be slow and poor, hindering the ability to track and analyze security events effectively. Furthermore, Zscaler’s ongoing acquisition strategy results in a platform in a constant state of flux, with users reporting that deployment, configuration, and integration with existing IT infrastructure can be complex and time-consuming, requiring extensive customization.
Purchase Considerations
Zscaler offers a tiered (Business, Transformation, and Unlimited) subscription model based on deployment size, selected options, and modules, with each subsequent level offering more advanced features. However, obtaining detailed pricing information can be challenging, as it often requires consultation with Zscaler’s sales team, which can be a barrier for organizations trying to evaluate the cost implications of the service.
Zscaler for Users provides secure, seamless access to applications and data, applies advanced cyberthreat and data protection policies, and optimizes the digital experience for a secure hybrid workforce.
Radar Chart Overview
Zscaler is a Challenger in the Innovation/Feature Play quadrant. Zscaler for Users is a cloud-based zero-trust platform that helps secure digital transformation initiatives and support remote and hybrid work models. Its comprehensive feature set, tiered offerings, and integration with major cloud platforms make it a strong contender in the market. However, the platform is not fully integrated, and the ongoing acquisition and integration of new technologies create deployment and management challenges.
6. Analyst’s Outlook
The SSE landscape is characterized by rapid growth and strategic importance within the cybersecurity industry. As a result, organizations should consider a comprehensive approach to ensure that an SSE solution is a good fit. This approach should encompass understanding their specific security challenges, evaluating the technical and operational capabilities of SSE solutions, and considering the long-term strategic fit with their business objectives.
Prospective customers should take the following steps:
- Understand Your Security Needs
  - Identify specific challenges: Understand the unique security challenges your organization faces. This includes the types of cyberthreats most relevant to your industry, compliance requirements, and the specific vulnerabilities of your IT infrastructure.
  - Security goals and strategy: Outline a plan that includes defined security goals and a strategy. This helps in determining whether an SSE model fits into your security architecture, especially in the context of supporting remote work, cloud usage, and externalization of IT resources.
  - Vendor consolidation: Consider consolidating vendors to streamline and simplify the security landscape, increasing coordination of threat detection and response and simplifying management via centralized approaches.
- Consider Operational and Strategic Fit
  - Support and managed services: Given the sophistication of SSE, look for providers that offer comprehensive support and managed services. This includes technical, business, and project management expertise to help you focus on strategic objectives rather than maintaining the solution.
  - Cloud-native versus premises-based: Understand whether solutions are cloud-native or require on-premises support. Cloud-native architectures offer benefits in agility, synchronization, and automation.
  - Phased deployment and risk mitigation: Consider a phased deployment approach, allowing for incremental implementation, testing, and validation of SSE components in specific network segments or departments. This approach helps mitigate potential risks associated with SSE adoption.
  - Migration path to SASE: Assess each provider’s ability to support a seamless transition to SASE, allowing you to move security functions to the cloud while maintaining existing network infrastructure.
- Evaluate Functional and Nonfunctional Requirements
  - Comprehensive security features: Look for solutions that offer a broad range of integrated security services, including CASB, DLP, FWaaS, RBI, SWG, and ZTNA.
  - Scalability and flexibility: Look for solutions that are scalable and flexible enough to adapt to changing business needs. This is crucial for both small businesses and enterprises as they grow or shift their operations.
  - Simplified management: Consider solutions that simplify the management of security services by consolidating them into a single, cloud-based platform that can reduce complexity and cost.
  - Performance and latency: Solutions should improve network performance and reduce latency, ensuring that security services do not disrupt business operations.
  - Visibility and control: Enhanced visibility into network activity and greater control over network access and usage are essential for identifying potential vulnerabilities and responding to threats effectively.
- Compare Vendors and SSE Solutions
  - Product assessment: Evaluate vendors, products, and feature sets based on this report and the companion Key Criteria report. Your company’s security model will dictate which features are required and the implementation strategies necessary.
  - Vendor evaluation: Thoroughly vet potential SSE vendors, considering the vendor’s reputation, the quality of customer support, the product-development roadmap, and the vendor’s ecosystem (for factors such as the solution’s ability to integrate with other tools, its scalability, and so on).
  - Architectural simplicity: Look for solutions that offer architectural simplicity, minimizing technical debt and accelerating business processes. The solution should be born in the cloud with best-in-class resilience and optimal user experience.
Choosing the right SSE solution requires a careful evaluation of your organization’s specific security needs, the capabilities and strategic fit of potential solutions, and the support and services offered by vendors. By following these steps, both small businesses and enterprises can select an SSE solution that effectively protects against cyberthreats while supporting their business objectives.
To learn about related topics in this space, check out the following GigaOm Radar reports:
- GigaOm Radar for Secure Service Access
- GigaOm Radar for Secure Access Service Edge
- GigaOm Radar for SD-WANs
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.
8. About Ivan McPhee
Formerly an enterprise architect and management consultant focused on accelerating time-to-value by implementing emerging technologies and cost optimization strategies, Ivan has over 20 years’ experience working with some of the world’s leading Fortune 500 high-tech companies crafting strategy, positioning, messaging, and premium content. His client list includes 3D Systems, Accenture, Aruba, AWS, Bespin Global, Capgemini, CSC, Citrix, DXC Technology, Fujitsu, HP, HPE, Infosys, Innso, Intel, Intelligent Waves, Kalray, Microsoft, Oracle, Palette Software, Red Hat, Region Authority Corp, SafetyCulture, SAP, SentinelOne, SUSE, TE Connectivity, and VMware.
An avid researcher with a wide breadth of international expertise and experience, Ivan works closely with technology startups and enterprises across the world to help transform and position great ideas to drive engagement and increase revenue.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2024 "GigaOm Radar for Security Service Edge (SSE)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.