Compare 5 single-vendor SASE providers
The days of a fixed perimeter to safeguard IT assets are in the distant past. As enterprises evolve from a centralized, contained infrastructure to a highly distributed and virtualized organization, traditional ways of managing and securing enterprise resources are inadequate.
Over the last decade, the cloud became a dominant technology consumption model, and operating environments became more complex and difficult to manage. The movement toward hybrid and multi-cloud operating environments prompted security and networking professionals to examine how they protected communications.
Security needs to be an integral part of connectivity. Organizations require an approach that recognizes this point, which initially led to the rise of zero-trust architecture. This multilayered security framework operates under the principle that trust isn’t inherent. Zero-trust architecture authenticates and authorizes any entity before it accesses any IT asset.
Secure access service edge borrowed from zero-trust concepts and applied them to both security and network services. SASE quickly rose to prominence as a promising new technology in network security.
Single-vendor SASE customer criteria
SASE architecture provides a cloud-based service that connects and secures enterprise endpoints across the network. It’s a multipronged approach to secure communications. Without a standard SASE model, however, each SASE vendor took a different approach to the technology.
Some customers opt for multivendor SASE, integrating networking and security capabilities from multiple providers. In contrast, single-vendor SASE is available as a single product or ties together multiple products from a vendor’s portfolio to build a SASE architecture. Most customers prefer single-vendor SASE.
Enterprises expect core capabilities in a single-vendor SASE offering, including the following:
- Software-defined network architecture with virtualized security controls to protect end-user and software application transactions.
- Secure web gateways as either on-premises or delivered via the cloud. Secure web gateways filter internet traffic and execute corporate policies.
- Cloud access security brokers (CASB) for cloud-based services that monitor and protect communications between end users and cloud applications.
- Firewall as a service (FWaaS) to deliver next-generation firewall controls. Controls include advanced threat protection, intrusion prevention and domain name security.
- Zero-trust network access (ZTNA) to create a software-defined perimeter that supports secure connectivity between remote users and internal applications.
- Central connectivity management and security elements critical for effective SASE deployment.
Prospective customers should lay out their criteria and understand the best SASE architecture for their needs. Enterprises must look beyond minimum security capabilities to more advanced security features, such as user and entity behavior analytics that automatically detects and responds to risky activity.
Security and networking professionals should also consider the vendor’s SASE architecture. The following questions are helpful for enterprises to determine the right architecture:
- Does the vendor have its own private backbone or access to a secure third-party network to protect communications and guarantee low latency?
- Does the offering have central management?
- Does the vendor apply a transparent and predictable pricing model?
Based on the essential criteria, a handful of single-vendor SASE options emerge as standouts. These providers are a cross between networking- or security-centric vendors. That said, vendor focus on networking or security is blurring as integrated security becomes a crucial differentiator for many providers.
The following SASE vendors were selected based on their market share and single-vendor SASE capabilities, including software-defined architecture, security functionality and centralized management. User reviews and analyst reports were also taken into consideration.
The vendors are listed in alphabetical order and are not ranked.
Cisco Secure Connect and Cisco Secure Access
Cisco Secure Connect is a managed cloud-based service that acts as Cisco’s primary SASE option. Cisco also offers Cisco Secure Access, which focuses more on zero trust and self-managed security service edge (SSE).
Cisco Secure Connect streamlines network security and management across campus, branch, public and cloud environments. It can connect up to 5,000 sites and support 50,000 users. IT administrators can use the cloud-based portal to track activity and manage resources. Through this interface, they can simultaneously stand up multiple Cisco Meraki SD-WAN networks.
Cisco promotes its cloud security and native SD-WAN capabilities, with the option to import Cisco Meraki SD-WAN policies for both Secure Connect and Secure Access. Meanwhile, customers can use Cisco Umbrella Secure Internet Gateway to deliver secure internet connectivity for both branch and remote end users. Branch users receive secure access to internal applications via Cisco Secure Interconnect. IT staff can apply policies for branch offices and remote users through its unified cloud-delivered firewall. They can export remote access reporting and analytics logs from the Secure Connect console.
The Cisco Umbrella cloud architecture peers with over 1,000 cloud providers to reduce latency and improve connectivity between clients and cloud services. Cisco doesn’t have its own private backbone, so customers must either rely on public backbone resources or arrange for private connections.
Cisco is historically known as a networking vendor. However, the company is investing in security, primarily through acquisition.
Fortinet FortiSASE
Fortinet offers its cloud-based FortiSASE with AI-backed security services via FortiGuard. Fortinet’s heritage as a network security vendor differentiates its security service.
FortiSASE includes a secure web gateway, ZTNA, CASB, FWaaS and data loss prevention (DLP). Fortinet delivers SD-WAN connectivity via the cloud. The vendor guarantees 99.999% uptime with latency assurance for security inspections.
Fortinet has a global presence with hundreds of security points of presence (PoPs) and augments its network presence with a Google Cloud partnership to expand its reach. FortiSASE has a user-based model, which requires a minimum of 50 licenses.
Netskope SASE
Like other SASE providers, one of Netskope’s primary objectives is to eliminate traditional security infrastructures. Netskope combines its Intelligent SSE and Borderless SD-WAN for a comprehensive SASE platform. It integrates all infrastructure elements together, rather than use multiple distinct products. IT administrators can track and manage the environment from a consolidated dashboard.
Netskope delivers SASE directly to clients and sells it through managed service providers. Advanced threat intelligence capabilities bolster Netskope’s secure web gateway, CASB, ZTNA and FWaaS. It also protects website, cloud service and internal application access from any device. Netskope SASE relies on a zero-trust engine for telemetry collection to assess user behavior, device, application and data risk.
Netskope also operates NewEdge, a private security cloud with a PoP footprint across more than 70 regions. The company touts ultrafast end-to-end round-trip cloud and web traffic transactions.
Palo Alto Networks Prisma SASE
The cloud-based and cloud-built Prisma SASE boasts a SASE-native Autonomous Digital Experience Management. ADEM tracks performance and security from the end-user perspective and integrates AIOps directly into SASE. AI-based troubleshooting and predictive analytics help automate difficult processes that usually require human intervention. Automation lowers mean time to resolution.
IT administrators can tap into holistic observability via a central console, where they can get a consolidated perspective of the entire environment’s security and performance. This includes remote and branch users, network applications and the IT infrastructure. The interface also provides machine learning-based anomaly identification and automated event correlation. Prisma SASE can perform root cause analysis and automate remediation. The dashboard’s analyzer query interface automates event investigations across domains. IT administrators can also use it for predictive capacity planning.
Prisma SASE brings security to branch locations via Prisma SD-WAN. Palo Alto Networks is a security-centric vendor by nature and acquired SD-WAN through purchasing CloudGenix in 2020. Palo Alto Networks doesn’t have a private backbone, so customers must use a public backbone for site-to-site connectivity. Several licensing options based on the client’s access and security requirements are available.
Zscaler Zero Trust SASE
Like Prisma SASE, Zscaler built Zero Trust SASE on cloud-native architecture. Zscaler touts its SASE offering as the first developed applying zero-trust principles for user authentication. Only authorized users and entities have access to the resources they have rights to. The offering uses Zscaler’s Zero Trust Exchange network to give users and IoT/OT devices application access without using routed overlays.
Zscaler touts a seamless end-user experience and a straightforward management experience. Zero Trust SASE is built on AI proxy-based architecture able to meet challenging threat protection and DLP requirements at scale. The Zscaler offering includes a comprehensive set of cybersecurity capabilities, such as threat protection through secure web gateway, FWaaS, DNS security, sandbox and browser isolation, as well as data protection via CASB and DLP.
Zscaler peers with all major application and service providers. With 150 worldwide PoPs located near popular internet exchanges, Zscaler quickly carries out security services and analysis.
Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As a principal analyst at GlobalData, she covers managed security and cloud services.