The SASE wave: Why cloud-native edge security is gathering huge momentum

Secure Access Service Edge (SASE), commonly pronounced “sassy,” is less than two years old and is already moving the needle when it comes to forging a new market. SASE brings network and security capabilities to the edge, making it possible for distributed workforces to access corporate applications and resources with the same ease and security as they would have at a central office.

Of course, the massive shift to working from home — and learning from home — during the pandemic has been a major driver of SASE adoption and deployment.

SASE enables network security tools to transition away from private data centers into the public cloud or global cloud network. As a result, all users, regardless of physical location, have the same access and network flow efficiency. This means that remote user traffic no longer has to be backhauled to the corporate LAN, resulting in decreased network traffic. And this reduction in traffic can result in lower costs by allowing companies to downsize corporate Internet broadband and private WAN throughput capacity.

SASE platforms are designed to provide exceptionally granular organization-wide defense that considers factors such as user location, user identification, resources used, sensitive data patterns, and any other environmental aspects that impact security integrity. In essence, SASE changes the security spotlight from traditional site-centric models to an agile user-centric approach.

We’re seeing a lot of enterprises considering and adopting SASE platforms. Concurrently, we’re seeing cloud providers and communications service providers investing more in delivering SASE capabilities.

Where SASE came from

To understand the SASE market, you have to know a bit about the Software-defined Wide Area Network (SD-WAN) market, since SD-WAN is typically a key SASE component. SD-WAN is a virtual WAN architecture that enables organizations to administer any combination of transport services, including MPLS, 4G/5G, and broadband Internet connectivity to securely connect users to applications. The SD-WAN uses a centralized control function to intelligently and securely direct traffic across the WAN.

SD-WAN is well-suited to extending enterprise VPNs to remote sites, especially where MPLS VPN is unavailable or is too costly. So SD-WAN helps organizations connect remote sites, including work-from-home locations, on the VPN wherever MPLS could not work.

SASE expands the SD-WAN mission in a couple of ways. First, it brings a very granular level of security to SD-WAN. Second, it is fully cloud-native, whereas many SD-WAN solutions can require a physical presence. As such, SASE forms a logical complement to emerging network-as-a-service (NaaS) offerings that deliver personalized network-slice services to customers on an on-demand basis.

Adoption gathers steam

We concur with market data that supports SASE’s market momentum in 2021 and beyond. Gartner, for example, projects that by 2024 at least 40% of all enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018. In addition, the global SASE market is expected to reach a compound annual growth rate of 10.8% by 2026 (according to Market Insight Reports). Such data points suggest SASE is the real deal and will avoid the marketing hype that frequently accompanies the emergence of new technologies, markets, and innovations.

Ongoing standards-development initiatives by key industry bodies such as the MEF are also proving crucial in advancing and fortifying SASE acceptance across the ecosystem.

Specifically, the MEF SASE security reference architecture includes:

• MEF 117 SASE Service Definition that prescribes a SASE-based, distributed security service where security functions transition from CPE and the data center (MEF 88) to edge clouds.
• MEF 118 Zero Trust Framework specifies a dynamic means of continuously assessing access to cloud-hosted apps and data using a zero trust model.
• MEF 88 Application Security for SD-WAN defines security functions applied to SD-WAN implementations.

The inclusion of SASE services in the MEF standards is vital to fulfilling the open-source priorities of communications service providers, cloud service providers,, and enterprises. Without such standards-backing near its inception, SASE likely would face limited traction or would take longer than anticipated to achieve market impact.

It’s all about easy, integrated security

SASE creates less complex management and reduces costs of multiple separate services when an organization has various networking security solutions that are integrated into one service. A single suite of security capabilities managed by a single unified solution can also deliver better threat detection and data protection. In addition, an integrated solution helps organizations to unify identity management and authentication policies across all their locations.

SASE enables organizations to activate, manage, monitor, and enforce policies across all applications, devices, locations, and users though a single portal, mitigating the need to run around administering disparate policies for separate solutions.

SASE relies substantially on the zero-trust network access (ZTNA) approach, which denies users access to data and applications until their identity has been verified, including internal users inside the perimeter of a private network. When establishing access policies, the SASE model takes more than an entity’s identity into account by also factoring in security facets such as enterprise security requirements, user location, time of day, and continuous assessment of trust/risk factors.

Organizations are adopting and evaluating SASE to improve the performance of any service where latencies diminish the user experience, such as conference collaboration tools, video monitoring/surveillance, and AR/VR training. SASE mitigates latency by routing traffic across a global edge network designed to assure traffic is processed as close as possible to where it will be used. It uses routing optimization to find the fastest network path based on network traffic conditions and other factors.

Since SASE merges single-point security solutions into a single cloud-based service, organizations reduce integration overhead and implementation complexity. This can result in savings related to phasing out manual configuration and maintenance of traditional network and security infrastructure.

SASE rising: The competitors

Communications and cloud service providers are expanding their SASE offerings to increase revenues and boost customer retention as organizations look to impose network-wide security and data-traffic policies across their headquarters, branch offices, and remote workforce.

There is growing enterprise interest in combining SD-WAN with private backbones, primarily to avoid the hacker pitfalls and security breaches that pervade the public internet. Enterprises are also increasingly interested in transitioning away from their existing MPLS VPN services, which are typically more restrictive and expensive than SD-WAN.

SASE blends the functions of network and security point solutions into a unified, ubiquitous cloud-native service. As such, the SASE market segment is attracting a wide variety of competitors, including players with broad SD-WAN/security/networking portfolios, such as Cisco, HPE/Silver Peak, Oracle, Juniper/128T, and Nokia/Nuage; SD-WAN/cloud portfolios such as VMware, Cloudflare and zScaler; and SD-WAN/security suites such as Fortinet, Versa, and Palo Alto Networks.

Additional high-profile players with security portfolio acumen that are targeting the SASE market include Akamai, Forcepoint, McAfee, Mushroom Networks, Netskope, Proofport, and Symantec. Clearly the SASE competitive stakes are sizzling on the supplier side.

Who is standing out right now?

The competitors that stand out at this early stage of the SASE market all offer solutions aimed at simplifying the SASE adoption process. They include a top-tier networking supplier (Cisco), a content delivery network specialist (Cloudflare), a SASE-oriented startup (Cato Networks), and a broadband network gateway supplier (Benu Networks).

Cisco. Among the established network infrastructure suppliers, we see Cisco gaining a competitive edge in the early SASE market. The company already has the SD-WAN, security, and cloud portfolio assets (e.g., the new Cisco Plus hybrid cloud solutions) to directly address the SASE space. What makes Cisco stand out are the SASE-related announcements it made at the 2021 Cisco Live event.

Cisco offers its SASE package as a single, unified bundle available on a subscription basis, making it easy to procure, activate, and manage through an intuitive cloud dashboard. The package includes Cisco’s Meraki and Viptella SD-WAN software packages, Duo and Any Connect remote access, Umbrella security, the newly available Duo zero trust security, and additional security components.

Cato Networks. Among new players, Cato looks like it will compete successfully long-term in the SASE market segment. Cato Cloud provides a clearly differentiated SASE solution by purpose-designing SD-WAN, network security, and ZTNA into a worldwide, cloud-native offering. Cato connects and secures the full range of enterprise edges, including sites, cloud-resources, and mobile users, with a single worldwide cloud-native platform that is distributed across more than 60 points of presence (PoPs), a clear differentiator.

As testament to Cato’s ability to stand out in the nascent SASE market, the company raised $130 million in November 2020, bringing its total funding to $332 million. So it is in a good position to fund strategic business objectives such as building more PoPs and broadening ecosystem partnerships.

Cloudflare. Cloudflare also combines SASE with private IP backbones to strengthen its security credentials. Its SASE model extends to both Cloudflare for Infrastructure and Cloudflare for Teams, both of which are backed by one worldwide network that services approximately 25 million internet properties. Cloudflare’s experience as a content delivery network (CDN) network provider gives the company the global network resources key to driving SASE adoption. Already, Cloudflare offers a platform of integrated network and security services across each of its 200+ distributed cities in multiple regions, mitigating the need for organizations to purchase and manage a complex collection of point solutions in the cloud.

Cloudflare’s annual 2020 revenues were $431 million and its market cap is registering at $22.3 billion during April 2021, suggesting the company’s SASE proposition is boosting its market momentum.

Benu Networks. Benu recently upgraded its BNG portfolio, bringing integration of SASE and 5G Access Gateway Function (AGF) capabilities to its Virtual Broadband Network Gateway (vBNG). vBNG fulfills the burgeoning carrier demand for cloud-native edge solutions. As a result, service providers can swiftly deploy SASE services to their subscribers and provide a unified experience across both mobile and fixed network environments.

Benu Networks’ support of SD-defined SASE services, designed to run inside a carrier network, is a clear differentiator by giving operators the comprehensive control and ability to run organization-wide security across business sites, branch offices, and the distributed work-from-home workforce under a unified policy. Through Benu’s implementation of SASE at the service edge, carriers avoid VPN clients, use existing WiFi access points (APs), avoid low performance tunnels, and can support all devices across a distributed network.

This approach takes direct aim at SD-WAN/SASE solutions that entail customer on-premise implementations such as Juniper’s 128T session-aware routing technology, which requires the deployment of the 128T Session Smart Router at the customer site.

Moreover, Benu offers the combination of SASE with SD-LAN, enabling 5G-like services for fixed connections, device-level network slicing, and streamlinedcustomer premise equipment management. In tandem, Benu’s SD-Edge Platform and vBNG solutions provide the 5G Wireless-Wireline Convergence (WWC) capabilities required to unify the use experience across fixed and mobile implementations, assuring consistent treatment of business traffic through application prioritization and holistic security policies. 

The takeaway

Overall, the SASE market is showing tangible, long-term momentum in just its second year as a new technology segment. SASE is changing the way enterprises evolve their security implementations, emphasizing cloud-first highly automated solutions that overcome the limitations and costs of traditional security approaches. Service providers of all typesare prioritizing SASE as a key capability to expand their influence across the digital ecosystem and win more enterprise business. Competition across the SASE realm is intensifying, with clearly differentiated solutions already available on the market.

For enterprises, adopting the SASE approach provides long-term assurances for unified security across the entire organization including the distributed WFH workforce. Through SASE, enterprises gain built-in benefits such as positive return on investment from streamlining complex security and WAN implementations and assimilating user-centric security frameworks while also taking advantage of enduring ecosystem-wide support, including industry-wide standards backing and fast expanding service provider and supplier investments in SASE. It will be exciting to watch this market continue to develop in 2021 and beyond.

Daniel Newman is the principal analyst at Futurum Research, which provides research, analysis, advising, and/or consulting to high-tech companies in the tech and digital industries.

Ron Westfall is a Senior Analyst at Futurum Research.