- Buy Microsoft Visio Professional or Microsoft Project Professional 2024 for just $80
- Get Microsoft Office Pro and Windows 11 Pro for 87% off with this bundle
- Buy or gift a Babbel subscription for 78% off to learn a new language - new low price
- Join BJ's Wholesale Club for just $20 right now to save on holiday shopping
- This $28 'magic arm' makes taking pictures so much easier (and it's only $20 for Black Friday)
Buyer’s guide: Secure Access Service Edge (SASE) and Secure Service Edge (SSE)
The company focuses on mid-size enterprises and managed service providers.
Check Point’s Perimeter 81 unit: Perimeter 81’s SASE product, the Cybersecurity Experience Platform, was developed in-house and includes ZTNA, FWaaS, and SWG. Perimeter 81’s cloud-delivered ZTNA was recently recognized by Forrester as a Zero Trust leader. The analyst firm called it the best option for smaller enterprises that need a ZTNA service because they can sign up quickly and onboard dozens of applications in less than a month using its self-service portal.
Cloudflare: Cloudflare began as a content delivery network provider. Its Cloudflare One solution offers ZTNA, SWG, and FWaaS along with remote browser isolation, Domain Name Service (DNS) filtering, DDoS protection, and other threat and data protections using a single management interface.
Iboss: Iboss offers a containerized Zero Trust service that’s deployed in more than 100 PoPs globally. It provides SWG, CASB, ZTNA, FWaaS, remote browser isolation, antimalware, and antiphishing features. It doesn’t offer SD-WAN but says it integrates with all major SD-WAN solutions.
According to the company, its Zero Trust platform differs from that of other vendors because it covers both internet-facing and internal network edges with the same security edge, while other companies have different edges for internet and private connections, resulting in different levels of protection and visibility.
Gartner says Iboss SASE customers automatically receive a license for the ZTNA product, instead of having to pay separately for the Zero Trust feature.
Lookout: Gartner says Lookout appears less frequently on shortlists but has strong data security capabilities and a strong sales strategy for a relatively small vendor. Lookout’s SASE offering is called Lookout Security Platform, and the company partners with Broadcom VMware, HPE, and Versa for its SD-WAN.
The Lookout Security Platform has CASB, ZTNA, SWG, user and entity behavior analytics, DLP, and enterprise digital rights management. FWaaS is not offered.
Netskope: Netskope is considered a leader in Gartner’s Magic Quadrant for SSE and appears frequently on clients’ shortlists. Netskope’s SASE offering is called the Netskope Intelligent Security Service Edge.
Netskope Intelligent SSE offers security components including SWG, CASB, ZTNA, cloud security posture management (CSPM), FWaaS, DLP, and user and entity behavior analytics. SaaS security posture management and remote browser isolation were also introduced in the last year. Netskope doesn’t offer SD-WAN, but it says it can integrate with SD-WAN technologies.
Zscaler: Zscaler is a leader in Gartner’s Magic Quadrant for SSE and is frequently seen on shortlists. In 2022, it improved its CASB offering by introducing API integrations with more SaaS applications, integrating remote browser isolation, and improving data security features. Zscaler offers SWG, CASB, FWaaS, and ZTNA, and it has a global presence through more than 150 of its data centers. The company is missing the SD-WAN piece but offers it through partners including Silver Peak, Viptela, and VMware. According to Gartner, it has stronger partnerships with tighter integrations than other vendors.
What to ask before buying SSE and SASE
Because every enterprise is different, you need to get a clear grasp on your specific needs, capabilities, and resources before engaging prospective vendors and then choosing specific solutions for SSE and SASE.
10 questions to ask prospective SSE vendors
- What is your SASE strategy? “SSE is but one side of the coin,” says Mauricio Sanchez, research director for networking, security, and SASE/SD-WAN at Dell’Oro Group. “The other side is networking, which, unfortunately, still tends to be overlooked too often. An SSE vendor should have a strategy for taking their customers on the complete SASE journey.”
- What integration points do you support into the larger third-party technology ecosystem? SSE is a small part of a larger technology landscape, so an SSE vendor should be able to show integrations with client security (EPP/EDR), identity and access management (IAM), and security management (SIEM/SOAR/XDR) tools, as well as integration with the cloud hyperscalers, says Sanchez.
- What is your track record for scalability, reliability, and performance? Sanchez points out that SSE vendors are responsible for keeping the network running smoothly, while processing encrypted traffic at scale for threat detection purposes, which he describes as “a computationally intensive process.” He adds, “I’ve heard horror stories of enterprises burned by SSE clouds that underperform and generate more headaches than they solve.”
- Does your global delivery network align with my business needs? Multinational companies need to make sure that the SSE vendor has points of presence that correspond to their locations. Be sure to ask where the PoPs are, what the roadmap is for adding more, what the plan is for covering gaps, and what the plan is for surviving an outage, says David Holmes, a senior analyst at Forrester.
- How many agents do I need to install on end user devices and what is the cost per device? Holmes recommends that prospective buyers pin vendors down on whether a single agent can handle virtual private networking (VPN), ZTNA, SWG, etc., or whether more than one agent is required. And in today’s bring-your-own-device (BYOD) world, with users connecting to the network on multiple devices, what operating systems and mobile devices are covered? Is there an extra charge per device, or is the service per user?
- What are your strength and weaknesses? Ask the vendor for an honest assessment of which technology in the SSE smorgasbord is their strongest, and make sure that aligns with your requirements. If they say it’s SWG but your main driver is CASB, then Holmes says it might make sense to “continue your search.”
- What can you do with ZTNA? What can you do? Holmes recommends that prospective buyers ask the vendor what ports and protocols they cover; how they handle VoIP/SIP and UDP protocols. Can they integrate with multiple identity providers concurrently? “Not all can,” says Holmes, “and this is an important management feature for larger organizations that want to give partners Zero Trust access to their applications.”
- What is the management setup? Winckless says organizations need to implement SSE in a way that is seamless for administrators to configure and monitor. Will I have fewer consoles? Or more?
- How easy is it to apply security policies? Organizations need to make sure that they retain the ability to apply the same rules across multiple channels, says Winckless.
- What is the customer experience? All that back-end technology is great, but organizations need to make sure that the SSE delivers a smooth and seamless user experience. That last thing you want, says Winckless, is to disrupt the way the company does business.
10 questions to ask prospective SASE vendors
- Does the vendor offer all the capabilities that are included in the definition of SASE? If not, where are the gaps? If the vendor does claim to offer all the features, what are the strengths and weaknesses? How does the maturity of the vendor offerings mesh or clash with your own strengths, weaknesses, and priorities?
- How well integrated are the multiple components that make up the SASE? Is the integration seamless?
- Assuming the vendor is still building out its SASE, what does the vendor roadmap look like? What is the vendor’s approach in terms of building capabilities internally or through acquisition? What is the vendor’s track record integrating past acquisitions? If building internally, what is the vendor’s track record of hitting its product release deadlines?
- Whose cloud is it anyway? Does the vendor have its own global cloud, or is it partnering with someone else? If so, how does that relationship work in terms of accountability, management, SLAs, and troubleshooting?
- Is there flexibility in terms of policy enforcement? In other words, can a consistent SASE security policy be applied across the entire global enterprise, and can that policy also be enforced locally depending on business policy and compliance requirements? Even if enforcement nodes are localized, is there a SASE management control plane that enables centralized administration? This administrative interface should allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application, or the data.
- How is sensitive data handled? What are the capabilities in terms of visibility, control and extra protection?
- Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting? Is policy enforced consistently for all the possible access scenarios — individual users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged?
- Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Because the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand.
- Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs.
- One of the key concepts of zero trust is that end-user behavior should be monitored throughout the session and actions taken to limit or deny access if the user engages in behavior that violates policy. Can the SASE enforce those types of actions in real time?