Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth, I'm the director of the Practice IAM here at KuppingerCole Analysts. My guest today is John Tolbert. He is the Research Director for Cybersecurity here at KuppingerCole Analysts. Hi, John. Good to see you.
Hi Matthias, good to talk to you again.
Great to have you. And we want to talk about a topic which has become a buzz word right now. We want to talk about SASE (Secure Access Service Edge) and the bigger picture of SASE, so SASE integration suites. You did a Leadership Compass on that just right now. So our document of comparing products and vendors and services within one market segment and this time it's SASE. So to start out, of course, the obvious questions, how do you define this market segment of SASE?
Well, SASE is an interesting and new, sort of emerging topic. It's one that hasn't been around for that long, just a couple of years. And it's really about combining networking and security. On the networking side, it's been sometimes difficult and often costly to connect remote offices, remote facilities together. So using SD-WAN (Software Defined Wide Area Networking) has been something that has helped companies decrease their costs around connectivity. But SD-WAN didn't really have a whole lot to say around security except for transport level encryption. So SASE brings together that networking and security element, plus unified management. So it's really about bringing these things together. For Edge. Edge is another word that we've been hearing a lot about for the last few years, as opposed to cloud. So we see things like SASE coming around to provide this secure access piece to these different computing locations, too. SASE is also designed to target these networking and security shortcomings, simply connecting things or using products doesn't necessarily give the deployers the big picture of what's going on. And it may make it difficult to enforce different security policies with consistency across all the different properties that they may have. So along comes SASE. In the last couple of years, SASE vendors say, by packaging different security technologies together, which we'll look at in a minute, this helps to improve the end user experience, makes it easier to run your IT operations and provide a more consistent security policy enforcement across all the different domains, while at the same time moving the security as much as possible to sort of a cloud native architecture.
Right. And when we're talking about SASE in that context and when there is a new market emerging right now, there must be a set of problems, issues, challenges for organizations that these solutions address. So what are these typical use cases when it comes to SASE? Why are people looking into this market?
You know, I think there are two main drivers for that. First of all, there are these remote facilities and the costs associated with connecting those to, let's say, corporate headquarters or cloud hosting resources. Again, some of the older style technologies like MPLS require a bit more to install and maintain as well as just being more expensive. So the SD-WAN part of SASE helps to decrease the costs, use standards based protocols and more common equipment and lines to connect these remote facilities. This can include things like branch offices, but also, thinking about operational technology, you've got remote manufacturing sites or production sites, warehouse facilities that can be scattered anywhere. On the operational technology side, too, you've got things like power generating equipment and substations, conference facilities and then even partners. If you have employees working onsite with partners, different stores, different shops that might make up a big brand and even kiosks in different locations. So all these kinds of places need connectivity and, prior to the advent of something like SASE, that was very difficult and time consuming for network professionals to try to connect all these different kinds of locations together. And then on the other side, we've got work from anywhere, work from home, as a result of the pandemic. You've got individuals out working in many different locations. Typically, they have been using VPN, but VPN sometimes doesn't scale that well, and up until the pandemic, many companies were just relying on username password and they found that that was a way in for bad actors often. So, there is a need to put better security and scalability together for a better VPN experience for remote workers wherever they are.
Right. When we look at that market and the problem is understood and you said it already, it's the combination of this network technology, so SD-WAN plus so cybersecurity component services added to that. When we look at the market, then it should be an easy picture to say, okay, we have the traditional providers of these SD-WAN solutions and we have providers of cybersecurity from the cloud, in the cloud, for the cloud. So they join forces and create products. Is it that easy? So how does that market segment look like?
You know, I think from a vendor perspective, it depends on the overall size and what's already in the portfolio, on a vendor by vendor basis. And that's kind of what I've seen in terms of the research, too. So you've got some large vendors that have many of the components already. Many may have even had SD-WAN and they also go out and look for partners. You know, let's say if your company is predominately been a security vendor, then they will partner up with SD-WAN vendors, there have been some acquisitions. And then vice versa, if you're on the SD-WAN side, then you need security partners. It's growing, the two sides are growing together, but I think there's a lot of room for additional growth as well as improvement.
Right. And it comes to maturing. I take from what you say that this is still an emerging field. This is still in flux and in progress. And SASE is a term to trying to cover all these different types of products and services.
Yeah, I think it's sort of a good umbrella to put many different components into. And I think there's a real advantage for customer organizations to get it that way. Like I said, it's only been around for a couple of years. It's not really a whole lot of brand new technologies. It's linking together and offering often as a package, a variety of different security technologies, especially. Some of the large stack network security providers were some of the first ones to enter the field because they had most of the components all upfront. And that was just a matter of sort of figuring out how they fit together in a consumable package. But we also do see some companies that were more of the SD-WAN specialist adding on the security. And since they're kind of still somewhat early in the game, although it is a maturing field, what SASE is offering depends on what a particular vendor that you're talking to says it is at the moment, which is based on what they have in their portfolio or what they can extend with partner integrations. But I think this is a huge potential growth area, I can see this is something that not only large enterprises need, even small new businesses that have a distributed workforce or maybe multiple sites. This is something that can benefit companies and organizations of many different sizes across many different industries.
You've mentioned that already, we're early in the game. This is a term that is around for two or three years maybe, and it's gaining traction right now. So we're at the beginning of 2023. You've just completed your research for this new Leadership Compass. What are the trends? What are you looking forward to see more and more in the products in the upcoming time and what have you realized during your research now? What are the trends?
Well, as I was kind of hinting about a minute ago, what you see in terms of products often has a lot to do with what a given vendor already has. Plus, what do their customers say? What are their customers asking for, these vendors do tend to respond to customer demand. So whatever target market they're serving, they will add in feature requests as dictated by their market and it's a really big mix of technologies as we'll see. And I think it's got a pretty high cost of entry. So this is going to be something that more of the larger vendors will be able to bring in components as necessary. It's not something that would be all that easy for a startup to get into, without a pretty large capital investment. You know, the way I've defined it, I've included some additional areas in SASE that maybe not all vendors have lined out is something that's a core component yet. So it's important for those vendors to be able to use standards for interoperability or have partnerships such that it's easy to integrate to get these other functionalities. Things like DLP (Data Leakage Protection) and CASB which is Cloud Access Security Brokers and Remote Browser Isolation are areas that some of the vendors need to improve on. They're currently in SASE. Others, one of the areas that I think should be focused on is around endpoints that includes like Endpoint Protection, Detection and Response and Unified Endpoint Management. That's something that I predict that bigger companies are going to want to see, especially in SASE because each of these requires a separate endpoint client. And I think most would like to manage all in one where possible. But this is not something that most of the vendors have today, many of them have the partnerships with EPDR and UEM vendors. But these require separate software installations.
Right. And you've mentioned that already, how you define this market, how you look at the criteria that need to be looked at. So when we look at this document type Leadership Compass, you need to apply a set of criteria. Maybe you can explain a bit more what you applied for this upcoming market of SASE. Where do you look at when you are in the end creating these nice little spider graphs? Where people and the audience can compare these products with each other. What was important for you?
You know, as part of our standard Leadership Compass criteria, we look at these nine areas: security, product security; functionality; deployment, which can include how easy is it to deploy, where can it be deployed and how can it be deployed; interoperability, which is mostly standard support and being able to work with other products; usability; how innovative is a given vendor solution and then some other common things like their financial strength, market position and ecosystem. Ecosystem being what are their implementation partners and support partners like, where they are geographically distributed, what kind of services do they offer. And then looking specifically at the functional criteria for SASE, I'm looking at connectivity. How do they do SD-WAN? Do they have it built in? Is this something that they've partnered with others to do? What is involved with that? What kinds of TCP optimization or traffic management capabilities are built in for that? Zero Trust Network Access is something that we've been talking about for years as well, and we're happy to see this being realized in different products and services today. It's about authenticating and authorizing every access. So I think this is really important for SASE. Endpoint, I described endpoint security, endpoint management, network security. This would be firewall services, intrusion protection services, things like that. Web security, that includes like secure web gateway functionality, remote browser isolation. Then we have data protection, which is the DLP and CASB components. Administration, I look at how easy or how difficult is it to set up and administer on a day to day basis? And then lastly, what kind of end user support packages are available, which can vary quite widely between vendors as well.
Right? This is quite, quite a list of criteria to apply. And we always try to highlight the importance of the fact that these Leadership Compasses come with a final rating. But this does not mean that the product, the service, the vendor in the upper right corner is necessarily the best for use, but that readers, the audience really should make sure that they understand the requirements that they need to apply to the services provided. And that's the reason why you provide for each vendor, for each service a detailed analysis with insight into all these different aspects. All this apart, when we look at the leadership for this Leadership Compass, for SASE platforms, which names would you mention? Not to endorse them, as I said, we need to identify what we really need, but what are the players in the market that you would like to highlight?
Well, we do break these graphs up into four major categories. I'll show two of them today. So the Overall Leader, this is the combined product innovation and market. And we see kind of a range here. Palo Alto Networks and Versa Networks and Cisco and Check Point, Lookout and Cloudflare have all made it into the overall leaders section of the graph here. Then we also see Cato Networks, Aryaka Networks, Ericom and Open Systems. So then, Product Leaders, and this is a plot of products versus the overall, so the overall that we just saw. This is product measures, the functionality, the deployment, the usability, interoperability, all those different categories kind of roll into the final product leader graph here. And we see it's kind of divided into thirds. And again, the distribution is pretty good. I think it shows differences in implementation and features and service and support capabilities.
Right, and you've mentioned trends and all of this is also reflected in one graph that I know of, which is the graph of innovation. So that would be the products that are most forward looking, most innovative, in the best sense of the word. Where are the leaders here?
Again, we see a pretty good distribution and we look at things that we define as the basic set of capabilities. So an innovation score will include those who are offering features that are over and above that basic set, but then also how do they implement the standard list of functionality? And it's entirely possible to be innovative in a way in how you deliver the expected functionality as well as the new bells and whistles. And this kind of applies to all the different Leadership Compass topics that we cover. In some cases, a vendor may be missing one or two pieces, but they may have highly innovative features in other areas or they may have things that others in the field have not considered. So they may have an advantage because of the particular types of technology that they've included with their offering they may be over and above what others see in the market.
Right. Thank you. So I think that's a really impressive overview of the market and also description of the market and an outlook on how this market evolves. I have one question that is in my mind because I did a presentation on SASE and how to look at that two years ago, one and a half years ago. And one of the most striking drawbacks or dangers or risks that were highlighted to me more than once, was the risk of the lock-in risk. So if you choose one platform, if you choose one vendor, you are likely to stay with that vendor, which might be stable and beneficial in many aspects. But it keeps you with that vendor. But you also mentioned on the one hand, standards and standard compliance for the interoperability and interoperability in general for these standard evaluation criteria. Has this changed or is there still a bit of an issue when choosing one vendor to having it difficult to move away from that, to change strategies to change complete platforms?
You know, that's always a concern that we have with large stack solutions. Do you want to take sort of the best of breed approach and select the products that you think perform the best for your company or your organization? Or, for the sake of management and cost control, do you prefer to say, buy a complete package that has most everything that you want? I think SASE is an attempt to bring many different kinds of technologies together to make it easier to consume. So you're absolutely right. There will be a tendency toward vendor lock-in which has pros and cons that we've known that for many years, too. And, on the other side, with standard support, and most of the vendors do support the standards that you kind of expect in the security and identity spaces to different degrees. And you can read about that in the report. I tried to call that out because we believe interoperability and standards are important. But, because of that standard support, it is possible in many cases to use other products to fill certain functional gaps or functional areas. If you'd rather use a different vendor solution. But it is something you have to dive into. Look at the technical details on each of these vendor products and then figure out what's right for you.
Absolutely. And this is really what I recommend also to the audience, to our readers, please head over to kuppingercole.com - redesigned website. Have a look at that and identify the newly published Leadership Compass on SASE that you John have just provided. Thank you very much for this huge amount of work that you spent on that, but also for being my guest today and for talking about that also on the maybe a bit more critical aspects when it comes to interoperability and to the lock-in risk. But nevertheless, this is a great approach for many organizations to very quickly improve their security posture and to connect to sites that they couldn't connect to earlier. Thanks again, John, for being my guest today.
Thanks, Matthias.
Okay. Looking forward to having you soon. Bye bye.
Bye.