UNIFIED SASE: CONSIDERATIONS FOR

SINGLE-VENDOR SASE

WHITE PAPER
Document Date: September 2023
Author: Mauricio Sanchez, Senior Research Director

Modern enterprise IT architecture has experienced significant upheaval in the last

three years as the Covid-19 pandemic shattered the traditional, centralized IT
model for users, data, and applications. The current view among technologists
assumes that even in the post-pandemic era, users, data, and applications must
be highly distributed for an enterprise to be competitive. The evolution from a
centralized to a distributed enterprise has required IT teams to embrace a cloud-
and mobile-first IT strategy. The traditional hub-and-spoke architecture anchored
by discrete, on-premises network and security appliances is ill-suited to address
today's requirements. This paper looks at an approach for solving this problem,
secure access service edge (SASE), and in particular unified SASE, which offers
numerous benefits.
 White Paper | Unified SASE: Considerations for Single-Vendor SASE

WHAT IS SASE?

In mid-2019, SASE arrived, changing the thinking about WAN connectivity and network security
technologies for branches and remote users. Instead of connectivity and security being treated as
separate tools, the focus became developing an integrated enterprise WAN connectivity and
network security service platform.

SASE is a service-centric, cloud-based solution that provides network connectivity and enforces
security between users, devices, and applications (Figure 1). SASE accomplishes these tasks with
five core components that span hardware, software, and centrally controlled, Internet-based
networks with built-in networking and security-processing capabilities. SASE aims to address the
shortcomings of the legacy hub-and-spoke architecture and improve on recent solutions by bringing
networking and security into a unified service that increases network scalability, agility, and security
to address the needs of cloud- and mobile-first enterprises.

Figure 1 SASE Architecture

SASE is based on a combination of two technologies that predate it. The first is SD-WAN, which
arose nearly ten years ago to replicate the robustness and security of the more costly multiprotocol
label switching (MPLS) with commodity Internet links. The second technology is cloud-based
network security, which started to be developed around the same time as SD-WAN to replace
traditional web gateway appliances and, more recently, provide advanced protection for Internet-
based SaaS applications. These cloud-based network security technologies have lately started to
be called security service edge (SSE). Unlike its precursors, SASE can apply network and security
policy on the north-south (users to Internet applications) and east-west (WAN site-to-site) traffic
flows.

© 2023 www.delloro.com | Page 2

 White Paper | Unified SASE: Considerations for Single-Vendor SASE

TWO PATHS TO SASE: DISAGGREGATED VS. UNIFIED

We have identified two approaches to implementing SASE: disaggregated and unified. The disaggregated
approach stitches separate network (SD-WAN) and security (SSE) solutions into a complete SASE deployment.
The network and security technologies might come from the same or different SASE vendors.

Conversely, in the unified approach, the SD-WAN and SSE technologies are implemented by a single vendor
as one tightly integrated product platform. Two distinguishing factors that set unified SASE apart are its policy
model and its SASE cloud network. The policy model in unified SASE interweaves network and security
constructs so that it is possible to enforce both network and security policy across all traffic, regardless of
source (user, device, location) and destination (on-premises or cloud).

The SASE cloud network, which performs network and security functions, is a vendor-owned network
accessible from many points on the Internet. In unified SASE, the SASE cloud network does both networking
and security in the same network, whereas disaggregated SASE relies on individual networking and security
clouds.

Unified SASE Benefits

Unified SASE has numerous benefits compared to the disaggregated approach. These benefits span the
technological and economic spectrum:

 Less operational burden: By unifying network and security policy into a single policy repository,
unified SASE avoids the manual and sometimes difficult policy reconciliation associated with
disaggregated implementations. Network or security policy changes that might be straightforward
in a unified SASE implementation can place extraordinary demands on staff in the disaggregated
implementation. In a tight labor market that leaves many enterprises short-staffed, anything that
relieves staff burdens and reduces administrative complexity is attractive.

 Improved security posture: While disaggregated solutions may offer richer functionality, they
have greater configuration complexity. Dealing with separate network and security policies
increases the likelihood of misconfiguration and, thus, of an administrator inadvertently
introducing a security hole.

 Deeper analytics: Unifying the security plane with the underlying networking in unified SASE
allows for deeper analytics than are otherwise possible when both are separate. Only in unified
SASE can network indicators—such as source/destination IP addresses, geographic location, and
user/device/application information—be brought together with security event information to
improve overall security analytics.

 No finger-pointing between vendors: When problems arise, unified SASE eliminates the
possibility of the painful and time-consuming finger-pointing that sometimes occurs between
vendors in disaggregated SASE.

 Improved IT team productivity and effectiveness: SASE requires five major networking and
security components to work together. In unified SASE, these components are all provided by the
same vendor as a tightly integrated and validated technology stack. Conversely, disaggregated
solutions typically require IT teams to integrate and maintain ongoing interoperability because the

© 2023 www.delloro.com | Page 3

 White Paper | Unified SASE: Considerations for Single-Vendor SASE

components usually come from different vendors or release schedules. The extra time IT teams
spend on the care and feeding of disaggregated solutions is lost productivity.

 Clearer SLAs (service level agreements): SLAs associated with single-vendor unified SASE are
not muddled by the complexities of dealing with multi-vendor SLAs in disaggregated SASE.

 No performance-robbing traffic processing replication: Because disaggregated SASE

consists of entirely separate network and security technology stacks, compute-intensive tasks
(such as decryption/encryption and deep packet processing) are likely to be replicated, reducing
total performance.

 Reduced total cost of ownership (TCO): Typically, the TCO of unified SASE solutions is lower
than that of disaggregated SASE due to the greater simplicity of the technology stack and the need
to deal with just one vendor.

While unified SASE has numerous benefits, it comes with several tradeoffs:

 Some unified SASE solutions are relatively new: Most unified SASE solutions have been on
the market for less time than disaggregated equivalents, which in many instances, are more
mature solutions.

 Feature richness may not match disaggregated solutions: Generally, unified SASE's richness
and new feature offerings typically do not match the network and security capabilities associated
with disaggregated SASE. However, most enterprises likely need only 80% of a full-featured
solution, so the “good enough” concept usually applies.

 Integrating third-party SASE technologies could be difficult: The tight integration of

networking and security in unified SASE enables better simplicity, usability, and performance. But
that tightness can also lead to challenges if an enterprise needs to integrate third-party SASE
technology. Fortunately, as unified SASE maturity and feature breadth improve, the need for third-
party SASE technologies will decline.

We believe that both forms of SASE implementations will co-exist in the market long-term because neither is
a "one size fits all." However, we see a bright future for unified SASE.

Unified SASE Vendor Landscape and Market Direction

At Dell’Oro Group, we have been tracking the SASE market since 2019. Our most recent research (SASE &
SD-WAN Quarterly Report 1Q23) estimated that revenue from unified SASE solutions grew a robust 144%
year-over-year (Y/Y) in 1Q23, while disaggregated solutions rose 23% Y/Y. Still, on an absolute revenue basis,
disaggregated SASE revenue was nearly 10x higher than unified SASE due to the low number of unified SASE
vendors in the market: just four vendors as of 1Q23 (Figure 2).

© 2023 www.delloro.com | Page 4

 White Paper | Unified SASE: Considerations for Single-Vendor SASE

Figure 2: SASE Vendor Landscape - Unified versus Disaggregated

In our 5-year forecast, we expect unified SASE growth to remain stronger over the forecast horizon than
disaggregated SASE and, by 2027, to rise to nearly $3 B, representing about a quarter of total SASE revenues
(Figure 3).

Figure 3: Unified SASE 5-Year Forecast (Source: Dell’Oro SASE & SD-WAN July 2023 5-Year Forecast Report)

While the SASE market is still emerging, we believe the differences between unified and disaggregated SASE
will remain.

© 2023 www.delloro.com | Page 5

 White Paper | Unified SASE: Considerations for Single-Vendor SASE

United SASE Vendor Consideration

Because of the great interest in SASE in the last three years, many vendors have begun to promote their SASE
solution offerings. While our research only identified four unified SASE vendors, various disaggregated SASE
vendors are evolving towards becoming unified because of its benefits. We believe there are four
considerations in choosing a unified SASE vendor:

 Ability to engage the customer in their journey: Many enterprises take an incremental
approach toward SASE by completing either the security or network transformation and then
undertaking the other transformation to manage overall change and risk. Vendors that are flexible
and can help their customers regardless of their starting point and take them through the network
and security transformation will stand out from those that cannot.

 Performance and reach of SASE cloud network: Underlying the SASE network is a backbone
network. SASE vendors differ in their approach to and the attributes of their backbone networks.
Some build on a public cloud service provider, while others take a more customized, bottom-up
approach. However, the backbone network is implemented, a common goal of all SASE vendors is
to provide many points of presence (POPs) on the Internet. With the Internet servicing the last
mile between the SASE network and endpoints, SASE vendors aim to reduce the number of public
Internet hops for performance and security reasons.

SASE vendors may also differentiate themselves by instantiating SASE network and security functions at each
POP in a single-pass traffic processing approach. Doing so generally improves the performance of the SASE
network because the networking and security decisions are made close to where the traffic originates rather
than being backhauled deeper into the SASE network to be processed by chain-of-service functions.

 Diversity of network and security services: With a primary tenet of SASE being the delivery
of networking and security as a cloud service, SASE vendors are rapidly innovating and delivering
a growing diversity of SASE functions—the network and security features —on top of their SASE
networks. As a result, the breadth and depth of their SASE functions are a clear point of
differentiation between vendors.

 Track record of success: Fundamentally, SASE vendors are not in the appliance business but
rather in the cloud services business, in particular, networking and security services hosted in the
SASE cloud network. Vendors that can show robust investment in their SASE cloud networks and
employ strong operational acumen will lead to satisfied customers.

As we enter the post-pandemic era, enterprises are increasingly embracing a cloud- and mobile-first IT
strategy. Traditional approaches relying on legacy hub-and-spoke architecture and assuming a clear network
perimeter will no longer work. The path forward consists of network and security being interwoven in the style
of SASE. The simpler, single-vendor unified SASE should appeal greatly to the many enterprises burnt out on
overly complex, multi-vendor or multi-product solutions.

© 2023 www.delloro.com | Page 6

 White Paper | Unified SASE: Considerations for Single-Vendor SASE

About Author

Mauricio Sanchez joined Dell’Oro Group in 2020. At Dell’Oro Group, Mr.

Sanchez leads research at the intersection of enterprise networking and security.
This research has accelerated during the pandemic towards mobile and cloud-
first secure networking solutions, including SASE/SD-WAN/SSE, Cloud Workload
Security/Cloud Native Application Protection Platforms [CNAPP], and Distributed
Cloud Networking/Multi-Cloud Networking Software [MNCS]. Additionally, Mr.
Sanchez contributes to shaping the coverage of next-generation enterprise
networking architectures and service models. His research and analysis have
been widely cited in leading trade and business publications. Furthermore, Mr.
Sanchez is a frequent speaker at industry conferences and events.

Email: mauricio@delloro.com

About Dell’Oro Group

Founded in 1995 with headquarters in the heart of Silicon Valley, Dell’Oro Group is an independent market
research firm that specializes in strategic competitive analysis in the telecommunications, security,
enterprise networks, and data center IT infrastructure markets. Our firm provides world-class market
information with in-depth quantitative data and qualitative analysis to facilitate critical, fact-based business
decisions. Visit us at https://www.delloro.com.

About Dell’Oro Group Research

To effectively make strategic decisions about the future of your firm, you need more than a qualitative
discussion – you also need data that accurately shows the direction of market movement. As such, Dell’Oro
Group provides detailed quantitative information on revenues, port and/or unit shipments, and average
selling prices – in-depth market information to enable you to keep abreast of current market conditions and
take advantage of future market trends. Visit us at www.delloro.com/market-research.

Dell’Oro Group
230 Redwood Shores Parkway
Redwood City, CA 94605 USA
Tel: +1 650.622.9400
Email: dgsales@delloro.com
www.delloro.com

© 2023 www.delloro.com | Page 7