Unified SASE Considerations for Single-Vendor SASE
SINGLE-VENDOR SASE
WHITE PAPER
Document Date: September 2023
Author: Mauricio Sanchez, Senior Research Director
WHAT IS SASE?
In mid-2019, SASE arrived, changing the thinking about WAN connectivity and network security
technologies for branches and remote users. Instead of connectivity and security being treated as
separate tools, the focus became developing an integrated enterprise WAN connectivity and
network security service platform.
SASE is a service-centric, cloud-based solution that provides network connectivity and enforces
security between users, devices, and applications (Figure 1). SASE accomplishes these tasks with
five core components that span hardware, software, and centrally controlled, Internet-based
networks with built-in networking and security-processing capabilities. SASE aims to address the
shortcomings of the legacy hub-and-spoke architecture and improve on recent solutions by bringing
networking and security into a unified service that increases network scalability, agility, and security
to address the needs of cloud- and mobile-first enterprises.
SASE is based on a combination of two technologies that predate it. The first is SD-WAN, which
arose nearly ten years ago to replicate the robustness and security of the more costly multiprotocol
label switching (MPLS) with commodity Internet links. The second technology is cloud-based
network security, which started to be developed around the same time as SD-WAN to replace
traditional web gateway appliances and, more recently, provide advanced protection for Internet-
based SaaS applications. These cloud-based network security technologies have lately started to
be called security service edge (SSE). Unlike its precursors, SASE can apply network and security
policy on the north-south (users to Internet applications) and east-west (WAN site-to-site) traffic
flows.
We have identified two approaches to implementing SASE: disaggregated and unified. The disaggregated
approach stitches separate network (SD-WAN) and security (SSE) solutions into a complete SASE deployment.
The network and security technologies might come from the same or different SASE vendors.
Conversely, in the unified approach, the SD-WAN and SSE technologies are implemented by a single vendor
as one tightly integrated product platform. Two distinguishing factors that set unified SASE apart are its policy
model and its SASE cloud network. The policy model in unified SASE interweaves network and security
constructs so that it is possible to enforce both network and security policy across all traffic, regardless of
source (user, device, location) and destination (on-premises or cloud).
The SASE cloud network, which performs network and security functions, is a vendor-owned network
accessible from many points on the Internet. In unified SASE, the SASE cloud network does both networking
and security in the same network, whereas disaggregated SASE relies on individual networking and security
clouds.
Less operational burden: By unifying network and security policy into a single policy repository,
unified SASE avoids the manual and sometimes difficult policy reconciliation associated with
disaggregated implementations. Network or security policy changes that might be straightforward
in a unified SASE implementation can place extraordinary demands on staff in the disaggregated
implementation. In a tight labor market that leaves many enterprises short-staffed, anything that
relieves staff burdens and reduces administrative complexity is attractive.
Improved security posture: While disaggregated solutions may offer richer functionality, they
have greater configuration complexity. Dealing with separate network and security policies
increases the likelihood of misconfiguration and, thus, of an administrator inadvertently
introducing a security hole.
Deeper analytics: Unifying the security plane with the underlying networking in unified SASE
allows for deeper analytics than are otherwise possible when both are separate. Only in unified
SASE can network indicators—such as source/destination IP addresses, geographic location, and
user/device/application information—be brought together with security event information to
improve overall security analytics.
No finger-pointing between vendors: When problems arise, unified SASE eliminates the
possibility of the painful and time-consuming finger-pointing that sometimes occurs between
vendors in disaggregated SASE.
Improved IT team productivity and effectiveness: SASE requires five major networking and
security components to work together. In unified SASE, these components are all provided by the
same vendor as a tightly integrated and validated technology stack. Conversely, disaggregated
solutions typically require IT teams to integrate and maintain ongoing interoperability because the
components usually come from different vendors or release schedules. The extra time IT teams
spend on the care and feeding of disaggregated solutions is lost productivity.
Clearer SLAs (service level agreements): SLAs associated with single-vendor unified SASE are
not muddled by the complexities of dealing with multi-vendor SLAs in disaggregated SASE.
Reduced total cost of ownership (TCO): Typically, the TCO of unified SASE solutions is lower
than that of disaggregated SASE due to the greater simplicity of the technology stack and the need
to deal with just one vendor.
While unified SASE has numerous benefits, it comes with several tradeoffs:
Some unified SASE solutions are relatively new: Most unified SASE solutions have been on
the market for less time than disaggregated equivalents, which, in many instances, are more
mature solutions.
Feature richness may not match disaggregated solutions: Unified SASE's richness
and new feature offerings typically do not match the network and security capabilities associated
with disaggregated SASE. However, most enterprises likely need only 80% of a full-featured
solution, so the “good enough” concept usually applies.
We believe that both forms of SASE implementations will co-exist in the market long-term because neither is
a "one size fits all." However, we see a bright future for unified SASE.
In our 5-year forecast, we expect unified SASE growth to remain stronger over the forecast horizon than
disaggregated SASE and, by 2027, to rise to nearly $3 B, representing about a quarter of total SASE revenues
(Figure 3).
Figure 3: Unified SASE 5-Year Forecast (Source: Dell’Oro SASE & SD-WAN July 2023 5-Year Forecast Report)
While the SASE market is still emerging, we believe the differences between unified and disaggregated SASE
will remain.
Ability to engage the customer in their journey: Many enterprises take an incremental
approach toward SASE by completing either the security or network transformation and then
undertaking the other transformation to manage overall change and risk. Vendors that are flexible
and can help their customers regardless of their starting point and take them through the network
and security transformation will stand out from those that cannot.
Performance and reach of SASE cloud network: Underlying the SASE network is a backbone
network. SASE vendors differ in their approach to and the attributes of their backbone networks.
Some build on a public cloud service provider, while others take a more customized, bottom-up
approach. However the backbone network is implemented, a common goal of all SASE vendors is
to provide many points of presence (POPs) on the Internet. With the Internet servicing the last
mile between the SASE network and endpoints, SASE vendors aim to reduce the number of public
Internet hops for performance and security reasons.
SASE vendors may also differentiate themselves by instantiating SASE network and security functions at each
POP in a single-pass traffic processing approach. Doing so generally improves the performance of the SASE
network because the networking and security decisions are made close to where the traffic originates rather
than being backhauled deeper into the SASE network to be processed by chain-of-service functions.
Diversity of network and security services: With a primary tenet of SASE being the delivery
of networking and security as a cloud service, SASE vendors are rapidly innovating and delivering
a growing diversity of SASE functions—the network and security features—on top of their SASE
networks. As a result, the breadth and depth of their SASE functions are a clear point of
differentiation between vendors.
Track record of success: Fundamentally, SASE vendors are not in the appliance business but
rather in the cloud services business, in particular, networking and security services hosted in the
SASE cloud network. Vendors that show robust investment in their SASE cloud networks and
employ strong operational acumen will end up with satisfied customers.
As we enter the post-pandemic era, enterprises are increasingly embracing a cloud- and mobile-first IT
strategy. Traditional approaches relying on legacy hub-and-spoke architecture and assuming a clear network
perimeter will no longer work. The path forward consists of network and security being interwoven in the style
of SASE. The simpler, single-vendor unified SASE should appeal greatly to the many enterprises burnt out on
overly complex, multi-vendor or multi-product solutions.
About Author
Email: mauricio@delloro.com
Founded in 1995 with headquarters in the heart of Silicon Valley, Dell’Oro Group is an independent market
research firm that specializes in strategic competitive analysis in the telecommunications, security,
enterprise networks, and data center IT infrastructure markets. Our firm provides world-class market
information with in-depth quantitative data and qualitative analysis to facilitate critical, fact-based business
decisions. Visit us at https://www.delloro.com.
To effectively make strategic decisions about the future of your firm, you need more than a qualitative
discussion – you also need data that accurately shows the direction of market movement. As such, Dell’Oro
Group provides detailed quantitative information on revenues, port and/or unit shipments, and average
selling prices – in-depth market information to enable you to keep abreast of current market conditions and
take advantage of future market trends. Visit us at www.delloro.com/market-research.
Dell’Oro Group
230 Redwood Shores Parkway
Redwood City, CA 94605 USA
Tel: +1 650.622.9400
Email: dgsales@delloro.com
www.delloro.com