Secure service access (SSA) represents a significant shift in the way organizations consume network security. Replacing multiple point products with a single integrated platform offering full interoperability and end-to-end redundancy, SSA shifts security consumption from either data center- or edge-centric to ubiquitous and user-centric. Leveraging cloud-native, layered security functions, SSA meets each organization’s unique needs irrespective of network architecture, cloud infrastructure, user location, or device.
However, while some vendors deliver a single integrated platform offering full interoperability and end-to-end redundancy, others are repackaging existing point products, or putting a common UI over them, and taking the result to market as an SSA solution. In addition, many vendors are incorporating framework acronyms into their product names, which either limits the features and functionality the solution is seen to cover or creates further confusion as capabilities are added or new frameworks emerge.
Representing features and capabilities widely adopted and well implemented in the industry, the following table stakes are the minimum required for solutions to be included in the GigaOm Radar for secure service access.
- Cloud-native convergence: Networking and security are converged into a single cloud-native platform. Services are available in the cloud as a software as a service (SaaS) offering independent of specific hardware requirements. Cloud-native refers to platforms specifically designed to take advantage of a cloud delivery model to increase speed, scalability, and agility.
- Location-independent service delivery: Services are independent of user location and available to any user using any device anywhere in the world. With the shift toward a distributed workforce, remote users must have the same access to resources and services as if they were physically located in a corporate office.
- User-centric policy enforcement: Policies are enforced based on the identity and behavior of the user (application, device, or human) accessing the resource. Therefore, well-designed, converged network and security systems should enable the user journey, providing authenticated users with authorized access to resources and services as easily and quickly as possible.
- Distributed policy enforcement: Instead of the enterprise data center being the access gateway to the network, policies are enforced, and threats are detected and eliminated at multiple data touchpoints. Ideally, defense-in-depth should be implemented within multiple layers of the OSI model, with Layer 3 and 4 firewalls filtering traffic at the packet level and Layer 7 firewalls filtering content for granular protection.
- Standardized software-defined architecture: SSA depends on the availability of a ubiquitous cloud-native software-defined architecture supporting a broad range of use cases and scenarios across a shared infrastructure. Running over the existing private, public, or managed networks via global POPs, software-defined applications accelerate time-to-value by eliminating the need to deploy and commission hardware.
Once the table stakes are met, each solution is scored on key criteria and evaluation metrics. Key criteria are the basis on which organizations decide which solutions to adopt for their particular needs, while evaluation metrics determine the impact the solution may have on the organization.
This GigaOm Radar report provides an overview of notable SSA vendors and their available offerings. The corresponding GigaOm report “Key Criteria for Evaluating Secure Service Access Solutions” outlines critical criteria and evaluation metrics for selecting an SSA solution. Together, these reports offer essential insights for enterprise security initiatives, helping decision-makers evaluate solutions before deciding where to invest.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.
2. Deployment Types and Operations Models
To better understand the market and vendor positioning (Table 1), we assess how well a vendor’s SSA solution supports different target markets and deployment models. For SSA, we recognize five target markets:
- Cloud service providers (CSPs): Providers delivering on-demand, pay-per-use services to customers over the internet, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
- Network service providers (NSPs): Service providers selling network services—network access and bandwidth—provide entry points to backbone infrastructure or network access points (NAP). In this report, NSPs include data carriers, ISPs, telcos, and wireless providers.
- Managed service providers (MSPs): Service providers delivering managed application, communication, IT infrastructure, network, and security services and support for businesses at either the customer premises or via MSP (hosting) or third-party data centers (co-location).
- Large enterprises: Enterprises of 1,000 or more employees with dedicated IT teams responsible for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.
- Small-to-medium businesses (SMBs): Small (<100 employees) to medium-sized (100 to 1,000 employees) businesses with limited budgets and constrained in-house resources for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.
For SSA, we recognize various deployment models, including private cloud, public cloud, multicloud, edge cloud, and hybrid cloud:
- Private cloud: Used exclusively by one enterprise or organization, private cloud computing resources are physically located in an on-premises data center or hosted by a third-party colocation service provider. Tailored to meet specific requirements, private clouds offer compliance, control, and flexibility.
- Public cloud: Owned and operated by a third-party cloud service provider and delivered over the internet, public cloud providers offer cost-effective, scalable, and reliable on-demand resources for enterprises and SaaS vendors.
- Multicloud: Comprising multiple public-cloud services performing different functions, multicloud allows organizations to take advantage of various public-cloud capabilities or geographies. Multicloud deployments may include private clouds, resulting in cloud deployments that are both hybrid and multicloud.
- Edge cloud: Comprising storage and compute assets located at the edge and interconnected by a scalable, application-aware network, edge clouds enable data to be processed as close as possible to the point of origin. Edge clouds reduce latency and increase responsiveness for time-sensitive applications.
- Hybrid cloud: Enabling data and apps to move seamlessly between two environments, a hybrid cloud combines private, on-premises infrastructure with a public cloud. A hybrid cloud allows compute resources to be brought closer to the edge where data resides—reducing latency and increasing reliability—while still meeting regulatory compliance and data sovereignty requirements.
Table 1. Vendor Positioning
| Vendor | CSPs | NSPs | MSPs | Large Enterprises | SMBs | Private Cloud | Public Cloud | Multicloud | Edge Cloud | Hybrid Cloud |
|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | | | | | | | | | | |

Rating legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
3. Key Criteria Comparison
Following the general criteria introduced in GigaOm’s report “Key Criteria for Evaluating Secure Service Access Solutions,” Tables 2, 3, 4, and 5 summarize how well each vendor included in this research performs in the areas we consider differentiating and critical for the sector.
- Key criteria differentiate solutions based on features and capabilities, outlining the primary criteria to be considered when evaluating an SSA solution, including defense in depth, identity-based access, and dynamic segmentation.
- Evaluation metrics provide insight into the impact of each product’s features and capabilities on the organization, reflecting fundamental aspects including client support, ecosystem support, and total cost of ownership.
- Emerging technologies and trends identify the most compelling and potentially impactful technologies emerging in a product or service sector over the next 12 to 18 months.
- SSA capabilities differentiate one secure service access solution from another based on the specific functionality required to reduce the attack surface, detect threats, and mitigate risk.
The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.
Table 2. Key Criteria Comparison
| Vendor | Defense in Depth | Identity-Based Access | Dynamic Segmentation | Unified Threat Management | ML-Powered Security | Autonomous Network Security | IoT Support | Integrated Solution |
|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | | | | | | | | |

Rating legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
Table 3. Evaluation Metrics Comparison
| Vendor | Ease of Use | Performance | Interoperability | Redundancy | Visibility, Monitoring, & Auditing | SSA as a Service Support | Pricing & TCO | Vendor Support | Vision & Roadmap |
|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | | | | | | | | | |

Rating legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
Table 4. Emerging Technologies and Trends Comparison
| Vendor | Edge Platforms | IoT Security | Open Platform | Digital Experience Monitoring & Management |
|---|---|---|---|---|
| Palo Alto Networks | | | | |

Rating legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
Table 5. SSA Capabilities
| Vendor | Cloud Access Security Broker | Domain Name System Security | Endpoint Detection & Response | Extended Detection & Response | Network Detection & Response | Zero-Trust Network Access | Secure Web Gateway | Software-Defined WAN | SSA as a Service | Firewall as a Service |
|---|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | | | | | | | | | | |

Rating legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
By combining the information provided in the tables above, the reader can understand the technical solutions available in the market.
4. GigaOm Radar
This report synthesizes the analysis of key criteria and their impact on evaluation metrics to generate the GigaOm Radar in Figure 1. The chart is a forward-looking perspective on all the vendors in this report based on their products’ technical capabilities and feature sets.
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—Maturity versus Innovation and Feature Play versus Platform Play—while the length of the arrow indicates the predicted evolution of the solution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for Secure Service Access
As seen in Figure 1, there are four vendors in the Leaders circle (Cato Networks, Palo Alto Networks, Versa Networks, and Zscaler), thirteen Challengers (Ananda, Broadcom, Check Point, Cisco, Citrix, Cloudflare, Dispersive, Fortinet, Netskope, Perimeter 81, Skyhigh Security, Tempered, and VMware), and three New Entrants (Elisity, Ericom Software, and Forcepoint).
It should be noted that being positioned in the top two Maturity quadrants does not exclude innovation. Instead, it identifies the solution as being proven in a production setting compared to a newer solution undergoing innovation to achieve customer acceptance and adoption. In addition, the length of the arrow (Forward Mover, Fast Mover, or Outperformer) is based on customer adoption and execution against roadmap and vision (based on vendor input from the previous report and in comparison to improvements made across the industry in general).
Furthermore, positioning in the Platform-Play quadrants indicates that the vendor has a fully integrated solution—usually built from the ground up—at the functional level, even if not all SSA capabilities are currently present or the vendor is focused on a limited set of use cases. In contrast, solutions from vendors positioned in the Feature-Play quadrants may have all of the capabilities but currently lack integration at a functional level due to the following reasons:
- The vendor has acquired SSA technology that has not yet been fully integrated.
- The solution has a common UI, but the underlying products are not integrated.
- The vendor is in the process of integrating existing point products.
- The vendor is marketing a collection of point products as an SSA platform.
In addition, some established networking and security vendors are positioned as New Entrants or Challengers rather than Leaders. Though many of these vendors have well-known point products recognized as leaders in their respective categories, this report evaluates all capabilities in the context of an overarching SSA solution, with networking and security convergence and functional integration being crucial factors in establishing leadership. Moreover, the speed at which vendors integrate point solutions or acquired functions into their SSA platforms varies considerably—with smaller vendors often able to do so faster—affecting their position as a Leader or a Challenger.
New additions to the list of vendors are Check Point, Elisity, Ericom Software, Forcepoint, Perimeter 81, and Skyhigh Security (previously McAfee). In addition, Broadcom is included based on its acquisition of Symantec. Masergy has been removed from the 2022 GigaOm Radar. Although it provides a managed SSA service built on Forcepoint and Fortinet software, it does not develop any software and, therefore, does not meet the table stakes for this report.
Cato Networks, Cloudflare, Ericom Software, and Zscaler are recognized as Outperformers. Cato Networks, Cloudflare, and Ericom Software are gaining traction based on innovation, while Zscaler continues to extend its capabilities to meet the needs of its large installed base. At the same time, we’re waiting to see how Broadcom’s acquisition of VMware and Skyhigh Security’s being spun off from McAfee affects their respective roadmaps, as well as how Check Point, Cisco, Forcepoint, and Fortinet will leverage new acquisitions and repositioning to gain ground on the competition.
Since publishing the 2021 Radar for Service Access Solutions, Cato Networks has moved from Challenger to Leader and Outperformer on the strength of its innovation and execution against its roadmap. Citrix, which slipped from Leader to Challenger, was acquired by two private equity firms, and its overall strategy and roadmap remain unclear. Vendors to watch include Elisity, Ericom Software, Forcepoint, Skyhigh Security, and Perimeter 81.
Inside the GigaOm Radar
The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.
The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.
The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.
Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.
5. Vendor Insights
Founded in 2019, Ananda Networks exited stealth mode in August 2020 with the goal of replacing centralized virtual private network (VPN) appliances and proprietary points of presence (PoPs) with fast, distributed, identity-routed communication spanning all network nodes, eliminating the cost and complexity of backhauling large volumes of traffic through third-party infrastructure. Acting primarily as a cloud-based control plane, Ananda Secure Global LAN (SG-LAN) is a cloud-managed, software-defined overlay network built from the ground up to let enterprises create and customize their own private networks in minutes, with end-to-end security and what Ananda describes as Slack-like ease of use.
Figure 2. Ananda Networks at-a-Glance
Converging network and security orchestration into a distributed network fabric that requires no hardware deployment, SG-LAN connects any two users, servers, IoT devices, or cloud services located anywhere in the world directly over the best available path. By eliminating most of the backhaul caused by forcing traffic through gateways or PoPs, Ananda claims that SG-LAN delivers speeds up to 25x faster than competing solutions and legacy VPNs. Where a direct path is poor, Ananda applies AI-based route and protocol optimization, dynamically spinning up multicloud-hosted Nitro relays, or waypoints, available in hundreds of locations globally, to maximize link speed and quality.
Replacing legacy networks and point products, including firewalls, MPLS, NAC, SD-WAN, and VPNs, SG-LAN enforces authentication and authorization, contextual access rules (including geofencing and time restrictions), end-to-end encryption, native microsegmentation, and zero trust at the network level (Layer 3), so that an unauthorized node cannot reach, or even discover, a protected node. SG-LAN also provides distributed firewall functionality for both east-west and north-south traffic: each user or node can only "see" the other nodes it is authorized to reach, based on its private network membership and the contextual access rules in force. The Ananda control plane mediates these decisions, providing end-to-end security from individual containers, devices, or servers to the destination; content filtering, real-time inspection, sandboxing, and browser isolation are provided via partner solutions.
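The two mechanisms just described for SG-LAN, visibility limited to peers in a shared private network and contextual rules such as geofencing and time windows layered on top, are also what the "user-centric policy enforcement" table stake asks for in general. The following is an added example of how such a default-deny evaluation is typically structured; it is illustrative code written for this report, not Ananda's implementation. The rule shapes, the node and network names, and the posture flag (which SG-LAN obtains from third-party integrations) are all assumptions constructed here.

```python
"""Contextual zero-trust access evaluation (added illustration, not Ananda's code).

A node may only reach, or even discover, peers in a private network it belongs
to, and each private network may carry contextual rules such as a geofence and
a time window. Rule shapes, node names, and the topology below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Node:
    node_id: str
    networks: FrozenSet[str]  # private networks this node is a member of


@dataclass(frozen=True)
class AccessRule:
    allowed_countries: FrozenSet[str]     # empty set = no geofence
    window_start: Optional[time] = None   # UTC; None = no time restriction
    window_end: Optional[time] = None


@dataclass(frozen=True)
class Request:
    src: Node
    dst: Node
    country: str          # geolocation of the source endpoint
    when: datetime        # timezone-aware timestamp of the attempt
    authenticated: bool   # identity verified by the control plane
    posture_ok: bool      # device posture attested by an integration (assumed)


def _rule_permits(rule: Optional[AccessRule], req: Request) -> Tuple[bool, str]:
    """Apply one private network's contextual rules to a request."""
    if rule is None:
        return True, "no contextual rules"
    if rule.allowed_countries and req.country not in rule.allowed_countries:
        return False, f"geofence blocks {req.country}"
    if rule.window_start is not None and rule.window_end is not None:
        now = req.when.astimezone(timezone.utc).time()
        if rule.window_start <= rule.window_end:
            inside = rule.window_start <= now <= rule.window_end
        else:  # window wraps past midnight
            inside = now >= rule.window_start or now <= rule.window_end
        if not inside:
            return False, "outside permitted time window"
    return True, "contextual rules satisfied"


def evaluate(rules: Dict[str, AccessRule], req: Request) -> Tuple[bool, str]:
    """Default-deny decision: identity, posture, membership, then context."""
    if not req.authenticated:
        return False, "unauthenticated"
    if not req.posture_ok:
        return False, "device posture check failed"
    shared = req.src.networks & req.dst.networks
    if not shared:
        # Destination is invisible to the source: no shared private network.
        return False, "no shared private network"
    reasons = []
    for net in sorted(shared):
        ok, why = _rule_permits(rules.get(net), req)
        if ok:
            return True, f"allowed via {net}"
        reasons.append(f"{net}: {why}")
    return False, "; ".join(reasons)


def visible_peers(node: Node, all_nodes: Dict[str, Node]) -> Set[str]:
    """Peers a node can even discover: those sharing a private network."""
    return {
        other.node_id
        for other in all_nodes.values()
        if other.node_id != node.node_id and node.networks & other.networks
    }


# Constructed sample topology (assumption, not real customer data).
RULES: Dict[str, AccessRule] = {
    "finance": AccessRule(frozenset({"US", "GB"}), time(7, 0), time(19, 0)),
    "eng": AccessRule(frozenset()),  # no geofence, no time window
}
NODES: Dict[str, Node] = {
    n.node_id: n
    for n in (
        Node("alice-laptop", frozenset({"finance", "eng"})),
        Node("bob-laptop", frozenset({"eng"})),
        Node("ledger-db", frozenset({"finance"})),
        Node("build-server", frozenset({"eng"})),
        Node("hr-db", frozenset({"hr"})),
    )
}


def decide(src: str, dst: str, country: str, hour_utc: int,
           authenticated: bool = True, posture_ok: bool = True) -> Tuple[bool, str]:
    """Convenience wrapper over evaluate() for the sample topology."""
    when = datetime(2022, 6, 1, hour_utc, 0, tzinfo=timezone.utc)
    req = Request(NODES[src], NODES[dst], country, when, authenticated, posture_ok)
    return evaluate(RULES, req)


if __name__ == "__main__":
    print(decide("alice-laptop", "ledger-db", "US", 10))  # (True, 'allowed via finance')
    print(decide("alice-laptop", "ledger-db", "DE", 10))  # (False, 'finance: geofence blocks DE')
    print(sorted(visible_peers(NODES["bob-laptop"], NODES)))  # ['alice-laptop', 'build-server']
```

Two design points are worth noting. Membership is checked before any contextual rule, so a node outside every shared network gets the same opaque "no shared private network" answer regardless of where or when it asks, which is what keeps protected nodes undiscoverable. And because a pair of nodes can share more than one private network, the evaluation is allow-if-any-network-permits, with every network's refusal reason collected for the audit trail.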
Managed from the public cloud as a multitenant service, administrators simply deploy agents on endpoints and servers or deploy gateways on private or public cloud instances to connect remote users and devices to applications on-premises or in the cloud. By eliminating the need for hardware infrastructure and multiple point products, Ananda Networks claims network and security savings of 90% or more compared to legacy MPLS-based solutions and over 50% compared to competitive SD-WAN or SSA solutions.
Strengths: Ananda SG-LAN offers a unified approach to accelerating, orchestrating, and securing network traffic, with several patent-pending networking protocol and route selection innovations expected to boost network speed and quality. Ananda requires no fixed infrastructure and offers setup times of as little as 15 minutes, simplifying network design, deployment, and management and resulting in significant cost savings. Ananda also supports connectivity to SaaS applications, including G Suite, Microsoft Office 365, and Salesforce.com, with a private SG-LAN tunnel protecting traffic and accelerating access to the service.
Challenges: Ananda provides real-time traffic monitoring and basic analysis, but since it’s an overlay network, troubleshooting SG-LAN issues can be challenging, with third-party security information and event management (SIEM) products required for in-depth analysis. SG-LAN also relies on third-party integrations for ensuring device posture, browser isolation, content filtering, real-time inspection, and sandboxing. A tiered solution providing management for multiple organizations from a single console is under development for very large enterprises or MSPs. Prospective clients should be aware of their needs and work with Ananda to ensure comprehensive threat coverage.
Symantec's enterprise security portfolio, acquired by Broadcom in 2019, is recognized as an industry leader in endpoint protection and threat detection. The portfolio comprises multiple security solutions: Symantec SASE (Cloud Secure Web Gateway, CloudSOC CASB, Data Loss Prevention, Encrypted Traffic Management, and Web Isolation), Symantec XDR (Cloud Workload Protection, Endpoint Security Complete, Information Centric Analytics, Integrated Cyber Defense Exchange, Secure Web Gateway, and Security Analytics), and Symantec Zero Trust Security (Secure Access Cloud). In addition, Symantec's Integrated Cyber Defense Exchange (ICDx) provides centralized event collection, normalization, and archiving across Broadcom, Symantec, and third-party solutions, supporting compliance assurance for corporate assets and forwarding event data to SIEM and security orchestration, automation, and response (SOAR) tools as required.
Figure 3. Broadcom at-a-Glance
Utilizing a platform approach, user traffic is steered to Symantec Integrated Cyber Defense (ICD) via the closest PoP, where key security capabilities are applied. The core of the Symantec solution, Symantec Web Protection, delivers a broad set of advanced capabilities—including antivirus scanning, data loss prevention (DLP), email security, sandboxing, an SWG, software-defined perimeter (SDP), and web isolation—and makes them available from the cloud. Symantec Web Protection runs on Google Cloud Platform (GCP) to take advantage of its global, edge-optimized private network backbone, enhancing the speed and scalability of Symantec’s service delivery. Moreover, in countries where Amazon Web Services (AWS) has a local presence, Symantec uses the platform to meet regulatory data governance requirements.
Symantec also provides customer access to its Global Intelligence Network (GIN), one of the world's largest civilian threat collection networks, via embedded integration with Symantec's flagship product, Endpoint Security Complete. A comprehensive endpoint security solution, Endpoint Security Complete includes Active Directory defense, endpoint detection and response, threat hunting, and other advanced technologies. In addition, Symantec offers solutions for protecting workloads running in AWS, Microsoft Azure, GCP, and Oracle Cloud Infrastructure, and in Docker containers running on-premises and across public and private clouds.
Symantec’s comprehensive portfolio includes several acquired and licensed technologies with various levels of functional and management integration. For example, acquisitions include Blue Coat Systems in 2016 (SWG), Luminate Security in February 2019 (ZTNA), Bay Dynamics in December 2019 (user and entity behavior analytics [UEBA]), and AppNeta in 2021 (digital experience monitoring).
Strengths: Symantec’s comprehensive security portfolio offers a broad set of critical security capabilities. Providing cross-control-point visibility and correlated threat intelligence, ICDx collects, normalizes, and archives events from endpoints and from Symantec and third-party solutions, forwarding event data to SIEM and SOAR tools for automated response. In addition, the Symantec Global Intelligence Network (GIN) boosts security with one of the industry’s broadest and deepest sets of threat intelligence, leveraging AI-enabled insights derived from over 175 million endpoints, 80 million web proxies, and 126 million attack sensors.
Challenges: Symantec’s broad portfolio and pricing models are difficult to navigate, with many products focused on specific capabilities, and Broadcom's pending acquisition of VMware, which has an SSA solution of its own, will only complicate the situation. Not all products are integrated to the same degree at a functional level, which is why ICDx is needed to correlate events from Symantec and third-party point products. The portfolio also lacks strategic SD-WAN partnerships and end-to-end, integrated data protection spanning cloud, email, endpoint, internet, and network. In addition, the Broadcom acquisition appears to have caused some disruption, with responsibility for sales and support devolved to regional distributors and partners.
Founded in 2015, Cato Networks was one of the first vendors to launch a global cloud-native service converging SD-WAN and security as a service. Developed in-house from the ground up, Cato SASE Cloud connects all enterprise network resources—including branch locations, cloud and physical data centers, and the hybrid workforce—within a secure, cloud-native service. Delivering low latency and predictable performance via a global private backbone, Cato SASE Cloud optimizes on-premises and cloud connectivity, enabling secure remote access via client and clientless options. In addition, Cato SASE Cloud’s cloud-native security engine enforces granular corporate access policies across all on-premises and cloud-based applications, protecting users against security breaches and threats.
Figure 4. Cato Networks at-a-Glance
A geographically distributed, service level agreement (SLA)-backed network, Cato SASE Cloud runs over a global private backbone of more than 70 PoPs interconnected by multiple Tier 1 network service providers. The backbone’s cloud-native software provides defense in depth with full encryption, distributed policy enforcement, automated load balancing, dynamic route selection, self-healing capabilities, and built-in cloud and WAN optimization for maximum end-to-end availability and throughput. Sites and users connect to the PoPs over IPsec tunnels or through Cato virtual sockets, and Cato PoPs are colocated in the same physical data centers as leading cloud providers, providing fast on-ramps to cloud instances at no additional cost. In addition, Cato’s edge SD-WAN device, the Cato Socket, provides last-mile redundancy using application-based dynamic path selection driven by quality of service (QoS) policies and measured provider link performance, packet loss, and jitter.
Each Cato PoP comprises multiple compute nodes running the Cato Single Pass Cloud Engine (Cato SPACE), a converged, self-healing software stack that extracts context from the traffic flow, applies the relevant user policies, and runs all of Cato’s access, network, and security engines in parallel. Each Cato SPACE can handle up to 3 Gbps of encrypted traffic from one or more edge tunnels, and tunnels are distributed across Cato SPACEs within the Cato SASE Cloud to adapt to changes in overall load.
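Application-based dynamic path selection of the kind the Cato Socket performs at the last mile is a well-understood SD-WAN technique: each application class carries QoS thresholds, each link is continuously measured, and traffic is steered to a link that satisfies the thresholds, falling back gracefully when none does. The following is an added example written for this report to show that logic end to end; it is not Cato's code, and the thresholds, the scoring formula, the switch margin, and the sample link measurements are all assumptions constructed here.

```python
"""Application-aware SD-WAN path selection (added illustration, not Cato's code).

Given per-link measurements (latency, loss, jitter, relative cost) and a
per-application QoS profile, pick the link that satisfies the application's
thresholds, degrade gracefully when none does, and avoid flapping between
near-equal links. Thresholds, scoring, and the sample links are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Link:
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    cost: float  # relative cost per unit of traffic (assumed)


@dataclass(frozen=True)
class AppProfile:
    name: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    cost_weight: float  # how much cost matters once QoS is satisfied


def meets_sla(link: Link, app: AppProfile) -> bool:
    """True if every measured metric is within the application's limits."""
    return (link.latency_ms <= app.max_latency_ms
            and link.loss_pct <= app.max_loss_pct
            and link.jitter_ms <= app.max_jitter_ms)


def score(link: Link, app: AppProfile) -> float:
    """Lower is better: metrics normalized to the app's limits, plus weighted cost."""
    return (link.latency_ms / app.max_latency_ms
            + link.loss_pct / app.max_loss_pct
            + link.jitter_ms / app.max_jitter_ms
            + app.cost_weight * link.cost)


def select_path(app: AppProfile, links: List[Link],
                current: Optional[str] = None,
                switch_margin: float = 0.2) -> Tuple[str, bool]:
    """Return (chosen link name, True if that link meets the app's SLA).

    Only links within SLA are candidates. If none qualifies, the least-bad
    link is used so traffic keeps flowing. When a current link is given and
    still qualifies, a new link must beat its score by switch_margin
    (a fraction of the current score) before traffic is moved.
    """
    within = [l for l in links if meets_sla(l, app)]
    pool = within or list(links)
    best = min(pool, key=lambda l: (score(l, app), l.name))
    if current is not None:
        cur = next((l for l in pool if l.name == current), None)
        if cur is not None and score(best, app) > score(cur, app) * (1 - switch_margin):
            best = cur  # improvement too small; stay put to avoid flapping
    return best.name, bool(within)


# Constructed application profiles and link measurements (assumptions).
VOICE = AppProfile("voice", max_latency_ms=150, max_loss_pct=1.0,
                   max_jitter_ms=30, cost_weight=0.0)
BULK = AppProfile("backup", max_latency_ms=500, max_loss_pct=5.0,
                  max_jitter_ms=200, cost_weight=1.0)

HEALTHY = [Link("mpls", 20, 0.1, 2, cost=3), Link("fiber", 15, 0.05, 1, cost=1),
           Link("lte", 90, 2.0, 40, cost=5)]
# The same site after its fiber circuit degrades (latency, loss and jitter up).
DEGRADED = [Link("mpls", 20, 0.1, 2, cost=3), Link("fiber", 200, 3.0, 60, cost=1),
            Link("lte", 90, 2.0, 40, cost=5)]

if __name__ == "__main__":
    print("voice, healthy :", select_path(VOICE, HEALTHY))    # ('fiber', True)
    print("voice, degraded:", select_path(VOICE, DEGRADED))   # ('mpls', True)
    print("bulk,  degraded:", select_path(BULK, DEGRADED))    # ('fiber', True)
```

The point the example makes is that path selection is per application rather than per site: after the fiber circuit degrades, voice moves to MPLS because the degraded link violates its jitter and loss limits, while backup traffic stays on the cheap fiber link because it remains inside the far looser bulk thresholds. The switch margin is what prevents two links with near-identical measurements from causing constant re-steering.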
Embedded in the Cato SPACE architecture, Cato Security as a Service is a fully managed suite of agile, enterprise-grade network security capabilities, including CASB, FWaaS, SWG, ZTNA, and DLP. Self-service management, monitoring, and analytics are provided through the intuitive Cato Management Application, enabling users to configure policies directing SaaS traffic from any PoP to egress from the PoP closest to the SaaS instance, enhancing the user experience and improving security via a single interface. In addition, Cato offers client or clientless browser access options, with the Cato SDP/ZTNA Client providing secure connections for remote users to enterprise applications.
Since 2015, Cato claims to have onboarded over 1,200 enterprises in more than 150 countries, connecting nearly 11,000 data centers (physical and cloud), offices, and branches encompassing some 250,000 remote SDP and zero-trust users. Cato continuously enhances and extends the software stack with additional features—such as remote browser isolation (RBI)—leveraging the Cato SASE Cloud’s global footprint, resiliency, scalability, and self-healing capabilities. In addition, Cato and its partners offer managed service options, including site deployment, network and security policy configuration, intelligent last-mile monitoring, and managed detection and response (MDR).
Strengths: Cato SASE Cloud is a converged cloud-native, single-pass platform connecting end-to-end enterprise network resources—including branch locations, cloud and physical data centers, and the hybrid workforce—within a secure global service. Leveraging a global SLA-backed network of over 70 PoPs, Cato’s global private backbone includes WAN optimization and is self-healing. Based on existing case studies, customers using Cato SASE Cloud have increased network availability, capacity, performance, and security with the same network spend.
Challenges: As a relatively new entrant, Cato is rapidly evolving its capabilities, with CASB, DLP, and RBI features recently added or about to be released. However, Cato needs to improve its tiered support capabilities and provide integrations with third-party monitoring platforms. In addition, Cato needs to execute on its strategy for adding PoPs closer to customers to further improve performance and resiliency.
Founded in 1993, Check Point Software Technologies is a leading provider of hardware and software security solutions with an installed base of over 100,000 enterprise and government customers. A multilevel security architecture, Check Point Infinity provides consistent, real-time threat protection against fifth and sixth generation cyberattacks spanning clouds, endpoints, and networks—all managed via a single dashboard. Leveraging Check Point SandBlast, an advanced network threat prevention solution comprising over 30 different technologies, Infinity combines CPU-level detection with sophisticated OS-level sandboxing techniques for advanced AI-based threat prevention and zero-day protection.
Figure 5. Check Point at-a-Glance
A cloud-native service, Harmony Connect comprises multiple network security products offering a choice of remote application- or network-level access to cloud and on-premises applications. Enforcing an identity-centric, zero-trust access policy to secure any internal corporate application residing on-premises or in private or public clouds, Harmony Connect includes advanced threat protection, DLP, an intrusion prevention system, a next-generation firewall, a secure web gateway (SWG), and zero-trust network access (ZTNA).
Harmony Connect integrates with identity solutions to provide single sign-on and multifactor authentication (MFA) access. In addition, Harmony Connect offers clientless application-level access and client-based network-level access deployed side-by-side via the same interface to accommodate different use cases and personas.
- Clientless application-level access provides agentless Layer 3 or Layer 7 access for business and third-party users, complete visibility and granular in-app controls for administrators, privileged access management (PAM), and automated server onboarding for DevOps.
- Client-based network-level access provides Layer 3 network connectivity from any managed device based on customizable, zero-trust access policies. Offering increased flexibility in supporting applications and protocols, this option includes embedded cloud DLP and industry-leading IPS to protect applications from the latest vulnerabilities.
Check Point claims that Harmony Connect, which is tightly integrated with third-party SD-WAN services, can be deployed within minutes, applying zero-trust policies that combine client- and cloud-based protection to deliver enterprise-grade security with less than 50 ms latency and 99.999% uptime. Supplementing Harmony Connect’s device posture validation, CloudGuard Posture Management also visualizes and assesses an enterprise’s security posture across multiple clouds, detecting misconfigurations, automating and enforcing policies, and mitigating insider threats. In addition, Check Point offers managed detection and response (Infinity MDR) and network detection and response (Infinity NDR) services, leveraging Check Point ThreatCloud’s real-time threat intelligence and AI-based analytics tools to detect, hunt, isolate, and remediate attacks.
Check Point capabilities have resulted from targeted acquisitions over the last three years, with functional integration progressing at different rates. Check Point’s recent acquisitions include ForceNock (ML-powered behavioral and reputation-based security) in January 2019, Cymplify (embedded security for IoT devices) in November 2019, Protego (security and visibility for serverless applications) in December 2019, Odo Security (cloud-based, clientless SASE technology) in September 2020, Avanan (inline protection email security) in August 2021, and Spectral (fast code scanning for infrastructure as code) in February 2022.
Strengths: Check Point offers a comprehensive, award-winning security portfolio with over 100 US patents issued or pending. Harmony Connect offers both clientless application-level access and client-based network-level access, and Check Point claims it can be deployed within minutes, applying zero-trust policies that combine client- and cloud-based protection to deliver enterprise-grade security with less than 50 ms latency and 99.999% uptime.
Challenges: While Check Point Infinity provides a multilevel security architecture spanning clouds, endpoints, and networks, the rate at which Check Point acquires companies may result in delays before end users can benefit from fully integrated capabilities at a functional level. In addition, Check Point solutions are sold, integrated, and supported by a global network of certified partners, with expertise and experience varying significantly between partners.
Founded in 1984 and the largest SD-WAN solution provider globally with over 30,000 customers, Cisco has developed an SSA strategy combining networking with a broad set of security functions in the cloud and end-to-end observability, allowing customers to expand their existing on-premises and cloud capabilities. Incorporating Cisco AnyConnect, Cisco SD-WAN (powered by Meraki and Viptela), Cisco Umbrella, Cisco Secure Access by Duo (also referred to simply as Duo), and Cisco ThousandEyes, Cisco’s SSA architecture combines client connectivity, networking, security, observability, and control point products packaged as a single offering.
Figure 6. Cisco at-a-Glance
Providing a wide range of security services from any device, Cisco AnyConnect is a security endpoint agent comprising various functions such as remote access, web security features, roaming protection, and posture enforcement. Offering a predictable user application experience, Cisco SD-WAN is a cloud-delivered overlay WAN architecture connecting branches to headquarters, data centers, and multicloud environments with centralized network analytics, management, and policies. Acquired by Cisco in 2012, Meraki combines all aspects of SD-WAN configuration, monitoring, and management in a single cloud-based controller available on a subscription basis. In contrast, Viptela, acquired in 2017, is an on-premises solution with individual appliances dedicated to different functions entailing high upfront deployment costs and ongoing in-house maintenance.
As the name suggests, Cisco Umbrella unifies multiple security capabilities within a single cloud-delivered service utilizing a microservices-based architecture, reducing the time, money, and resources required to deploy, configure, manage, and protect distributed locations, devices, and users. Providing global coverage via Cisco SD-WAN and over 1,000 of the world’s top internet service providers (ISPs), content delivery networks (CDNs), and SaaS platforms, Cisco Umbrella incorporates integrated DNS-layer security, CASB functionality, a cloud-delivered firewall (CDFW), a full proxy SWG, and threat intelligence solutions into a single cloud service. The CDFW monitors Layer 3, 4, and 7 activity, blocking unwanted traffic using IP, port, and protocol rules, and utilizes signature detection to recognize applications before taking appropriate action.
Duo (acquired in 2018) provides centralized ZTNA controls to verify user identity and device health, establish trust, enforce policies, and ensure continuous visibility to reduce the risk of data breaches and meet compliance standards. Duo also offers single sign-on (SSO), MFA, remote access with or without VPN, adaptive policies, and complete device visibility. Performing root cause analysis and pinpointing the source of issues across application providers and internal, service provider, and cloud networks, ThousandEyes (acquired in 2018) provides end-to-end visibility of every dependency and deep insights for monitoring and managing digital experiences.
In addition, Cisco Umbrella takes advantage of threat intelligence from Cisco Talos, one of the largest commercial threat intelligence teams available globally, utilizing advanced statistical and machine learning models to identify new attacks and automate responses across multiple security products. Cisco SecureX (included with all Umbrella subscriptions) further accelerates threat investigation and remediation.
Strengths: Cisco’s product portfolio includes a broad range of robust capabilities, with advanced observability capabilities and digital experience monitoring and management (DEMM) with ThousandEyes. With one-click integration and automated deployment options, Cisco offers a combined Cisco SD-WAN and Umbrella package, quickly connecting users with hundreds of remote applications monitored via a consolidated, cloud-based dashboard with simplified management and consistent policy control.
Challenges: Despite Cisco Umbrella “unifying”—or bundling—security products and packaging them as a single, easy-to-use cloud service in keeping with market trends, the underlying point products are not as tightly integrated as customers may wish. In addition, Cisco’s SSA portfolio is not yet available as a single-subscription service, with customers having to enter license agreements for each point product. Finally, as “open” network and security vendors accelerate innovation in this space, Cisco users may find themselves locked into different code bases and an aging product portfolio.
Founded in 1989 and with products used by over 100 million users in more than 400,000 organizations (including 98% of the Fortune 500), Citrix is an established player in the security and user experience market. Leveraging and enhancing Citrix’s digital workspace solution, Citrix Workspace, the Citrix SSA solution unifies SD-WAN, zero-trust access, and comprehensive, cloud-delivered security in a single, centralized architecture integrated with third-party identity and authentication solutions and SIEM providers, including Azure Sentinel and Splunk. On January 31, 2022, Citrix announced that it had been acquired by two private equity firms, Elliott Investment Management LP and Vista Equity Partners, and that Citrix’s secure digital workspace and application delivery suite would be combined with TIBCO’s real-time intelligent data and analytics capabilities.
Figure 7. Citrix at-a-Glance
Available as a single-pass architecture with data packets decrypted and inspected only once and used by all policy engines, Citrix’s SSA solution incorporates Citrix Secure Internet Access (SIA), Citrix Secure Private Access (SPA), Citrix SD-WAN, Citrix Analytics for Security, and Citrix Cloud Console.
All five products are integrated at the source-code level, both in the data plane and in the management plane, with data plane integration enabling automation with built-in resiliency, unique performance optimizations, and analytics sharing. The integration of the management plane is evidenced by the unified console available on Citrix Cloud. In addition, the licensing structure for SSA has been aligned with Citrix’s flagship product, Citrix Workspace, making it easier for both existing and new customers to adopt a holistic solution. Moreover, each service can be deployed standalone and unified over time to provide an end-to-end SSA solution, depending on the requirements of the enterprise.
Citrix SIA provides comprehensive cloud security (SWG, FW, DLP, CASB, malware protection, remote browser isolation, and sandboxing). Offering full security functionality for consistent protection irrespective of location, Citrix SIA has over 100 PoPs deployed globally, reducing application latency. At the same time, direct internet access provides secure access without backhauling traffic to an on-premises data center. There is no hardware to deploy, no software updates or patches required, and an inherent, built-in ability to scale. Enabling compliance with local and global regulations, Citrix SIA’s multitenant, instance-based architecture offers complete data segregation and sovereignty, along with IP addresses retained and extended into the cloud for upstream integration with SaaS providers as required by law.
Incorporating adaptive authentication and adaptive access, Citrix SPA offers ZTNA (MFA, RBI, and SSO for SaaS and VDI applications) via a cloud-delivered architecture, allowing IT teams to set security policies based on where and how apps are used. SPA also enforces contextual access control policies driven by continuous assessment and verification of the end user’s identity, geolocation, device posture check, and user risk score, with end-to-end visibility across sanctioned applications and users.
Managed from the same unified Citrix Cloud management console as SPA, Citrix SD-WAN also offers deep integration with Citrix SIA, automating the setup of resilient tunnels to Citrix SIA points of presence. In addition, Citrix Analytics for Security automates security enforcement based on user behavior and anomalies, compiling personalized risk scores for each user and using built-in machine learning to assess, detect, and prevent threats in real time.
Strengths: Citrix is trusted by 100 million users across 400,000 organizations, including 98% of the Fortune 500. Leveraging its long-standing reputation as a leading digital workspace provider, Citrix offers converged networking and security services that allow vendor consolidation. Delivered via a “thin branch, heavy cloud” architecture, Citrix provides fast, secure access to the internet, SaaS apps, and Citrix Workspace over direct internet access (DIA) connections.
Challenges: While Citrix integrates several networking and security capabilities at the source code level and unifies them under a common cloud console, integrating them to create a seamless administrator experience with a bundled acquisition model is ongoing. Moreover, the acquisition of Citrix and its combination with TIBCO adds some uncertainty for customers with regard to product roadmaps and future strategy.
Founded in 2009, Cloudflare debuted Cloudflare One, a zero-trust, network as a service (NaaS) platform, in 2020. Cloudflare One dynamically connects remote users, offices, and data centers and the resources they need with identity-based security controls delivered at the edge. A component of Cloudflare One, Magic WAN replaces MPLS links and SD-WAN deployments with a single network comprising global, cloud-based zero-trust security, performance, and control via a single user interface. Cloudflare One gateways are available in more than 270 cities, spanning over 100 countries, interconnecting over 10,000 networks globally, and providing consistent, standardized services with single-pass traffic inspection and routing to ensure a consistent user experience.
Figure 8. Cloudflare at-a-Glance
Delivering security at the edge and single-pane management, Cloudflare One offers secure remote access, SWG (including recursive DNS, HTTPS proxy, remote browser isolation, and a connectivity client for major OSes), DDoS protection (including FWaaS for Layer 3 and 4 networks), and traffic acceleration. Moreover, in February 2022, Cloudflare announced the acquisition of Area 1 Security and Vectrix. Working seamlessly with any email solution, Area 1 Security’s cloud-native platform preemptively discovers and stops phishing attacks before they inflict damage in a corporate environment. In addition, Vectrix’s API-driven CASB extends the security of Cloudflare One to data stored in SaaS applications, providing zero-trust control of both data-at-rest and data-in-transit.
Encompassing data centers in over 270 cities located around the globe, Cloudflare claims its Anycast network is one of the most available, extensive, and interconnected, with a global uptime SLA of 100% and PoPs located less than 50 ms from 95% of the internet-connected population in the developed world. Running every security service at every Cloudflare data center, Cloudflare One uses a serverless computing platform (Cloudflare Workers) deployed at the edge, enabling the rapid delivery of innovations to improve performance, enhance security, and increase reliability. In addition, intelligent routing accelerates customer traffic from any user to any resource, while policy changes and threat intelligence updates are propagated from users to every PoP worldwide within 500 ms.
Cloudflare One provides onramps to connect users, devices, or locations to Cloudflare’s edge (agents for endpoints and IP transit or network interconnects). At the same time, filters shield networks from attacks (Magic Transit), inspect and isolate traffic for threats (Cloudflare Gateway), and apply least-privilege rules to data and applications (Cloudflare Access). In June 2021, Cloudflare announced new integrations with Datadog, Microsoft Azure Sentinel, Splunk, and Sumo Logic to make it easier for businesses to connect and analyze key insights across their infrastructure.
Cloudflare offers a free zero-trust plan for up to 50 users in three network locations, with additional capabilities available through a pay-as-you-go model or annual enterprise contracts.
Strengths: Delivered across Cloudflare’s infrastructure and available in over 100 countries, Cloudflare One can be purchased both directly by enterprise customers and through a range of channel partners. With every Cloudflare data center running every security service, Cloudflare One enables customers to enforce zero-trust security policies at the edge, rationalizing complex deployments and improving security, performance, and cost efficiency across users, offices, and data centers for on-premises applications, SaaS applications, and internet connections.
Challenges: Despite an impressive array of capabilities and partners, Cloudflare lacks the visibility of some of its larger competitors. In addition, Cloudflare has an ambitious roadmap for rolling out new features (Cloudflare launched more than 550 products or features in 2020 and 161 in Q1 2021), with rapid iteration and development core to Cloudflare’s strategy. However, while this approach offers new capabilities and testing at scale, regular upgrades can cause disruption, and customers may have difficulty effectively implementing new features.
Founded in 2021 with technology incubated since 2010, Dispersive provides a programmable, self-healing, and resilient network for mission-critical solutions with deep obfuscation of control elements. Inspired by battlefield-proven wireless radio techniques, the DispersiveFabric offers a radically different software approach to delivering security, reliability, and performance across networks, creating virtual active/active multipath mesh networks with rolling encryption keys and granular access controls across any user, IoT device, location, cloud, infrastructure, or service edge. Designed primarily for SMBs, DispersiveCloud is a hosted solution leveraging the same high-performance, next-generation network fabric as DispersiveFabric, but it is easier for providers to deploy and manage on their own hosted cloud architecture.
Figure 9. Dispersive at-a-Glance
A software-defined overlay network deployed on physical network devices, in containers, or as virtual appliances throughout the network, DispersiveFabric leverages a microservices architecture with built-in segmentation, aggregating all available connections to maximize bandwidth before dispersing application traffic across encrypted channels. Guaranteeing packet delivery, DispersiveFabric intercepts packet data on edge devices, splitting session-level IP traffic into multiple independent and individually encrypted packet streams, then transfers each stream using a different path across the internet. Finally, the authenticated destination reassembles the split streams, with missing packets re-requested to ensure packet delivery.
With built-in acceleration offering up to a 10x performance improvement over SD-WAN and VPN-based solutions, DispersiveFabric monitors every connection and adapts to changing conditions, including BGP, DoS, DDoS, and man-in-the-middle attacks. If traffic congestion or an attack anomaly is detected, DispersiveFabric dynamically deflects packets away from degrading paths or threats in real time, maintaining QoS levels by reducing overall latency and packet loss. Easier to provision and administer than many other solutions, Dispersive endpoints only call out to the deflects, eliminating IPv4/6 challenges and NAT issues. In addition, Dispersive applies the same controls and administrative abilities to IoT devices, gateways, and cloud solutions.
Red team tested—simulating a realistic cyberattack employing recently used methods and techniques for real-world attacks against businesses—and field-proven under military-grade attacks, DispersiveFabric has established a reputation for resilience and network reliability within the United States Federal Government. Dispersive’s subscription-based product functions as a platform, supporting partner integrations via a REST API. In addition to DispersiveCloud and DispersiveFabric, Dispersive offers DispersiveCloud SaaS, a fully managed solution with rearchitected web and API-based provisioning tools supporting increased granularity and simpler management.
Strengths: Easy to provision and administer, Dispersive maximizes bandwidth by aggregating all available connections into one large logical pipe, allowing ad hoc networks to be deployed in a fraction of the time compared to most other solutions. Spread-spectrum IP obfuscates source-destination relationships, traffic patterns, and data payload dispersal, securing data in transit against nation-state threat actors and supply chain attacks. Supporting autonomous networking, blockchain, and IoT, DVN increases performance and detects and defends against security attacks with a self-healing, resilient network.
Challenges: Initially targeting government and military sectors, Dispersive lacks buyer awareness in the enterprise space. As a network-focused company, it needs to forge strong partnerships with security partners to fill gaps in its portfolio while simultaneously expanding its AIOps, containerization, and IoT capabilities.
Founded in 2018 by Cisco veterans, Elisity delivers centrally managed, zero-trust access security to protect corporate data and critical assets from malicious lateral movement across the network. Built on the principle of cognitive trust—a new approach to network access enabling secure connectivity at the asset level based on contextual knowledge collected over time—Elisity Cognitive Trust enables organizations to quickly gain visibility into network assets and traffic flows and begin building policies to protect critical assets based on a combination of identity, location, permissions, and behavior.
Figure 10. Elisity at-a-Glance
Effectively untangling security from underlying network constructs, Cognitive Trust secures hybrid infrastructure environments with a ubiquitous policy fabric that follows assets irrespective of location. Integrating with user identity and device telemetry providers, the platform continuously gleans identity and telemetry data to derive applicable policies at a granular level. It then presents options to the administrator for enforcing identity-based microsegmentation and least-privilege access for users, applications, and devices (managed and unmanaged) on-premises and in the cloud, including IoT devices and previously unmanaged rogue devices.
A cloud-native, cloud-delivered solution, Elisity Cognitive Trust leverages existing investments to enforce policies on multiple OSI levels (L2, L3, and L4) as close to the assets as possible, turning Cisco, Dell, Extreme, and other vendor switches into intelligent policy enforcement points. The cloud-based control plane can be layered across existing WAN and SD-WAN infrastructure or deployed as an overlay on a managed WAN/SD-WAN service to support both brownfield and greenfield environments. In edge locations where compute resources are not available, Cognitive Trust makes use of hypervisors.
Built from the ground up, Elisity Cognitive Trust supports a range of identity-based microsegmentation and least privilege access use cases, including securing operational technology (OT and IIoT) at industrial plants, medical devices (IoMT) at healthcare facilities, IoT devices on campuses and branches, and different users and user groups on-premises.
Elisity Cognitive Trust comprises Elisity Cloud Control Center and Elisity Virtual Edge.
- Elisity Cloud Control Center is a centralized, multitenant administration platform for visualizing identities, flows, policies, and anomalies. In addition, the cloud-based portal abstracts and centralizes security access policies and provides analytics.
- Deployed as a container or VM on a hypervisor to support other platforms, Elisity Virtual Edge turns existing assets into SDP gateways, enabling transactional segmentation.
Strengths: Elisity Cognitive Trust simplifies licensing, deployment, and operations by leveraging existing infrastructure investments as policy enforcement points with no additional hardware required other than SSD drives for switches. The company claims that Elisity Cognitive Trust can be deployed in one-third of the time compared to competitors and at one-fourth of the cost. In addition, the platform integrates with each customer’s existing identity provider solutions for identity and telemetry data.
Challenges: Founded and managed by Cisco veterans, Elisity Cognitive Trust was initially designed to support Cisco environments. While this niche is potentially lucrative, Elisity is adding support for a broader set of vendor devices, including Arista. Furthermore, Elisity needs to improve policy visualization, management, and optimization and use AI/ML models to automate policy recommendations based on asset behavior. In addition, the company currently does not have a ZTNA agent to support a hybrid workforce but is looking for a best-of-breed partner to fill the gap. Finally, as a startup, Elisity lacks visibility and a robust support structure but is ramping up its in-house and partner support resources.
Founded in 1993, Ericom Software develops application virtualization, remote browser isolation, remote desktop, and terminal emulation technologies available on-premises or as a cloud service. In 2021, Ericom released ZTEdge, an all-in-one cloud security platform built from the ground up, leveraging the isolation core and global cloud platform capabilities supporting Ericom’s RBI service. Designed specifically for small businesses and midsize enterprises, the elastic, scalable, and IaaS-agnostic ZTEdge architecture enables resilient, high-performance delivery of the platform’s broad security services. Leveraging modern cloud architectures and technologies and a compact, unified code base, ZTEdge provides dedicated, purpose-built zero-trust controls over a private cloud backbone that runs on public cloud services offered by Tier-1 cloud infrastructure partners and regional providers.
Figure 11. Ericom Software at-a-Glance
Eliminating the threat of credential theft, phishing, ransomware, and other cyberattacks, ZTEdge offers robust access control, data security scanning and policy enforcement, and threat prevention across all critical network traffic flows. Multiple built-in zero-trust technologies deliver defense-in-depth, including antivirus; content disarm and reconstruction (CDR); DLP; firewalls with IPS; microsegmentation; monitoring and traffic analysis; RBI; SWG; and ZTNA. Moreover, unlike most SSA platforms, ZTEdge provides identity and access management (IAM) as a built-in platform component. Eliminating the need for third-party IAM solutions, ZTEdge includes Automatic Policy Builder, a patent-pending ML-assisted technology for zero-touch granular user-level access policy creation and enforcement.
ZTEdge delivers identity-based segmentation for north-south and east-west traffic based on users, groups, location, time of day, and other contextual factors. IP-based controls and ZTNA capabilities hide applications and data assets from unauthenticated and unauthorized users and unsanctioned IP addresses attempting to access IT resources. ZTEdge also provides isolation-based application access security controls for unmanaged and managed devices via its Web Application Isolation (WAI) module.
In addition to connecting branches to data centers over a private cloud backbone, ZTEdge Cloud Area Network (CAN) enables secure, policy-based peer-to-peer connectivity spanning users, devices, and endpoints irrespective of location via a software agent. Built on a microservices architecture, ZTEdge CAN enables secure, high-performance peer-to-peer connections between endpoints in any location, leveraging globally dispersed tenant instances for exceptional portability. Each customer is provided their own tenant on the cloud backbone instance, reducing latency and delivering on-demand, optimized bandwidth. PoPs can be stood up in any IaaS environment, reducing latency for edge applications. Auto-scaling capabilities allow Kubernetes-based containers to be spun up or down within the cloud as utilization increases or decreases for optimal efficiency and performance.
All ZTEdge capabilities are developed in-house except for GateScanner, an optional content disarm and reconstruction feature Ericom OEMs from Sasa Software for customers without an existing CDR solution. In addition, several Ericom MSSP partners deliver ZTEdge as a managed service.
Strengths: Built from the ground up as a single unified platform for medium-sized businesses leveraging a high-availability cloud-first architecture, ZTEdge provides advanced isolation capabilities, autoscaling, built-in IAM and MFA, and robust ML-assisted policy generation, management, and traffic monitoring via a single console. ZTEdge CAN enables secure, high-performance peer-to-peer connections between endpoints. ZTEdge WAI provides a clientless isolation-based solution for unmanaged device application access security. In addition, ZTEdge is available as a managed service from certified MSSP partners.
Challenges: As a new entrant focused currently on medium-sized businesses, Ericom lacks some capabilities that may be requested by larger customers, including advanced SD-WAN capabilities such as application acceleration, XDR functionality, and network traffic analysis for improved visibility into packet flows traversing the ZTEdge Cloud Area Network. Since much of the core functionality is already in place, we expect Ericom to release these types of features over the next 12 to 18 months.
Founded in 1994, Forcepoint is a cybersecurity company delivering DLP technology and risk-adaptive protection (RAP) to ensure the trusted use of critical data and systems. Launched in February 2022, Forcepoint ONE is an all-in-one microservices-based cloud security platform providing access services, advanced threat protection, and data security. Evolved from Bitglass technology following its acquisition by Forcepoint in October 2021, Forcepoint ONE integrates multiple security capabilities under a single umbrella, allowing security teams to manage one set of policies covering all attack vectors through a single console. When combined with Secure SD-WAN, Forcepoint ONE’s distributed architecture provides a centralized management plane while distributing enforcement to the edge.
Figure 12. Forcepoint at-a-Glance
Unifying CASB, CDR, RBI, SWG, and ZTNA, Forcepoint ONE integrates with the company’s advanced threat protection and DLP capabilities to keep malware out and protect sensitive data across business applications and BYOD devices, eliminating the need for fragmented products. Forcepoint ONE enables security teams to manage a unified set of policies spanning all applications from a single cloud-based console connected to endpoint agents. Forcepoint ONE also provides agentless support for unmanaged devices.
In addition to integrating with third-party intrusion detection and prevention systems (IDPS), Forcepoint ONE applies login policies based on user group, user behavior, device posture, device location, and time of day to control access to the web, cloud, and private applications and data. A single set of DLP policies also protects against downloads and uploads of sensitive data and malware for managed SaaS apps and websites and detects and manages sensitive data and malware stored in managed IaaS and SaaS.
Forcepoint’s distributed architecture is designed specifically for hybrid environments, with the management of policies, analytics, and dashboard visualizations centralized in the cloud, with distributed enforcement at the endpoint for maximum performance and in the cloud for maximum depth of inspection (and soon at the network edge). Forcepoint ONE is deployed in AWS with more than 300 PoPs worldwide, providing low-latency connectivity and 99.99% uptime SLAs. In addition, elements of Forcepoint ONE can be deployed in Microsoft Azure and other leading cloud platforms. Forcepoint Secure SD-WAN is often deployed on private cloud stacks such as VMware.
Many Forcepoint ONE technologies are available as standalone products, including CASB, RBI, SWG, and ZTNA. In addition, annual per-user subscriptions allow customers to choose an all-in-one edition for web, cloud, and private app security, or start with the web-security edition and add support for cloud and private apps later. All subscriptions include centralized cloud management, unified policies with DLP, automated access via a unified endpoint agent, and comprehensive reporting. Additional advanced threat protection capabilities are expected later this year. Forcepoint ONE also provides zero-day threat protection through integrations with best-of-breed vendors, including Bitdefender, CrowdStrike, and Cylance.
Adding to Forcepoint’s DLP capabilities, Forcepoint’s comprehensive portfolio includes several acquired technologies with varying levels of functional integration available via a unified console. In addition to the Bitglass acquisition in October 2021, providing the core functionality (CASB, SWG, and ZTNA) for Forcepoint ONE, Forcepoint also acquired Cyberinc (RBI) in May 2021 and Deep Secure (CDR) in July 2021.
Strengths: Forcepoint claims that unlike competitors bundling portfolios of products, Forcepoint ONE uses an authentic, services-based architecture that enables multiple gateways, threat protection, and data security mechanisms to be powered from a single platform, a single set of policies, and a single console. In addition, the company claims that Slack’s product team reported that Forcepoint ONE CASB is the only solution with sufficiently low latency providing consistent managed access for Slack.
Challenges: While Forcepoint claims that Forcepoint ONE is fully integrated, the integration work is ongoing. Capabilities such as enterprise DLP and risk-adaptive protection (RAP) still need to be integrated so that enterprise DLP policies and risk-based automation are enforced across the CASB, SWG, and ZTNA channels, complementing the endpoint, network, and email channels already supported by Forcepoint’s enterprise DLP solution. Tighter integration with the management of Forcepoint Secure SD-WAN is also needed to simplify operations further.
Founded in 2000, Fortinet offers a comprehensive product portfolio supporting hardware, software, virtual machine, container, and cloud-based deployment options. The Fortinet Security Fabric is a broad, integrated, and automated platform encompassing over 30 orchestrated products spanning five key areas: zero-trust access, security-driven networking, dynamic cloud security, AI-driven security operations, and its alliance ecosystem. Fortinet acquired OPAQ Networks in July 2020, combining OPAQ’s purpose-built and patented zero-trust, multitenant network solution with the on-premises and data center Fortinet Security Fabric to create FortiSASE.
Figure 13. Fortinet at-a-Glance
FortiSASE is a cloud-delivered security service designed to secure remote users, combining cloud-delivered security services with flexible deployment options in a security-as-a-service model. Traffic is forwarded or redirected to the nearest FortiSASE data center either by the FortiClient agent or, for SWG use cases, by a PAC file that points browsers at an explicit proxy. FortiClient detects that the user is outside the corporate network and tunnels the traffic to the FortiSASE service, where corporate security policies are enforced, so that corporate-managed devices do not reach the internet unprotected.
Intuitive to deploy and manage, FortiSASE provides a single integrated system delivering consistent security and user experience across all edges. Powered by FortiOS and FortiGuard Labs AI-driven threat intelligence, FortiSASE provides next-generation firewall and SD-WAN capabilities, CASB, multicloud workload protection, advanced endpoint identity and MFA, browser isolation, web security, sandboxing, and web application firewall capabilities.
Highly scalable and elastic, FortiSASE is delivered in two primary form factors: FortiSASE Remote and FortiSASE Thin Edge.
- FortiSASE Remote terminates client traffic, scans it for known and unknown threats with up-to-date real-time protection, and enforces corporate security policies for users anywhere. Incorporating FWaaS, IPS, DLP, DNS, SWG, sandboxing, and natively integrated ZTNA, FortiSASE Remote delivers high-performance, always-on threat protection through the cloud to remote, off-network users via the FortiClient agent or an explicit proxy setup. To mitigate the risk of unprotected corporate-managed devices, FortiClient detects when the user is outside the enterprise network and reroutes traffic through a tunnel to FortiSASE Remote for off-net service, ensuring that security policies are enforced.
- Designed for organizations looking for a simple edge solution requiring fewer appliances, FortiSASE Thin Edge provides the same high-performance, always-on, cloud-delivered threat protection as FortiSASE Remote, but to thin-edge users via a FortiExtender appliance. FortiSASE Thin Edge can also be deployed over 5G/LTE using FortiExtender, enabling security administrators to deploy and scale security as a service (SECaaS).
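The explicit-proxy path described above (a PAC file steering browser traffic to a cloud SWG, with on-net and internal destinations left alone) is easy to get wrong in a way that silently fails open. The following proxy auto-configuration script is an added example, not a file from this report or from Fortinet: the proxy hostname (swg.example-sase.invalid), the corporate address range (10.0.0.0/8), and the internal domain (.corp.example.invalid) are placeholders assumed for illustration. Browsers supply the PAC helper functions (isInNet, dnsDomainIs, isPlainHostName, myIpAddress, dnsResolve) natively; the block defines minimal stand-ins so the decision logic can be exercised with Node outside a browser.

```javascript
// Added example (not vendor code): a PAC file for the explicit-proxy SWG path,
// plus minimal stand-ins for the browser's PAC helpers so it runs under Node.
// Proxy host, corporate range, and internal domain are hypothetical placeholders.

// --- Minimal PAC helper stand-ins (browsers provide these natively) ---
function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
// isInNet(ip, pattern, mask): true when ip lies inside the masked network.
function isInNet(ip, pattern, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}
// dnsDomainIs(host, domain): true when host ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
// isPlainHostName(host): true for single-label names such as "wiki".
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}
// In a browser myIpAddress() and dnsResolve() consult the host; here they are
// injected (constructed values) so the logic can be evaluated for each situation.
let clientIp = '203.0.113.10';   // constructed: an off-net client address
let resolver = () => null;       // constructed: no DNS answer by default
function myIpAddress() { return clientIp; }
function dnsResolve(host) { return resolver(host); }

// --- The PAC file itself (hypothetical values) ---
const SWG_PROXY = 'PROXY swg.example-sase.invalid:8080';   // assumed explicit proxy
const CORP_NET = ['10.0.0.0', '255.0.0.0'];                  // assumed on-net range
const CORP_DOMAIN = '.corp.example.invalid';                // assumed internal domain

function FindProxyForURL(url, host) {
  // 1. Internal names and private destinations never leave via the cloud SWG.
  if (isPlainHostName(host) || dnsDomainIs(host, CORP_DOMAIN)) return 'DIRECT';
  const resolved = dnsResolve(host);
  if (resolved && (isInNet(resolved, '10.0.0.0', '255.0.0.0') ||
                   isInNet(resolved, '172.16.0.0', '255.240.0.0') ||
                   isInNet(resolved, '192.168.0.0', '255.255.0.0'))) {
    return 'DIRECT';
  }
  // 2. On the corporate network the on-premises stack inspects traffic, so go direct.
  if (isInNet(myIpAddress(), CORP_NET[0], CORP_NET[1])) return 'DIRECT';
  // 3. Off-net: everything else goes through the cloud SWG. Deliberately no
  //    "; DIRECT" fallback: if the proxy is unreachable the browser fails closed
  //    rather than letting a managed device reach the internet uninspected.
  return SWG_PROXY;
}

// Evaluate the PAC decision for a given client address and DNS answer.
function decide(url, host, ip, dnsAnswer) {
  clientIp = ip;
  resolver = () => dnsAnswer;
  return FindProxyForURL(url, host);
}

// Stand-alone demonstration: an off-net user browsing a public site.
console.log(decide('https://www.example.com/', 'www.example.com',
                   '203.0.113.10', '93.184.216.34'));
```

The order of the rules matters: host-name and private-range checks come first so that internal traffic is never hairpinned through the SWG, the client-address check follows so on-net users rely on the on-premises stack, and the final return carries no DIRECT fallback. Appending "; DIRECT" to the last rule is a common convenience that turns an SWG outage into unprotected internet access for managed devices, which is exactly the condition the agent-based path is meant to prevent.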
FortiSASE leverages AI-enabled FortiGuard and FortiSandbox Cloud capabilities to protect against unknown attacks, using dynamic analysis to identify threats and create new signatures to block future attacks for automated mitigation. FortiSandbox Cloud analyzes suspicious files to see what they do when executed. If they are malicious, FortiSandbox Cloud creates a new signature so firewalls can stop future attacks immediately. Fortinet has over 30 PoPs but relies on peering relationships with partners to deliver connectivity via private backbones.
Strengths: Regardless of a user’s location, FortiSASE enforces unified firewall, networking, and security policies at all network edges by extending on-premises policies to remote users and their devices. The solution supports managed security services provider (MSSP) multitenancy deployment with delegated access for end customers while providing centralized visibility and management.
Challenges: Navigating Fortinet’s comprehensive portfolio of over 30 solutions—each providing different capabilities and supporting different deployment models—can be challenging. Fortinet currently lacks an SSA as a service offering. And while pricing varies according to each company’s needs, prospective clients should be aware that Fortinet’s portfolio targets large enterprises handling sensitive data and is priced accordingly.
Founded in 2012 by security and networking architects and engineers from Cisco, Juniper Networks, Palo Alto Networks, and VMware, Netskope claims to be the most well-connected network for cloud-native data security. Powered by data centers in over 40 regions—and burst capacity to 130 data centers if needed—with new data centers being added monthly, Netskope NewEdge is a carrier-grade, private cloud network reserved exclusively for Netskope customers. Running on top of it, Netskope Security Service Edge (SSE) is a data-centric, cloud-native security solution providing adaptive access and advanced data and threat protection. Netskope SSE offers complete visibility and real-time protection across cloud services, private apps, and websites, irrespective of location or device.
Figure 14. Netskope at-a-Glance
Netskope claims to be the only vendor combining a world-leading CASB, next-generation SWG capabilities, cloud-based security posture management, ZTNA, and advanced machine learning to detect unauthorized data exfiltration. Additional capabilities include advanced threat protection, DLP, a cloud firewall, remote browser isolation, user/entity behavior analytics, and advanced network analytics, all in a single-pass architecture delivered from a single platform, managed by a single console, and driven by a single policy engine.
Leveraging patented technology called Netskope Cloud XD, Netskope SSE converges network and security delivered as a service to eliminate blind spots with a granular, data-centric approach, enabling fine-grain control of IaaS and SaaS cloud services and websites. With complete control from within Netskope SSE, Cloud XD takes into account content and context to increase detection efficiency and accuracy, providing 360° data protection using a combination of big data analytics and advanced DLP capabilities.
Applying zero-trust principles to hybrid and multicloud architectures, Netskope’s continuous adaptive controls manage access, threat protection, and data movement. Explicit, granular access controls across applications, application instances, and application activities reduce the attack surface against primary threat vectors, including risky cloud applications, cloud phishing, and data loss through personal or sanctioned corporate applications. Combining Cloud XD’s rich context of over 41,000 cloud applications with trust scores for applications and users, Netskope SSE enforces data movement policies and threat prevention, providing inline user coaching and step-up challenges for unintentional or unapproved access or data movement to or between applications.
The Netskope SSE runs on Netskope NewEdge, which deploys full compute at every service point for real-time, inline traffic processing, eliminating performance trade-offs. With zero reliance on public cloud infrastructure or virtual points of presence (vPoPs), NewEdge can achieve sustained, single-digit millisecond latency. In addition, the platform offers direct peering with cloud, SaaS, and web providers—including Apple, Amazon, Google, Microsoft, Rakuten, Salesforce, and Tencent—in every location to deliver a secure, high-performance application experience.
Strengths: With over 80 patents, numerous awards, and more than 25% of the Fortune 100 as customers, Netskope is well-established as a leading cloud security provider. Converging networking and security within a single architecture and a single console, Netskope SSE offers advanced, fully cloud-native, real-time data policy enforcement with cloud performance and scale.
Challenges: Netskope SSE lacks DNS security (DNSS), EDR, XDR, NDR, SSA as a service (SSAaaS), firewall support for Layer 7 application controls, and agentless protection. Netskope continues to expand its security capabilities through “silent” acquisitions but still lacks many of the features available in other solutions. While those acquisitions will benefit customers in the long run, in the interim customers can expect some disconnect between the different products, including complex licensing models and the need to install agents on users’ devices to achieve maximum value.
Palo Alto Networks
With over 80,000 customers in more than 150 countries, Palo Alto Networks has been an established player in the market since 2015. In October 2021, the company launched Prisma SASE, combining the functionality of Prisma Access and Prisma SD-WAN with CASB, FWaaS, SD-WAN, SWG, and ZTNA 2.0 in a single offering—with end-to-end visibility and autonomous digital experience management (ADEM) and remediation. A next-generation CASB helps organizations enable the safe use of thousands of SaaS applications with proactive visibility, real-time data protection, and comprehensive security, while integration with the Cloud Identity Engine (CIE) provides unified policy and identity with frictionless authentication and simplified setup for hybrid workforces. In addition, integration of Prisma Access with Okyo Garde provides enterprise-grade cybersecurity for work-from-home employees and small businesses, segmenting corporate and personal networks to reduce the threat of east-west attacks.
Figure 15. Palo Alto Networks at-a-Glance
Providing the security foundation for Prisma SASE, Prisma Access is a scalable, low-latency network leveraging the combined infrastructures of AWS and GCP, with over 100 service access points across 76 countries. This combination enables Prisma Access to provide ultra-low latency backed by industry-leading SLAs to ensure a great digital experience for end users. Built from the ground up, Prisma Access provides a consistent cloud-native global services edge delivering comprehensive security coverage.
Formerly known as CloudGenix, Prisma SD-WAN leverages AIOps and ML to simplify network and security management, combining deep application visibility with Layer 7 intelligence for network policy creation and traffic engineering. Application-defined policies improve the end-user experience and enable the secure, cloud-delivered branch. Prisma SASE’s ADEM capability provides visibility into cloud infrastructure performance and into internet, cloud SaaS, and data center application performance across mobile and branch users, with traffic monitoring and end-to-end path trace analysis. Prisma SASE also integrates with Palo Alto Networks’ cloud-delivered DLP and IoT security solutions.
In February 2022, Palo Alto Networks introduced Prisma SASE enhancements for MSPs to simplify management and support of security and SD-WAN services for their customers, including an open API framework for MSPs to seamlessly integrate with their back-end infrastructure to automate Day 0 and Day 1 workflows. Supporting fully-managed or co-managed lifecycle services, a cloud-based management portal provides hierarchical multitenancy and flexible service creation with sophisticated role-based access control for segmenting customers while ensuring control using granular sets of permissions. In addition, the portal offers insights into networking and security metrics while highlighting critical issues across all managed tenants.
Strengths: Palo Alto Networks’ ZTNA 2.0-capable Prisma Access provides consistent cloud-delivered security for remote users. Accessed via a common management interface supporting all use cases, it adds simple and intuitive policy-based workflows to streamline configuration, automate continuous configuration assessments, and make security recommendations based on best practices. It also offers comprehensive visibility into all users, applications, and threats to improve security posture and reduce risk.
Challenges: The incumbent in many enterprise and mid-market accounts, Palo Alto Networks is aggressively moving to the cloud by acquiring the necessary building blocks and investing in integration with security vendors so customers don’t have to rip and replace when deploying an SSA solution. However, due to the complexity, scope, and size of its portfolio, the company’s ability to maintain the pace of innovation required to deliver a fully integrated SSA platform may lag compared to other vendors building SSA solutions from the ground up.
Founded in 2018, Perimeter 81’s mission is to simplify secure network access for the distributed workforce. Built in-house as a single integrated platform, Perimeter 81 unifies a range of network and security solutions, providing a consolidated, user-centric network with granular policy management for enterprises of all sizes managed and delivered through the cloud. Perimeter 81 is built on an innovative microservices architecture and serverless platform, allowing easy scaling and high performance. Features offered by the platform include DNSS, FWaaS, SWG, network segmentation, device posture security, an application-layer (Layer 7) firewall, a VPN, and both agent and agentless access.
Figure 16. Perimeter 81 at-a-Glance
Built on a framework composed of a single agent, a single management console, and a single cloud edge network, Perimeter 81’s approach to SSA is to provide essential functionality and add additional capabilities over time. After building a baseline platform comprising the network, agents, and management console, Perimeter 81 developed its ZTNA capability and agentless application access, providing end users with remote access to corporate resources, followed by the addition of a proxy-based SWG in February 2022. In addition, CASB and endpoint security will soon be integrated, with Perimeter 81 currently partnering with SentinelOne and SonicWall for endpoint protection.
Developed from the ground up as a zero-trust solution, Perimeter 81 includes strong context-aware segmentation policies and firewall rules to segment the network, with users authenticated by username and password or MFA alongside a device posture check, and with integration options for leading identity providers. The zero-trust agentless application access feature combines multiple policies to verify the user’s identity, allowing administrators to limit users to a specific resource without exposing the network.
Owned and managed by Perimeter 81, the multiregional network provides a comprehensive set of secure converged network capabilities delivered and managed over a multitenant cloud with a global footprint of over 50 PoPs, with interconnected gateways to which users connect. Designed to reduce latency and provide the optimal user experience, Perimeter 81 claims that users may experience, at most, a minimal additional latency of 10 to 20 milliseconds when deploying Perimeter 81.
Perimeter 81’s transparent scale-as-you-grow pricing model is subscription-based and contains four types of plans: Essential, Premium, Premium Plus, and Enterprise, with implementation support included with even the lowest-level plan. In addition, the Premium, Premium Plus, and Enterprise plans include a dedicated customer success engineer available to optimize the customer’s network.
Strengths: Perimeter 81 has been built as a single integrated platform from the ground up. It can be deployed in less than 20 minutes and scaled instantly to meet customers’ needs. The intuitive interface enables clients to create and configure networks and onboard team members quickly, with security policies managed from a single dashboard. In addition, Perimeter 81 provides 24/7 hands-on support with dedicated assistance from solution architects and customer service engineers.
Challenges: Perimeter 81 does not currently include a CASB or integrated endpoint security. While partnerships with SentinelOne and SonicWall provide endpoint protection, it is not fully integrated and uses a separate user interface for management. In addition, while the platform’s DNS filtering and FWaaS capabilities provide a level of protection, IoT security is not yet included on the roadmap.
Created in 2022 when McAfee Enterprise split in two, Skyhigh Security’s portfolio is underpinned by technology acquired with Skyhigh Networks in January 2018. Incorporating CASB, DLP, FWaaS, RBI, SWG, ZTNA, and a cloud-native application protection platform (CNAPP), Skyhigh Security’s solution—known as Security Service Edge (SSE)—provides fast, direct-to-internet access between the workforce and their resources with data and threat protection performed at every control point in a single pass to reduce security costs and simplify management.
Figure 17. Skyhigh Security at-a-Glance
A cloud-native security fabric connecting users to WAN infrastructure, cloud services, and the web, Skyhigh Security SSE’s architecture comprises advanced threat protection, multivector data protection, and a data-centric approach for managing data access, storage, sharing, and modification. Converging SD-WAN and ZTNA, Skyhigh Security utilizes a scalable global cloud footprint and cloud-native architecture with over 90 PoPs peered with content providers at global Internet Exchange Points (IXPs), minimizing inefficient traffic backhauling with intelligent, secure direct-to-cloud access to deliver 99.999% availability and ultra-low latency.
Advanced threat protection provides unified data classification, policy enforcement, and incident management with pervasive DLP across endpoints, cloud, and web, with real-time collaboration control, adaptive risk-based enforcement for over 30,000 applications, and a guided policy advisor. Skyhigh Security leverages UEBA to identify malicious behavior, RBI to contain web browsing activity inside an isolated cloud, and a gateway anti-malware (GAM) engine with real-time emulation sandboxing. UEBA monitors cloud activity and correlates millions of events to identify anomalies and threats. These anomalies are linked to DLP incidents, cloud configurations, and app vulnerabilities to create a prebuilt view of cloud-native attacks using the MITRE ATT&CK framework.
Skyhigh Security’s multivector data protection provides data protection and eliminates data visibility gaps. Centralized policy management allows policies to be set once and applied across endpoints, networks, and web and cloud applications, with each control point enforcing shared data protection policies and unifying incident management between control points with no increase in operational overhead. Incident event information is visualized through a cloud management dashboard, providing a single view of the data protection environment. In addition, data anomalies are correlated across all vectors, enabling administrators to identify signs of potentially serious attacks.
As part of Skyhigh Security’s SSE portfolio, Skyhigh Private Access secures access to private applications from any location and device. It controls data collaboration with integrated DLP performing a continuous risk assessment of the connected devices to derive enhanced posture information and provide least-privileged access. Extending NGFW capabilities to remote users through a cloud-delivered service model, Skyhigh Cloud Firewall includes a sophisticated policy engine offering contextual awareness and a next-generation IPS.
Strengths: Skyhigh Security provides advanced, multivector data protection with tightly integrated services, including DLP and RBI. An intuitive management dashboard correlates incident event information from all control points, providing a consolidated view enabling administrators to identify signs of potentially serious attacks.
Challenges: Since its separation from McAfee Enterprise, Skyhigh Security lacks the transparency previously available under the McAfee Enterprise name, with pricing tiers and features no longer published on its website. In addition, multiple changes in ownership and brand have contributed to its falling behind some of its competitors in terms of market perception and product development.
Founded in 2012, Tempered takes a radically different approach to security by addressing one of the root causes of internet attacks—the visibility of network devices to bad actors. Securing every endpoint in your network—from local data centers to global infrastructure—Tempered’s zero-trust, SDP solution, Airwall, makes everything on the network invisible to protect against cyberattacks. In addition, using gatekeepers—known as Airwall Gateways—in front of any IP-connected device protects critical physical infrastructure while allowing secure global connectivity and mobility. Requiring no change to the underlying network, Airwall is a comprehensive solution extending to cloud, virtual, and physical environments.
Figure 18. Tempered at-a-Glance
Eliminating the need for VPN solutions, Airwall uses the Host Identity Protocol (HIP), an open, standards-based network security protocol, to create an end-to-end encrypted overlay fabric spanning existing network infrastructure, removing the need to orchestrate complex routing topologies and WAN connections. As a result, HIP-enabled private networks can generally traverse any firewall and move seamlessly among private, public, and mobile networks. First deployed within the aerospace and defense industries, HIP is a cost-effective, scalable way to mitigate threats without implementing complex security policy management.
Airwall creates a secure overlay network in which endpoints are identified by cryptographic host identities rather than by reachable IP addresses, cloaking vulnerable infrastructure and rendering it undetectable to unauthorized users and bad actors. Delivering defense in depth, Airwall comprises a software-defined network, an SDP, microsegmentation at every endpoint, MFA, and zero-trust access. While Airwall is generally deployed as software, an easy-to-deploy hardware gateway is available if required.
Airwall includes an intuitive centralized graphical management console, enabling user devices to be added or removed from a trusted list using a drag-and-drop interface. Modern policy objects enable real-world management of user groups and network assets. A complete API suite allows network security teams to automate all aspects of network configuration and user provisioning, and includes a fully auditable configuration history.
To provide a more secure, rapid response approach against industrial-grade network attacks, a partnership with Nozomi Networks integrates Nozomi’s network visibility, threat detection, and incident response system with Airwall’s policy enforcement and centralized SDP management console. Nozomi Guardian unlocks visibility across IT, IoT, and OT for accelerated security and digital transformation, with physical or virtual appliances monitoring network communications and device behavior to deliver instant awareness of your OT/IoT network and its activity patterns.
Strengths: By building secure connections directly between the two communicating systems whenever possible, Airwall’s HIP-based solution reduces the attack surface and cloaks vulnerable infrastructure. An easy-to-use GUI makes Airwall simple to deploy and makes networks easy to manage and troubleshoot at scale. In September 2021, Johnson Controls, a leader in building automation, chose Tempered Networks to provide secure communications and network management for its OpenBlue services.
Challenges: Since traffic is sent over end-to-end encrypted HIP tunnels, commercially available traffic analysis solutions are “blind” in a Tempered environment. However, Tempered provides several options for increasing visibility, including securely bypassing Airwall HIP tunnels or backhauling bypass traffic to a remote Airwall for analysis. In addition, AirSPAN enables the secure mirroring of any Airwall port to a different Airwall, enabling security administrators to inspect overlay traffic.
Founded in 2012, Versa claims to be the only vendor delivering a fully integrated, converged SSA solution deployed either on-premises or in the cloud—or as a hybrid combination of both—in a single software stack built on a single-pass parallel processing architecture. Versa SASE offers a converged, integrated, and scalable solution encompassing security, networking, SD-WAN, multitenancy, and analytics in a single, scalable operating system, the Versa Operating System (VOS). Available on-premises, cloud-delivered, or hosted by Versa-powered service providers, it simplifies and streamlines the management of networking and security policies and services.
Figure 19. Versa Networks at-a-Glance
Versa SASE runs on on-premises appliances, in the cloud using distributed Versa Cloud Gateways in over 90 regions, or as a combination of both, enabling consistent security, networking, business, and analytics policies anywhere in the world. Versa SASE can also be deployed in a private cloud, offering complete control while delivering the performance, services, and capabilities of a cloud-native solution without service chaining, multiple software stacks, multiple VNFs, multiple VMs, or separate boxes to achieve the same level of functionality.
Versa SASE leverages the single-pass parallel processing architecture found in VOS. A multiservice, multitenant software solution built on cloud principles, VOS provides automation, programmability, and segmentation at scale. Touching each packet only once for both networking and security, VOS’s unique architecture increases performance and mitigates security vulnerabilities and exposure. In addition, Versa SASE takes advantage of the Versa Traffic Engineered Protocol to steer traffic between Versa Cloud Gateways across the private backbone, eliminating jitter, reducing latency, and minimizing packet loss.
Comprising a comprehensive set of services in a single solution, Versa SASE includes a CASB, DLP, IPS, IDS, NGFWaaS, RBI, SD-WAN, SWG, ZTNA, UEBA, and other functions such as analytics, automation, and multitenancy to allow granular roles and segmentation. In addition, Versa’s intuitive GUI, Versa Concerto, provides configuration, deployment, orchestration, and management, with Versa Global Zero-Touch Provisioning (GZTP) available for new VOS implementations. Providing a subset of Versa SASE’s cloud-native services, Versa Titan addresses the needs of smaller, lean IT organizations lacking in-house security or network-focused architects, engineers, and technicians.
Providing flexibility for hosting multiple customers, lines of business, or functions per instance—while maintaining separation between each customer’s traffic—Versa SASE is a multitenant solution with built-in, native segmentation and role-based access control. Supporting up to 256 separate tenants, Versa SASE provides each tenant with multiple virtual routing and forwarding tables (VRFs), VLANs, and service chains with complete separation at the controller, data, management, and analytics level.
Strengths: Built from the ground up, Versa SASE delivers cloud-native security and consistent security policies across branches, remote offices, and individual users, eliminating security gaps and vulnerabilities introduced when connecting multiple security solutions. Customers deploying Versa SASE also report significant increases in business and application performance and security for multicloud and on-premises deployments.
Challenges: While boasting a competitive offering, numerous awards, a healthy roadmap, and over 5,000 SD-WAN customers, Versa Networks still lacks end-user awareness in the SSA space, appealing mainly to existing Versa SD-WAN customers. Despite Versa’s “one architecture fits all” philosophy, Versa SASE lacks the flexibility and some of the niche controls and policies available in some alternative solutions.
Founded in 1998 and an established player in the networking and security space, VMware’s cloud-native VMware SASE Platform combines CASB, SWG, ZTNA, NGFW, and SD-WAN integrated with VMware Workspace ONE technology for endpoint protection of branch edges, campuses, mobile users, and IoT devices. Announced in September 2020, VMware SASE provides global, end-to-end network and application performance visibility by leveraging a software-defined architecture with a cloud-hosted management platform centralizing policy creation, distribution, and control.
Figure 20. VMware at-a-Glance
With varying degrees of integration, all components comprising the VMware SASE Platform and endpoint security are from VMware’s portfolio, including VMware SD-WAN Gateway, VMware Secure Access, VMware Cloud Web Security, and VMware NSX Cloud Firewall.
- VMware SD-WAN Gateway delivers multitenant gateway services and policy control points over a global footprint of more than 4,000 gateways, providing scalable application access and performance supported by VMware and its partners.
- VMware Secure Access is VMware’s ZTNA offering and can be deployed with either a standalone endpoint client or the Workspace ONE UEM client for accessing VMware SD-WAN and/or VMware Cloud Web Security services. Workspace ONE also integrates with VMware Carbon Black and other mobile threat detection products, including Check Point, Lookout, and Zimperium.
- Built on technology OEM’d from Menlo Security, VMware Cloud Web Security integrates CASB, SWG, DLP, RBI, and URL filtering, deploying them natively on each VMware SASE PoP to provide secure, direct, and optimal access to SaaS applications and the web.
- VMware NSX Cloud Firewall integrates VMware’s NSX NGFW with advanced security functionalities—such as DPI, IDS, and IPS—to enforce identity-based access for on-premises applications from any location.
Serving as an onramp to SaaS and other cloud services, VMware’s approach to SD-WAN includes over 150 PoPs hosted by VMware or service provider partners worldwide, providing less than 10 ms latency from 80% of the world’s population and less than 5 ms latency from AWS, Azure, and GCP. This footprint gives VMware a global presence for launching new networking and security services and integrating them with best-of-breed security partners.
Available as a web-based user interface, VMware SASE Orchestrator provides centralized, enterprise-wide installation, configuration, and real-time monitoring of VMware SASE Platform services and is responsible for orchestrating the data flow throughout the cloud network. In addition, VMware Edge Network Intelligence leverages ML and AIOps capabilities to manage end-user and IoT device performance, security, and self-healing.
Strengths: Encompassing several solutions, the VMware SASE Platform converges networking and security delivered as a cloud-hosted service. It enables reliable, secure, and efficient access to any on-premises, SaaS, or virtual application by users located anywhere in the world while protecting users and infrastructure against internal and external threats. As an alternative, VMware Secure Access provides mobile and remote users with secure access to cloud and data center-hosted applications. In January 2022, BT announced the launch of VMware SASE as a global managed service, combining BT’s extensive networking capabilities and in-depth security expertise with VMware technology.
Challenges: VMware is in the process of filling gaps in its portfolio, investing in areas such as DNS security and FWaaS. However, integrating various in-house, acquired, and OEM products at a deeper level will take time, with tighter FWaaS integration coming in 2H 2022. Moreover, despite the widespread adoption of VMware products, customers should recognize the VMware SASE Platform for precisely what it claims to be—a SASE platform—and not yet a fully integrated SSA solution. In addition, the acquisition of VMware by Broadcom may further delay product innovation and integration.
Founded in 2008 and boasting an impressive list of Fortune 2000 customers, Zscaler promotes a best-of-breed platform over best-of-breed point products. Its flagship services, Zscaler Private Access (ZPA) and Zscaler Internet Access (ZIA), combine to create fast, secure connections between users and applications, irrespective of device, location, or network. Used in over 185 countries, Zscaler operates the world’s largest cloud security platform, processing over 240 billion transactions, preventing over 7 billion policy violations and security incidents, and applying over 200,000 unique security updates daily as customer traffic traverses more than 150 data centers across six continents.
Figure 21. Zscaler at-a-Glance
A cloud-native platform, Zscaler Zero Trust Exchange (ZZTE) delivers fast, seamless, and secure access across the entire business ecosystem irrespective of where users are located. Built from the ground up for performance and scalability, ZZTE relies on four foundation components: Zscaler Client Connector (a lightweight edge application that automatically forwards user traffic to the closest Zscaler Service Edge), Zscaler Agentless Access (for agentless access from unmanaged devices), ZPA App Connector (lightweight virtual machines that broker secure connectivity between authorized users and named apps), and ZPA Service Edges (security and access policy enforcement). Within the exchange are four solutions: Zscaler Internet Access, Zscaler Private Access, Zscaler Cloud Protection, and Zscaler Digital Experience.
- Zscaler Internet Access (ZIA) is a secure internet onramp and web gateway delivered as a service from the cloud. Comprising Cloud Firewall, Cloud IPS, Cloud Sandbox, Cloud DLP, CASB, and Cloud Browser Isolation, ZIA provides an integrated gateway for inspecting all ports and protocols, even across SSL. Whether connecting via a router tunnel to the closest Zscaler data center (for offices) or forwarding traffic via the lightweight Zscaler Client Connector (for mobile users), users enjoy full inline content inspection. By default, ZIA uses basic Layer 3 and Layer 4 firewall policies, but customers can upgrade to an NGFW for Layer 7 application control, advanced DNS, user and group policies, and full logging. ZIA is available in three editions: ZIA Business, ZIA Transformation, and ZIA Enterprise License Agreement (ELA).
- Zscaler Private Access (ZPA) applies the principle of least privilege to give users secure, direct connectivity to private applications running on-premises or in the public cloud while eliminating unauthorized access and lateral movement. The service enforces application access based on context and uses inside-out connections to make applications invisible to unauthorized users. In addition, as the internet becomes the enterprise’s new transport network, microsegmentation connects users to specific apps, limiting lateral movement. ZPA is available in three editions: ZPA Professional Edition, ZPA Business Edition, and ZPA Transformation Edition.
- Zscaler Cloud Protection (ZCP) reduces the risk of moving workloads to the cloud while reducing operational complexity. Incorporating cloud security posture management (CSPM), secure user-to-app access, secure app-to-app communication across clouds, and identity-based microsegmentation, ZCP eliminates lateral threat movement within VPCs/VNets and extends comprehensive protection to public cloud assets with zero-trust capabilities for workloads.
- Zscaler Digital Experience (ZDX) provides unparalleled visibility into tunneled traffic through the Zscaler Zero Trust Exchange cloud platform. An integrated service providing a unified view of application and endpoint performance metrics, ZDX correlates network traces from the user to the Zscaler cloud, Zscaler cloud to the user, and Zscaler cloud to the application to deliver a complete, end-to-end view of the actual traffic path taken between the user and application.
Most customers use Zscaler Public Service Edges hosted in over 150 exchanges worldwide. However, Private Service Edges hosted at the customer site and managed by Zscaler provide on-premises users with shortest-path access to on-premises applications without leaving the local network.
Strengths: The Zscaler best-of-breed platform architecture helps accelerate cloud adoption by removing network and security friction through the consolidation and simplification of IT services. Peering at the edge with leading application and service providers, Zscaler optimizes traffic routing to provide a frictionless and transparent experience for users across all locations. In May 2021, Zscaler acquired Smokescreen Technologies, a leader in active defense and deception technology, to detect the most sophisticated, highly targeted cyberattacks, lateral movement attempts, and ransomware.
Challenges: Despite boasting an extensive global network, not every service runs on every server and data center in Zscaler’s network. Zscaler lacks advanced ML-powered cloud and security capabilities. As Zscaler increases its market share in the converged networking and security sector, it is being targeted aggressively by competitors offering best-of-breed replacement point products based on price or differentiating features.
6. Analyst’s Take
With new attack vectors opening up due to the marked shift to remote working and learning in response to the COVID-19 pandemic, many enterprises are reinforcing their security capabilities to protect themselves against the threat of data breaches, major IT outages, and ransomware attacks. Robust secure service access solutions meet each organization’s unique needs irrespective of network architecture, cloud infrastructure, or user location and device, enabling them to replace multiple security products with a single integrated platform offering full interoperability and end-to-end redundancy.
However, the SSA landscape is becoming increasingly blurred with incumbent vendors repackaging and repositioning legacy products as integrated platforms, acquiring new technologies, or making strategic alliances to fill the gaps in their portfolios. And to make it even more challenging to navigate, several new entrants are emerging with innovative approaches in an increasingly competitive—and hot—market.
As a result, customers need to carefully consider: (1) the vendor strategy that best meets the needs of the business based on required features and functions; (2) each vendor’s ability to deliver an integrated solution over the next 18 to 36 months; and (3) the availability of in-house expertise versus the need for managed SSAaaS.
Depending on your comfort level, the different vendor strategies to be explored include:
- An end-to-end SSA platform from a single vendor
- Multiple best-of-breed point products integrated and delivered by a single provider
- Multiple best-of-breed point products deployed and managed in-house
- Managed SSAaaS based on strict availability and security SLAs
As you explore SSA, use this report to evaluate your current and future needs based on these approaches before creating a shortlist of vendors supporting your target market, deployment model, and use case. With the emergence of new entrants and exciting innovation, don’t just settle for your incumbent vendor’s solution. Instead, explore all your options before creating a shortlist based on features, integration, as-a-service capabilities, and in-house skills. When talking to vendors, verify the level of integration between individual SSA capabilities. Ensure that their vision is aligned with yours and their roadmap includes the features and integration you need.
7. About Ivan McPhee
Formerly an enterprise architect and management consultant focused on accelerating time-to-value by implementing emerging technologies and cost optimization strategies, Ivan has over 20 years’ experience working with some of the world’s leading Fortune 500 high-tech companies crafting strategy, positioning, messaging, and premium content. His client list includes 3D Systems, Accenture, Aruba, AWS, Bespin Global, Capgemini, CSC, Citrix, DXC Technology, Fujitsu, HP, HPE, Infosys, Innso, Intel, Intelligent Waves, Kalray, Microsoft, Oracle, Palette Software, Red Hat, Region Authority Corp, SafetyCulture, SAP, SentinelOne, SUSE, TE Connectivity, and VMware.
An avid researcher with a wide breadth of international expertise and experience, Ivan works closely with technology startups and enterprises across the world to help transform and position great ideas to drive engagement and increase revenue.
8. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.