Market Overview: Secure Access Service Edge (SASE)

I'm John Tolbert, lead Analyst and director of cybersecurity research here at Cooper and Coal. And I'm gonna start off this part of the track by looking at a recent leadership compass that I published on Secure Access Service Edge. We call it Sassy. So I'll just jump right in. I only have 15 minutes and I'll try to be on time. So first up, let's talk about why, what Sassy is for.

Again, it stands for Secure Access Service Edge. The two major use cases are around connecting remote facilities, whether they be branch offices or you know, distributed warehouses your organization may have or shops or kiosks. Just depends on the kind of business that you're in. And then also work from anywhere. That's something that, you know, we've been doing via VPN for 20 years now, but got a lot more important about three years ago and I think it will remain so for the foreseeable future. So Sassy really involves looking at, you know, three different areas.

You've got the endpoint, which includes, you know, thinking about what operating systems people are gonna be coming in from the network, your own networks on-premise networks that is in the cloud. So typically people have been defining SASSI as kind of the union of networking technologies such as SD WAN and security. So let's kind of take a look at some of the major components of, of the networking side.

So you have SD WAN microsegmentation, this is something that we've been hearing about quite a bit today in this track in Zero Trust is something that's, you know, one of the, the goals of zero trust. It has to be able to support 4G and 5g, not just, you know, traditional network but wireless. Most of these vendors have traffic acceleration and or TCP optimization technologies built in. The idea there is you have people maybe on different continents doing work and the more, the closer you get the points of presence to them, the better performance they're gonna have.

You need path redundancy back in the maybe not so good old days of things like mpls. You know, you might have a single link between sites. That site goes down, then you're in trouble until you get that link back. So you need path redundancy and things like smart routing to, you know, choose the, the best path quality of service, you know, with a lot of the vendors you can, you can pay for additional quality of service. It can also provide DDoS and DNS protection, even though DDoS doesn't make the news as much anymore. It certainly happens quite a bit every day.

Sassy's often touted as being a VPN replacement, but I don't think I'd call it a VPN replacement. It's kind of a VPN upgrade. I mean there's, most of the vendors are still using IP sec, but they're also using newer technologies like wire Guard. But what I think by, they mean by a VPN replacement is adding on, you know, the zero trust network access piece, multifactor authentication.

Also on the networking side, there's gateway appliances to sort of bundle up all your traffic, you know, from your data center, your networks that you're physically responsible for and get it onto the vendor's backbone through the edge pops. The points of presence, that's a good thing to look at when you're selecting a sasi vendors. Figure out where they've got points of presence and how close are they to your, all your potential users, whether they be customers or contractors. Link status, dashboards and reports. I've seen some of these in the demonstrations.

These are really handy for network operating centers to be able to see, you know, what the status is of, of any given link. And also many of them have some pretty innovative customer experience monitoring capabilities that you can see in these dashboards too, which is really helpful for kind of getting a picture of what's going on with the end user, what kind of latency are they having to deal with. And most of these vendors offer these as managed services as well. So on the security side, there's firewalls as a service or next gen firewalls that can be built into these gateway appliances.

Network detection and response looking for, you know, potentially nefarious traffic going across your network on the way to the cloud. Secure web gateway is essentially a reverse proxy, again with sort of zero trust network access layered on top to make sure the right users can get to the right kinds of resources. Browser isolation, this is a, a really interesting technology designed to help prote protect endpoints from malware.

So instead of running, you know, directly from, you know, the, the end user's endpoint machine having, you know, farms of browser isolation services where it actually goes out, grabs whatever content the user's looking for and then sort of renders it and brings back a harmless view of it. That way if they're, you know, find themselves on a malicious site, it's actually protecting the end user's desktop from that in more endpoint security. This is kind of a stretch goal I thought that more of the vendors would have built in, but they don't quite have that yet.

I think in the long run, companies are gonna wanna buy something with just a single agent, you know, so it should have TR traditional endpoint security built in, but that's, it's not quite there yet. Same with Unified Endpoint Management, being able to know where your assets are, you know, what, what state they're in, what their patch levels are. These kinds of things are important for the device posture checks that most of the sassy services run.

There are integrations from most of the major vendors for third party endpoint security and UEM products, DLP and casby, this is the data protection piece. There's various levels of sophistication that you can find in the sassy vendors for how they can protect your corporate data. I've been talking about Zero Trust quite a bit.

User behavioral analysis, looking at things like geolocation impossible travel, but also, you know, some of the more complex implementations can look at, you know, is, are these files that a user would normally access services that a user normally might access and be able to apply AI to make runtime decisions about those access control requests. You need to be able to plummet into your SIM and source and ITSM for ticketing. So it really should be part of your overall IT and security infrastructure.

And they also generally have multiple sources of cyber threat intelligence that they can look at and use for, you know, try to detect threats on the network. And again, just like on the networking side, most of these capabilities can be delivered as services from these vendors too. So the pros, you know, it can provide more coverage than individual point solutions.

You can see performance gains, there should be a potential for cost savings that, that hopefully should be something that could be negotiated into a sassy contract reduction in the numbers of agents, I think, you know still, you know, minimum would be two cuz you're gonna need to run endpoint security as well, which none of them actually have that built in. I mean some of the vendors have adjacent products, they'll talk about that in a second.

But you get simplification of your software maintenance and contract management and I think the organizations are gonna see the most benefit or big enterprises, you know, with complex architectures that you know currently include things like both on-premises cloud assets and of course your remote workforce. But where there are pros, there are cons.

You know, you don't get the best of breed approach if you go with a single vendor sassy solution. You know, for some kinds of enterprises, if you migrate everything to the cloud, you may not see as much of a need for something like Sassy. All of them are sort of incomplete, you know, based on the, the extended rigorous definition I gave it when I started the research. But I think most of 'em are sort of growing in that direction and that'll be reflected in the graphs you see in a minute. And of course the biggest potential con is vendor lock in.

So sassy and zero trust aren't really in any conflict. Zero trust, as you can see is kind of an important part of sassy. So I think it's easy to say that we need both. So in this leadership compass report, these are the major categories that I looked at. You'll see these reflected in the spider graphs at the end here. Connectivity, this is the SD WAN portion, how they do zero trust network access. Some of them have, you know, some limited IAM capabilities of their own.

Most of them integrate with other things like AD or you know, other LEP directories endpoints since they don't have endpoint security. I was mostly looking at what operating systems they cover, network security, web security, fairly self-explanatory data protection.

This is, you know, different levels of capabilities for data protection. And I try to reflect that in the, in the both the write-ups and the the spider graphs. Then administration, what's it like to administer it and also what kinds of end user support do they have. Because if you're gonna farm out all this kind of work, it would be nice to have somebody else who could handle those end user requests when you know, I can't get in for whatever reason or another.

So how we conduct our research, we start off by looking at all the vendors that we could find in the field, get briefings, demonstrations, talk to customers, then we generate these huge technical questionnaires and ask hundreds upon hundreds of questions. We get that information back, we write up a draft, we show them the ratings, we ask for fact check. Sometimes a few months might go by. So we have to, you know, get an update, see what's new. And then once all that's done, then we publish. We have nine major categories of things that we look for in every leadership.

Compass security, this is about internal product security functionality, you know, does it have everything that we think it, it should have to be in this space. Integration or deployment, you know, does it depend on multiple products and if so, how integrated are they? Where can it be deployed? Interoperability, what kind of standards does it support? How well does it integrate with other parts or interoperate with other parts of your infrastructure like the SIM and SOAR and i TSM systems, usability.

In this case it's about what both the end user, what would an end user like trying to log in via vpn, what's that like? Also, what's it like to be an administrator of the system? So that's what we try to evaluate with usability. Then there's innovation. How innovative is, is it market size, which also has a lot to do with not only how many customers do they have, how big are the customers, but where they're distributed ecosystem is, you know, how many partners do they have to help deploy it. And then overall financial strength. So this gets rolled up into four major categories.

Product leadership, market leadership, innovation and overall, I'll show you the graphs here in just a second. Here are the vendors that we're in this first edition of our SASSI integration Suites Leadership. Compass. Won't read through the names but here are the graphs. These are usually the things that people like to see the most. You can see the overall leaders here are primarily your large network security stack vendors. There are some networking specialists and some that are kind of, you know, new getting into sassy, but it is very big and complex kind of product and or service.

So it's, I think the, the cost of entry to the sassy market can be quite high. Next up, the product leaders, again the categories are connectivity, zero trust, endpoint network, web, data protection administration, and end user support. You can see a pretty good range or a distribution across the, the graphs here. Innovation, this one deserves a little explanation.

So the, what I saw as most innovative and sassy at this point is what kinds of traffic optimization do they use? You know, some have fairly basic methods, others have, you know, pretty sophisticated techniques that I think probably do provide really good performance gains for, for the customers. Advanced D DLP and casb, I think you really need both, especially operating and you know, the work from anywhere kinda world today.

And you know, some have pretty good capabilities on the CASB side as far as not being able to, or you know, preventing employees for example, from uploading proprietary data to, to a website or you know, out via email. But not so much on the, the traditional DLP side where you would want to try to block, you know, somebody copying proprietary information to a USB drive or something like that. Malware protection. There are a couple of different techniques that are used for browser isolation. So that's reflected here. Also the sophistication of IAM integration available.

Like I said, some of the vendors have some IAM capabilities built in. Others, you know, allow various degrees of integration with other IM systems. The ability to do some automated responses, let's say it detects, you know, what could be malicious traffic on the network. So being able to shut that down, notify the stock, take action, not all of 'em have connections for SIM and I t sm. I think that is unfortunately still would be considered kind of innovative at this point for some of the sassy vendors that are out there.

And we always like to see certifications for ISO 27 0 0 1 and SOC two type two for cloud delivery services. And not all of them have that yet either. So the market leaders are mostly, like I said, the network security stack vendors and sassy specialists. Some of the challengers that you see here in some cases are more regionalized in their sales and marketing, but I think there's a lot of opportunity for growth. And just one representative spider chart to show you how the categories are rated. And I have two seconds left.

So you, I encourage you to read the, the whole report. It's on our website and if you have any questions, feel free to contact me here or later.