I’m speaking with 5 SASE vendors and I have generic questions to ask them such as what they provide, PoP locations, pricing model, and long term plans.
For those of you who have gone through this process, are there questions you wish you had asked the vendors prior to choosing the one you went with?
How many peeps I gonna need to maintain this shit adequately?
Which of our current processes and investments become redundant with this deployment?
How does the solution secure ALL traffic? User, non-user, internet bound, ingress (public facing resources), wan bound…I think that if you can get these answers clear you’ll have a better idea of what technologies you currently own can be replaced. Of course, once you know that, you’ll also have a clearer idea of whether or not things will actually get easier for you to manage and maintain…or harder (which would be a bit counterintuitive, frankly).
I always hear that but it’s almost 95 percent an answer of “less than it will take you to manage multiple IPsec tunnels and ADVPN solution proper fail over and weights for multiple ISPs and disparate VPN solutions for a large environment”. As always it depends on environment size but you can either announce your routes over BGP for all sites, or buy SD-WAN. You can set up firewalls in tons of countries for a global VPN network with say FortiClient or GlobalProtect, or you can use someone else’s network who has done this for global access. It’s almost a trade-off but typically SASE solutions cost money so they reduce the need to be as technical and infrastructure costs depending on needs and size of company.
Good one, we are already struggling ourselves to keep up with our tools.
APIs and automation would be a good question I can ask too. Thanks for bringing this up!
So far all 5 vendors have pushed AI/ML. I haven’t had to ask it, seems automatic in all presentations by vendors now. I’d for sure ask this if they did not mention it, that’s all my c-suites talk about as well without really understanding it.
This is good, I will really need this info prior to going with any vendor. The more we can consolidate the better. We will still likely keep certain tools. I can’t see us getting rid of CrowdStrike for whatever EDR they push.
Thank you for this. Agreed, I need the details for all traffic. I had thought about this in broad terms, but narrowing down on this will be key for me and our infrastructure team to help plan out the deployment. Hoping this makes things easier.
Well, if you’re looking for easy to deploy and manage, hopefully Cato Networks made your 5 vendor lineup. There are other great solutions out there, but nobody gets to the easy button feel better than Cato and still not lose on sophistication and completeness. Other solutions deliver completeness as well, but the path to that is generally a lot more complicated.
It did! The 5 vendors are Cato, Palo Alto, Netskope, Zscaler, and Cloudflare. So far it looks like Cato, Netskope, and Zscaler are moving on to the next round.
Good lineup. I’ll give you my take.
Cato - best end to end networking solution (their Cloud/PoPs span 80+ markets around the globe) and only solution of the 3 that optimizes networking for both Internet and WAN traffic with an actual backbone. The other two do not optimize for WAN traffic and don’t have a backbone. Most complete network security solution with a single shared context model and a real single pass architecture - full security inspection (even ATP) for all directions of traffic. You can easily walk away from your traditional firewalls with their solution. Easiest full SASE stack to deploy and manage. Not as mature on Cloud App Security as Netskope but covers 95% of all use cases.
Netskope - best cloud app security solution. They lack advanced security capabilities for WAN-bound traffic. You’ll have to keep your existing firewalls to provide WAN protection if that’s relevant to your use case. Forward proxy architecture means limited security inspection options for traffic that isn’t HTTP, DNS and/or FTP. For example, you want your security stack to be able to detect things like Spambots running over SMTP or detect ransomware exploiting SMB…you’ll likely need another firewall solution to do that for you. Both Zscaler and Netskope might counter that point with “that’s why you have good EPP/EDR”, but with all the endpoint protection evasion going out there, it’s important to consider those protections inline in the network where they are immutable…layered approach, right? Good performance for public SaaS.
Zscaler - decent SWG, decent Cloud App security solution. Newcomers to networking and from all accounts thus far their adaption of SDWAN capabilities is very rudimentary by contrast to the rest of the market. They advertise a pretty massive Cloud but the reality is that only a portion of it services Internet Access and another portion services private access…and another portion services fed government. In the end, relative to the end customer, it’s not quite as vast…but still pretty big. If you’re looking for their full stack, I wouldn’t really qualify them as easy to use. They operate probably 7 different UIs in total now…oh, maybe 8 now with the acquisition of Airgap. They used to be easy and simple to use when they were just a good SWG. Like Netskope’s forward and reverse proxy architectures, you have the same kind of security considerations. If you have a WAN use case, you’re likely still holding onto your existing firewalls for full ATP protection. ZeroTrust capabilities are nice and all, but their solution doesn’t actually inspect WAN traffic for threats…again, similar to the limitations of Netskope.
All of this you should take care and verify yourself. I’m sure each supplier has their own thoughts on these arguments and probably has mud to throw at each other in one form or another. If you can’t get clear answers when you challenge them on the “How” they accomplish what they claim to do…then maybe that’s a red flag.
Thanks for sharing. Great independent analysis of Netskope’s capabilities, but I would argue that this doesn’t really reflect SASE at all. I think this is where there is so much confusion in the market. Consumers are confused because suppliers are confusing and blurring the values in distinctions with their marketing. Even their own platform engineers are brainwashed by the marketing (no offense intended…it’s not your fault). This analysis seems totally SSE centric (a component of SASE). Netskope is certainly strong in their SSE offering. In respect to SASE, it’s still only half the story. The analysis seems to focus exclusively on public SaaS. SDWAN is a core component of SASE. Where is the analysis on WAN traffic and performance? WAN security? What about last mile risk mitigation to public SaaS using SDWAN? I admit I did not read the full report and apologize if I may have missed where this was covered.
Enterprises still have private colos/Datacenters, public data centers (IaaS), private branch to branch use cases for real time services like voice, etc. We aren’t 100% public SaaS yet. I would argue that for at least some use cases we might never be totally public SaaS oriented. Digital Transformation doesn’t mean everything will go to public SaaS.
I’ve talked to so many engineers across the industry and many are either oblivious to the full story or have been drinking too much from the same punchbowl as their marketing and sales peers. Happy to know that science still holds a place in your heart. 
SASE isn’t meant to answer every call, but there should still be a solid definition of what calls it should answer and it should be evaluated first on whether or not it actually delivers on the promises of that definition vs comparing acronym checklists.