SASE Breakdown: A Deep-dive And The Key Players To Watch In 2023
Breaking down Zscaler, Cloudflare, Palo Alto Networks, Netskope and Fortinet's SASE Ambitions
Today’s piece is an exploration into the fastest-growing category within cybersecurity. We’re going deep on everything you need to know about Secure Access Service Edge (SASE). This technology affects everyone. SASE is the underlying technology that allows you to securely access the internet and protects you from malicious websites when working from home. The next largest security companies will be built around SASE. This piece focuses on evaluating the technology and the key players to watch. It’s an extensive piece, so here is a rundown:
The Basics: The Pre-SASE Era
Definition of SASE
Components of SASE
Implementation of SASE
The Key Players to Watch
Summary: Who Wins The Final Prize?
Actionable Summary:
The #1 Trend In Security: Recent reports from Gartner, McKinsey, and Forrester have identified zero trust and SASE (Secure Access Service Edge) as top technological trends for organizations and the cybersecurity industry in the next five years. At its core, SASE is a cloud-based solution that combines networking (internet) and cybersecurity into one cloud-delivered solution.
Every Enterprise will be ‘SASE’d’: Gartner predicts that by 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services, and private application access using a SASE/SSE architecture, up from 20% in 2021. They also estimate that by 2025, 50% of organizations will have explicit strategies to adopt SASE, up from less than 5% in 2020. Usually, Gartner bets on a trend happening over a decade, but these are remarkable trends happening within a short time frame.
The fastest growing security category: The market is currently growing north of 30% based on two reports from Gartner and Dell’Oro Group. Organizations can’t get their hands on SASE quickly enough, as more employees are working from home than pre-pandemic. Dell’Oro, a SASE research firm, said the security part of SASE experienced 38% YoY growth in 2022.
The driving forces: SASE is experiencing massive traction because it combines five critical technological trends into one solution: first, the transition of workloads to the cloud; second, a pandemic-induced shift to hybrid work for many companies; third, an increasing threat landscape driving zero-trust architecture; fourth, the need to manage the rising SaaS tool sprawl; and finally, the cost constraints driving organizations to consolidate multiple technologies with fewer vendors. According to a recent survey by Palo Alto Networks and Gartner, 77% and 92% of organizations are planning to consolidate security vendors.
The battle amongst CEOs: Palo Alto Networks, Fortinet, Cloudflare and Zscaler all discussed the momentum they’re experiencing from customer demand in SASE on their most recent earnings calls. Palo Alto mentioned that it was their fastest-growing business, and they booked over $1 billion in SASE within the last 6 quarters. Cloudflare has recently used aggressive guerrilla spats against Zscaler to build momentum for their new SASE products. The trend is real.
Cybersecurity Industry: The security industry remains a key priority for CTOs amidst the macro slowdown. The recent Battery enterprise spending survey and Gartner reports show security, particularly network security, as a top priority for executive investment in 2023. IDC’s March report shows cybersecurity is projected to grow 12% to be a $219 billion industry in 2023, driven by the threat landscape, nation-state attacks, and increasing regulatory requirements.
The Key Players: No company has ever started as a SASE company since Gartner coined the term in 2019. This makes it interesting as companies race to win this category. We’ve seen many of the leading security and networking vendors approach it from their core competencies or through acquisitions. This report explores each of these dynamics and largely focuses on Zscaler, Cloudflare, Palo Alto Networks, and Fortinet.
Why SASE
SASE plays a critical role in our everyday use of the internet, whether you’re an employee at a large company working from home or making an online order from your favourite franchise in another city. SASE will soon become the underlying technology behind your internet provider.
This report is a deep-dive exploration into SASE, its adjacent technologies and an evaluation of the key players pursuing this major prize. If Palo Alto can book a billion in SASE within 6 months and Zscaler, a $16B company, has been built around this technology framework, then many more companies will emerge from SASE.
The CIO spending survey from ETR (Enterprise Tech Research) shows that executives from 1400+ companies are planning on either increasing or maintaining their current spending on these SASE vendors in 2023. The Net score aggregates the total score from executives who indicate they plan to spend more (green) on a vendor. Meanwhile, a negative (red) means companies are planning to reduce spending on these providers. Hence, I’ve focused more extensively on Zscaler, Cloudflare, Netskope, Fortinet and Palo Alto Networks’ SASE solutions than on the other players.
I’ve begun the piece by exploring the history of enterprise networking and how the internet works. This historical review helps lay the groundwork for understanding SASE, which primarily combines multiple technologies into one central framework. This report is written from an investor and operator perspective, with the goal of breaking technical concepts into a digestible format for the average reader. It’s detailed, but feel free to skip to key sections.
The Basics: The Pre-SASE Era
As we’ll learn soon, SASE is a combination of networking and security. However, it’s critical to begin by exploring the history of Networking. For my non-tech nerds, networking at the core is connecting multiple devices and systems through the internet to facilitate communication and information sharing across distances. Network security, like SASE, is subsequently the practice of protecting computer networks over the internet from unauthorized access, misuse, or potential breaches. Let’s look closely at LAN and WAN.
History of Networking
Local Area Networking (LAN):
LAN is simply a connection for one network. Think about the internet connection for your home. LANs typically consist of a group of connected computers and devices, such as laptops, desktops, and printers, that are able to communicate with each other through Ethernet or WiFi in one location. Each unit is its own LAN, and the units cannot communicate with each other.
Wide Area Network (WAN):
A wide area network (WAN) is created when two local area networks (LANs) communicate with each other. If you want to extend the same network to multiple buildings within the same state or geographic area, you utilize a WAN. Multiple LANs or smaller networks are usually connected through leased lines (private network setup), satellites, or public internet. Examples of telcos or large companies providing WAN services in the US could include Verizon or Cisco. These networks typically cover large distances, up to thousands of miles, and allow for the transfer of large amounts of data between multiple locations. In the early 1990s, during the rise of the internet, companies would either use a telco ISP to provide dedicated leased lines for access to broadband internet or purchase the infrastructure needed. This was popularly referred to as an International private leased circuit (IPLC). If you’re somewhat old like me, do you remember landlines? There you go.
Building on our understanding of WANs, historically, companies would contact AT&T to help them set up a leased line, a dedicated network built on broadband internet for point-to-point locations. For example, a large grocery franchise shop in San Francisco wants to expand to New York. Verizon or Cisco would ship a ‘box or appliance’ and set up underground lines for the franchise owner to install at each location to make the network connections work. Companies usually use a VPN (virtual private network) to secure information.
Using An MPLS - WAN
In the late 2000s, as the internet evolved, companies such as Verizon developed Multi-Protocol Label Switching (MPLS). This system replaced leased lines like IPLCs. As these telcos expanded their geographic internet presence with more cables either across the US or globally, it allowed them to offer internet services across the multiple locations the telco covered. MPLS allowed telcos to bundle separate point-to-point lines between multiple locations into one large controlled system.
Organizations like banks or franchises often used MPLS when they had multiple remote branch offices across the country or around the world that needed access to a data center or apps at the organization’s HQ or another branch location. As you can see, this layout worked well in a 100% in-office setting. This worked well since no encryption was needed, resulting in strong and protectable service quality. An analogy would be a major highway in California where the government created a dedicated lane to bypass traffic. Similarly, telcos created a VIP lane (MPLS) for companies to achieve high availability and low latency regardless of congestion.
💡 The Covid Moment: However, as companies grew their footprint globally or users started working from home, this approach didn't work. Imagine when a user tried to log in remotely (using a VPN) to access the company’s resources on the cloud or internet; they had to be verified with data going through the MPLS to the HQ data center (for security inspection with firewalls) before being sent back to the user to access the internet. Inspecting data in your data center and then sending it back again before the user can access the internet hurts the end-user experience and requires more bandwidth, especially if employees are far from the HQ data center. This is exactly what happened during Covid for many companies using this legacy infrastructure. The worst part is that these MPLS are highly expensive because of the large infrastructure setup by the telco or WAN provider.
SD-WAN (Software-Defined Wide Area Network):
Starting in 2015 (obviously during Covid), SD-WAN became increasingly popular as a way to centrally use software (SD) to optimize networking performance (WAN) rather than relying on the telco’s provisioning of hardware appliances (MPLS or IPLC) at each branch location. Instead of depending on one telco for all their needs, companies could now use software to access the internet directly using three options:
Utilizing broadband internet like Wi-Fi, Ethernet or,
Cellular networks like 4G LTE/5G,
Augment it with a smaller MPLS or WAN (if they already had one with the telco)
SD-WAN enabled end-to-end enterprise connectivity over large geographical distances. With SD-WAN, only one piece of software was needed to give users in remote offices access to corporate applications (HQ), cloud services and workloads. It bypassed the need to always go through a company’s HQ data center before giving you access to the internet. For more on this topic, Muji at hhhypergrowth also has a good breakdown of SASE and the MPLS dilemma in his report titled “What are SASE Networks.”
The SD-WAN package optimized for the best latency, path selection, and SaaS route acceleration, and it had light firewall security features embedded. SD-WANs were provided by either enterprise networking companies like Cisco and VMware, or wireless companies. The benefit is clear - it’s faster, cheaper, and more protectable since there are fewer routes to be taken. This solution was great but needed more security features that incorporated a cloud-based architecture. This finally leads us to SASE.
Definition of SASE
SASE, pronounced as "SaaSy," is a framework for securing an organization's internet network connection. It was coined by Gartner in 2019. SASE (Secure Access Service Edge) merges enterprise security and networking (the internet traffic discussed above), delivered over an edge-based cloud platform.
As discussed, the traditional method of using an MPLS system that relied on the data center for managing internet traffic using a VPN was no longer working. This was further catalyzed by the fact that post-Covid, the world moved to a hybrid workforce. The image below shows the complex architecture that many companies use today to manage a network for a hybrid workforce.
SASE aims to provide a simpler and scalable architecture that natively embeds security and networking into one architecture. The vision is to provide better visibility for users, traffic, and data accessing a corporate network while working from anywhere.
Optional Reading Sections:
💡 What is Zero-Trust? All the historical analogies discussed above, such as MPLS and WAN, required using a VPN to access company apps and the internet. However, when given access to a VPN, users have full and unfettered access to a company’s network. This is popularly referred to as the ‘castle and moat’ architecture.
However, zero-trust architecture is built on the premise that trust is never assumed, and all connections could potentially be fraudulent. This means that all company users must be given least privileged access to a company’s resources. Only give users access to the applications they need, not the entire corporate network. Doing so ensures that if an attacker somehow gains access to the network (the castle), they cannot move laterally across the network in search of valuable data or they would be limited in how much damage they can cause to the company. Most SASE deployments are predicated on a company having a zero-trust architecture and framework. Zero-trust SASE provides direct-to-cloud connectivity to SaaS apps and the internet, thereby improving latency and the user experience.
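To make the contrast concrete, here is an added example (not from the original article or any vendor's product) that compares what one logged-in user can reach under a flat VPN and under a per-application zero-trust policy with default deny. The application names, groups and policy rules are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of internal applications (illustrative names).
APPS = {"wiki", "payroll", "source-code", "hr-records", "build-server", "legacy-ftp"}


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    authenticated: bool      # identity verified (e.g. by the identity provider)
    device_managed: bool     # device posture signal


@dataclass(frozen=True)
class Rule:
    app: str
    allowed_groups: frozenset
    require_managed_device: bool = False


# Constructed least-privilege policy: one rule per application.
# "legacy-ftp" deliberately has no rule, so it falls through to default deny.
POLICY = [
    Rule("wiki", frozenset({"employees", "contractors"})),
    Rule("payroll", frozenset({"finance"}), require_managed_device=True),
    Rule("source-code", frozenset({"engineering"}), require_managed_device=True),
    Rule("build-server", frozenset({"engineering"}), require_managed_device=True),
    Rule("hr-records", frozenset({"hr"}), require_managed_device=True),
]


def vpn_reachable(session):
    """Castle and moat: once the VPN login succeeds the user is on the
    network, so every internal application is reachable."""
    return set(APPS) if session.authenticated else set()


def ztna_decide(session, app, policy=POLICY):
    """Zero trust: every request is evaluated against identity, entitlement
    and device posture; anything not explicitly allowed is denied."""
    if not session.authenticated:
        return False, "identity not verified"
    for rule in policy:
        if rule.app != app:
            continue
        if not (session.groups & rule.allowed_groups):
            return False, "user not entitled to this application"
        if rule.require_managed_device and not session.device_managed:
            return False, "device posture check failed"
        return True, "allowed by rule for " + app
    return False, "no rule for application (default deny)"


def ztna_reachable(session, policy=POLICY):
    return {app for app in APPS if ztna_decide(session, app, policy)[0]}


def compare(session):
    """What the same session can reach under each model, and the difference."""
    vpn, ztna = vpn_reachable(session), ztna_reachable(session)
    return {
        "vpn": sorted(vpn),
        "ztna": sorted(ztna),
        "extra_exposure": sorted(vpn - ztna),  # reachable only because of the flat network
    }


if __name__ == "__main__":
    # Constructed sessions: a contractor on a personal laptop and an engineer
    # on a managed laptop.
    contractor = Session("c.doe", frozenset({"contractors"}), True, False)
    engineer = Session("e.lee", frozenset({"employees", "engineering"}), True, True)
    for s in (contractor, engineer):
        print(s.user, compare(s))
```

The `extra_exposure` list is the set of applications an attacker holding that user's credentials could probe under the VPN model but not under the per-application model.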
You’ll often hear some companies use SSE instead of SASE; below is a brief explainer.
💡 - What’s the difference between SASE and SSE? Security Service Edge (SSE) is essentially SASE, but without the SD-WAN component. It is defined as a solution that enables secure access to the web (SWG), access to private applications (ZTNA), and cloud services and apps (CASB), and is a subset of SASE. The role of SD-WAN is to optimize a company's network across branch offices and use software to define how traffic moves across the network. However, if a company is fully remote or hosts all of its applications on the public cloud (with maybe only <10% of the data center), there is no need to purchase SD-WAN components. This leaves you with an SSE solution. Providers may refer to it as SSE or SASE interchangeably.
Components of SASE:
As discussed, SASE acts as an intermediary for providing secure access for remote or WFH users accessing the internet, SaaS or the cloud.
As recommended by Gartner, for a company to provide SASE, they need to have these five core network and security functions:
Software Defined Wide Area Network (SD-WAN): We’ve discussed it at length above. The sole focus is to control internet traffic to optimize for speed and efficiency. The ultimate goal is to enable high availability, low latency, and high bandwidth without the need to pay high prices for MPLS or IPLC. It sends information along the fastest and least congested internet routes.
Secure Web Gateway (SWG): The focus is to protect and inspect website traffic rather than to optimize for speed like SD-WAN. The role here is similar to that of a traffic light, which screens and regulates traffic. SWG protects users from malicious content on the internet or websites, such as cyber threats or breaches, by filtering unwanted content from web traffic, blocking unauthorized user behaviour, and enforcing company security policies.
Firewall as a Service (FWaaS): This is a virtual firewall delivered in the cloud. It acts as a middleman, offering protection over VPN connections between endpoints and network edge devices in the cloud. It conducts filtering and inspection over network tunnels. Note that FWaaS can control all port connections and deliver more comprehensive security beyond simply checking internet connectivity when compared to SWG.
Just a side note: A port within network security refers to a connection point in a computer network that is used to send or receive data, such as HTTP traffic. Network security often involves configuring firewalls to block or allow traffic based on the ports being used.
Cloud Access Security Broker (CASB): This focuses on protecting SaaS applications such as Salesforce and Oracle. Their primary goal is to prevent data leaks and unauthorized app downloads (shadow IT), enforce data privacy and regulatory compliance and provide visibility into how users are using cloud apps and services, including public clouds (IaaS).
There are two types of CASB solutions: in-line and out-of-line. Basically, in-line CASB inserts policies for internal applications. Meanwhile, out-of-line CASB protects the company when dealing with people outside the network, guarding against sharing links with external people, and emphasizes read-only policies.
Zero-Trust Network Access (ZTNA): The focus is on enforcing identity for access to private company resources. Think of it like an immigration officer verifying your identity before you enter a new country. ZTNA primarily verifies remote users when they are outside the company's headquarters or branch before providing access to internal company applications. It limits access to only the resources the user is eligible to access. It is built on zero-trust principles.
After breaking down each part of SASE, everything comes down to the following:
CASB protects SaaS application access.
SWG and FWaaS protect you when you access websites on the internet.
SD-WAN and ZTNA protect you when you access internal company apps either on the cloud or within the data center.
If you want to go deeper into SASE beyond the five core technologies outlined above, Gartner also outlines 8 additional recommended technologies. Based on my research and talking to experts, the most important are Digital Experience Management (DEM), Next-gen Remote browser isolation (RBI) and elements of endpoint security. Many companies utilize partnerships to develop these solutions.
Side Note: Many companies have been built around each of these five technologies. Each segment is a large market in and of itself, growing at almost 30% to reach $15B by 2025. Many of the providers of SASE generally start from one of these areas and eventually provide the full package for a complete SASE solution.
Implementation of SASE:
In order to develop a thorough understanding of the key companies competing within SASE, we need to briefly understand how SASE is delivered and address some terminology. If we recall, SASE is broken down into two key phrases:
Secure Access: It verifies user access to either the internet or internal apps. (Most SASE vendors partner with identity providers like Okta or Azure Active Directory to ensure user access to permitted resources).
Service Edge: SASE is deployed over a cloud or edge network. This is the part I’ll explain below.
Edge networks are the foundational elements powering SASE and many of the providers.
💡 - Why Are PoP Locations and Edge Networks Important? - First, let’s understand what PoP stands for. A "Point of Presence" (PoP) location refers to a data center or smaller network access point where a network provider has infrastructure like routers set up to provide connectivity to its network. These PoPs are smaller in nature and are placed at strategic geographic locations to optimize internet traffic, improve network performance and reduce latency. Internet service providers (ISPs), content delivery networks (CDNs), and telco network providers use these PoPs to interconnect with one another and provide faster connectivity for their customers.
Edge networks are networks (powered by PoPs) that are located close to the end-users, instead of being centralized in a data center. SASE vendors use PoP locations to inspect and check network packets from users to the internet or SaaS apps.
There are two ways to implement and deliver SASE for customers:
Build your global infrastructure and partner with ISP Telcos
Buy services and partner with the cloud providers
Build your infrastructure and partner with ISPs
A potential SASE company can decide to build out their own data centers and PoPs in major continents equipped with servers, cloud services, and networking features. The company would develop peering agreements and partner with local Internet Service Providers (ISPs) around the world for the transfer of data end-to-end across regions.
💡An analogy is that of Amazon vs UPS. Amazon (the major SASE vendor) owns distribution and warehouse facilities (data centers and PoPs) across the globe. However, in some local regions, they need UPS or a local carrier (these are Tier 1 ISPs like AT&T) to help with the delivery of those services. They partner with ISP telco providers to gain access to the entire internet or to locations where they lack a presence.
Buy and Partner with the cloud providers:
This is pretty straightforward. The company partners with the hyperscalers and leverages their infrastructure. In some cases, SD-WANs allow enterprises to buy a direct private connection to their private VPC (virtual private cloud) leveraging AWS DirectConnect, Azure ExpressRoute, or GCP Direct Interconnect.
The Key Players to Watch
Zscaler
Zscaler is considered a key market leader. They were founded in 2007 as a multi-tenant cloud security and secure web gateway (SWG) platform. Multi-tenant here means that they provide security to multiple clients using a shared infrastructure.
Leadership with SWGs catalyzed early success:
Zscaler started as a company that helped companies transition to a cloud-native secure web gateway (SWG) (a system for monitoring web traffic) from the existing on-prem appliances used during that period. At the time when the company was founded, Blue Coat and Symantec were the on-prem market leaders. A big part of Zscaler’s success has been the fact that it was one of the only cloud-native network security solutions built for distributed traffic flows.
In recent years, its market share has continued to significantly outpace the market, particularly during Covid. This has further helped its rapid growth over the last five years.
Infrastructure Advantage and Architecture
The company uses a proxy-based architecture (called Zero Trust Exchange, ZTE) to deliver Secure Access Service Edge (SASE) solutions. A proxy acts as an intermediary between users and bad actors, shielding users from direct access. Proxies can inspect all traffic, including encrypted packets, to identify and isolate threats. Legacy companies typically provided architectures that used firewalls to hold traffic for a verdict before delivery to a destination. Zscaler provided instant access.
Zscaler has built out a global footprint with over 150 data centers and PoPs worldwide. It leverages ISPs to allow customers to connect to the internet and offload web security to the internet backbone, reducing the need for on-premise VPN or tough MPLS. Once traffic reaches the Zscaler cloud, it applies its malware detection engines to all content, regardless of reputation or entitlements. Zscaler's core products for SASE are ZIA and ZPA. These two products provide ZTNA, SWG, Identity, and cloud security in a Secure Access Service Edge (SASE) solution.
Zscaler Internet Access [ZIA] (Internet-focused): ZIA is the company's main product, which sits between an organization's employees and the internet. It inspects traffic to protect against web threats. User traffic flows through Zscaler's cloud platform before flowing to and from internet websites, SaaS apps, and other resources, providing protection for employees whether they are on the company network or connecting remotely. This product gained traction primarily after it evolved from their cloud-delivered SWG.
Zscaler Private Access [ZPA] (Application-focused): ZPA is the product for organizations that want security integrated into their in-house applications. It provides remote access to internal applications. ZPA utilizes policy-based controls to provide remote access on a per-application basis, without exposing the internal network. It was born out of their ZTNA example earlier. Zscaler ZPA connects the correct user directly to authorized applications, not to the corporate network. This approach is different from legacy network security approaches that require users to access the network to connect to an authorized application.
Go-to-Market and Customer Traction:
Zscaler utilizes a top-down, high-touch joint sales model. Due to the large implementation of SASE projects, Zscaler's internal sales teams develop relationships directly with customers and work with channel account partners and systems integrators for implementation. The company's success has been predominantly based on its ability to win large deals within the US Government and the largest US companies with a global presence. Today, they have over 378 customers paying $1M in annual recurring revenue (ARR). They have over 2337 enterprises with ARR greater than $100k, including 40% of Fortune 500 and 30% of the Global 2000. Over 90% of their sales are driven by a channel partner, such as system integrators or channel partners like Verizon. Within the mid-market, they sell through value-added resellers (VARs) and IT partners. To better understand the role of channel partners in cybersecurity, read more in this blog by Venture in Security.
ZS had a couple of GTM advantages versus appliance-based vendors. Firstly, as a cloud-delivered vendor, they made deployment and security management far easier for enterprises. Secondly, they didn’t need to use the traditional distributors (like Ingram Micro), and hence could provide larger rebates to downstream VARs while still being a cost leader in the eyes of the end customer. - Convequity
For more on the current developments with Zscaler as of last month's most recent earnings report, visit hhhypergrowth’s deep-dive on their product updates and report.
Federal Credibility:
Zscaler has achieved the Federal FedRAMP Highest Authorization for both ZIA and ZPA, making it the only cloud security service provider to have two products certified at the highest level of FedRAMP. Furthermore, ZPA is the only Zero Trust solution that has obtained Department of Defense (DoD) IL5 certification. The company began investing in the federal market around 4 or 5 years ago, recognizing the need for critical certifications like FedRAMP and StateRAMP to succeed in government contracts. This has been an integral factor in their sustained growth.
At the MS TMT Conference, Zscaler highlighted their leadership in certifications, stating:
We have the most certifications at the highest level compared to any other vendor. In fact, out of the six companies that have achieved the highest level certification in the entire IT ecosystem, Zscaler is the only cyber company in that space. Additionally, 12 out of the 15 cabinet-level agencies are Zscaler customers.
Areas To Monitor:
Zscaler doesn't have a wide breadth of products. They’ve got depth in SWG, SSE and a decent amount of cloud-native, zero-trust security products but lack a strong presence within the WAN edge networking layer, endpoint/device and identity layers of security. Their new product categories, like CNAPP products, only contribute around 14% of revenue to the company. This is relatively small for a company at this stage. It would be interesting to see if they fill some of these gaps with M&As over the next year.
Zscaler doesn’t have a good mix of customer breadth and GTM motion. They can expand down-market to commercial organizations but don’t have enough products to sell into this category, especially since most of the margins are built around premium/high ACV products. They’ve historically just focused on the high-end of the market. It will require adapting their GTM to capture more of these mid-level market opportunities.
Zscaler doesn’t own its global private network. They appear content in delivering SD-WAN via partnerships with external providers. This has its advantages in the short term, though longer-term, as networking and security become further entwined, companies will likely favour a more complete vendor with native networking strengths. This dependence on many providers also limits their network performance compared to companies like Cloudflare who own their networks. Some of the limitations were correctly highlighted here.
Summary:
At the customer and market level, Zscaler dominates the market. Zscaler has been a leader with Gartner for 10 years straight in SWG. Since Gartner and other firms like Dell’Oro and GigaOm started publishing leading vendors in SASE (or SSE), Zscaler has consistently ranked as a leader with these firms. The company has the largest market share and install base with 6500+ customers, providing them with further expansion opportunities. Upsells and dollar net retention have exceeded 125% since October 2020. The company's NPS score among customers is 80%, demonstrating high levels of satisfaction compared to the average SaaS company.
At the infrastructure layer: With over 150 data centers worldwide, Zscaler has a specialized edge security platform with a difficult-to-replicate infrastructure footprint. The company's network scale and partnerships have created a competitive advantage enabling it to connect users with applications within a short distance, reducing latency and limiting application performance issues. The company has global peering agreements with the largest ISPs and manages over 280 billion security transactions/traffic. However, they need to expand their product and customer breadth to maintain market leadership.
Cloudflare
Cloudflare was founded in 2010 with a mission to build a better internet based on the premise of improving the security, reliability, and performance of websites. This mission translated into the company becoming a content delivery network (CDN) solution for SMBs, with added DDoS protections. As a CDN platform, Cloudflare aims to improve website performance for end-users, regardless of their location. In pursuit of this goal, the company made an architectural decision to build PoPs around the globe over the years to further enhance its network performance.
💡 For instance, if a user in New Zealand wants to stream a concert in New York, the website does not need to go through a US data center to collect and send the information to NZ. Instead, the user's website can leverage a local server (on the edge) in NZ to watch the stream. This approach has the benefit of content being delivered rapidly from a nearby server, rather than traversing the web to the US on the origin server. As a result, the website experience is faster, with lower latency and bandwidth requirements.
Cloudflare PoPs were built to route traffic efficiently to different physical locations and individual machines as a single network. Every time a new server or location is added, the entire network's performance improves because it serves as an extra hub for Cloudflare to route its traffic. This is because content delivery platforms like Cloudflare, Akamai, etc. utilize a variety of global servers around the world. This decision made in their early days has served as a key advantage in security.
Infrastructure Advantage and Architecture
Large Global Presence: The company currently operates in over 275 cities, including mainland China, and is one of the only providers in this region (key advantage!). The company has over 11,000 networks directly connected to them, including ISPs, cloud providers, and large enterprises. Its network is within ~50 milliseconds of 95% of the world's population, is distributed across more than 100 countries, and has 155 TBs of network edge capacity. The benefit of this global network is faster internet network performance for end customers.
Software-Defined Networking (SDN) Architecture: Cloudflare’s platform was built around an SDN architecture, which now provides them with strong advantages in SASE. If we step back briefly, recall that we discussed the benefits of SD-WAN earlier: the process by which software helps multiple remote locations connect to one corporate network. SD-WAN, however, leverages an SDN infrastructure.
SDN is a software architecture that provides a central point for the control of network traffic. In the past, network administrators had to manually configure each network device independently, which was time-consuming and error-prone. SDN was introduced as a way to separate the control plane from the data plane and provide one central point of control for network flows. The control plane is the brain or ‘manager’ of the network; it's responsible for making decisions about how traffic should be forwarded through the network. The data plane is the ‘employee’ who follows the instructions and carries out the task. By separating the control plane from the data plane, SDN allows for an ‘HQ’, or centralized control of the network, that can see the big picture and decide automatically which path is best for network traffic. This optimizes for faster internet performance.
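The control-plane/data-plane split described above, as an added sketch that is not from the original article or from any vendor's code: a controller with a global latency map computes the best paths and programs each switch, while the switches only look up a next hop. The PoP names, latencies and class names are constructed for illustration.

```python
import heapq


class Switch:
    """Data plane: forwards by table lookup only, makes no routing decisions."""

    def __init__(self, name):
        self.name = name
        self.flow_table = {}  # destination -> next hop, written by the controller

    def next_hop(self, dst):
        return self.flow_table.get(dst)  # None means "no rule, drop"


class Controller:
    """Control plane: holds the global topology and programs every switch."""

    def __init__(self):
        self.links = {}     # node -> {neighbor: latency in ms}
        self.switches = {}  # node -> Switch

    def add_link(self, a, b, latency_ms):
        for node in (a, b):
            self.links.setdefault(node, {})
            self.switches.setdefault(node, Switch(node))
        self.links[a][b] = latency_ms
        self.links[b][a] = latency_ms

    def remove_link(self, a, b):
        self.links[a].pop(b, None)
        self.links[b].pop(a, None)

    def _first_hops(self, src):
        """Dijkstra over latency; returns {destination: first hop from src}."""
        best = {src: 0.0}
        first, done = {}, set()
        heap = [(0.0, src, src)]  # (cost so far, node, first hop used)
        while heap:
            cost, node, hop = heapq.heappop(heap)
            if node in done:
                continue  # stale queue entry
            done.add(node)
            if node != src:
                first[node] = hop
            for nbr, latency in self.links[node].items():
                new_cost = cost + latency
                if nbr not in done and new_cost < best.get(nbr, float("inf")):
                    best[nbr] = new_cost
                    heapq.heappush(heap, (new_cost, nbr, nbr if node == src else hop))
        return first

    def push_rules(self):
        """One central decision replaces per-device manual configuration."""
        for name, switch in self.switches.items():
            switch.flow_table = self._first_hops(name)


def forward(ctl, src, dst, max_hops=16):
    """Walk a packet through the data plane; None means it was dropped."""
    path, node = [src], src
    while node != dst:
        nxt = ctl.switches[node].next_hop(dst)
        # Drop on a missing rule, a rule pointing at a dead link, or a loop.
        if nxt is None or nxt not in ctl.links[node] or len(path) > max_hops:
            return None
        path.append(nxt)
        node = nxt
    return path


def build_demo():
    """Constructed topology: four PoPs with made-up latencies."""
    ctl = Controller()
    for a, b, ms in [("akl", "syd", 25), ("akl", "lax", 120), ("syd", "lax", 140),
                     ("syd", "nyc", 210), ("lax", "nyc", 60)]:
        ctl.add_link(a, b, ms)
    ctl.push_rules()
    return ctl


if __name__ == "__main__":
    ctl = build_demo()
    print("normal:       ", forward(ctl, "akl", "nyc"))
    ctl.remove_link("akl", "lax")  # link fails
    print("stale rules:  ", forward(ctl, "akl", "nyc"))
    ctl.push_rules()               # controller reprograms the network
    print("reprogrammed: ", forward(ctl, "akl", "nyc"))
```

Between the link failure and the next `push_rules()` call the switches keep forwarding on stale rules and the traffic is dropped, which is why the controller's view of the network has to stay current.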
Cloudflare was one of the first companies to introduce SDN utilizing its Edge PoPs, and it has now been able to leverage this network to embed security products much faster than competitors. In recent years, the resulting density of their network is what makes them faster than Zscaler here. Since the key feature of SASE is processing security at the edge or as close to users as possible, Cloudflare has a key advantage in SASE here.
Cloudflare’s Global Private Network vs. Internet: Cloudflare’s global network gives companies a private tunnel to manage traffic end-to-end on a secure network using Cloudflare's Magic Transit and Network Interconnect, rather than relying on the public internet. Cloudflare’s network was also built as a reverse proxy for companies’ web applications, whereas Zscaler's was built as a forward proxy for the user. While there is no flaw in either approach, the benefit of being a reverse proxy is that, since Cloudflare sits behind many of the world’s websites, it has developed a core competency in optimizing web network traffic through caching or load balancing and natively protecting a company’s web apps from DDoS attacks. Additionally, Cloudflare's focus as a cross-WAN Internet accelerator gives them some advantages in rapid network communication and makes their network more performant. Many of these features have been highlighted in this blog, here.
Networking Network Effects: Due to the points mentioned above, Cloudflare benefits from a ‘network’ networking effect. This architecture has allowed the company to manage its network efficiently and helps provide the capacity for Cloudflare to offer its free tier of service. In turn, the free tier of service has helped the company generate global scale, making Cloudflare a more attractive partner to ISPs.
Pricing and margin benefits due to Infrastructure: Due to many of the infrastructure benefits we discussed above, there could be pricing and margin benefits that accrue to Cloudflare, letting it offer SASE at a better price than the larger companies. This will need further investigation on my part, but it is something that experts shared with me.
Core products
They offer SASE through their Cloudflare One suite. The individual products include Cloudflare Gateway (SWG), Cloudflare Access (Traditional VPN and Zero Trust Network Access), Cloudflare CASB and Cloudflare Teams (zero trust services) for admitting users to a specific application rather than the entire network. Cloudflare Magic Firewall is their version of an NGFW for port-blocking, packet inspection and IPS. For a detailed overview of many of Cloudflare’s new SASE products, see Muji at hhhypergrowth’s report on Cloudflare’s CIO week, titled A maturing SASE. There was also another report looking at their security week.
Traction
The zero-trust portfolio in Cloudflare One is smaller than that of its competitors, given that the company is a new entrant to the market. Based on the product attach rates provided at its investor day, the business is estimated to represent only 15% or $150 million of the total company revenue base of ~$1 billion this year. Zero Trust, which is a competing product to Zscaler, represents less than half of Cloudflare One's revenue (<$100 million). By comparison, Zscaler's total revenue is over $1 billion. According to my conversation with Ivana Spear at Spears Invest, an investor who has spoken with Cloudflare’s Mgmt,
“There is a significant opportunity for Cloudflare to grow its Cloudflare One business from its small scale. If the underlying market is growing at a 20%+ compound annual growth rate (CAGR), Cloudflare can grow at a 50%+ rate in this business and add more than 10% to the company's total growth.”
I also spoke to Convequity, who have studied Cloudflare’s SASE products and acquisition; they believe
“Cloudflare’s acquisition of Area 1 Security could be the catalyst for future SASE success versus the competition. Area 1 is a next-gen email security startup which is very easy and flexible to deploy and manage. Most importantly, Area 1 is proving to be more effective than incumbent solutions at detecting and stopping the latest advanced phishing attacks such as BEC (Business Email Compromise), which is a type of cybercrime costing orgs billions of dollars per year. The low friction deployment combined with the high efficacy, could make Area 1 a very popular entry sale for Cloudflare, and give them opportunities to land subsequent SASE deals.”
Areas To Monitor:
Cloudflare lacks strong ecosystem partnerships to implement large, up-scale SASE projects. They don’t have the GTM motion for large enterprises and will need to develop a high-touch, top-down sales model to be truly successful at SASE. This process will take years to build out, which works to the advantage of other key players who have a strong market presence. Today, they have over 2042 customers paying more than $100k, 222 customers paying more than $500k, and 85 customers paying more than $1M as of Q4 2022. This still pales in comparison to Zscaler or some of the large SD-WAN providers. According to the Gartner peer insight survey, Zscaler has over almost 700 ratings compared to 50 for Cloudflare and other providers, showing a low mind share within key top-down buyers like CISOs and CEOs.
Security is new to Cloudflare. The company has historically been a developer and content delivery platform that sold to a different enterprise department. Their security product features were rapidly developed over the last two years, so they lack the credibility of the big players. Features such as Cloudflare’s DEM were only released a couple of quarters ago, whereas Zscaler has had this product for many years. They only obtained certifications like FedRAMP, ISO 27001, and SOC 2 by Dec 2022.
Summary:
Cloudflare has leveraged its SDN infrastructure as a content delivery network (CDN) to expand into security. Their high density of global PoPs, connectivity with public cloud providers, and recent products like SWG, CASB and ZTNA provide them with a strong technological edge to offer SASE over many of the incumbents.
One key consideration is whether Cloudflare's dominant global network and negotiating power with ISPs provide pricing and go-to-market benefits. Would this allow them to scale easily and gain more market share quickly? This would be the key component to watch over the next few years.
Palo Alto Networks
Palo Alto offers SASE through a combination of Prisma Access and Prisma SD-WAN. They acquired CloudGenix, an SD-WAN startup, for $420M at the height of the pandemic in March 2020, and subsequently renamed CloudGenix SD-WAN to Prisma SD-WAN. Acquiring CloudGenix further bolstered their networking strengths for helping companies interconnect with branch offices.
Architecture:
Palo Alto has chosen to leverage Google's GCP infrastructure to deliver SASE. They developed a partnership with Google and, secondarily, AWS to use their data centers rather than build their own via colocation arrangements. Unlike Zscaler and Cloudflare, which decided to build their own global infrastructure, PANW is one of the few players leveraging partnerships for SASE. PANW believes that the same network GCP uses to power YouTube globally will work for them. In most cases, it is all delivered using AWS DirectConnect and GCP Direct Interconnect.
PANW’s architectural decisions are very aligned to its overall business DNA. Compared to others, PANW doesn’t spend big on capex nor make real estate investments. Often, they also choose to acquire rather than build capabilities in-house. Taking this into account, you get the picture that PANW’s business is designed for flexibility and being able to quickly adapt to changing requirements. However, the flexibility comes at a cost because they don’t have as much control compared to some rivals. - Convequity
Product Features:
To deliver their SASE solution, Palo Alto has consolidated several of their point products, including ZTNA, Cloud SWG, Next-Gen CASB, FWaaS, and SD-WAN, into one. Some of PANW’s key features in their SASE solution are their SWG and ZTNA 2.0, which provide inline deep learning capabilities that shrink the time required to detect and stop unknown threats to near zero seconds. They also incorporate SaaS Security Posture Management (SSPM) into their CASB solution.
Palo Alto’s biggest bet in their SASE is their AIOps for SASE and AIOps for Autonomous Digital Experience Management (ADEM). The ADEM delivers an optimized experience for every user and application with detailed performance insights and provides end-to-end observability across their network. A full list of the latest features of their SASE strategy can be read here.
Traction
According to their last earnings report, they have over 4500 customers. They have the second-largest customer base, compared to Zscaler’s 6500 customers. The business is showing great traction. Palo Alto Networks is now recognized as a leader in the 2020 Gartner WAN Edge Infrastructure Magic Quadrant and the 2022 SD-WAN Magic Quadrant, in the Gartner Peer Insights Voice of the Customer survey, and as Frost & Sullivan's SD-WAN company of the year. Industry researchers rank PANW’s SD-WAN stronger than the competition.
Areas To Monitor:
Costs: In the interim, PANW is able to absorb the cost of paying a fee to GCP to deliver SASE. However, over the long term, tradeoffs might come from not owning their infrastructure for SASE delivery, especially as demand scales. PANW is also known as one of the more expensive firewall vendors. This is likely the case with their SASE solution. If this is the case, this will limit their market presence in the mid-level aspect of the market.
Lack of control and flexibility: Ultimately, because they don’t have their own infrastructure, PANW's destiny would always be tied to GCP. Google is as reliable as anyone, so this is not necessarily a bad dependency. However, since GCP utilizes primarily large data centers, most of their traffic has a longer path to deliver content.
Lack of large ecosystem partners: I have also heard anecdotes that Palo Alto’s SASE does not provide many integration options and doesn’t leverage much of the ecosystem.
Summary:
In summary, compared to many of the vendors discussed above, Palo Alto's biggest advantage is that it would be much easier to upsell SASE into their broad network security customer install base. Gartner published a report on the benefits of a single-vendor SASE provider. Palo Alto already has a large install base (over 60,000 customers) across the world who have procured firewalls from the company in its early days. It is significantly easier to sell SASE to a company that uses your firewall or network security product than starting with a company from the ground up. During a period of vendor consolidation, they stand to benefit from companies that want to consolidate multiple products into one central architecture.
They also benefit from customers that want hybrid architecture. Many large companies who purchase SASE products include the likes of financial institutions or hospitals with large branch presence. Due to the heavy regulatory requirements for these companies, many still maintain on-prem workloads. Palo Alto’s strong competency across the on-prem firewalls and cloud provides them with a better advantage for deploying hybrid solutions for these companies when competing on deals.
Netskope
Netskope can be considered one of the leading players within SASE. The company was founded in 2012 by Sanjay Beri and Ravi Ithal. Both founders had experience working on network security products from Juniper Networks and Palo Alto Networks before starting Netskope.
Netskope offers SASE but primarily brands itself as an SSE provider while separating its SD-WAN solution. They offer Borderless SD-WAN, a solution that provides remote employees and devices secure connectivity to cloud applications, branch offices, and other company locations such as factories and retail outlets. They released this product in August 2022 after completing the acquisition of Infiot, an SD-WAN provider.
Netskope was the first pioneer of the out-of-band CASB market and subsequently introduced very effective inline security solutions, such as its NG-SWG. As SaaS applications began gaining prominence, they saw the need to develop data loss prevention (DLP) security solutions to secure users’ access to these cloud-based applications. As a result, over the past decade, they have built a stronger core competency in this category than many of the providers above, primarily in CASB.
Architecture: The company’s architecture is primarily based on building PoPs by leveraging strong partnerships with ISPs. These ISP peering relationships provide high-speed internet access.
Netskope’s strength lies in the breadth of cloud applications that it can assess and audit. The company offers a database known as the Cloud Confidence Index (CCI), which consists of over 54K third-party cloud apps, their enterprise readiness levels, and risk scores. Organizations use the CCI score to determine the threat levels present in SaaS apps and set the appropriate policies to mitigate the threats. In discussions with Convequity, they see the following as the company’s advantage:
“Netskope has developed a core capability at conducting security on data-at-rest and real-time security on data-in-transit. Due to the different skillsets, it is very difficult for a vendor to excel in both, but Netskope has achieved this. Netskope’s other differentiator is its long-term focus on being a data-centric security provider. It has the leading DLP solution and is constantly working to improve its capabilities with ML-based techniques. As data volumes increase exponentially, this strategy positions Netskope to remain a key player amongst peers.”
Traction:
From all of my conversations with industry experts, Netskope is a consistent name in the market. It has customers across the mid-market and enterprise companies within large sectors like financials. They have over 2K customers, including 25% of Fortune 100 companies as of November 2022, and were generating around $300M in ARR as of the fall of 2022. They have also achieved FedRAMP authorization, allowing them to win government contracts. In my research evaluating a number of vendors with ETR research, the findings show that Netskope is gaining momentum in spending amongst a number of cloud security vendors.
Summary:
Netskope has one of the most comprehensive CASB and SWG products. It's built around their NewEdge infrastructure, which provides a software-driven networking overlay that routes users via the most optimal path to their application for the best connectivity possible. To learn more about Netskope, visit Contrary Research and read the full memo on Netskope.
The company doesn’t have the capital and vast infrastructure of the major players. However, it has built great technology over the last 10 years. It still needs to expand its GTM to win more large enterprise deals. With their recent $410M funding, seeing their evolution over the next few years will be interesting.
Fortinet
Fortinet started as a firewall security company and built a strong competitive advantage over the years as an enterprise networking company. Fortinet’s platform has built strong core competencies in Network Security (firewalls), Networking, and unified communication, like offering wireless, WiFi services, and SD-WAN services. They are leveraging this core strength to offer a converged SASE for those appliances that provide those networking services.
Architecture and ASIC Chip Advantages: Fortinet’s architecture is built around a cybersecurity mesh architecture (CSMA), an operating system that runs every Fortinet service. According to research from Convequity, “The company has historically been an upstream vertically integrated company that produces every component of their cybersecurity products down to manufacturing their ASIC chips. They also have core competences in the hardware appliance market and developing ASIC chips with strong computing and networking processors. This vertical integration has enabled them to develop custom silicon to deliver SASE features - networking and security into a single compact appliance box like a router. This way organizations can buy and install one appliance to get the benefits of SASE both on-prem, at home office, and at the branch office.”
They are investing heavily into developing the necessary global network via colocation data centre partnerships and building out its own data centers. Since Fortinet also has the hardware advantages, the company now intends on going a step further than Cloudflare and Zscaler’s colocation data centre partnerships, and actually owning its PoPs outright. This is the best way to truly maximise the power of their ASIC and SoC custom silicon and emerge as the most performant SASE provider.
SASE security features: Fortinet acquired a security company called Opaq in July 2020. The goal was to add security services around ZTNA to complement their networking and firewall features. Opaq also helped them deliver SASE for companies that were fully remote. Later in the year, they further acquired Panopta, a company that provided them with expanded network visibility and infrastructure monitoring.
Skyhigh Networks (Formerly McAfee)
The long-tenured anti-virus company went private in November 2021. Symphony Technology Group (STG) acquired McAfee’s Enterprise business and later announced it would split it into two orgs —Trellix for EDR and Skyhigh Security for SSE.
Earlier, in 2017, McAfee made the smart decision to acquire Skyhigh Networks to provide cloud network security, particularly CASB solutions. Over the past six years, they have added more features around SWG, DLP, and remote browser isolation, to name a few, to build out a full portfolio of SSE solutions. This earned them a leadership position on Gartner’s 2022 SSE Magic Quadrant and recognition in the 2022 Critical Capabilities for SSE for its MVISION Unified Cloud Edge (UCE) solution.
Architecture: Skyhigh Networks leverages McAfee’s 50 PoPs dispersed globally to power their SASE solution. Whereas the vast majority of SASE-focused vendors have all internet traffic flow into a PoP for in-line inspection, McAfee inspects data packets either at the endpoint location or the nearest PoP, depending on a variety of attributes of the traffic. This approach is somewhat similar to that of dope security, a company building secure web gateways that run on endpoints instead of in the data center.
Cato Networks
This is a notable player worth highlighting because they were one of the first movers into SASE. They offer their solutions through the Cato SASE Cloud. They have a large global presence through owning some PoPs and through colocation data center networks via partnerships with the hyperscalers globally. This allows them to control the end-to-end traffic over a private network backbone.
They have much better availability and comprehensive coverage because of virtual appliances, edge routers, and data center routers. They offer a Virtual Private Cloud (VPC) through a SaaS service that runs on the cloud vendor's IaaS and allows their customers to connect to cloud regions directly. All of this is powered by its edge network, which interconnects WANs to cloud platforms from the nearest PoP.
Other Key Players
I researched several companies but could not provide a full breakdown due to the report's length. However, I would be remiss not to discuss some other major SASE and SD-WAN providers.
Cisco provides SASE through its Cisco Umbrella platform. As a networking company, they have core strengths on the SD-WAN networking aspect after acquiring Viptela in 2017. Viptela had a compelling SD-WAN solution with advanced routing, segmentation and security capabilities for interconnecting complex enterprise networks. It further enabled them to deliver a more software-centric, subscription-led networking model. Subsequently, they acquired an identity security company called Duo Security and acquired ThousandEyes in 2020. However, they lack the breadth of security features. Cisco announced a new SASE platform in Mar-21.
Hewlett Packard Enterprise (HPE) acquired Aruba Networks in 2017 to provide them with enterprise networking capabilities. They further acquired Silver Peak, a cloud-based SD-WAN provider, in late 2020 as the SASE buzz was growing and companies were looking for remote solutions. The acquisition strengthened Aruba ESP (Edge Services Platform), helping to advance their enterprise cloud transformation with a comprehensive edge-to-cloud networking solution. Most recently, in March 2023, they acquired Axis Security, a leading SASE provider that had many of the security features that HPE lacked.
Honourable Mentions: There are a number of companies, including Citrix for SASE, VMware SASE, Versa Networks, Forcepoint One SSE, Microsoft Defender for Cloud Apps, Broadcom (Symantec) CloudSOC SASE, and iBoss SSE Cloud. A full list can be seen at Gartner’s Peer Insights - Security Service Edge (SSE).
Summary - Who Wins The Final Prize?
This is an extensive review of all the major players, evaluating their products, architecture and go-to-market. I’ve reviewed Zscaler, Cloudflare, Netskope, Fortinet and Palo Alto Networks more deeply due to my reader base. To summarize everything in a few sentences:
Who wins this market is still up for grabs. Each vendor is approaching SASE from either the security side or as an SD-WAN networking player. The market is still early and rapidly growing at over 30%. If Gartner's estimate holds that by 2025, 65% of enterprises will have consolidated individual SASE components into one or two explicitly partnered SASE vendors, up from 15% in 2021, this would benefit the players with platform product breadth. It will be interesting to see how things evolve over time.
Zscaler continues to be the leader in SASE with a strong go-to-market motion amongst channel partners and mind share amongst CISOs. However, they need to innovate in newer security categories and move down the market to maintain market share.
Cloudflare has the technical edge for SASE, leveraging their strengths with a global network infrastructure. However, as one of the newest entrants, it will take them time to gain meaningful share. Whether they benefit from better pricing and margins by owning their network is something to watch.
Palo Alto Networks and Fortinet benefit from a large install base where SASE could be an easy cross-sell for those wanting hybrid SASE deployments. However, they need to deepen cutting-edge technologies to cross-sell this segment successfully.
Netskope is a company to watch because they not only have strong technology and a strong product in CASB, but equally have one of the largest market shares. With the new funding, they should be watched this year.
Cato Networks and Skyhigh Networks continue to have some of the best technology infrastructure but need to deepen their GTM presence.
Large incumbents with deep pockets like Cisco, HPE (Aruba networks), VMware, Citrix, Versa Networks and Forcepoint have dominant competencies in SD-WAN and Enterprise networking. They are all approaching the SASE market through acquisitions and hoping to cross-sell into their large install base. Time will tell whether they will be successful, but they shouldn’t be discounted.
There you go with all the 15+ vendors going after the beloved SASE market.
Thank you very much for reading if you made it to the end! Special shoutout to good friends at Convequity, Muji at Hhhypergrowth, experts and the companies who spoke with me about their research.
I’ve curated a robust list of 50+ resources for those wanting to further understand SASE, the industry and key players. Visit the resource page.
If you have any feedback or new information to add, please comment or reach out at odumfrancis92@gmail.com.
This is part of my project of revamping my newsletter this year. I’ll continue to write more about either emerging technologies or key companies within security and data infra for the non-technical investor or technologist. Feel free to join if interested.
Gartner has nothing on you! What an awesome analysis.
Might also want to check out Twingate. As you said, all these companies started from CASB or SWG, but I think the winning architecture is much more like Twingate’s private proxy architecture where routing & security policies are applied locally in the endpoint (without needing to first hit a PoP). Sort of neutralizes the network advantages of folks like ZS, Cloudflare, etc.