SASE Vendor Summaries

SASE, or Secure Access Service Edge, was introduced by Gartner in 2019. In a short time, SASE has become a widespread force across the enterprise networking and security industries.

SD-WAN Experts contacted the vendors that we believe are leaders in SASE, as of the time of writing. The information below was provided directly by these vendors, in response to our questionnaire. Vendors are listed in alphabetical order.

Cato Networks

Open Systems

Palo Alto Networks

Versa Networks

VMware

Cato Networks

Briefly describe your SASE architecture

Cato was architected from the ground up to address all key SASE requirements: convergence of networking and security into a single pass and identity-based engine, cloud-based and cloud-native service, global footprint, and support for all edges.

Cato has the following pillars:

  • Global Private Backbone: SLA-backed network of 60+ PoPs, interconnected by multiple tier-1 carriers. It provides routing optimization, traffic acceleration, self-healing capabilities and full encryption to all traffic: WAN, cloud, and Internet.   
  • Security as a Service: A fully managed stack of enterprise-grade security capabilities converged into the backbone including NGFW, SWG, NG-Anti-Malware, IPS, and a Managed Threat Detection and Response (MDR) service. Scales up to 2 Gbps on a single connection with full decryption and deep packet security inspection.
  • Edge SD-WAN (“Cato Socket”): a WAN edge appliance that connects locations to Cato, and between edge devices, over Internet, MPLS, and 4G/LTE. It provides application-based path selection and packet loss mitigation, driven by quality of service policies and real time link performance. 
  • Cloud Acceleration: Cato easily integrates multi-cloud DCs into the network via an agentless configuration or a virtual socket. Cloud application access is accelerated by egressing the traffic via the nearest PoP to the application regardless of source. 
  • Remote Access: Cato SDP/ZTNA connects users on any device to any application. All traffic is optimized and secured in the same way regardless if the user is in the office or at home.    
  • Unified Management: Cato provides customers with one management console for all policies and analytics. The policy is distributed and enforced across all PoPs and seamlessly extends to all enterprise traffic globally.

Do you have any multi-tenant components in your SASE solution?

Cato Cloud was built from the ground up as a multi-tenant architecture. The PoPs dynamically serve tunnels originating from locations or people across multiple enterprises. Tunnels seamlessly migrate to different PoPs to prevent disruption and the enterprise policy is always enforced regardless of which PoP a tunnel is connected to.

Do you provide a private backbone? If so, how many PoPs do you offer in each region (North America, Latin America, EMEA, AP and China)?

Cato has a Global Private Backbone of over 60 physical PoPs. Cato fully controls the datacenters and carriers used in each PoP and can set up a PoP in any location unlike competitors who rely on cloud hyperscalers only. Cato has 21 PoPs in the US and Canada, 18 in EMEA, 19 in APAC (including 3 in Australia, and 3 in China), and 4 in Latin America.

What three features would you point to that allow you to beat competitors?

  • Convergence: of SD-WAN, network security, cloud integration, and remote access that is available globally at any scale with one management console. This is simply unmatched when compared to point solutions and telco bundles.
  • Cost savings: the reduction in complexity, resource offload, and the elimination of legacy products creates a very compelling business case that delivers much more for less. 
  • Rapid Pilot and Deployment: we say what it does, and it does it well and out of the box. If you try it – you buy it.

Describe your pricing model

We are an annual subscription service. Our price is based on last mile capacity of branches connected to Cato ($/Mbps/month), and number of remote users ($/user/month). Prices vary by geographical regions and there is a one-time cost for the Cato Sockets. Security add-ons and managed services are offered as premium options (Anti-malware, IPS, MDR).

Open Systems

Briefly describe your SASE architecture

Open Systems’ managed SASE solutions securely connect an organization’s users to applications, from branches to clouds anywhere in the world. We protect our customers’ digital assets and constantly monitor to proactively detect and respond to threats.

It is entirely built upon the company’s unified, future-proof platform that tightly integrates key networking and security services – including SD-WAN, app optimization, firewall NG, Secure Web Gateway, CASB, remote access, etc. With its sophisticated single-pass architecture, stitching of single technologies is avoided such that policies can be enforced holistically for all types of traffic. A variety of deployment models support all needs from low footprint (e.g. mobile users) to large offices, or DCs, up to cloud deployments.

Additionally, Open Systems features valuable Secure Email Gateway and MDR services, exceeding the requirements Gartner has specified for SASE. Provided as a managed service, Open Systems’ level 3 engineers monitor 24/7 to protect from and detect, analyze and contain security threats and issues affecting network performance.

Do you have any multi-tenant components in your SASE solution?

No, our solution is tailored to the specific needs of every customer. The only shared, customer-facing component is the Open Systems Portal which provides all customers visibility into the services, from reporting of service health and security incidents, to configuration status and change/incident management.

Do you provide a private backbone? If so, how many PoPs do you offer in each region (North America, Latin America, EMEA, AP and China)?

No, we do not maintain our own backbone but suggest that our customers leverage some of the strongest connectivity backbones in the market, such as the ones from Microsoft, AWS, Equinix, etc.

What three features would you point to that allow you to beat competitors?

  • Our purpose-built platform tightly integrates the network and security functions needed to connect users to applications, to protect digital assets and effectively detect and respond to threats.
  • In today’s fast-changing environments, evaluation, integration and operation of technology is complex, time-consuming and expensive. With our managed service, we provide unparalleled support along the entire customer journey. Our 24/7 DevSecOps model ensures that we take ownership of outcomes and solve issues, rather than simply passing on alerts.
  • With sophisticated ML and AI algorithms, we provide the predictive insights our customers need to make effective decisions.

Describe your pricing model

Our SASE solutions follow a user-based pricing model. It typically includes a one-time setup fee (OTC) covering the project costs, consulting work, design and architecture, joint workshops and implementation of the tailored solution. A monthly recurring cost (MRC) then represents the service fee including software and hardware licenses, life cycle management and most importantly – the 24/7 operations by tier-3 engineers with unlimited change and incident tickets.

Palo Alto Networks

Briefly describe your SASE architecture

The Palo Alto SASE solution utilizes the CloudGenix SD-WAN edge with Palo Alto Prisma Access to secure SD-WAN endpoints and mobile users and Prisma SaaS to secure sanctioned SaaS applications.

Do you have any multi-tenant components in your SASE solution?

Prisma Access is a multi-tenant application allowing customers to host multiple instances on a single Panorama appliance.  Prisma Access tenants get their own dedicated instances and they are not shared between tenants.

Do you provide a private backbone? If so, how many PoPs do you offer in each region (North America, Latin America, EMEA, AP and China)?

While Palo Alto does not have a private backbone, we deliver consistent cloud-delivered security from a multi-cloud architecture. With over 100 locations in 76 countries, users are always getting protection that they need with low-latency access to all of their public cloud, SaaS and data center applications. 

What three features would you point to that allow you to beat competitors?

One security management plane, versus 4 in our competition. All protocols are inspected (over 100), versus just HTTP/HTTPS/FTP and DNS of our competition. Bidirectional inspection, versus just ingress inspection like that of our competition. 140 PoPs vs 60 of our competition.

Describe your pricing model

Current pricing models are based on bandwidth utilization.

Versa Networks

Briefly describe your SASE architecture

Versa SASE is uniquely differentiated in the ability to deliver integrated SASE services both on-premises and via the cloud using the same operating system software within a single software stack, VOS™ (Versa Operating System).  Due to the genuine multi-tenant capabilities, VOS™ delivers these services via the cloud taking advantage of cloud economies of scale while servicing hundreds of thousands of tenants simultaneously.  

Versa SASE is also uniquely available as a private cloud service wherein Enterprises can operate, manage, and host their own private Versa Cloud Gateways wherever they choose. 

Versa SASE enables consistent security policies, network policies, business policies, and application policies seamlessly between on-premises and cloud services. The common integrated VOS™ software stack managed by a single management interface and tool creates a ubiquitous experience regardless of where IT decides to provide SASE services (on-premises, cloud, or both).

Versa SASE runs on VOS™ which is designed using a single-pipeline architecture that combines full-featured SD-WAN, complete integrated security, advanced scalable routing, genuine multi-tenancy, and sophisticated analytics into one software image. This integration and design methodology dramatically decreases latency, significantly improves performance, and mitigates security vulnerabilities introduced when running multiple software stacks, service chains, or appliances.

Versa SASE services available on-premises and via the cloud include, but are not limited to, SWG, NGFWaaS, NGFW, WAF / WAAP, RBI (beta), VDI, Sanitized DNS, Network Sandbox (beta), Network Obfuscation (via McAfee), Edge Compute Protection, CASB (beta), Legacy VPN, ZTNA-as-a-Service (Versa Secure Access), ZTNA stand-alone, routing, SD-WAN, analytics.  

Do you have any multi-tenant components in your SASE solution?

All components of Versa SASE are genuinely multi-tenant across orchestration and management, control plane, and data plane. Versa SASE multi-tenancy keeps the policies and configuration and the logs and statistics segregated from that of the other tenants while scaling to service hundreds of thousands of tenants simultaneously.

Do you provide a private backbone? If so, how many PoPs do you offer in each region (North America, Latin America, EMEA, AP and China)?

What three features would you point to that allow you to beat competitors?

Versa SASE is available on-premises, via the cloud, and as a combination of both while enabling consistent security, networking, business, and analytic policies on-premises and in the cloud to anywhere in the world. These services may be deployed primarily on-premises, in the cloud, or as a mixture depending on the type, size, or requirements of each organization, individual branch office, or users. Competitors are only able to offer a subset of SASE capabilities in the cloud, do not deliver these services on-premises, and are unable to deliver ubiquitous policy across both.

Versa SASE delivers a comprehensive integrated SASE solution within a single software stack (VOS™) which mitigates the requirement to perform service chaining, cascading, or virtual interconnect between SASE services which is required by other solutions in the market.  Versa SASE is a single-pass pipeline architecture which dramatically lowers latency, significantly improves performance and mitigates security exposure.  Competitive solutions require service chaining, multiple software stacks, multiple VNFs, multiple VMs, or separate boxes to achieve that same level of functionality. 

Versa SASE is available to Enterprises, organizations, and partners to build their own private SASE service on their own premises or in their own private cloud if they choose. This enables them to completely take control of their service, yet take advantage of performance, services, and capabilities of the leading SASE solution. Competitors do not allow their SASE solution to be deployed privately by customers.

Describe your pricing model

Versa SASE is available as a subscription service and priced based on features and capabilities required.  

VMware

Briefly describe your SASE architecture

The VMware SASE Platform converges cloud networking, cloud security and Zero Trust Network Access (ZTNA) with best-in-class web security. It is a cloud-first offering that delivers application quality assurance, intrinsic security and operational simplicity and is ideal for enterprises that are especially supporting a work-from-anywhere workforce.

The VMware SASE Platform is architected to leverage the power of the Cloud while minimizing complexity at the edge. The platform is an easy to consume one-stop-shop for security and network services, enabling a unified edge and cloud service model with a single place to manage business policy, configuration and monitoring.

The VMware SASE Platform includes the new VMware Edge Network Intelligence which gives IT teams added visibility and telemetry into the end-user experience as applications are accessed from anywhere and application traffic traverses many different networks.

The VMware SASE Platform addresses significant customer pain points including:

  • Inefficient Cloud/SaaS access, 
  • Poor application quality, 
  • Compromised security, and 
  • Operational complexities and costs.

With 150+ telecom partners and thousands of VARs globally, the VMware SASE Platform can be delivered as a managed service or on a DIY basis using a unique global network of 2,700+ cloud service nodes across 100+ Points of Presence (PoP). These PoPs serve as an onramp to SaaS and other cloud services. This global footprint gives VMware the ability to launch new networking and security services as well as integrations with best of breed security partners. These networking and security services can be delivered in an intrinsic or sequenced manner to branch edges, mobile users, campuses and IoT devices.

In summary, the VMware SASE Platform is architected to deliver flexibility, agility and scale for enterprises of all sizes.

Do you have any multi-tenant components in your SASE solution?

The capabilities of the VMware SASE Platform are no different from that of the VMware SD-WAN Platform. All the components of the VMware SASE solution including VMware SD-WAN Gateways, VMware Secure Access (Zero Trust Service), VMware Cloud Web Security and the VMware Cloud Firewall (Future) are multi-tenant.

Do you provide a private backbone? If so, how many PoPs do you offer in each region (North America, Latin America, EMEA, AP and China)?

VMware does not provide backbone transport, which is provided by our Service Provider partners. However, VMware SD-WAN Gateways, unique to the VMware SD-WAN cloud infrastructure, are strategically deployed and highly available cloud devices to provide closest and optimized VMware SASE PoP locations to hand off traffic to allocation tenant locations.

While VMware does not publicly reveal specific locations, its global footprint spans all major continents including North America, EMEA, Asia-Pac, and Latin America.

What three features would you point to that allow you to beat competitors?

VMware’s unique architecture has provided, from the beginning, Cloud Gateways that serve as an on-ramp to SaaS and a network of other cloud services. This global footprint gives VMware a presence to continue to deliver additional integrations and services that customers need.

For customers who want a solution from one vendor, VMware SASE Platform brings together industry leading SD-WAN, ZTNA, CWS and Cloud Firewall in a comprehensive, yet easy to implement package.

VMware also offers customers the flexibility to use 3rd party services if that is the approach they prefer.

In summary, VMware SASE Platform provides flexibility, simplicity, agility and scale to enterprises of all sizes.

Describe your pricing model

VMware employs a subscription-based pricing model for its SD-WAN and SASE services. Subscriptions are offered in different editions packaged for branch office and home office users, with terms of 1 year, 3 years and 5 years. Physical VMware Edge devices can be bought or rented based on customer preference.