Governance & Risk Management , SASE

Palo Alto, Versa, Fortinet, Cato Command SASE Forrester Wave

Providers Build, Buy Their Way Into Native SD-WAN, SSE Capabilities Over Past Year
Palo Alto, Versa, Fortinet, Cato Command SASE Forrester Wave

Palo Alto Networks edged out Versa Networks, Cato Networks and firewall rival Fortinet for the top spot in Forrester's first-ever secure access service edge rankings.

See Also: Zero Trust: Approaches, Use Cases, and Myths Debunked

Leading providers have over the past 18 months built or bought both the networking and security pieces of SASE, so that they no longer have to rely on partnerships to address both sets of needs, said Forrester Principal Analyst Andre Kindness. Getting both SD-WAN and security service edge from the same vendor reduces the work needed to apply networking and security policies as well as the risk of errors, he said (see: Netskope, Zscaler, Palo Alto Lead SSE Gartner Magic Quadrant).

"We almost felt like ZTE or SASE was becoming the killer app to making networking and security integral to each other," Kindness told Information Security Media Group. Forrester calls the market zero trust edge. "You can't do one without the other anymore."

Palo Alto Networks and Fortinet tied for the highest score around secure access service edge strategy. VMware took third, and Cato Networks and Forcepoint tied for fourth. In terms of strength of current offering, Versa Networks edged out Palo Alto Networks for the top score, and Cato Networks, Fortinet and Juniper Networks earned the third-, fourth- and fifth-highest rankings from Forrester.

Kindness said Palo Alto Networks integrated the SD-WAN assets from the CloudGenix acquisition quicker than rivals that made similar acquisitions, and Cato benefited from entering the market recently and not having to work around legacy tools, he said. Versa and Fortinet began in networking and security, respectively, but quickly saw the market need on the other side and built out native capabilities early (see: Fortinet, VMware, Cisco Drive SD-WAN Gartner Magic Quadrant).

"Those four vendors had really created a single interface that was simple, easy to use and consistent," Kindness said. "There weren't two pieces to it where you had to buy a separate software, a separate instance or a separate service. The other companies [in the Wave] either bought somebody or are still integrating product portfolios and bringing them together."

How Market Share Figures Compare to Forrester Ratings

Zscaler, Cisco, Palo Alto Networks and Broadcom, in that order, were the SASE market share leaders in the first quarter of 2023 despite Zscaler and Broadcom having limited SD-WAN capabilities, market research firm Dell'Oro Group said in June. Enterprises are expected to spend nearly $34 billion on single-vendor SASE and $29 billion on multi-vendor SASE from 2022 to 2027, Dell'Oro Group said in August.

For vendors with native capabilities in both SD-WAN and SSE, Cisco, Fortinet and Palo Alto Networks, in that order, were the market share leaders in 2022, Dell'Oro Group said in March. In terms of unified SASE - where networking and security services are integrated into a single platform - Versa Networks, VMware and Cato Networks, in that order, were the 2022 market share leaders, Dell'Oro Group found.

"SASE was becoming the killer app to making networking and security integral."
– Andre Kindness, principal analyst, Forrester

Going forward, Kindness expects SASE providers to go beyond dealing with traditional IT devices such as desktops and laptops and begin addressing IoT devices - as well as multi-cloud and IaaS environments. Kindness anticipates multi-cloud networking firms such as Aviatrix will become popular M&A targets, and he expects SASE tools will become more sector-specific to address needs in healthcare and manufacturing.

"People think, 'Oh, the market is saturated,'" Kindness said. "No way. It's not even close. The number of organizations doing SASE or ZTE is only 12% or 13% at this point because it's a difficult thing. It's not easy to roll out. The Zscalers and Netskopes will probably fill out the rest of their portfolio to match what competitors are doing."

Outside of the leaders, here's how Forrester sees the SASE market:

  • Strong Performers: VMware, Forcepoint
  • Contenders: Juniper Networks, HPE, Cisco, Barracuda Networks

How the SASE Leaders Climbed Their Way to the Top

Company Name Acquisition Amount Date
Cato Networks None N/A N/A
Fortinet None N/A N/A
Palo Alto Networks Sinefa Group $27M November 2020
Palo Alto Networks CloudGenix $402.7M April 2020
Versa Networks None N/A N/A

Palo Alto Doubles Down on AIOps, Digital Experience Management

Palo Alto Networks invested heavily in artificial intelligence and operational simplicity over the past 12 to 18 months to give organizations segment-by-segment visibility into everything happening on their network across both users and applications, said Anand Oswal, senior vice president of network security products. This addresses more than half of IT tickets attributable to issues in the home environment.

The company's investments in AI operations allow for the automation of prevention, detection and remediation activities and make it easier to pinpoint the root cause of abnormal behavior, Oswal said. Palo Alto Networks' use of deep learning rather than signatures and databases for URL filtering allows the company to spot 76% of malicious URLs a day before the competition and thwart zero-day attacks (see: Artificial Intelligence May Change the SOC Forever).

"Customers don't want to buy point products," Oswal told ISMG. "They want to go to a platform. They want to simplify their operations. They want to have a consistent user experience and a consistent admin experience. They don't want to do manual things. This can only be achieved when you simplify the service. And that's what we are working hard every day on."

Forrester criticized Palo Alto Networks for having merely average CASB and DLP capabilities and said the vendor needs to take better care of existing customers and improve customer support. Anand said Palo Alto Networks has taken more of a security-driven approach to DLP rather than the compliance-centric approach favored by legacy firms and has pursued in-line security along with SaaS posture management.

"We are very customer-centric," Oswal said. "We believe that we support our customers really well, and we will always strive to do better."

Versa Networks Addresses Network Performance, Edge Use Cases

Versa Networks has started to address complex SASE use cases by large customers in areas such as network topography, satellite and mobile operators to help organizations optimize and reduce bandwidth, said Chief Marketing Officer Dan Maier. The company has invested in helping businesses automatically pick the best and most optimized path across the network to ensure a high-quality connection, Maier said.

The company can deliver zero trust security in line on the local-area network, wide-area network or cloud edge, rather than directing traffic to a particular location where security is enforced, said CEO Kelly Ahuja. Versa Networks has extended zero trust network access from remote workers to those using hub or branch on-premises networks to ensure consistent polices are applied inside and outside the network (see: Versa Networks Raises $120M to Boost Cloud, Campus Products).

"The best success is really measured by our partners and our customers," Ahuja told ISMG. "Because when they evaluate the different solutions, they end up choosing us because we solve their needs better."

Forrester criticized Versa Networks for lacking specificity in its road map and struggling to get customers to use its security capabilities due to turf wars between the networking and security teams. Ahuja said Versa's enterprise firewall outperforms competing products in terms of scale and throughput, and Maier said Versa has seen a huge attach rate of security capabilities onto its SD-WAN technology.

"What we continue to hear from certain segments of the market is that they can't afford to have too many different players in the space," Ahuja said. "So, they're going to do consolidation, particularly in the midmarket and lower enterprise. They can't afford to have multiple different panes of glass and multiple experts."

Fortinet Enhances ZTNA, Maintains Flexible Deployment Options

Fortinet has doubled down on zero trust network access to accelerate VPN migration by customers and ensure their user experience remains top-notch when accessing apps, said Vice President of Products Nirav Shah. The company allows customers to do ZTNA enforcement through either FortiSASE when remote or through firewalls deployed in the cloud to maximize flexibility and ease of use, Shah said.

The company delivers SASE by tapping into previous organic investments around FortiOS or FortiGate firewalls rather than creating something new or stitching different components together via acquisition, Shah said. Fortinet delivers its security service edge capabilities using a unified agent and allows clients to consume SASE capabilities on-premises, in a multi-cloud environment or on an as-a-service basis (see: Ken Xie on Why Fortinet Is Leaning Into SD-WAN, OT Security).

"Fortinet is uniquely positioned because we have thousands of customers who have deployed a secure SD-WAN solution and now have an opportunity to expand to the SASE or a zero trust edge framework," Shah told ISMG. "Having a really solid networking background with security and providing the best of breed of both is exactly where Fortinet differentiates."

Forrester chided Fortinet for weak DLP, few advanced security capabilities, limited network reach, a management interface that's showing its age and a cloud portal that lacks feature parity. Shah said Fortinet will announce data security innovations soon, focus more on effectiveness than specific security components and take a true "single pane of glass" approach to its management interface.

"Our strategy around point of presence is very unique," Shah said. "Unlike many other vendors, at every point of presence that we have, we provide a full security stack. And that's important to take away. Customers can do every security and networking capability inspection on the PoP, unlike other vendors, which is limited."

Cato Networks Takes on Malicious Domains and Adds CASB, DLP, RBI

Cato Networks has over the past year added cloud access security broker, data loss prevention and remote browser isolation capabilities to its SASE suite while maintaining the same interface and cost of ownership, said Chief Strategy Officer Yishay Yovel. The company packaged and delivered SASE tools using an architecture that doesn't require significant work for the IT department to deploy, Yovel said.

The company also started using artificial intelligence to stop access to malicious domains as soon as it is attempted and prevent compromise, Yovel said. Legacy approaches to this problem relied on a list of known malicious domains, but Yovel said the rate at which cybercriminals rotate the domains they're using makes it tough for defenders to keep pace and spot a malicious domain before an attack happens (see: Cato CEO on Why Single-Vendor SASE Will Dominate the Market).

"We are the only one that actually built the SASE platform from the ground up from day one, which creates the uniqueness of Cato," Yovel told ISMG. "No third-party appliances or anything like that in our cloud. No multiple consoles, no different installs. Everything is totally seamless."

Forrester criticized Cato for having a limited partner ecosystem for third-party management and limited networking or security support and for lacking integrations with EDR vendors and concurrent identity firms. Yovel said Cato has integrated with multiple directory services providers including Azure, Ping and Okta, and a major EDR integration is slated for the next six to 12 months as the company debuts an XDR tool.

"We have leveled the playing field for network and security infrastructure," Yovel said. "It's no longer the case that if you're a big bank, you can protect better than if you're a manufacturing company that is big and global but doesn't have the resources of a bank."

About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.