SASE Security Deals: The Risks and Rewards

“SASE” is a recently coined acronym that stands for Secure Access Service Edge, which refers to a network architecture that combines software-defined wide area networking (SD-WAN) and security into a single cloud solution. The service simplifies deployment, improves efficiency, and provides more bandwidth per application for the customer and supplier. This means customers can now (1) consolidate their network and security solutions into a single SASE platform, (2) no longer buy from multiple vendors, and (3) reduce the complexity and cost of acquiring these key solutions.

Businesses are trending to adopt these solutions, and SASE cases here at ClearEdge are on the uptick. IDC research bears out this movement: by 2024, 30% of enterprises are expected to adopt cloud-delivered Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS) capabilities from the same vendor, up from less than 5% in 2020. And by 2025, at least 60% of enterprises will have timelines for SASE adoption encompassing user and branch access, up from 10% in 2020.

Panic over widespread security threats are driving this trend, and vendors are responding. In 2020, a flurry of acquisitions occurred to help suppliers quickly provide SASE offerings:

  • Cisco acquired Portshift to extend zero trust and identity-based segmentation strategies into cloud-native applications

  • Palo Alto Networks acquired SD-WAN vendor CloudGenix

  • Fortinet acquired OPAQ for cloud-based security and ZTNA capabilities

  • Check Point Software acquired Odo Security for ZTNA capabilities

  • Zscaler acquired Edgewise Networks to extend ZTNA policies and Cloudneeti to strengthen API-based CASB, cloud security posture management (CSPM) and SaaS security posture management (SSPM) capabilities

  • McAfee acquired Light Point Security

  • Barracuda acquired Fyde for ZTNA capabilities

What is the Problem?

Whenever a customer comes to rely on one supplier for multiple solutions, it vastly increases vendor lock in. This enables the supplier to exercise more leverage over the customer and often results in hefty increases at renewals. A good example of this predatory behavior is Broadcom, which offers multiple security solutions and has been increasing annual pricing by at least 10%. Since acquiring Symantec, some clients have seen their Broadcom maintenance renewals double in price. But because Symantec and Broadcom both pushed multi-year terms and subscription licenses, their customers lack the flexibility to downsize, or jump to another e-mail security provider, such as Proofpoint.

What You Can Do About It

Long before signing on the dotted line, we urge clients to insist on contract language that protects against locking in long-term commitments and costs. We also recommend that buyers include competition in all security deals because rivalries are fierce among the top suppliers, and there are many vendors fighting for market share. This is an effective strategy because none of the suppliers offers the most advanced (or easiest to implement) solution in every product category. For example, we’ve seen clients use Zscaler and Proofpoint to successfully compete against Microsoft, and vice versa. (Customers are already buying from Microsoft, and many like how easily security items can be added to their current bundles.)

Other suggestions include:

  • Create a team of security and network experts with shared responsibility for planning secure access across all of the enterprise’s locations

  • Take inventory of on-prem proxy appliances and network security solutions and determine where you reduce costs and combine security functionality offered in your cloud platform

  • Implement a multi-year phase out of on-premise hardware in favor of cloud-based SASE capabilities

  • Choose SASE solutions that allow control of where inspection takes place, host traffic is routed, what is logged, and where logs are stored to meet privacy and compliance requirements

  • Consolidate vendors as contracts renew for SWG, CASB, Malware Defense, DLP to realize savings on CAPEX and OPEX by reducing hardware, maintenance, and support costs

  • Adopt Zero Trust and increase security by moving to user and role-based model – this applies to all connections regardless of location

  • Eliminate VPN and direct traffic to SASE platform, allowing users to connect faster and more securely to video conferencing, email, and other cloud destinations

For more information on SASE and mitigating risk in your security deals, read our blog titled 2021 Security Buying Trends, or contact your ClearEdge representative.

- Cory Ryan is a Senior ClearEdge Analyst.