When organizations look to modernize their network architecture, they look to vendors that offer Secure Access Service Edge (SASE) solutions that help securely connect their modern distributed enterprise. This article will examine the advantages and disadvantages of the different approaches to modernizing network architecture using two SASE approaches: single-vendor and two-vendor.
To provide some context, for the past few years, organizations have faced new challenges in managing distributed workers and securing their connectivity to on-premises and cloud-based resources while at the same time being mindful of new sophisticated cyber threats that are purposely designed to take advantage of a more distributed attack surface. Organizations today feel pressured to modernize their networks to accommodate the unique demands of distributed users and the growing number of applications that need to be moved to the cloud. They are looking to SASE vendors for help to address the needs and challenges in their organization, but also to stay agile to support future demands.
What is SASE?
For those unfamiliar with SASE, it combines existing networking and security functions that leverage cloud and on-premises technologies with management consolidated into a single cloud-delivered service. All or part of these functions can be delivered as cloud-delivered services to take advantage of the cloud’s availability, elasticity, and scalability.
Instead of being defined as a new technology, SASE can be considered an architectural framework that combines SD-WAN and Security Service Edge (SSE) solutions, typically encompassing Secure Web Gateways (SWGs), Cloud Access Security Brokers (CASBs), on-premises Firewalls (FW) or Firewall as a Service (FWaaS), and Zero-Trust Network Access (ZTNA) technologies. SASE innovations involve integrating these disparate solutions to efficiently deal with the new challenges of a distributed workforce, cloud migration, and evolving cybersecurity threats.
This integration addresses other challenges organizations are mindful of, reducing complexity and cost. It’s nearly impossible for IT to be well-versed and to keep up with the latest advancements in security and networking technologies. SASE vendors know of this challenge and strive to make their integrated solutions simple and easy to manage, because complexity in configuration and deployment can make the organization more vulnerable to cybersecurity threats.
Each SASE vendor takes a slightly different approach to solving the organizational challenges mentioned earlier in this article. The differences stem from how these vendors arrived at their solutions. Most SASE providers evolved from security backgrounds (e.g., antivirus protection, firewall) or networking backgrounds (routing, switching, access points). A handful of vendors joined the SASE market as new startups aiming to develop full-fledged SASE solutions.
Regardless of how SASE vendors developed their solutions, each vendor generally gets categorized as favoring either a single-vendor SASE approach or a two-vendor SASE approach. However, their priorities typically closely align with their background. Security-centric vendors focus on on-premises security solutions and often need more networking experience and product depth. At the same time, networking-centric vendors are focused on the branch, adapting to a dissolved perimeter with applications hosted in the cloud.
One of the critical decisions organizations face when modernizing their network with SASE is whether to use a single-vendor or two-vendor solution. We’ll now weigh the advantages and disadvantages of single-vendor and two-vendor strategies.
Single-vendor SASE
Vendors that offer single-vendor SASE provide their customers with all the networking and security capabilities, resulting in a complete and integrated solution that includes all the technologies mentioned earlier.
Advantages of single-vendor SASE:
- Simplicity and ease of management: single-vendor SASE typically provides a straightforward solution with better interoperability between the technologies involved. Organizations can expect better automation tying the different services together and simplified administration through a single-pane management console. The integration will likely include context-aware policy enforcement across networking, security, and analytics. The solutions integrate ZTNA better, with identity-based access controls to secure sanctioned and unsanctioned applications across internal and external users.
- Better performance and optimization: single-vendor offerings are often optimized for performance, with services available in the same Point-of-Presence (PoP) locations. Traffic efficiency is increased with single-pass encryption and optimal routing decisions, which result in better network performance, reduced latency, and better utilization of the available bandwidth.
- Improved supportability: consumers of a single-vendor SASE solution have a single point of contact for support and accountability. This makes it easier to troubleshoot issues and resolve problems quickly. A single vendor also has better long-term potential, with continued efforts to improve the integration between the different technologies owned by that vendor.
- A lower total cost of ownership (TCO): with a single-vendor solution, organizations typically benefit from discounts, and reduced ownership and operational costs to manage the solution.
Disadvantages of single-vendor SASE:
- Limited choice and flexibility: a downside to single-vendor SASE is that solutions often have “gaps” or “weaknesses” in functionality with less flexibility to serve every need of an organization. If an evolving organization has new requirements for SASE capabilities, they may not find what they need in that single vendor.
- Vendor lock-in: organizations can find it difficult and costly to switch vendors once they have invested in a single-vendor SASE solution. A misstep by a single vendor the organization depends on could put the entire business’s viability at risk.
- Lacks best-of-breed: it is often difficult for a single vendor to achieve best-of-breed in networking and security, two very different and complex domains of expertise. Security solutions typically evolve faster to ensure protection against ever-changing cybersecurity risks. In contrast, networking solutions typically evolve more slowly, and are only forced to change due to either user performance complaints or new business requirements. Looking at the SASE landscape, no single vendor can claim best-of-breed in all components that make up SASE. Vendors often focus on their strengths and differentiate by producing vital networking or security capabilities that customers can gravitate towards based on their unique requirements.
Demand for single-vendor SASE tends to come from smaller enterprises lacking siloed networking and security teams to manage disparate solutions, typically because of constrained resources. They usually gravitate towards simple solutions encompassing all the required technologies that serve their specific use cases and, more importantly, don’t require significant time to ramp up on the technology. For enterprises that are not resource constrained, there is another option for consuming SASE and modernizing the network.
Two-vendor SASE
SASE vendors offering two-vendor SASE allow their customers to stitch together solutions from multiple vendors for different functions or capabilities, such as SD-WAN from one vendor and SSE from another vendor. These components are then manually integrated to create a comprehensive SASE solution.
Advantages of two-vendor SASE:
- Best-of-breed options: two-vendor solutions allow organizations to diversify by choosing the best-of-breed capabilities from different vendors to create a solution that meets their specific requirements. Vendors specializing in a particular segment can typically be more vigilant in their focus areas. They can adapt and innovate to develop better solutions and quickly evolve with industry requirements.
- Greater flexibility: two-vendor solutions offer greater flexibility, as organizations can choose the vendors or solutions that best meet their specific needs. If necessary, it also makes it easier for organizations to switch vendors with minimal disruption to the partnering segment of SASE. It is typically more disruptive to displace a networking solution than it is to displace a security solution.
- Better reliability: solutions from multiple vendors mean networking and security component maintenance can be done independently without consulting various departments. Each siloed team independently manages its disparate solution when performing upgrades or configuration changes.
Disadvantages of two-vendor SASE:
- More complex: a downside to two-vendor SASE is that solutions often result in complexity that requires more IT resources to manage and maintain. This makes the solution more susceptible to being misconfigured, resulting in improper implementation and increasing the time it takes to deploy. Working with multiple vendors to isolate problems and find root causes can become frustrating and challenging.
- Varying levels of interoperability: organizations are responsible for selecting the vendors that best fulfill their requirements. They cannot assume every SSE vendor will interoperate the same way with every SD-WAN vendor. Integration between disparate solutions requires vendors to have a tight partnership and to develop and release software in tandem, which is often more easily said than done.
- Disjointed administration: organizations often manage multiple contracts, deal with different service level agreements, and support the solution using two different consoles or management portals. This can add to the administrative burden and make managing the overall SASE solution more difficult.
- Higher traffic latency: the required integration between two different services in different vendor PoPs can result in traffic traversing multiple hops to process routing and security decisions. Traffic routing can also put a strain on the available bandwidth, which significantly impacts latency and negatively impacts the user experience.
- Higher total cost of ownership: two-vendor SASE solutions often result in a higher cost solution with fewer discounting options and higher administrative costs to employ administrators with expertise in the different component areas.
Two-vendor SASE is generally targeted toward larger enterprises with fewer limitations on IT resources, allowing them to diversify networking and security solutions and avoid compromising on the quality of experience, flexibility, or security. The full benefits of SASE can only be realized with an advanced WAN edge solution combined with comprehensive security services.
Evolving challenges
The SASE market has evolved significantly in recent years with several vendor acquisitions and partnerships. The number of competing vendors has dwindled, changing the vendor landscape. These changes have been driven by the need to provide consumers with comprehensive and integrated solutions that meet their evolving needs. This has created a more competitive SASE market as vendors continue developing and closing networking or security gaps.
Macroeconomic conditions have also recently impacted organizations’ operations and their desired SASE solutions. Where two-vendor SASE was previously the approach chosen by most organizations to diversify against the changing vendor landscape, single-vendor SASE is now the preferred approach, with macroeconomic conditions impacting investment in complex projects. Organizations that adapt and respond to changes are more likely to succeed in the long term, as they can better navigate new challenges.
About VMware SASE
VMware is a leading provider of SD-WAN and SASE, enabling cloud, workforce, and application transformation. One of VMware’s fundamental values is customer flexibility and choice. This means that VMware is committed to providing its customers with options and flexibility in deploying and managing their environment. Customers can choose between a single-vendor solution with VMware SASE for a unified network and security experience or a two-vendor solution that pairs leading VMware SD-WAN with third-party security.
VMware’s commitment to customer choice is reflected in its partnerships and integrations with other technology providers to provide two-vendor SASE. For example, VMware has partnerships with major SSE vendors such as Zscaler, Netskope, Palo Alto Networks, Check Point, and Symantec, allowing customers to utilize their desired cloud-delivered security services while using VMware’s best-of-breed SD-WAN technology.
VMware also provides single-vendor SASE, developing cloud-native and cloud-delivered networking and security services for distributed edges. VMware’s single-vendor SASE offering comprises VMware SD-WAN™, VMware Secure Access™, VMware SD-WAN Client, VMware Cloud Web Security™, and VMware Edge Network Intelligence™. VMware’s commitment to customer choice is a crucial aspect of its value proposition, providing customers with various options and flexibility in deploying and managing their environments. VMware can meet its customers’ diverse needs to help them achieve their business objectives.