Gartner: 2021 Strategic Roadmap for SASE Convergence (English edition) (21 pages).pdf

11/10/21, 7:26 PM Gartner Reprint https:/

Findings

Recommendations

Security and risk management leaders responsible for infrastructure security should develop a roadmap for the adoption of SASE capabilities and offerings:

Short term:

Licensed for Distribution

2021 Strategic Roadmap for SASE Convergence

Published 25 March 2021 - ID G00741491 - 25 min read

By Neil MacDonald, Nat Smith, and 2 more

Digitalization, work from anywhere and cloud-based computing have accelerated cloud-delivered SASE offerings to enable anywhere, anytime access from any device. Security and risk management leaders should build a migration plan from legacy perimeter and hardware-based offerings to a SASE model.

To protect anywhere, anytime access to digital capabilities, security must become software-defined and cloud-delivered, forcing changes in security architecture and vendor selection.

Perimeter-based approaches to securing anywhere, anytime access have resulted in a patchwork of vendors, policies, and consoles creating complexity for security administrators and users.

Enterprises that consider existing skill sets, vendors, and products and timing of hardware refresh cycles as migration factors will reduce their secure access service edge (SASE) adoption timeframe by half.

Branch office transformation projects (including software-defined WAN [SD-WAN], MPLS offload, internet-only branch and associated cost savings) are increasingly part of the SASE project scope.

SASE is a pragmatic and compelling model that can be partially or fully implemented today.

Deploy zero trust network access (ZTNA) to augment or replace legacy VPN for remote users, especially for high-risk use cases.

term:

Strategic Planning Assumptions

By 2024, 30% of enterprises will adopt cloud-delivered SWG, CASB, ZTNA and branch office firewall as a service (FWaaS) capabilities from the same vendor, up from less than 5% in 2020.

By 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020.

By 2023, to deliver flexible, cost-effective scalable bandwidth, 30% of
enterprise locations will have only internet WAN connectivity, compared with approximately 15% in 2020.

Introduction

Current network security architectures were designed with the enterprise data center as the focal point for access needs. Digital business has driven new IT architectures like cloud and edge computing and work-from-anywhere initiatives, which have, in turn, inverted access requirements, with more users, devices, applications, services and data located outside of an enterprise than inside. The COVID-19 pandemic accelerated these trends.1

Network security models based on data center perimeter security using a collection of security appliances are ill-suited to address the dynamic needs of a modern digital business and its distributed

Inventory equipment and contracts to implement a multiyear phase out of on-premises perimeter and branch hardware in favor of cloud-based delivery of SASE capabilities.

Consolidate vendors and cut complexity and costs as contracts renew for secure web gateways (SWGs), cloud access security brokers (CASBs) and VPN. Leverage a converged market that emerges combining these security edge services.

Actively engage with initiatives for branch office transformation and MPLS offload in order to integrate cloud-based security edge services into the scope of project planning.

Consolidate SASE offerings to a single vendor or two explicitly partnered vendors.

Implement ZTNA for all users regardless of location, including when in the office or branch.

Choose SASE offerings that allow control of where inspection takes place, how traffic is routed, what is logged, and where logs are stored to meet privacy and compliance requirements.

Create a dedicated team of security and networking experts with a shared responsibility for secure access engineering spanning on-premises, remote workers, branch offices and edge locations.

workforce. The legacy perimeter must transform into a set of cloud-based, converged capabilities created when and where an enterprise needs them, that is, a dynamically created, policy-based secure access service edge.

At the same time, enterprises are increasingly pursuing zero trust strategies, but finding meaningful implementations of zero trust principles challenging. Delivering a zero trust security posture is an integral part of emerging SASE offerings. Zero trust networking models replace implicit trust (zero implicit trust is the goal) with continuously assessed risk/trust levels (see Zero Trust Is an Initial Step on the Roadmap to CARTA). They adapt the amount of explicit trust granted for interactions as context surrounding the interactions changes.

The need to agilely support digital business transformation efforts with a zero trust security posture while keeping complexity manageable is a significant driver for the emerging SASE market, primarily delivered as a cloud-based service (see The Future of Network Security Is in the Cloud). This market converges network (for example, SD-WAN) and network security services (such as SWG, CASB, ZTNA and FWaaS; see Figure 1).

Figure 1. Secure Access Service Edge

defining the emerging SASE market in July 2019, industry and client interest in SASE has exploded primarily driven by existing enterprise needs being unmet by existing vendors. But vendor hype complicates the understanding of the SASE market. Since publishing the initial research, the percentage of end-user inquiries mentioning SASE grew from 3% to 15% when comparing the same time period in 2019 to 2020 across the total number of end-user conversations on related security topics.2 The growth in interest continues in January 2021, with 17% of end-user calls mentioning SASE across the same set of related markets. Significant vendor consolidation, acquisitions and announcements to build out a complete SASE portfolio have increased,3 with more expected over the next 12 to 24 months.

However, enterprise transition to a complete SASE model will take time. The reality is enterprises have existing investments in hardware that is not fully amortized and in software contracts with time remaining. Hardware refresh cycles at branch offices average five to seven years. Relationships and staff expertise with incumbent vendor offerings is another factor. Complicating SASE adoption is that most larger enterprises have separate network security and network operations teams. Finally, not every vendor claiming to offer a SASE product currently delivers all of the required and recommended SASE capabilities (see Note 1). Even then, not all of the SASE vendors' capabilities are at the same level of functionality and maturity.

By analyzing the gaps between the future and current state of SASE offerings, we provide a strategic roadmap, migration plan and implementation advice for SASE adoption over the next several years (see
Figure 2).

Figure 2. Strategic Roadmap Overview for SASE Convergence

State

A more detailed view of the future state of SASE is shown in Figure 3.

Figure 3. SASE Detailed View

users and edge devices can be located anywhere and your access network is the internet. These entities need secure access to your data and applications that are spread everywhere throughout the cloud. SASE offerings deliver and protect this future state (i.e., 2024 and beyond; see Table 1).

Table 1: SASE Future State

Future State | Description

of location, with support for local decision making
SASE security policy enforcement is dispersed in the cloud. This requires a software-based, hardware-neutral architecture deployed across multiple points of presence (POPs) with policy enforcement close to the point of consumption. Customers can choose traffic to be inspected and directed to specific POPs based on business policy and compliance requirements. A distributed cloud architecture allows some security decisions to be made locally (addressing latency-sensitive and intermittent access use cases). For branch office and edge locations, small hardware or virtual appliances are supported but managed as a part of a distributed cloud and implemented with a thin branch, heavy cloud architecture. Policies are applied consistently whether the user is remote, in a branch location, or in a campus or main office.

Ease of administration via a consolidated policy control plane
The SASE management control plane is decoupled from the enforcement nodes, allowing centralized administration. The administrative interface will allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application or the data. Artificial intelligence (AI) and machine learning (ML) will be integral to automate policy creation. Full API enablement allows automation and integration with existing processes and tools.

Sensitive-data visibility and control as well as threat detection
Sensitive-data visibility and control is a critical capability of SASE. This is enabled using a combination of techniques including local agents, in-line traffic inspection and API-based inspection of cloud services. Visibility and protection from malicious content and network attacks is also provided.

Consistent policy enforcement covering all types of access
SASE offerings provide policy-based access to the internet, SaaS apps and enterprise private apps (on-premises or in IaaS) all at the same time. SASE consolidates previously disparate network and security access policy enforcement points, i.e., SWG, CASB, SD-WAN and ZTNA, into a single-vendor cloud-based offering. Security policies such as sensitive data and malware inspection are consistently applied across all access methods. For exposed applications and APIs, optional web application firewall (WAF) and API protections are provided.

for all types of entities, including users and devices at branch office, campus and edge locations
SASE offerings protect the access of users, collections of users (branch offices) and edge devices, as well as managed and unmanaged devices. For managed devices, agents will be used; however, unmanaged devices are also supported when needed. At branch offices, a local appliance (typically SD-WAN hardware) acts as an “agent” for the branch for devices without agents (for example printers). This provides traffic prioritization, connectivity failover and local security capabilities such as firewalling and segmentation.

Single pass inspection of encrypted traffic and content at line speed
Encrypted network sessions and content are inspected at line speed and support the latest versions of SSL/TLS. Rather than scan a given piece of content once for malware/attacks and again using a separate engine for sensitive data, the session and its content will be decrypted once and
scanned for malware and sensitive data using a “single pass” architecture.

Highly available, low-latency services with contractually enforced SLAs
SASE offerings will be built using an elastically scalable, multitenanted microservices-based architecture to deliver a high performance and resilient service that can adapt to customer demand dynamically. Multiple and geographically dispersed POPs enable the SASE provider to commit to contractual SLAs for high availability and low latency.

Delivers a zero trust networking security posture
SASE offerings replace the implicit trust in legacy networking models with explicit, continuously assessed adaptive risk and trust levels based on identity and context for all connections: remote, on campus, in a branch or in the headquarters. Following the Gartner continuous adaptive risk/trust assessment (CARTA) approach, once connected, the entity, device, session and associated behaviors are monitored for anomalous or risky behaviors. Based on policy, adaptive actions are taken such as dynamically modifying access.

Transparent and simplified end-user experience
SASE offerings provide exactly the same user and access experience regardless of location. SASE offerings will use a unified endpoint agent that hides the access complexities from the user (e.g., forward proxy, tunnel creation where needed, device security posture, etc). All common OSs and device types will be supported: Windows, Mac, Linux, iOS and Android. End-to-end user-experience monitoring in terms of latency and performance will be integrated.

State

A mix of legacy perimeter-based security hardware, the use of different vendors for CASB, SWG, ZTNA and SD-WAN functions, and separate organizational structures for networking security and networking have created a complex and unmanageable collection of vendors, agents, consoles and traffic hairpinning (see Table 2).

Table 2: SASE Current State

Unified IT responsibility for access engineering
In a SASE model, a single unified IT team has responsibility for access design, selection, engineering and operations, spanning network security and networking and enabling
secure access for all entities everywhere. Wide-area network engineering and network security engineering evolve into an emerging composite role of “access engineering” (a complement to the emerging IT role of platform engineering supporting application creation).

Inconsistent policy enforcement that is location dependent.
Some vendors with a legacy-hardware-based security business have been slow to embrace cloud-based delivery of services. Some SASE offerings are built on one or more hyperscale IaaS platforms. Other SASE vendors built their own POPs using colocation facilities. Some SASE architectures use both strategies to increase coverage (see Note 3). Only a few cloud-based SASE offerings provide a locally installed enforcement point for low-latency local decisions in remote locations. None yet support distributed cloud architectures or platforms (see Differences Between AWS Outposts, Google Anthos, Microsoft Azure Stack and Azure Arc for Hybrid Cloud).

Complex administration using disparate management consoles and policies.
Some vendors that are integrating SASE capabilities from a set of acquisitions have different consoles for the different capabilities. Others use service chaining to partners or network function virtualization (NFV) for services they don't yet offer, complicating administration and policy management. Some vendors with a legacy hardware business use different architectures on-premises versus in the cloud, with different management consoles and different capabilities.

Current State | Description

nonexistent sensitive-data visibility and control. Basic threat detection capabilities.
Some offer no sensitive-data discovery capabilities, others partner, while others offer only basic pattern matching. Some vendors offer data loss prevention (DLP) and malware scanning for SWG and CASB access, but not for ZTNA. Very few offer optional sensitive data scanning for on-premises systems or endpoints. Some SASE vendors don't own their threat intelligence and detection capabilities and instead license threat intelligence feeds from third parties. Finally, not every vendor includes remote browser isolation (RBI) and network sandboxing capabilities.

Immature or nonexistent capabilities in the security parts of the SASE portfolio.
Some SASE offerings started with SWG, and later added CASB and ZTNA. Some started with CASB, and later added SWG and ZTNA. The result is that even a vendor with a full set of SASE capabilities may be immature in some areas, while being advanced in other areas.

Not all vendors currently address the full set of required and recommended SASE capabilities listed in Note 1.
Some SASE offerings only focus on cloud-delivered security edge services (right side of Figure 3) and avoid the networking (left side of Figure 3) and partner for SD-WAN. Likewise, some SASE vendors focus on SD-WAN, and have only basic security capabilities and partner for cloud-delivered security edge services. Few vendors address Internet of Things (IoT) needs today, and serving edge computing and distributed composite application use cases are embryonic.

multiple inspection points that ignore encrypted traffic or incur a significant performance hit.
SASE vendors that came from a physical appliance background may have monolithic architectures in the form of virtual appliances that have difficulty dynamically expanding to support larger throughput connections. SASE vendors have used different approaches to inspecting encrypted traffic, and enterprises need to test this functionality to determine its impact on latency.

Basic SLAs, rarely with contractual penalties.
Several vendors offer contractual SLAs for availability. SLAs for latency are less common, and, if offered, tend to address only regional access performance or only one channel of access (e.g., SWG). The SLAs should be applied worldwide across all access mechanisms and enforcement policies.

Basic or no ZTNA capabilities lacking inspection and limited integration into endpoint security and management tools.
Some offerings identifying as SASE don't yet include ZTNA. Some SASE vendors that have ZTNA don't have the option to remain in-line the entire session, eliminating the capability to do sensitive data and malware inspection on these connections. Some agent-based ZTNA offerings have only basic device security posture assessment capabilities. A few integrate with local endpoint protection platform (EPP), endpoint detection and response (EDR) or master data management (MDM) agents. Many, but not all, offer agent and agentless ZTNA, satisfying employee and third-party or bring your own device (BYOD) access use cases.

Fragmented and frustrating end-user experience.
For SASE offerings that provide only a partial set of capabilities or have cobbled together from different acquisitions, multiple agents may be required. Some support ZTNA for remote users,
but don't support this model when remote users go on-premises. Some vendors offer agents, but only for Windows/Mac and not Linux or mobile. Very few SASE vendors offer integrated user experience monitoring, even as an option.

Analysis and Interdependencies

The most significant gaps that will inhibit SASE migration include:

Separate and siloed teams responsible for security versus network engineering.
Most larger enterprises have separate teams for network security versus networking. Some very large enterprises may even have separate teams for SWG, CASB and remote access (VPN and ZTNA). While many SD-WAN implementations solicit security input, the branch office access transformation decisions are rarely from a unified cross-functional team.

Organizational silos, existing investments and skills gaps. These are the biggest gaps that must be considered in migration planning. A full SASE implementation requires a coordinated and cohesive approach across network security and the networking teams. For midsize enterprises, this is an easier problem to address, as a separate security team may not exist. Within large organizations, these organizational structures, budgeting processes and responsibilities are quite rigid. Some vendors will be replaced and those associated skill sets will need to be repurposed toward policy creation in collaboration with business process and application owners.

Architecture. SASE solutions are cloud-delivered, but vendors vary in the degree of “cloud nativeness” of their architecture. Legacy appliance and virtual appliance architectures need to be broken down into smaller, scalable components (see Note 2). Use of public cloud IaaS for POPs versus owning POPs is a difference among SASE providers that may impact adoption for some regions (see Note 3). Every enterprise has different requirements for compliance, and has privacy requirements for the inspection of data, storage of logs and routing of traffic. Geographic dispersion and number of enforcement points will also impact the ability of a SASE provider to commit to availability and latency SLAs.

Sensitive-data visibility and control. This is a high-priority capability, but one of the most difficult problems for SASE vendors to address. Of the vendors converging on the SASE opportunity, CASB providers have the most experience in dealing with sensitive-data visibility and control. Even then, gaps remain, for example, on-premises data stores and sensitive data stored at endpoints. Sending data to a third party for sensitive-data identification is not a sustainable or cost-effective

Plan

Based on the gap analysis, we propose the following roadmap and action items over the next several years to be used as a template for SASE adoption and migration planning suitable for most enterprises. While a single-vendor approach for providing everything in Figure 3 may be possible, every enterprise must determine if a fully converged approach makes
sense for its requirements and, if so, in what time frame. Enterprises can't flip a switch and adopt SASE. The vast majority of enterprise SASE adoption will occur over several years, prioritizing areas of greatest opportunity in terms of cost savings, eliminating complexity and redundant vendors, and risk reduction through adoption of a zero trust secure posture (see Figure 4).

option. This capability must be delivered natively by the SASE offering, and provide options for where the sensitive data is inspected.

SASE security services capability maturity. For the next several years, SASE capabilities will vary widely. Enterprises need to prioritize their needs for converged capabilities versus the need for continued best-of-breed capabilities until the gaps are closed. Some vendors positioning themselves as offering SASE to fill gaps with partnerships, but daisy chaining of services and/or network function virtualization to deliver this is not a sustainable long-term option. Partnerships are tenuous as markets merge and former partners begin competing directly.

Limited number of comprehensive SASE offerings. At the start of 2021, less than 10 SASE offerings provide all of the core capabilities outlined in Note 1. Over the next five years, acquisitions and further market consolidation will address these gaps. As an interim step, even converged security vendors that avoid the direct requirements of SD-WAN are being pressured by customers to address branch office access needs and could provide a subset of SD-WAN capabilities, such as bandwidth prioritization and content inspection.

Figure 4. Strategic Roadmap Timeline for SASE Convergence

this, we have divided the recommendations into high-, medium- and lower-priority sections based on the expected timeline for typical enterprise
SASE adoption.

Higher Priority

In the next 18 months:

Engage with digital workforce transformation teams to enable anywhere, anytime access for a remote and mobile workforce via SASE. Adopt a unified vision to enable a “branch office of one” for all remote/mobile workers regardless of location and regardless of the location of applications.

Form a joint network and security team to develop a three- to five-year roadmap for SASE transformation covering secure access strategies for users, branches, edge locations and

applications. Map and consolidate zero trust networking initiatives within the SASE roadmap:

Make sure this team includes the personnel responsible for branch office transformation and WAN redesign for direct internet access and MPLS offload projects.

Jointly establish a vision for the secure digital branch of the future that embraces a thin-branch/heavy-cloud architecture.

Set a three- to five-year goal to replace 90% of legacy network-level VPN access with zero trust network access over the next five years. Adopt cloud-based ZTNA to augment legacy VPN access for higher-risk use cases such as:

Contractor and third-party access
Unmanaged device access
Cloud administrator and developer access

Set a three- to five-year goal to replace 90% of demilitarized zone (DMZ)-based services with ZTNA access over the next three years. Begin phasing out DMZ-based services for named user access and move internet-facing services to public cloud IaaS or colocation facilities.

Capitalize on every refresh opportunity of security and branch office hardware to adopt SASE:

Where physical SWG, CASB and VPN appliances are used, we advise enterprises move off these appliances at the soonest refresh possible and shift to cloud offerings.

Sign no more than three-year contracts with net new providers that address your SASE roadmap. Set a goal to reevaluate the SASE provider landscape in year two to verify the chosen SASE provider is still aligned with long-term business needs.

If a branch refresh occurs in 2021, accelerate deployment of ZTNA for managed devices in the branch and consider adoption of FWaaS.

Cut costs and reduce complexity by consolidating vendors when renewing SWG, CASB and ZTNA. All three are commonly offered now by a single vendor in a competitive market for security edge services (the right side of the cloud services in Figure 2 and Figure 3). Evaluate single vendor offerings, ideally including remote browser isolation capabilities:

Make sensitive-data discovery and protection a high-priority selection criteria when evaluating converged offerings.

Priority

Over the next 18 to 36 months (note that the recommendations in this section may be accelerated to coincide with hardware refresh cycles and branch office transformation initiatives), enterprises should:

Favor SASE architectures that inspect traffic only once for malware and sensitive data.

Expand SASE RFI/RFP requirements with specific questions on the number and location of POPs mapped to enterprise requirements, peering relationships, encrypted traffic inspection performance and the ability to scale:

Demand contractual SLAs with penalties for SASE availability and latency performance.

Midsize enterprises (MSEs) should evaluate consolidated SD-WAN and cloud-based security edge services from a single provider. Larger organizations should evaluate the pros and cons of using a single vendor for SD-WAN and security services versus a partnership approach, and the timeline for consolidation. In both cases, consider the time to amortize investments and staff skills, as well as the maturity of the provider's SASE capabilities in this decision.

If multiple vendors are used, require explicit partnerships with console integration and technical support.

Reevaluate the SASE architecture and roadmap if multiple vendors are still used. A single-vendor-provided SASE offering is now viable for most enterprises, although some organizations with separate network/network security teams will still pursue best-of-breed strategies and target consolidation to two providers:

Extend the enterprise SASE strategy to include edge computing use cases.

If multiple vendors are used, require explicit partnerships with engineering and technical support backing up the integration.

Deactivate remaining dedicated SWG, CASB and VPN appliances as they reach their end of life, and replace with cloud-based services.

Pilot FWaaS for branch office protection, ideally for inbound and outbound traffic to eliminate the need for physical branch office firewalls:

Phase out the use of separate physical firewalls at branch offices.

Adopt a deny-all/zero trust security posture for branch offices.

Phase out the use of MPLS and adopt internet-only access for the majority of branches:

Priority

At
three to five years out, the SASE future strategic target state is achievable for most organizations, a unified strategic approach for branch, edge, campus, headquarters and remote access needs:

As part of this, evaluate emerging hyperscale offerings for WAN connectivity for branches as they become an alternative for WAN services.

Move beyond initial ZTNA deployments, and implement a systematic and risk-based approach for phasing out all network-level VPN and DMZ-based services:

Use ML-based approaches to learn application access requirements to build policies.

Expand ZTNA to more use cases, such as cloud application access and IoT/OT access.

Use ZTNA agents on managed endpoints when in the branch.

Extend ZTNA to include session inspection for threats, sensitive data and unusual behavior.

Extend sensitive-data visibility and control to data at rest in public clouds and for cloud-to-cloud services where the enterprise has no visibility.

Phase out remaining DMZ-based applications and shift to SASE-based access for named users (e.g., partners and suppliers).

Create an “access center of excellence”, a standing, single, unified secure access engineering team combining team members from network architecture and network security teams into a unified secure access architecture team.

Extend SASE capabilities to include integrated user experience monitoring.

Implement a single agent for all access needs (ZTNA, SWG, SASE and CASB).

The SASE migration plan should once again be revisited as the market will have matured and the technology is expected to be mainstream. Set a strategic goal of using no more than one or two SASE providers, using either a single vendor or tightly integrated explicit partnership.

Extend the SASE migration strategy to address the needs of distributed composite applications, which have similar network and network security policy requirements (see Emerging Technologies: Applying SASE's Architectural Model to Secure Distributed Composite Apps).

Deliver against defined, measurable SASE goals that were committed to at the beginning. Specific examples include:

The 2021 Gartner View From the Board of Directors Survey found that boards of directors are prioritizing digital technology initiatives as a response to the COVID-19 pandemic. When asked to indicate what kind of impact COVID-19 had on their digital business initiatives, the most frequently selected impact was an acceleration of digital business initiatives, with 69% of survey respondents selecting this (n=260; see Survey Analysis: Board Directors Say Pandemic Drives Increased Investments in IT).

2 Data was analyzed from Gartner conversations with end-user clients during the time period of 1 August 2019 through 31 December 2019, and compared to the same time period in 2020. This time period was used because the first research on SASE was published in July 2019. For 2021, the dataset analyzed covered 1 January 2021 through 31 January 2021. SASE inquiries are calculated as a percentage of the total number of end-user, security-related inquiries across these related topic areas: SASE, SWG, CASB, ZTNA, SD-WAN, WAF and FWaaS.

3 In 2020, multiple acquisitions and announcements demonstrated vendor interest in building out complete SASE offerings:

90% of network-level VPN access eliminated
95% of DMZ services eliminated for internal and third-party services
80% reduction in dedicated MPLS circuit cost

Adopt internet-only access as the default for most remote location use cases and continue with the phase out of MPLS. Make dedicated circuits an approved exception.

Replace all end-user access (even when on-premises in campus and headquarter locations) with a ZTNA-based approach.

Extend the enterprise zero trust networking strategy “end to end” from the edge to the back end of applications to segment service creation based on identities using identity-based, zero trust segmentation (microsegmentation).

Extend sensitive-data visibility and control to on-premises legacy data stores and to endpoints

Create a single, unified team and role responsible for access engineering that unifies networks and network security policy across all access methods (much like the emerging role for platform engineering with IaaS and DevOps).

Barracuda acquired
106、Fyde for ZTNA capabilities.11/10/21,7:26 PMGartner Reprinthttps:/ 1.SASE CapabilitiesCore SASE capabilities:Recommended SASE capabilities:Cisco acquired Portshift to extend its zero trust and identity-based segmentation strategies intocloud-native applications.Palo Alto Networks acquired SD-WAN vend

107、or CloudGenix(see Magic Quadrant for WAN EdgeInfrastructure).Fortinet acquired OPAQ for cloud-based security delivery and ZTNA capabilities.Check Point Software Technologies acquired Odo Security for ZTNA capabilities.McAfee acquired Light Point Security for RBI capabilities.Cloudflare acquired S2 S

108、ystems for RBI capabilities.Zscaler acquired Edgewise Networks to extend its zero trust networking policies into workloadsand Cloudneeti to strengthen its API-based CASB,cloud security posture management(CSPM)and SaaS security posture management(SSPM)capabilities.VMware announced a two-pronged SASE

109、strategy,partnering its VeloCloud SD-WAN offering withZscaler for customers that use both,and an OEM of Menlo Securitys software-based securitystack to build out VMwares own SASE capabilities for customers wanting a single-vendor strategy.SWGCASBZTNASD-WANFWaaS(including intrusion prevention system

110、IPS/intrusion detection system IDS)Sensitive-data and malware inspection capabilitiesLine rate operationRemote browser isolationNetwork sandbox11/10/21,7:26 PMGartner Reprinthttps:/ SASE capabilities:Note 2.Monolithic Versus Microservices ArchitecturesFor example,monolithic virtual appliance archite

111、ctures may have restrictions on the maximumbandwidth that can be inspected on a single connection.The use of virtual appliances may alsoaffect the price/performance of the SASE offering,which may result in higher pricing for customers.SASE providers using public cloud IaaS also incur egress costs fo

112、r traffic,which may result in higherpricing for customers.Note 3.More POPS,More CoverageThe increasing fragmentation of the internet favors providers that can provide local access within acountry(including China and Russia)that may restrict access and data processing outside itsborders.DNS protectio

113、nAPI-based access to SaaS for data contextSupport for managed and unmanaged devicesWeb application and API protectionWi-Fi hot spot protectionNetwork obfuscation or dispersionLegacy VPNEdge compute protection11/10/21,7:26 PMGartner Reprinthttps:/ 2021 Gartner,Inc.and/or its Affiliates.All Rights Res

114、erved.2021 Gartner,Inc.and/or its affiliates.All rights reserved.Gartner is a registered trademark of Gartner,Inc.and itsaffiliates.This publication may not be reproduced or distributed in any form without Gartners prior writtenpermission.It consists of the opinions of Gartners research organization

115、,which should not be construed asstatements of fact.While the information contained in this publication has been obtained from sources believed tobe reliable,Gartner disclaims all warranties as to the accuracy,completeness or adequacy of such information.Although Gartner research may address legal a

116、nd financial issues,Gartner does not provide legal or investmentadvice and its research should not be construed or used as such.Your access and use of this publication aregoverned by Gartners Usage Policy.Gartner prides itself on its reputation for independence and objectivity.Itsresearch is produced independently by its research organization without input or influence from any third party.Forfurther information,see Guiding Principles on Independence and Objectivity.AboutCareersNewsroom PoliciesSite IndexIT GlossaryGartner Blog NetworkContactSendFeedback
