The rise of hybrid work has enabled the growth of a security category referred to by Gartner as Secure Access Service Edge (SASE). Rather than being a specific type of solution, SASE refers to a collection of security solutions intended to enable zero trust network access (ZTNA) for employees accessing corporate networks from home or cloud-based apps or services. SASE providers typically bundle services like cloud access security brokers (CASB), secure web gateways (SWG), software defined perimeters (SD-WANs), secure service edge (SSE) and other technologies that are meant to monitor and route employee web traffic to ensure data protection and user access to the appropriate resources.

It can be difficult making sense of the variety of features offered by SASE vendors, which is why we’re going to highlight the features of the best SASE solutions rated by users, to help you make an informed decision about which might work best for your cybersecurity and IT teams to improve your company’s security posture.

Secure Access Service Edge (SASE) Software Overview

1. CATO Networks

Cato Networks’ SASE platform is a versatile solution, designed to deliver both network security and wide area networking (WAN) capabilities in a unified cloud-native service. A key strength of Cato’s offering is its alignment with Gartner’s SASE vision. The platform integrates multiple security and networking services, offering capabilities such as intrusion prevention system (IPS), data loss prevention (DLP), and malware detection. However, at this time, it doesn’t fully provide remote browser isolation or a full cloud access security broker, limiting its comprehensiveness in integrated network security functions. Furthermore, while Cato lacks network sandboxing, it suggests using its advanced antimalware for zero-day threat protection, indicating a degree of zero-trust security approach.

The platform is acknowledged for its scalability, supporting a wide range of network connections and the ability to grow with a company’s needs. In terms of performance, user reviews have indicated some issues, particularly with speed, although this could be due to ongoing network expansion. One of Cato’s core strengths is its ease of management, with a user-friendly, centralized interface, which simplifies IT administration and reduces costs. The adaptability and flexibility of the platform are demonstrated in its ability to integrate well with existing infrastructure and manage diverse network connections. However, the transition to Cato may be challenging for enterprises with large investments in legacy infrastructure. Cato’s support for SD-WAN is well-regarded by users, and the product’s cost-effectiveness compared to traditional WAN solutions is also appreciated. Nevertheless, some users have reported challenges with licensing tiering and fine-tuning across multiple branches and remote sites, indicating areas for improvement in flexibility and adaptability.

Ultimately, Cato Networks’ SASE platform performs well on multiple fronts, providing integrated security functions, scalability, ease of management, and support for SD-WAN. However, some limitations regarding comprehensive network security function integration, performance, and transition ease for legacy systems exist, and the platform’s handling of the zero-trust security approach could be further clarified. As the company matures and expands its network, these areas could be addressed, making Cato an even more comprehensive and robust SASE solution.‍

2. Perimeter 81

Perimeter 81 is a robust Secure Access Service Edge (SASE) platform, offering a comprehensive suite of network security features that make it a strong choice for organizations seeking to secure their network resources. The platform integrates key security functions, including Zero Trust Network Access (ZTNA) and Secure Web Gateway (SWG), enabling users to create secure networks and implement secure access and internet rules. Additionally, Perimeter 81’s integration with Identity Providers offers user-centric security, while its monitoring capabilities provide visibility into member activities, active sessions, compliance status, and more.

Despite its strengths, Perimeter 81 is not without its shortcomings. Users have reported issues with downtime that can temporarily lock them out of secure services, although the company has reportedly made recent improvements to its infrastructure to address this concern. Additionally, automatic agent upgrades sometimes fail and require manual intervention. Overall, while Perimeter 81 demonstrates ease of management and adopts a Zero Trust security approach, some aspects may require additional exploration to fully ascertain its suitability for specific organizational needs.‍

3. Twingate

Twingate’s SASE solution exhibits a compelling array of integrated network security functions, notably its zero-trust network access (ZTNA) which validates users and permits them access solely to required resources. This enhances the security resilience of the network. In addition, the solution integrates with a broad variety of identity providers, mobile device management, and endpoint detection and response vendors, thus providing a comprehensive approach to network security. Twingate’s SASE solution is designed to be user-friendly, demonstrating admirable flexibility and adaptability. It supports diverse network connections and efficiently routes requests to appropriate resources, irrespective of the network to which a user is connected. Furthermore, the solution simplifies management by offering a single platform to handle all network and security functions, mitigating the complexity associated with managing separate systems. Limitations, like a limited command line interface (CLI) only accessible from Linux might somewhat detract from the experience however.‍

4. Zscaler

Zscaler’s SASE solution provides an integrated approach to network security, offering functionalities such as secure web gateways (SWG), firewall as a service (FWaaS), data loss prevention (DLP), cloud access security brokers (CASB), and zero-trust network access (ZTNA). This integration covers the range of security functions expected in a SASE solution, delivering a comprehensive and holistic security platform. However, these capabilities are divided across two separate services, Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA), which require separate management and authentication. This could complicate management, detracting from the ideal of a unified SASE platform. In terms of a zero-trust security approach, Zscaler does a commendable job, particularly with ZPA offering zero-trust access to private applications.

Scalability and performance, however, emerge as potential weaknesses of the Zscaler SASE solution. While Zscaler boasts over 150 points of presence (PoPs), access for customers is often limited to 40-60 data centers. This, coupled with the fact that some regions carry surcharges, could pose scalability issues. Performance is also reportedly affected, especially with ZPA. Traffic diversion back to a Zscaler PoP before proceeding to the data center, and the fact that PoPs are essentially VMs running in AWS with limited control over routing or resource scaling, can result in increased latency and capacity issues.

In terms of flexibility and adaptability, Zscaler’s SASE solution supports a variety of network connections, catering to cloud, on-premises, and remote connections. It does, however, lack native SD-WAN support, requiring customers to procure third-party appliances. Therefore, while Zscaler’s SASE solution does offer a variety of network security functions and exhibits a zero-trust security approach, it falls short on scalability, performance, ease of management, and SD-WAN support. This, alongside its divided services, should be taken into account when considering Zscaler for SASE capabilities.‍

5. Cloudflare One

Cloudflare One aims to provide businesses with a comprehensive security package in the realm of Secure Access Service Edge (SASE). It combines a variety of security features and tools into a single platform, offering users a more complete security ecosystem. The platform is built on a zero-trust model, with adaptive controls that scrutinize every request and connection based on their level of sensitivity. Notably, it features DNS filtering, a Secure Web Gateway, network firewall, and tools to control data in SaaS applications. Furthermore, it comes equipped with an isolated browser for handling potentially risky sites, maintaining an impressive balance of robust security and user-friendly functionality. Cloudflare One is also praised for enhancing team performance and speed by utilizing the world’s fastest DNS resolver and smart routing technology, offering a seamless and fast user experience. However, despite its many strengths, Cloudflare One isn’t without its limitations. The platform’s pricing structure has been criticized, with some users calling for improvements. There are also concerns about the lack of direct support for customers on the free plan. Ultimately, Cloudflare One is a robust and feature-rich SASE solution that excels in delivering comprehensive security and optimal performance. However, potential customers, especially those considering the free plan, should consider the implications of its pricing structure and customer support limitations.

{{ promo }}‍

6. Cisco

Cisco’s Secure Access Service Edge (SASE) platform, combining the capabilities of Cisco Umbrella and Cisco SD-WAN, offers a compelling suite of features designed to enhance network security and improve operational efficiency. The platform has been lauded for its effectiveness in hybrid work setups, providing robust protection whether employees are inside the office building or working remotely. Administrators can gain valuable insights into user behavior, their devices, and the sites they visit, facilitating proactive security measures and informed decision-making. Notable features include tenant lock, content filtering, and data loss prevention solutions, as well as DNS layer security that gives administrators a detailed view of blocked content and user browsing habits.

Setting up Cisco SD-WAN is simple, with the ability to stand up a new site or node on the SD-WAN in just a few mouse clicks. Users appreciate its template-based approach, its TLOC and App-aware routing features, and its ability to perform performance analysis through calculated jitter loss latency of the link. Cisco Umbrella has been commended for its fast and effective threat detection and blocking capabilities, courtesy of an AI-based security system that leaves no room for cyber threats.

However, users have noted a few areas for improvement. Some have found it challenging to access support services without leveraging personal contacts within Cisco. There’s also a desire for a more centralized portal where all product statuses and information can be checked without having to navigate through different portals. The rapid development of the cloud-managed service in Cisco Meraki SD-WAN has led to occasional bugs slipping into production, while some users reported unwanted reload incidents in Cisco SD-WAN, leading to version downgrades and network downtime. Despite these hiccups, Cisco’s SASE platform has generally been praised for its comprehensive security features and ease of use, making it a valuable asset for businesses aiming to fortify their network infrastructure​.‍

7. VMware‍

VMware’s Secure Access Service Edge (SASE) platform offers a wide array of integrated network security functions, including secure web gateways (SWG), firewall as a service (FWaaS), data loss prevention (DLP), cloud access security brokers (CASB), and zero-trust network access (ZTNA). This comprehensive suite of features ticks all the right boxes for a SASE platform. In terms of scalability, VMware’s SASE platform has a strong presence with its gateways, which bring SD-WAN traffic closer to an organization’s cloud instances, indicating its ability to support a wide range of network connections and a growing number of users and devices.

However, the platform’s performance and ease of management might be affected by its lack of cohesion. The platform feels like many individual products packaged together, leading to a sense of complexity that can affect its management. This could potentially impact user experience and detract from the ideal of a SASE platform as a unified, easy-to-manage solution.

In terms of flexibility and adaptability, VMware’s SASE platform is seen more as a custom product integration than a converged SASE platform, which may limit its adaptability in today’s dynamic and diverse networking environment.

VMware’s SASE platform supports a zero-trust security approach and has strong support for SD-WAN, both of which are important features of a good SASE solution. Despite its strong feature set, the critique of it being more like a collection of separate services stitched together rather than a unified platform could impact its performance, scalability, and ease of management. Therefore, while VMware’s SASE platform has strong potential, these challenges should be addressed to fully unlock the advantages of a cohesive SASE solution.‍

8. NordLayer

NordLayer’s SASE platform, developed with the advanced technology of NordVPN, presents a cybersecurity solution crafted for businesses of all sizes. The tool comes with a ZTNA-based remote access solution and Security Service Edge services, eliminating the need for hardware. It offers features like Single Sign-On, network partitioning, and Intelligent Remote Access. The interface is uncomplicated and easy to navigate, a crucial attribute for companies with large teams. The platform also boasts compatibility with various other platforms, enhancing its integration capabilities.

However, NordLayer’s SASE platform isn’t without its potential drawbacks. The monitoring controls are not as extensive as some might prefer, and some users may experience slower performance with certain servers. Additionally, while 24/7 customer support is available, it is at an extra cost, which could be a consideration for businesses with tight budgets.

Security is a focus for NordLayer, demonstrated by its use of military-grade AES-256 encryption and a robust logging policy. It’s worth noting that certain user information is collected, including the operating system, IP address, cookie data, and browser information. All in all, NordLayer’s SASE platform is a comprehensive and user-friendly network security solution with a few areas that may benefit from further enhancements.‍

9. Netskope

Netskope’s Secure Access Service Edge (SASE) platform, as an integrated solution, blends several network security functions including its industry-leading Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP) capabilities, a next-generation firewall (NGFW), and cloud Secure Web Gateway (SWG). The platform also offers Zero-Trust Network Access (ZTNA) via Netskope Private Access, albeit with a focus on user connectivity, neglecting the need for site-to-site capabilities. The single management console, a pivotal part of the SASE model, is a feature that Netskope has masterfully developed, though it falls short in its lack of a native Software-Defined Wide Area Networking (SD-WAN) device. While the company’s integrated approach to network security is commendable, reliance on third-party devices for SD-WAN connectivity increases deployment complexity and adds management overhead, detracting from the ease of management ideal.

Netskope SASE offers robust scalability, delivering its services from over 50 self-managed data centers distributed across multiple regions. This approach not only underscores the platform’s true multi-tenant service but also facilitates the delivery of service features closer to users in regions of customer significance. However, the platform’s performance does present some limitations. For instance, the throughput for Generic Routing Encapsulation (GRE) and IP Security (IPsec) tunnels are relatively low, potentially causing challenges for data center use cases and office locations requiring higher throughput.

Moreover, the company’s choice to use shared egress IP addresses could increase the attack surface for organizations, inhibiting the implementation of adaptive multi-factor authentication or source IP anchoring policies. Furthermore, while Netskope’s suite of security functionality is comprehensive, its proxy-based inspection engine can only inspect HTTP, HTTPS, DNS traffic, and FTP, limiting its ability to prevent malware. In terms of flexibility and adaptability, Netskope has made strides in offering cloud, on-premises, and remote connections, although its lack of a private backbone may be a drawback for organizations with wide geographical presence and strong performance requirements. In sum, while Netskope’s SASE platform showcases strong capabilities in integrating various network security functions, it exhibits some limitations in performance, flexibility, and the implementation of a zero-trust security approach.‍

10. Palo Alto Networks Prisma

Palo Alto Networks’ Prisma Access SASE platform is a robust offering that leverages the company’s strong security pedigree. The solution integrates a broad range of network security functions, including secure web gateways (SWG), firewall as a service (FWaaS), data loss prevention (DLP), cloud access security brokers (CASB), and zero-trust network access (ZTNA). It also includes a comprehensive SD-WAN feature set, bolstered by the acquisition of CloudGenix in 2020. This impressive array of integrated features provides a comprehensive and adaptive security solution capable of addressing a variety of threats and challenges.

However, the platform is not without its limitations. Despite its range of integrated security features, Prisma Access is not a true cloud service. It processes packets and security in separate appliances, leading to increased latency and potential impact on user experience. Additionally, the platform lacks a private backbone, instead relying on third-party cloud platforms for its points of presence (PoPs), limiting its control over routing and ability to expand geographically. Furthermore, the configuration is not as flexible as some might hope, with complex setup requirements that may hinder adaptability to growing customer needs​.

The strong security features of Prisma Access certainly meet the needs of the zero-trust security approach inherent to good SASE solutions. However, the platform’s issues with performance, scalability, flexibility, and ease of management might give potential users pause. Its complex configuration and dependency on third-party cloud services for PoPs could result in a management burden and limit the platform’s adaptability to dynamic network environments. In summary, while Prisma Access brings Palo Alto’s strength in security to the fore, potential users should consider its limitations in light of their specific requirements and network contexts.