SASE: telecoms operators’ approaches could be weakened by the lack of a long-term vision

Listen to or download the associated podcast

The concept of secure-access service edge (SASE) is highly relevant to telecoms operators.¹ It combines SD-WAN, which is replacing MPLS as the default approach to enterprise networks, with various aspects of security, an area of strong growth for most business operators.

Operators are taking a variety of approaches to SASE solutions. Some are relying on a single vendor for a complete SASE solution, some are building their own platform for multiple vendors, and some are doing both. A multi-vendor platform may meet the needs of larger enterprises, but operators risk missing opportunities for targeting small and medium-sized businesses if they do not offer a simple, single-vendor solution.

This article is based on our recent report Approaches to SASE: 12 operator case studies.

Operators are exploring SASE to help to defend connectivity and increase security revenue

Almost all major operators with a business services division are exploring SASE. Many have launched something that they describe as SASE.

SASE can form part of a defensive strategy; if an operator does not extend its SD-WAN to a more complete SASE offering, connectivity customers could churn. SASE is also part of a growth strategy because it creates a path for operators to sell more cloud-based security and networking features. Our recent enterprise survey showed that nearly all enterprises want to reduce the number of suppliers that they use and that most enterprises would consider purchasing additional services from their telecoms operator.

Operators should find strong demand for SASE solutions, even if that demand takes time to emerge. We saw something similar with SD-WAN – the theoretical benefits have only recently led to strong demand for many operators.

Operators are either relying on a single vendor for SASE, or are creating platforms to support multiple vendors

Telecoms operators have offered SD-WAN alongside security products (such as Zscaler’s SWG solution) for several years. However, simply selling separate SD-WAN and SWG to the same client is not typically thought of as SASE (although the marketing departments of some operators would appear to disagree).

Instead, true SASE has a degree of integration between components. It should be managed through a single portal, be delivered under one contract and, ideally, have a simple pricing plan (for example, per user).

To offer true SASE, operators have two options (Figure 1):

• single-vendor SASE: offer a solution from a single vendor that combines multiple SASE components
• multi-vendor SASE platform: develop a platform that can integrate components from different vendors (for example, SD-WAN from one vendor, SWG from a second and ZTNA from a third).

Operators can pursue these options separately or together. Of the 12 operators profiled in our recent report, three were relying on a single-vendor SASE solution, four were pursuing a multi-vendor platform strategy while the remaining five operators were following both approaches.

Figure 1: Summary of two main approaches to SASE solutions

Source: Analysys Mason, 2022

Most operators accept that in the long term the single vendor approach will be suitable for many, possibly most, enterprises, especially in the mid-market and down (or, roughly speaking, companies with 500 or fewer employees). However, many operators believe that few, if any, vendors yet have a mature solution in all components of SASE.

Cisco, Palo Alto Networks and Fortinet are the most commonly used vendors

Operators have different approaches to SASE, but the vendors being used are similar. Almost all operators are working with Cisco, closely followed by Palo Alto Networks and Fortinet.² VMware and Versa are also popular because their SD-WAN offerings are well-regarded, and their operator customers are starting to take more SASE components. These two vendors are also more flexible in meeting service provider requirements than some of their competitors.

Netskope and Zscaler do not offer SD-WAN but their solutions are commonly used by telecoms operators and often form part of a multi-vendor SASE solution.

SASE should be part of a broader security and networking growth story for operators

SASE is only one aspect of a broader revenue growth story for telecoms operators, but it can be an important element that builds on the success they are having in SD-WAN. SASE will help operators to start offering a wider range of security products, such as endpoint security, and can open new networking opportunities, such as SD-LAN and managed Wi-Fi. Operators that are more advanced in their thinking, such as Deutsche Telekom, have a vision for how these will drive long-term growth.

Operators also need to think carefully about how they put together SASE offerings. Large enterprises, the early customers for SASE, will want ‘best-of-breed’ solutions and so will be receptive to multi-vendor platforms provided by operators.

However, initial demand should not dictate how operators approach the rest of the market. A complete single-vendor solution should be sufficient for smaller enterprises, even if each component is not class-leading.

Operators may dismiss single-vendor solutions as lacking differentiation, but risk missing opportunities if they do not offer them. Orange, Verizon and others offer both a multi-vendor platform for large enterprises and complete solutions from a single vendor for smaller ones.

¹ The products covered by SASE vary, but most definitions include SD-WAN, firewall as a service (FWaaS), secure web gateway (SWG), zero trust network access (ZTNA) and cloud access security broker (CASB).
² For a complete list of partnerships between telecoms operators and SD-WAN vendors, see Analysys Mason’s SD-WAN vendor tracker.
3 For more on the competition between different approaches to SASE, see Analysys Mason's SSE or SASE: vendors need to consider the implications of a failed strategy.