Looking back on some of the most ingenious partnerships in history, you’ll inevitably think of Laurel and Hardy, Beavis and Butthead, John Lennon and Paul McCartney, and, now, David Holmes and Andre Kindness. We’ve just released the industry’s first evaluation of all-in-one Zero Trust Edge (ZTE) solutions, which some vendors call secure software-defined WAN (SD-WAN) and others in the industry call secure access service edge (SASE): The Forrester Wave™: Zero Trust Edge Solutions, Q3 2023.
Whatever you call this architecture, it’s disruptive and transformational. Forrester defines ZTE as:
A solution that combines security and networking functionalities — such as SD-WAN, cloud access security broker (CASB), Zero Trust network access (ZTNA), and secure web gateway (SWG) — that a single vendor can deliver and support in any combination of cloud, software, or hardware components.
Read further into this blog for some specific proofs about ZTE’s disruptiveness, but before that, back to the research.
The Evaluative Research
In our pre-Wave Landscape report, where we list and group vendors but don’t rank them, we documented 22 vendors offering ZTE solutions. Not all of them offer a full suite of security and networking services, including a hardware WAN component, that are managed and monitored from a single cloud-based management and monitoring system. Only a handful of vendors do. Forrester looked at the 10 technology providers that build and offer full ZTE solutions (not management services such as the ones you would find from AT&T, BT, Lumen Technologies, GTT Communications, Telefonica Tech, et al. — that’s coming in a future Wave evaluation).
While not every customer wants or needs to have both elements come from the same vendor, many are asking for it. All-in-one solutions improve efficiency by not requiring teams to duplicate tasks (such as setting policies in two different systems) and increase trust levels by reducing the chances of misconfiguration.
It is rare to have security and networking analysts working on the same evaluation report together, but it was critical for this Wave, because this pairing is needed for technology organizations selecting and using these solutions. Both networking and security professionals should be approaching this and, to be frank, many digital initiatives as a single team. In our research for this report, we found that 96%(!) of the customer references said that security and networking collaborated to both set the specifications and implement the solution, while 83% worked together to choose the vendor.
We opened this blog by asserting that ZTE is disruptive and transformative, so here’s some proof. In our research for this report, we asked nearly three dozen customer references (by definition, ZTE early adopters) if they kept any of their old networking and security stack when they moved to ZTE. The overwhelming response (76%) was no, they didn’t. And they were emphatic about it, as you can see from their replies when we asked them if they kept anything old:
- “No, nothing.”
- “No, all replaced and consolidated.”
- “Did not keep anything.”
- “No, we replaced them!”
- “No, nothing was kept.”
We further asked them to indicate what got replaced from the networking and security stacks. Firewalls and WAN routers were the most commonly made redundant. These replacements across both networking and firewall stacks are the second-order effect of ZTE. Converging these disciplines and handling them as a service from a global network will, of course, result in consolidation.
One thing that surprised me, but perhaps not my networking partner Andre, was how often networking was the driver for ZTE (it’s why he wrote a blog about ZTE taking over SD-WAN). SD-WAN rollouts were being hampered by a lack of a holistic set of security services (now found in ZTE). SD-WAN was waiting for security, like Andre waited for me to write this blog. Among the top 10 reasons that customers moved to a Zero Trust Edge architecture, the top four are networking-, not security-, related! And of the top 10, six (or seven, depending on how you interpret number 10) are related to networking and performance.
SSE Has Entered The Chat
My next train of research, where I leave Beavis Andre behind for a while, will focus on the cloud-delivered security aspect. The industry has already given this set of techs a name: security service edge (SSE). Of course, all of the vendors in our ZTE Wave evaluation provide these capabilities, but there are many other vendors that specialize only in the security aspect. The resulting SSE Wave will replace the ZTNA Wave from two years ago, as clients have realized that they need more than just ZTNA for their remote workforce; they need something like a cloud-delivered security stack to replace the one that their always-on VPN used to use in the data center.
Forrester clients can schedule an inquiry or guidance session with either me (security Butthead) or Andre (networking Beavis) to dive deeper into SSE, ZTE, or our ZTE solutions Wave.
Dive Even Deeper Into Zero Trust
I’ll be delivering the opening keynote on the future of Zero Trust at Forrester’s Security & Risk Forum in Washington, D.C., November 14–15. Even though it’s months away, I’m working on delivering the talk of my career. Register, come, and see.