Look back on some of the most ingenious partnerships in history, and you’ll inevitably think of Laurel and Hardy, Beavis and Butthead, John Lennon and Paul McCartney and now David Holmes and Andre Kindness. We’ve just released the industry’s first evaluation of all-in-one Zero Trust Edge (ZTE) solutions, which some vendors call secure SD-WAN and others in the industry call SASE.
Whatever you call this architecture, it’s disruptive. It’s transformational. Forrester defines Zero Trust Edge (ZTE) as:
A solution that combines security and networking functionalities — such as software-defined WAN (SD-WAN), cloud access security broker (CASB), Zero Trust network access (ZTNA), and secure web gateway (SWG) — that a single vendor can deliver and support in any combination of cloud, software, or hardware components.
Read further into this blog for some specific proofs about ZTE’s disruptiveness, but before that, back to the research.
The Evaluative Research
In our pre-Wave Landscape report, where we list and group vendors, but don’t rank them, we documented twenty-two vendors offering ZTE solutions. Not all of them offer a full suite of security and networking services, including a hardware WAN component, that are managed and monitored from a single cloud-based management and monitoring system. Only a handful of vendors do. Forrester looked at the 10 technology providers that build and offer full ZTE solutions (not management services, such as the ones you would find from AT&T, BT, Lumen, NTT, Telefonica, et al – that’s coming in a future Wave).
While not every customer wants or needs to have both elements come from the same vendor, many are asking for it. All-in-one solutions improve efficiency by not requiring teams to duplicate tasks such as setting policies in two different systems and increase trust levels by reducing the chances of misconfiguration.
It is rare to have security and networking analysts working on the same evaluation report together, but it was critical for this Wave, because this pairing is needed for technology organizations selecting and using these solutions. Both networking and security professionals should be approaching this, and to be frank, many digital initiatives, as a single team. In our research for this report, we found that 96% (!) of the customer references said that security and networking collaborated to both set the specifications and implement the solution. 83% worked together to choose the vendor.
The Transformation
We opened this blog by asserting that ZTE is disruptive and transformative, so here’s some proof. In our research for this report, we asked nearly three dozen customer references (by definition, ZTE early adopters) if they kept any of their old networking and security stack when they moved to ZTE. The overwhelming response (76%) was no, they didn’t. And they were emphatic about it, as you can see from their replies when we asked them if they kept anything old:
- “No, nothing.”
- “No, all replaced and consolidated.”
- “Did not keep anything.”
- “No, we replaced them!”
- “No, nothing was kept.”
We further asked them to indicate what got replaced from the networking and security stacks. Firewalls and WAN routers were the most commonly made redundant. These replacements across both networking and firewall stacks are the second-order effect of ZTE. Converging these disciplines and handling them as a service from a global network will, of course, result in consolidation.
Why ZTE?
One thing that surprised me, but perhaps not my networking partner Andre, was how often networking was the driver for ZTE (it’s why he wrote a blog about ZTE taking over SD-WAN). SD-WAN rollouts were being hampered by lack of a holistic set of security services (now found in ZTE). SD-WAN was waiting for security like Andre waited for me to write this blog. Among the top ten reasons that customers moved to a Zero Trust Edge architecture, the top four are networking, not security, related! And of the top ten, 6 (or 7 depending on how you interpret #10) are related to networking and performance.
SSE Has Entered The Chat
My next train of research, where I leave Beavis Andre behind for a while, will focus on the cloud-delivered security aspect. The industry has already given this set of techs a name – Security Service Edge (SSE). Of course, all of the vendors in our ZTE Wave report provide these capabilities, but there are many other vendors that specialize only in the security aspect. The resulting SSE wave will replace the ZTNA Wave from two years ago, as clients have realized that they need more than just ZTNA for their remote workforce; they need something like a cloud-delivered security stack to replace the one their always-on VPN used to use in the datacenter.
Forrester clients can schedule an inquiry or guidance session with either myself (security Butthead) or Andre (networking Beavis) to dive deeper into SSE, ZTE or our ZTE solutions wave.
Dive Even Deeper Into Zero Trust
I’ll be delivering the opening keynote on The Future of Zero Trust at Forrester’s Security & Risk Forum in Washington, DC, November 14-15. Even though it’s months away, I’m working on delivering the talk of my career. Register, come, and see.