Fortinet, VMware, Cisco Drive SD-WAN Gartner Magic Quadrant
Single-Vendor SASE Surge Expected to Fuel Convergence of SD-WAN, SSE Capabilities
Perennial leaders Fortinet and VMware and a surging Cisco set themselves apart from the rest of the pack in SD-WAN, according to the latest Gartner Magic Quadrant report.
Platform security giant Fortinet and virtualization behemoth VMware once again took the gold and silver in ability to execute in SD-WAN, with Cisco leapfrogging both Versa Networks and Palo Alto Networks to capture the bronze. Gartner sees a large and growing gap in execution ability between those three and the other vendors it designated SD-WAN leaders: Palo Alto Networks, Versa Networks and HPE Aruba.
"When clients are asking about who's included in RFPs, who's being finalized, who's being selected, there is separation," Jonathan Forest, Gartner senior director and analyst, tells Information Security Media Group. "There is separation by some of the higher market share vendors."
Cisco, Fortinet and VMware, respectively, were the three SD-WAN market share leaders in 2021, with Versa Networks and HPE Aruba capturing fourth and fifth place, market research firm Dell'Oro Group said in March. The worldwide SD-WAN market expanded by 35% in 2021 to more than $2 billion, and the eight largest SD-WAN vendors accounted for more than 80% of revenue last year, Dell'Oro Group found.
From a completeness of vision perspective, Gartner found Palo Alto Networks and VMware were once again neck and neck, with Palo Alto Networks taking the gold this time around. Fortinet leapfrogged Cisco and Versa Networks for the bronze in completeness of SD-WAN vision, with Cisco and Versa falling to fourth and fifth place. HPE Aruba was last among the leaders in both execution ability and completeness of vision.
"There is some stability," Forest says. "There's enough deployments, enough evidence of product deployment capabilities and overall everything we evaluate in the Magic Quadrant to make that assessment on what these vendors have done. So I do believe there's a track record and a certain level of maturity in this market."
Outside of the leaders, here's how Gartner sees the SD-WAN market:
- Visionary: Juniper Networks
- Challenger: Huawei
- Niche Players: Cradlepoint, Barracuda Networks, Nuage Networks, Peplink, Citrix and Forcepoint
"Things can change on a dime," Forest says. "Acquisitions can happen that can change things pretty quickly, as can new development of products and new positions on innovation that disrupt the market. Things can always change."
The Surge of Single-Vendor SASE
Gartner expects the share of organizations procuring both SD-WAN and security service edge from the same supplier will increase from 10% this year to 50% in 2025. Although secure access service edge is today dominated by multivendor solutions with orchestration tying them together, Gartner says single-vendor SASE will simplify sourcing and offer a tighter technical integration and better user experience.
Most organizations today are using different vendors for SD-WAN and SSE due to unique requirements or differences in opinion between the networking and security departments, Forest says. But as refresh cycles occur, smaller vendors without rigid, specific requirements will begin selecting one supplier for both SD-WAN and SSE, and adoption will slowly move upstream to the midmarket and lower enterprise.
Some large enterprises with unique requirements will maintain separate SSE and SD-WAN vendors for the foreseeable future, but Forest believes most customers will eventually converge on a single vendor to reduce complexity and simplify management. The consolidation to date has primarily been driven by SD-WAN vendors, and the leading cloud security vendors are just beginning to buy their way into SD-WAN.
"Clients want less vendors," Forest says. "It's less complexity, which from the security side makes sense because that reduces risk. Cost is part of it but not a driver. It's more about manageability and just reducing the attack surface."
How the SD-WAN Leaders Climbed Their Way to the Top
| Acquirer | Acquired Company | Price | Date |
|---|---|---|---|
| Cisco Systems | Viptela | $610M | August 2017 |
| Cisco Systems | Meraki | $1.2B | December 2012 |
| Hewlett Packard Enterprise | Silver Peak | $925M | September 2020 |
| Hewlett Packard Enterprise | Aruba Networks | $2.7B | May 2015 |
| Palo Alto Networks | CloudGenix | $420M | April 2020 |
| VMware | VeloCloud Networks | $449M | December 2017 |
Fortinet Focuses on App Connectivity, SD-Branch
Fortinet's SD-WAN business has focused over the past year on secure application connectivity, SASE use cases, SD-Branch opportunities, and public cloud integration, says Vice President of Products Nirav Shah. The company has built ZTNA enforcement into its SD-WAN offering to ensure adversaries aren't able to move laterally across the customer's entire application landscape in the event of compromise, he says.
The company's SD-Branch investments will address the needs of big retail and healthcare environments by integrating LTE and 5G inside the SD-WAN appliance, providing retail locations with 5G connectivity as well as dual SIM card support, Shah says. And from a SASE perspective, Shah says Fortinet offers customers flexibility by delivering its security and networking capabilities either on-premises or through the cloud (see: Ken Xie on Why Fortinet Is Leaning Into SD-WAN, OT Security).
"We continue to lead the SD-WAN market and continue improving in execution and vision," Shah tells ISMG. "If you compare from last year to this year, we are the only leader to improve in both execution and vision at the same time. No other vendor in the leadership quadrant could do that. So that speaks volumes to how well we are addressing any concern that customers or analysts have."
Gartner criticized Fortinet for an average customer experience, limited mind share in networking and limited third-party SSE integrations. Shah says Fortinet has invested heavily in building its networking practice out and becoming a key player in both wired and wireless LAN. From a partnership perspective, Shah says Fortinet plans to deliver single-vendor SASE and isn't looking to team up with competitors.
"Our SD-WAN is a foundation for SASE because we can do the security and networking convergence that customers want," Shah says. "We want to take advantage of providing a single-vendor SASE architecture. And that's why you will not see Fortinet integrating with the other SSE players out there."
VMware Doubles Down on 5G Integration, Security Services
Over the past year, VMware has enhanced its security capabilities and integrated private 5G services into its SD-WAN offering, says Karl Brown, senior director of product marketing for SD-WAN. Healthcare organizations, manufacturers and retailers want to connect intelligent devices to 5G during their digital transformation efforts to improve service quality, reduce latency and better support branch locations.
The company supports the security needs for cloud and SaaS applications through a bundled offering that allows customers to view analytics around application performance and network traffic and easily apply policies across all applications, Brown says. VMware delivers its cloud web security technology from 150 cities to give users a direct path from where they're located to where their apps are hosted (see: VMware Doubles Down on Multi-Cloud, Lateral Movement Defense).
"We make it extremely easy for our customers to connect their remote branch locations to cloud and SaaS applications," Brown tells ISMG. "We take away the complexity of trying to put appliances in multiple cloud locations and interconnect the users with those applications in the cloud. We make it extremely easy to deliver high-performance SaaS applications."
Gartner criticized VMware for basic on-premises security, product dependency and concerns around the Broadcom acquisition. Brown says Menlo Security's cloud protection offerings are fully integrated and benefit from close collaboration around the road map. VMware wants to extend its on-premises security offering beyond an existing firewall that's often used by customers in branch office locations.
"There is a segment of our customer base and potential customers that would like additional security in the appliance which would augment our cloud-delivered security services," Brown says. "We do fully intend to deliver upon that request from those customers."
Cisco Emphasizes Network Visibility, Public Cloud Partners
Cisco has strengthened its SD-WAN offering by providing more network visibility, deep integrations with public cloud providers, and additional security features and performance, says Jay Chokshi, director of product management for secure SD-WAN and SASE. Cisco has unveiled enhanced firewall capabilities and troubleshooting analysis as well as a Meraki platform with 33% enhanced performance, he says.
Integrating Meraki and Viptela with ThousandEyes gives customers visibility into networks they don't control, allowing them to spot outages and deep breaches across the broader internet sooner, Chokshi says. Cisco also created a robust, secure connection to public cloud that's simple to set up and makes it easy for customers to move applications to the cloud and access data in the cloud, he says.
"The networking and security constructs are becoming increasingly complex," Chokshi tells ISMG. "The networks are becoming very complex. So bringing simpler security to the operations piece is very important. I think that's a big thing."
Gartner criticized Cisco for having multiple platforms, an average product and an average customer experience. Chokshi says Cisco has driven simplified operations across its products by investing in user experience and creating a simple, intuitive workflow experience. Meraki allows Cisco to address SMBs' need for simplicity and lean operations while Viptela offers sophisticated features for enterprises.
"The market is very big. There are different segments of the market that have different needs," Chokshi says. "We have been able to bring a lot of what our customers are asking for by offering both Meraki and Viptela. In addition, many of our customers are leveraging both the portfolios in their network."
Palo Alto Networks Takes 5G, Digital Experience to Next Level
Palo Alto Networks has bolstered its SD-WAN offering with native integrated 5G, autonomous digital experience management and tighter SASE connections, says Kumar Ramachandran, senior vice president for SASE products. Integrating Prisma SD-WAN with Prisma Access' ZTNA capabilities gives customers the flexibility to select what components they want based on their deployment, he says.
Native integrated 5G means customers will enjoy the best possible performance and availability in branch offices while no longer deploying a separate device, Ramachandran says. And autonomous digital experience management provides deep visibility into application experience, network behavior and user behavior, automating application delivery and the resolution of performance issues, he says (see: Why Would Palo Alto Networks Want Startup Apiiro for $600M?).
"Our SD-WAN solution is very focused on delivering the best possible user experience irrespective of the connectivity," Ramachandran tells ISMG. "You get this very, very powerful user experience-based approach."
Gartner criticized Palo Alto Networks for below-average customer experience, below-average sales execution and limited on-premises security with SD-WAN. Ramachandran says the company has focused on bolstering both direct and MSP sales via a managed services partnership with AT&T. The company offers a full-blown firewall in the branch, though he says most clients prefer cloud delivery.
"The cloud offers lots of advantages over taking a different security box and deploying it in the branch," Ramachandran says. "We get the elasticity of the cloud at the branch."
Versa Networks Pursues Simplification Via AI, ML
Versa has created a natural language processing chatbot and anomaly engine for network and security insights to more effectively leverage AI and ML-based technologies around SD-WAN, says CEO Kelly Ahuja. Automating functions helps enterprises go faster, save money and be agile by having machines do the basic work, meaning organizations no longer need an army of employees troubleshooting security issues.
Versa's new chatbot allows users to ask questions in the management console using normal language and applies fixes with the click of a button, greatly simplifying how enterprises interact with Versa's system, Ahuja says. And the anomaly engine examines telemetry wherever software is running, correlates data from all of those places, identifies patterns and reports abnormalities back to customers, he says.
"From a technology standpoint, our solution is head and shoulders above the market, based on what our customers are telling us," Ahuja tells ISMG. "In certain segments and certain geographies, we're actually beating many of the other competitors hands down."
Gartner criticized Versa Networks for product complexity, poor customer experience and less DIY experience. Ahuja says Versa has done a lot of work to simplify its workflows with a well-lit path and says it provides comprehensive capabilities around routing, appliances and security. Most customers are served via Versa's 150 service providers, though many Global 2000 firms run directly on Versa, he says.
"We have the most comprehensive understanding of the market and a full solution that covers both networking and security, which is where the market is heading," Ahuja says. "So we are very, very well-positioned to continue to lead the market and build and grow the business."
HPE Aruba Doubles Down on Single Console, Branch Security
HPE Aruba has worked in recent years to collapse WAN edge functions around routing, firewalls and optimization into a single management console to simplify management and reduce human error, says Derek Granath, senior director of SD-WAN product and technical marketing. The company has teamed up to leverage user and device identity and role-based access control to enable segmentation, he says.
The company has replaced branch firewalls by adding security functions at the branch such as dynamic path control and unified threat management and integrating with Palo Alto Networks and Check Point offerings, he says. HPE Aruba also has increased its intrusion detection capability over the past year with prevention technology, correlation of user identity, and defense and mitigation features that isolate traffic, he says.
"We've always been about improving performance on the WAN," Granath tells ISMG. "We have certain features that we think we do better than anybody, such as our ability to run reliably on the internet, even when it becomes impaired because of congestion."
Gartner criticized HPE Aruba for an incomplete security road map, limited geographic and vertical strategy, and below-average customer experience. Granath said HPE Aruba has customers in every vertical and excels in financial services, technology, manufacturing and retail. From a security perspective, HPE Aruba automates integrations with Zscaler and Netskope to make accessing SSE easier, he says.
"There's no single SASE vendor that can tick all of the boxes for security and all of the boxes for the network," Granath says. "A dual or multivendor solution means customers don't have to compromise on either the security side or the network side."