Cloud Security, Network Security, Security Program Controls/Technologies

Buying SASE: Questions to ask vendors before you commit


Choosing vendors for your secure access service edge, or SASE, solution can be difficult. After assessing your organization's own assets, needs and abilities, you'll need to thoroughly vet potential SASE providers to see how well they can mesh with your company. Here are 10 questions you should ask.

1. Which of the five core components of a SASE solution can the vendor provide?

As defined by Gartner, the five core components of SASE are a cloud access security broker (CASB), a firewall-as-a-service (FWaaS), a software-defined wide area network (SD-WAN), a secure web gateway (SWG) and zero trust network access (ZTNA).

Your organization may not need all these components or may already have some in place. It's hard to find a single vendor that offers them all, so you may need to mix and match among different vendors.

"You have vendors that have almost everything, and vendors that have less, but you have no single vendor that offers all of what Gartner defines as part of SASE," says Boaz Avigad, senior director of product marketing at Perimeter 81.

2. How many of those SASE components did the vendor develop inhouse or through acquisitions?

Some SASE vendors take short cuts to match the Gartner definition and quickly add components that may not work terribly well. But if a component is part of the vendor's core competency, it should be more reliable.

"The vendors have come from different heritages," says Frank Kim, CISO-in-residence at YL Ventures and a SANS Institute fellow. "Depending on where they come from, they have a focus on one area. It's not always truly integrated. It may almost be like you were buying off-the-shelf yourself."

3. Does the vendor's offering have APIs that allow it to work well with tools from other providers?

Ideally, you want to be able to access and control all your SASE components from a single dashboard.

"The whole converged solution concept is about reducing complexity," says Avigad. "You want something that is simple and easy to use and can be managed from a single pane of glass."

4. Can the vendor help you with setting up your SASE solution?

The vendor will probably have more experience implementing a SASE deployment than your team does. Ask if the vendor can assist you — and how much extra that would cost.

5. How many regional points of presence (PoPs) can the vendor offer for your organization's use?

If your company does a lot of business in parts of the world with unreliable broadband, can the vendor offer a private backbone?

"[The PoP distribution] needs to closely match the scale geographically and the size of the organization," says Doug Saylors, partner and co-lead of cybersecurity at ISG. "If you're predominately a U.S. company, you don't need global coverage. But if you're a Fortune 500, you probably will."

6. What kind of security protections does the vendor build into its tools and management console?

That may seem like an odd question as SASE is itself a cloud security solution, but you need to regard your SASE system as a primary target for attackers. "If your SASE console is compromised, attackers will have total access across your enterprise," Saylors points out. "You have to think about how you're going to secure it."

7. What is the vendor's pricing model?

Do you pay according to the number of users you have, according to how much bandwidth you use, or something else? You'll need to factor the cost into your long-term projections.

"I wouldn't want to have to pay more as my organization grows from a usage perspective," says Saylors. "If the pricing is per user, I can build in that cost as we add people."

8. Can the vendor provide references from other customers?

You should also ask industry peers about their experiences with vendors you are considering.

"Buy from a company that has been doing this from a while with a large customer base and a large number of references," says Avigad.

9. What kinds of long-term customer support does the vendor provide?

Does it cost extra? How responsive will the vendor be?

"[Customer support is] just as important as the vendor's technical capabilities," says Kim. "You know there are going to be integration issues. You want to be able to quickly connect with the technical SME to resolve problems. You don't want to file a ticket and then wait like you're at the DMV."

10. What are the vendor's long-term product-development plans?

Are there features that might be added soon? How about farther in the future?

"Understanding what your SASE provider is doing from an R&D perspective is critical," says Saylors. "No one really knows what's around the corner from a technology perspective. You need to pick strong providers who are committed to R&D."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, and

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.