Since orgs have migrated infrastructure to the cloud and workforces have become highly distributed, network security has been overshadowed by endpoint and cloud-related security. However, network security hasn't lost its importance, it's just that it has needed to adapt to a new paradigm.
For scenarios whereby many employees are working remotely, or at an office branch, and accessing applications in the cloud, it makes less sense to have the security checkpoints located at an org's own data centre. To avoid adding latency it makes more sense to have the security checkpoint at some point along a direct route between the remote employee or office branch and the SaaS application located in the cloud.
In simple terms, this is called SASE (Secure Access Service Edge), and outlines the concept of running security and networking functions off-prem as opposed to on-prem. There are many benefits to SASE, attributed to it being delivered in true SaaS form and hence shifting spend from capex to opex.
With SASE there is no need for remote workers to use VPNs to connect to the corporate network, which adds latency, creates bottlenecks, and offers full network access to bad actors that manage to compromise the connection. SASE enables much faster onboarding of remote workers, direct routes between user and application, and connections pass through a more sophisticated security stack.
Likewise, there is no need to have multiple physical security boxes located at each office branch (e.g., one for firewall, one for VPN, one for routing, one for load balancing, one for web gateway), which reduces capex as well as reduces substantial costs and complexity associated with deploying, maintaining, and updating them. SASE removes excessive deployments and simplifies networking and security management.
Generally, SASE provides orgs with more agility to expand operations, simplify operations, lower costs, and most importantly, improve security and productivity.
The obvious name in the SASE space is Zscaler (ZS), though our favourite name is Fortinet (FTNT). ZS is really the epitome of the SASE definition, first described by Gartner in 2019. However, FTNT has been quite contrarian with its stance on SASE. Their view is that SASE is the conducting of converged security and networking at a location along the most direct route between user and application. And so does it matter whether that is done in a PoP (Point of Presence) off-prem or done in CPE (Client Premise Equipment) on-prem?
In regards to latency, it shouldn't matter. In regards to deployment and maintenance, there is more consideration.
The off-prem option does still require IT admins to manage some networking on-prem, that is the router and the switches. The benefit of SASE, however, is that they don't need to handle any more boxes. Though, FTNT takes this a step further because they've packed all the necessary networking (including router and switches) and security (including firewall, SWG, VPN, load balancer, etc.) functionality into one single box, or CPE - and they are the only vendor to have done so. So, in effect, if IT admins choose to deploy Fortinet on-prem, they actually have fewer boxes to manage than in a SASE deployment.
Fundamentally, this is why we believe FTNT is the strongest SASE contender. They can do SASE off-prem with their global network of PoPs, as well as on-prem with their all-in-one FortiGate box, and the latter still enables IT admins to simplify operations. And they've managed to achieve this with a long-enduring commitment to their own custom silicon, in conjunction with developing advanced software-defined capabilities.
When considering this, FTNT is the most accommodative SASE vendor in the market, and our hypothesis that this will result in substantial hybrid environment revenue growth from larger enterprises has thus far been accurate. Note that FTNT markets its capabilities as converged networking and security rather than as SASE, probably because, in accordance to Gartner's definition, SASE is done off-prem. However, the converged/SASE market still has a lot of upside. There are a few estimates online, and based on these we would say current adoption could be anywhere between 20% to 40%.
For institutional investors (public and private), on request, we can do tailored research for your requirements. For all types of investors, here are individual reports you can purchase related to network security:
For institutional inquiries, or to pay for individual (a' la carte) reports, please click Subscribe for more information. From there you can also sign up as Premium subscriber if you wish to.
Fortinet Equity Research Report (January 2020) - $50
Fortinet Investment Synopsis (April 2021) - $50
Follow-Ups: Fortinet, Multiple Secular Tailwinds & Significant Relative Mispricing (December 2021) - $50
Part 3 Of Mini Security Series: The Importance Of The NGFW (June 2022) - $50
Follow-Ups #2: Fortinet, Early Signs Of Macro Headwinds But Long-Term Sound (August 2022) - $50
Palo Alto Networks Equity Research Report (June 2020) - $50
Palo Alto Networks: Significant Mispricing (April 2021) - $50
Follow-Ups: Palo Alto Networks (September 2021) - $50
The Ultimate Investor Guide To Zero Trust (January 2022) - Free
A Technical Overview Of Segmentation – The Panacea To Stopping Ransomware (January 2022) - $50
Follow-Ups #2: Palo Alto Networks (April 2022) - $50
Palo Alto Networks: Investor Misunderstanding (May 2022) - Free
Tailored research - price negotiable