Before we begin, we want to address the industry’s shifting views. Gartner’s original blog post introducing SASE can no longer be found (except through the WayBackMachine). While this may have been an unintended side effect of changing their Blogs to Insights, it’s not lost on us that the original blog post contained relevant insights that would disagree with the products Gartner currently advocates for.
SASE stands for Secure Access Service Edge, a cybersecurity framework that combines network security functions with WAN (Wide Area Networking) capabilities to support the dynamic, secure access needs of organizations. SASE was originally envisioned to address the evolving landscape of digital transformation, remote work, and cloud adoption.
The comparison matrix focuses on single-vendor SASE offerings, though there are subtle differences between most of the cloud offerings.
Single-vendor cloud-based SASE solutions are only good if your organization does not want to have ownership or management of infrastructure and the security team can accept third-party vendors decrypting sensitive data for inspection.
Companies using SASE solutions for their infrastructure should still deploy Pomerium at edge as the reverse proxy for internal web applications and services. Make sure the SSL inspection happens through Pomerium and not on the vendor’s wires to ensure data tenancy and meet compliance.
Remote access — SASE offerings are intended to both provision remote access to internal services and also “improve” latency.
Access Control — Being your one-stop shop for all things access, SASE offerings will also implement access control for you. Implementations will differ by vendor.
Instant infrastructure, just add money! — Cloud-based SASE solutions have infrastructure that you can plug your infrastructure into.
Limits lateral movement — While all of the cloud-based SASE offerings differ, they normally bundle together SD-WANs, Firewalls, and CASBs through service chaining.
IdP ready — SASE solutions will integrate with common existing Identity Providers. Some of the single-vendor solutions also want to be your IdP!
A trail of breadcrumbs — SASE solutions are in a position to implement common logging, observability, and monitoring features. If they don’t have it, they will acquire it.
Service Chaining — Gartner originally cautioned against single vendors repackaging their solutions through service chaining in order to bring a product to market.
Replaces Your VPN with Repackaged Tunnels — In almost all the SASE marketing materials you’ll see how they propose replacing the VPN, and some will even explain why VPNs are bad. We agree! So don’t buy SASE solutions that are repackaged tunnels. (How do you know if it’s a tunnel? See Evaluators Should Know below.)
Expansion of information boundary — A SASE vendor’s role as logger, auditor, access provisioning service, and policy enforcer for your services gives that vendor unlimited insight into the data in your organization. Decrypting your data is necessary to provide you security, and there is no guarantee they can keep that data uncompromised. Some vendors are even proposing to add AI or machine learning to their networking components — perhaps using your data to train their models.
Pay for that too — Gartner’s original blog post also recommended “short-term SASE contracts of one to two years maximum as licensing models are in flux. Favor SASE vendors that offer the simplicity of identity-/entity-based subscription licensing (not based on bandwidth) across all offerings.” Oh look — SASE vendors all want to charge you based on bandwidth!
Latency — SASE vendors will all discuss how their service points are “globally distributed” and that they have the “fastest latency.” This isn’t true — the data must be backhauled through their cloud infrastructure subjecting it to additional hops. Pomerium will always be faster through virtue of being deployed at edge.
If you’ve been looking at SASE marketing materials, does this spiel sound familiar?
"[Solution] seamlessly unifies top-tier connectivity and security, empowering your organization with unparalleled agility. Our SASE solution, fortified with threat intelligence, encryption, and AI-driven anomaly detection, guarantees robust protection. Bid farewell to bottlenecks—welcome a network optimizing data flow and propelling your operations forward. Tailored to your enterprise, [Solution] offers customizable features, a global network infrastructure with local points of presence, and seamless integration with your existing IT infrastructure. Maximize ROI by embracing the future of network security effortlessly."
-- Generic SASE marketing
Better yet, can you tell which of the major single-vendor SASE offerings fits that description? Or do all of them fit that description?
This is because Gartner’s original SASE introduction blog post has been used in one of two ways:
Vendors rebranding networking by cobbling together components and calling it SASE, or —
Products that enforce access based on “identity of the entity, real time context and security/compliance policies.”
Be wary of the former. Any solution that purportedly delivers SASE by citing their components should be viewed like a car dealership attaching four wheels to a sofa — it’s not a car.
It is very interesting to see Gartner change their stance. They initially warned about the very products currently on their single-vendor SASE page.
Again, here’s the relevant text from their original blog post (emphasis ours):
"Be wary of vendors that propose to deliver services by linking a large number of features via VM service chaining, especially when the products come from a number of acquisitions or partnerships. This approach may speed time to market but will result in inconsistent services, poor manageability and high latency. Also, we recommend short-term SASE contracts of one to two years maximum as licensing models are in flux. Favor SASE vendors that offer the simplicity of identity-/entity-based subscription licensing (not based on bandwidth) across all offerings."
We took a look at the materials and architecture of the major players based on Gartner’s Magic Quadrant for Single-Vendor SASE (it cannot be linked without Gartner’s permission) — none of the products listed pass the test that Gartner themselves originally put out.
Versa Networks does a wonderful job of explaining the architecture of the individual components bundled into all of these SASE offerings: they are all chaining together FWaaS, SWG, ZTNA, and CASB on top of an SD-WAN backbone with optional components and calling it SASE.
Cato Networks repackaged an SD-WAN with network provider partnerships. They are selling you another tunneling solution: “The users connect to the nearest Cato PoP, and their traffic is optimally routed across the Cato global private backbone to on-premises or cloud applications.”
Fortinet does the same. You’ll need the Unified Agent to backhaul connections through FortiExtender’s infrastructure. Agentless connectivity exists, but the architecture will result in lag and bandwidth costs.
Juniper Networks even put out a paper explaining how they repackaged the SD-WAN with Mist AI for SASE.
VMware is kind enough to showcase all of the individual services they chain together. They tried to defend the practice, but users will find latency to be an endemic problem in all of these products.
Cisco isn’t trying anything innovative, but their recent acquisition of Splunk may get bundled in for better security.
Forcepoint’s SASE solution proposes to add an extra security component called Dynamic Edge Protection, but they are still bundling together the usual components.
Finally, all of them either price their services based on bandwidth or limit bandwidth — exactly what Gartner warned about.
We base our evaluation on a strict set of four-pillar criteria when evaluating access control solutions. Compared with these single-vendor SASE solutions, we find that Pomerium is still:
Better — no tunneling, clientless access without compromise
Faster — deployed at edge is faster than all of these cloud-based vendors
Safer — self-host to control uptime and data tenancy
Tailored — able to leverage institutional context for context-aware access
These SASE solutions have material discussing why traditional perimeters fall short and the inherent failures of the VPN. We agree.
It’s confusing when you look at all of their architecture and data flow only to realize — they’re selling the same thing. You don’t need to take our word for it — search up their reference architecture and documentation and you’ll find:
An agent or connector to embed within your system or act as a software-defined reverse proxy
Backhauling that connection to their intermediary infrastructure
A client for logging in and connecting to their infrastructure (all the clientless access is severely limited)
This is no different from a VPN! Client-based access is poor user experience, and the Points of Presence (PoPs) are just glorified VPN relay points. All of these single-vendor SASE solutions talk about low latency and speed, but we own that conversation. Pomerium is…
Backhauling data is exactly what VPNs did. Doing it again in SASE only serves to reintroduce latency and bandwidth issues. Single-vendor SASE solutions are happy to charge or limit your bandwidth, the very activity Gartner originally warned about.
How can we say definitively that we’re faster than any SASE solution out there? It’s because Pomerium does not need PoPs to function — there is no backhauling data when Pomerium is deployed at edge, wherever the application or service is. There are no intermediary servers or clouds to tunnel through, meaning the fastest service possible.
Being deployed at edge has another advantage…
Third-party vendors have multiple customers to serve, and their infrastructure isn’t reliable. When a cloud-based SASE’s infrastructure goes down, so does availability.
Not your infrastructure, not your data. It is even worse when your data is being decrypted for inspection on third-party pipes and wires. Sensitive data like cookies, passwords, and more — all exposed in clear text to a third party for potential compromise.
Context-aware access is integrating institutional context into policy for making access control decisions.
It is no longer reasonable to make access decisions based on user identity alone. Instead, access control solutions should have access to data that better informs the context surrounding otherwise legitimate user activity. The authorization policy should integrate that data into access decisions when deciding whether an impending user request should be allowed or denied, completing all four pillars of your access solution.
Because this involves feeding institution-specific data to the access control system, that system and the information it has access to should never leave the organization’s control, given the sensitive nature of that data. Since cloud-based SASE vendors would run the access control system on their infrastructure, any context-aware access would mean giving them unacceptable access to the company’s sensitive data.
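As an added illustration (not Pomerium’s own policy code or policy syntax), the toy evaluator below contrasts an identity-only decision with one that also consults institutional context; the device inventory, on-call roster and change-freeze window are constructed sample data and every name in it is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed institutional context (assumed); a real deployment would pull
# this from an internal device inventory, on-call roster and change calendar,
# all of which stay inside the organization rather than with a vendor.
ENROLLED_DEVICES = {"dev-0001", "dev-0002"}           # managed, attested devices
ONCALL = {"alice@example.com"}                         # current SRE on-call roster
CHANGE_FREEZE = (utc(2024, 12, 24), utc(2024, 12, 27)) # half-open [start, end)

@dataclass
class Request:
    email: str
    groups: set
    path: str
    device_id: Optional[str] = None
    at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

def identity_only(req: Request) -> bool:
    """Identity-only rule: anyone in the 'sre' group may reach /admin."""
    return req.path.startswith("/admin") and "sre" in req.groups

def context_aware(req: Request) -> tuple:
    """Same identity rule, then institutional context narrows the decision."""
    if not identity_only(req):
        return False, "identity: not an SRE or not an /admin path"
    if req.device_id not in ENROLLED_DEVICES:
        return False, "context: request did not come from an enrolled device"
    start, end = CHANGE_FREEZE
    if start <= req.at < end and req.email not in ONCALL:
        return False, "context: change freeze in effect and user is not on call"
    return True, "allow"

if __name__ == "__main__":
    sre = {"sre"}
    samples = [
        Request("bob@example.com", sre, "/admin", "dev-0001", utc(2024, 6, 1)),
        Request("bob@example.com", sre, "/admin", None, utc(2024, 6, 1)),
        Request("bob@example.com", sre, "/admin", "dev-0001", utc(2024, 12, 25)),
        Request("alice@example.com", sre, "/admin", "dev-0002", utc(2024, 12, 25)),
    ]
    for r in samples:  # identity-only says yes to all four; context disagrees twice
        print(r.email, r.device_id, r.at.date(), identity_only(r), context_aware(r))
```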
Pomerium’s place as an open-source context-aware reverse proxy helps prevent ransomware attacks on internal services and resources. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN. The result is:
Easier with clientless access.
Faster by being tunnel-free and deployed where your apps and services are.
Safer because every single action is verified before allowed to execute.
Tailored to your organization’s needs by integrating all data for context-aware access.
Check out our open-source Github Repository or give Pomerium a try today!