Versa announced last week the general availability of Versa Sovereign SASE – it’s the culmination of work done with early adopters over the past two years, including already-up-and-running deployments by organizations in the defense, financial services, maritime, energy, and retail industries. This also includes several service providers who’ve announced their own SASE offerings riding on a Versa Sovereign SASE implementation – like T-Mobile SASE, Tata Communications Hosted SASE, Lumen SASE, and Crown Castle SASE.
So why are they all doing it? Sovereign means (among other things) “being completely independent.” A sovereign country is self-governing and enjoys autonomy – this is what Brian Fink, head of the managed solutions business at Crown Castle, captures when he speaks of control and ownership of the entire solution as key benefits for Sovereign SASE.
“The flexibility and control offered by Versa’s sovereign SASE deployment model was key to letting us build SASE solutions best suited to our customers. We were able to leverage our in-place infrastructure and own the entire solution, simplifying our customers’ network management while giving them end-to-end visibility with leading-edge security.”
Brian Fink, Head of Managed Solutions Business, Crown Castle
We observe that all of the already-announced deployments (and ones currently underway) had in common that they were done by large organizations with extensive in-place networking and computing infrastructure, and while they appreciated the flexibility of cloud-based as-a-service SASE, they found it limiting in several respects. In conversations, they cited the challenges of staying compliant with regulations, ensuring data privacy and sovereignty, and meeting evolving security mandates. Added to this were their concerns over business continuity from the risk of cloud or SaaS outages, and the cost efficiencies in leveraging infrastructure they already owned, and the need for an alternative became very clear. In the words of the CIO of a global bank, “We’re not going to deploy in the public cloud — we can’t.”
The value propositions of Sovereign SASE for enterprises, government agencies, and service providers overlap, but obviously have different emphases. For enterprises and governments, the solution enables them to meet industry-specific regulatory compliance, data privacy, and security needs while maintaining control of their data and infrastructure with an air-gapped and self-managed deployment that integrates with existing tools.
For service providers, Versa Sovereign SASE empowers them to customize and deliver profitable security and networking services from their own infrastructure, maintaining value and customer relationships while meeting the regulations for data residency and access, security, and privacy.
One implication of the arrival of Sovereign SASE is that it will unlock new use cases and give a further iOne implication of the arrival of Sovereign SASE is that it will unlock new use cases and give a further impulse to market adoption of SASE – our estimate is that it will enlarge the market by 30% (at least!). This is due in the first moment to the improved economics it brings service providers, since it makes it possible for them to offer customized, turnkey services to SMB, SOHO, and consumer market segments that have been overlooked to this point. New use cases will also contribute, some of which we foresee, others of which are still to appear. The ones we know of: Sovereign SASE allows deployments to be extended to things that move (ships, planes, trains, automobiles), extends defense deployments to tactical battlefield use cases, integrates naturally with new private mobility (4G/5G) network-based services, and allows organizations to extend Zero Trust access to on-premises users and devices on IoT/OT networks.
For Versa, the arrival of Sovereign SASE adds an additional deployment model for our single SASE platform – VersaONE – to our SaaS flavor and our Private SASE, which is a bit of a middle term on the continuum of service control that provides a level of isolation of the processing of data, but doesn’t reach the independence of the sovereign model, as shown in the chart below.
| VersaONE Universal SASE Platform Deployment Models | ||
| SASE-as-a-Service | Private SASE | Sovereign SASE |
| SaaS model delivered via shared gateways in Versa’s global SASE fabric | Delivered via customer-dedicated gateways within Versa’s global network fabric | Do-it-yourself SASE deployed on the customer’s own air-gapped infrastructure |
The fundamental role of SASE in any organization is to ensure state-of-the-art network security delivered from a central location, e.g., public or private cloud, data center, co-location. In considering the SASE deployment options, once the basic use case is met, some nuanced questions arise for the CIO and CISO teams that will determine if straight-up SaaS, private, or sovereign SASE makes the most sense:
These are to be considered without losing sight of an (always) important overarching question, namely the future-proofing any technology bet. The decision to choose a SASE tech stack and the vendor delivering it should take into account the option value going forward of being able to transition smoothly to a different model, should the need arise in the future.
To discuss some scenarios, let’s say you are a CISO and run the network security department of a retail organization. You need to care for the security of thousands of remote employees along with hundreds of retail stores and corporate offices, and your goal is to secure each of these entities at the lowest possible cost (thanks to razor-thin margins in your space!). Now, while shared SASE-as-a-Service may be the first option to cross your mind (and it’s what many will choose), you need to ask if that will allow you to integrate the network from all the stores, corporate offices, and remote workers within the same network “fabric” in such a way that a policy can be defined just once – and you’re done! If the answer to this is “yes,” then all options continue to be open to you, but you would likely be choosing between shared SASE or Private SASE. The “future-proofing” question to consider in this context would be: If additional privacy or data compliance needs arise, can the product and its provider support a move to dedicated or private SASE?
Now, if you have the same role at a bank or an energy company that may have regional or global locations with specific data compliancy rules, a shared SASE service is probably off the table, and you would most likely be choosing between Private SASE and Sovereign SASE, though likely leaning more to Sovereign SASE where the entire data and control plane (including analytics data for observability) can operate within the specific boundaries of a given geography and its infrastructure.
And consider a telco or managed service provider who is not only a network and security services provider, but also a trusted advisor for a lot of small, medium and large enterprise customers. If you run the product and business teams at such a service provider, your key needs may also be 100 percent control of the data flow so that you can provide a reliable and dedicated Private SASE service of your own for your end enterprise customers, while consuming Sovereign SASE from the tech stack vendor.
Subscribe to the Versa Blog
Gartner Research Report
Trial
ROI
Contact