16/3/23, 16:48 Gartner Reprint

Licensed for Distribution

Hype Cycle for Workload and Network Security, 2022

Published 18 July 2022 - ID G00769072 - 98 min read

By Charlie Winckless

While public cloud is rapidly becoming the default (or preferred) option in many geographies,
network technologies continue to evolve. Security and risk management leaders must adopt
a unified security approach and use appropriate technologies to protect their assets and
users in any location.

Analysis
What You Need to Know
Despite the recent back-to-office wave, most organizations are still planning for a hybrid
workforce, and they are securing resources and access both on-premises and remote.
Additionally, confidence in and the desire to utilize cloud — whether software as a service (SaaS)
or cloud infrastructure and platform services (CIPS) — have grown to the point that Gartner
believes cloud usage is indispensable or heavily impactful in many enterprises. Workloads are
also increasingly diverse, and SaaS may be considered just another enterprise workload, as well
as an application. As a consequence of the convergence of cloud adoption and the hybrid
workforce, it is no longer where the workload or the workforce is located (or necessarily how they
are connected) that is driving the type of security used. Instead, product selection must be
shaped by how the technologies enable and support increasingly diverse corporate environments.

This has led to this blended Hype Cycle covering network and workload security. Security and risk
management leaders must select the right enabling security technologies to support their
organization’s particular flavor of anywhere, anytime data and workforce security. This includes
not just supporting remote workers, but also continuing to effectively secure the on-premises
workloads and workforce (and back-to-office wave) that remain a significant part of the security
attack surface today.

The Hype Cycle

This Hype Cycle reflects the fact that effective security must be delivered in any location (for
instance, with the new hybrid mesh firewall platform category that provides network security
regardless of what the network) as well as an increased trend toward converged platforms.
Recent Gartner surveys show that vendor consolidation efforts are happening in three-quarters of
organizations surveyed. 1 This consolidation is reflected in the increasing number of platforms on
the Hype Cycle. This includes cloud-native application protection platforms (CNAPPs), secure
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 1/66
16/3/23, 16:48 Gartner Reprint

access service edge (SASE) and the security service edge (SSE). Meanwhile, stand-alone
technologies such as secure web gateways (SWGs), network firewalls and cloud access security
brokers (CASBs) are approaching the Plateau of Productivity, as consolidated platforms provide
enhanced functionality and a more seamless user and administrator experience. Many security
technologies are becoming required functions of the larger platforms, rather than stand-alone
offerings.

Zero trust is shaping the architectural approach for many organizations in the wake of
government guidance and the constant onslaught and effectiveness of attacks. Zero trust is built
upon a foundation of strong and unified identity, and is supported by several technologies
identified in this Hype Cycle, including the new identity-first security category, zero trust network
access (ZTNA) and microsegmentation.

Hybrid work is the new normal, and delivering network security for end users (and branches) from
the cloud has emerged as the most efficient way to support hybrid workers. SSE and stand-alone
ZTNA solutions focus on providing security for end-user egress traffic. Complete SASE (if
sufficiently full-featured frewall as a service [FWaaS] capabilities are included) can extend SSE to
support branch traffic and enable a thin-branch, heavy-cloud architecture.

Along with hybrid work, security and risk management leaders are being asked to secure a
bewildering array of workloads. Business-critical applications are commonly being delivered from
SaaS platforms, requiring consideration of both the data being stored in these applications and
how they are configured and interconnected. These efforts are supported by SSE and SaaS
security posture management (SSPM), respectively. Gartner expects these technologies to merge
in the midterm. Security and risk management leaders are also dealing with serverless workloads,
containers and Kubernetes, and virtual machines both in the cloud and in data centers, and must
have the right technologies to ensure these are all protected. Adoption of these technologies is
being driven not only from central IT, but also from business technologists, and it is imperative to
stay ahead of the risks this adoption will incur. Today’s cloud breaches are overwhelmingly likely
to be caused by customer misconfiguration, not cloud provider weakness, and the automation can
offset the complexity and dynamism of cloud environments.

Figure 1: Hype Cycle for Workload and Network Security, 2022

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 2/66
16/3/23, 16:48 Gartner Reprint

Source: Gartner (July 2022)

The Priority Matrix

Convergence and combined technologies — both in the cloud and on-premises — are driving many
areas in this Hype Cycle. The opportunity to use effective platforms to replace point products is
represented in SASE, SSE and CNAPP. This combination presents an opportunity to combine
services such as SWG, CASB, ZTNA, CWPP and CSPM, and gain a whole that is more than the
sum of its parts. However, CNAPP in particular is an evolving space, and realizing the full benefit
will take more than five years for most organizations.

Also common is the bridge between cloud and on-premises. Most organizations will be hybrid,
and, by leveraging technologies such as cyber asset attack surface management (CAASM), hybrid
mesh firewalls and identity-first security approaches can be unified wherever a workload exists.

SaaS is now business-critical for many organizations. This means that SaaS usage and
configuration must be managed and controlled — and in an automated fashion. SSPM and SSE
(via the CASB capability) are potentially critical controls to manage these workloads.

Table 1: Priority Matrix for Workload and Network Security, 2022

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 3/66
16/3/23, 16:48 Gartner Reprint

Benefit Years to Mainstream Adoption

More
Less Than 2
2 - 5 Years 5 - 10 Years Than 10
Years
Years

Transformational CASBs SASE

Security
Service Edge

High Microsegmen Cloud WAAP Cloud-Native

tation Application
CSPM
Protection
Network
DDoS Platforms
Firewalls
Mitigation
Identity-First
Secure Web
NDR Security
Gateways
SaaS Security
Posture
Management

Moderate Cloud Cloud CAASM

Workload Firewalls
CIEM
Protection
Container
Platforms Hybrid Mesh
and
Firewall Platform
Hardware- Kubernetes
Based Security
Security
Firewall as a
Network Service
Access
Immutable
Control
Infrastructur
e
NSPM

Remote
Browser
Isolation
Serverless
Function
Security

ZTNA

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 4/66
16/3/23, 16:48 Gartner Reprint

Benefit Years to Mainstream Adoption

More
Less Than 2
2 - 5 Years 5 - 10 Years Than 10
Years
Years

Low

Source: Gartner (July 2022)

On the Rise
CAASM
Analysis By: John Watts, Neil MacDonald, Mitchell Schneider

Benefit Rating: Moderate

Market Penetration: 1% to 5% of target audience

Maturity: Emerging

Definition:

Cyberasset attack surface management (CAASM) is an emerging technology area focused on

enabling security teams to overcome asset visibility and exposure challenges. It enables
organizations to see all assets (internal and external), primarily through API integrations with
existing tools, query consolidated data, identify the scope of vulnerabilities and gaps in security
controls, and remediate issues.

Why This Is Important

CAASM aggregates assets from other products that collect a subset of assets, such as
endpoints, servers, devices and applications. By consolidating internal and external cyberassets,
users can make queries to find gaps in coverage for security tools such as vulnerability
assessment and endpoint detection and response (EDR) tools. CAASM provides mostly passive
data collection via API integrations, replacing time-consuming manual processes to collect and
reconcile asset information.

Business Impact

CAASM enables security teams to improve basic security hygiene by ensuring security controls,
security posture, and asset exposure are understood and remediated. Organizations that deploy
CAASM reduce dependencies on homegrown systems and manual collection processes, and
remediate gaps either manually or via automated workflows. Organizations can visualize security

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 5/66
16/3/23, 16:48 Gartner Reprint

tool coverage, support attack surface management (ASM) processes, and correct systems of
record that may have stale or missing data.
Drivers

Full visibility into all information technology (IT), Internet of Things (IoT) and operational
technology (OT) assets under an organization’s control, which improves understanding of the
attack surface area and existing security control gaps or serves as part of a wider ASM
process.

Quicker audit compliance reporting through more accurate, current and comprehensive asset
and security control reports.

Consolidation of existing products that collect asset and exposure information into a single
normalized view, which reduces the need for manual processes or dependencies on
homegrown applications.

Access to consolidated asset views for multiple individuals and teams across an organization,
such as enterprise architects, security operations teams and IT administrators, who can benefit
from viewing and querying consolidated asset inventories with a view to achieving business
objectives.

Lower resistance to data collection from, and better security visibility into, “shadow IT”
organizations, installed third-party systems and line-of-business applications over which the IT
department lacks governance and control. Security teams need visibility in these places,
whereas the IT department may not.

Obstacles

Resistance to “yet another” tool — organizations with adjacent products that provide asset
visibility may find it challenging to justify the cost of CAASM.

Not all vendors have capabilities to identify and integrate with IoT/OT assets for visibility and
vulnerability information.

Products may be licensed per asset consumed and become cost-prohibitive for very large
organizations with millions of assets under management.

The scalability of a single instance may be limited for extremely large environments with huge
amounts of data, in terms of both data collection and usability.

Tools that can be integrated with a CAASM product either do not exist (due, for example, to the
lack of an API) or may be prevented from integrating by the teams that own them.

Reconciliation processes that conflict with source systems can cause confusion and
frustration if the source system of record cannot be corrected when errors are found.

User Recommendations

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 6/66
16/3/23, 16:48 Gartner Reprint

Take advantage of proof-of-concept opportunities, and free versions of products and

subscriptions, in order to “try before you buy,” as CAASM products are nondisruptive and easy
to deploy.

Determine the primary use cases you want to address with CAASM, as vendor capabilities vary
widely.

Favor vendors that can combine inside-out and outside-in asset visibility capabilities.

Favor vendors that understand IoT/OT systems as well as IT systems.

Inventory all available APIs that can be integrated with the CAASM product you are considering,
and ensure you have read-only or low-privilege user accounts available to integrate.

Extend usage beyond core security teams to multiple users, including compliance teams, threat
hunters, vulnerability management teams and system administrators.

Ask your incumbent security vendors what visibility they currently provide into assets and
whether they have a roadmap to provide CAASM functionality in future.
Sample Vendors

Armis; Axonius; Brinqa; Darktrace; Encore; JupiterOne; Lansweeper; Noetic; Panaseer; Sevco
Security

Gartner Recommended Reading

Innovation Insight for Attack Surface Management

Emerging Technologies: Critical Insights for External Attack Surface Management

Hybrid Mesh Firewall Platform
Analysis By: Rajpreet Kaur, Adam Hils

Benefit Rating: Moderate

Market Penetration: 1% to 5% of target audience

Maturity: Emerging

Definition:

Hybrid mesh firewall platforms enable security policy controls to be defined and enforced
between workloads, and between users and workloads connected on any network in on-premises-
first organizations. Capabilities include control and management planes for connecting multiple
enforcement points. Hybrid mesh firewall platforms are delivered as a mix of hardware, virtual,
cloud-native and cloud-delivered services, and integrate with other technologies to share security
context signals.

Why This Is Important

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 7/66
16/3/23, 16:48 Gartner Reprint

Hybrid mesh firewall platforms enable hybrid environment security by extending modern network
firewall controls to multiple enforcement points, including FWaaS and cloud firewalls with
centralized management through a single cloud-based manager. These platforms enable security
teams to extend existing firewall-based security policies to support other teams, such as cloud
and DevOps teams, and integrate with other technologies, such as XDR, CNAPP, SASE and CWPP,
for improved overall visibility and control.
Business Impact

The platform supports extending a security team’s visibility and control to hybrid workforces and
hybrid environments. It aligns with the overall trend of vendor consolidation by combining multiple
point solutions into fewer, well-integrated offerings, resulting in less overhead for security
administrators. The platform ensures traffic is protected by different configurations and
capabilities in different (hybrid) environments by enabling more native integrations into modern
public and private cloud environments.

Drivers

Organizations need to extend visibility and control beyond their physical environment into IaaS
from a centralized manager.

Some organizations are on-premises-first, not cloud-first, so SASE/SSE is not a reasonable

strategy for them. A hybrid mesh firewall platform is a good network security choice for them.

There is an increased need to integrate on-premises firewalls and cloud-based FWaaS offerings
with cloud-native firewalls integrated in IaaS environments for end-to-end controls.

There is an increasing overlap in tools purchased by DevOps teams and security teams to add
security across hybrid environments, particularly when security needs to secure modern
environments, such as containers accessing legacy hardware or virtualized workloads in
separate environments.

A demand exists for mature integration and centralized visibility and control with overlapping
solutions that may already be in place.

Obstacles

Lift and shift of security controls to cloud environments may work in some cases, but cannot
simply replicate on-premises operating and control models.

Point solutions that offer best-of-breed capabilities and do not integrate with hybrid mesh
firewall platforms lower the overall value of the platform.

A lack of congruent requirements between network security, application and cloud teams leads
to different buying centers and dedicated sets of requirements.

Platforms that offer strong security capabilities, but limited support for the DevOps team’s
toolchains, leave teams with two separate solutions.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 8/66
16/3/23, 16:48 Gartner Reprint

There are complicated pricing models to support multiple firewall enforcement types and the
flexibility to move them.

There is a lack of open standards for integration between hybrid mesh firewall platforms and
adjacent technologies.

Developers view security as an inhibitor, and legacy firewall vendors have no credibility with
developers or development pipelines.
User Recommendations

Give preference to vendor platform approaches that offer truly unified management interfaces
over a portfolio approach, where there are interfaces for each environment (e.g., cloud-native
management interfaces separate from hardware firewall interfaces).

Work with, not against, DevOps teams to understand and implement controls from the platform
that improve security without interfering with the ability to deliver value for the business
through rapid release cycles.

Network security teams, application teams and cloud teams must discuss use-case-specific
requirements and evaluate them as a part of overall firewall control selection.

Give preference to vendors that deliver requisite SASE functionality natively from the cloud, or
that have explicit partnerships with SSE vendors to connect to their edge and share security
telemetry and event data with the hybrid mesh firewall platform.

Value a vendor’s ability to integrate with infrastructure-as-code deployments in IaaS

environments.

Sample Vendors

Barracuda; Check Point Software Technologies; Cisco; Forcepoint; Fortinet; H3C; Huawei; Juniper;
Palo Alto Networks; SonicWall

Gartner Recommended Reading

Quick Answer: Demystifying Network Firewall Pricing Models to Build an Effective Sourcing
Strategy

Tool: Competitive Evaluation of Network Firewalls

SaaS Security Posture Management
Analysis By: Charlie Winckless

Benefit Rating: High

Market Penetration: 1% to 5% of target audience

Maturity: Adolescent

Definition:

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 9/66
16/3/23, 16:48 Gartner Reprint

SaaS security posture management (SSPM) continuously assesses the security risk and manages
the security posture of SaaS applications. Core capabilities of SSPM tools include reporting the
configuration of native SaaS security settings, managing identity permissions and offering
suggestions for improved configuration to reduce risk. Optional capabilities include comparison
against industry frameworks, understanding integrations between SaaS applications, and
automated remediation.
Why This Is Important

SaaS is now the delivery model for many critical enterprise applications, leading to large amounts
of sensitive information being stored outside the traditional controls of the corporate network.
SaaS applications often act as the system of record and are commonly interconnected with other
SaaS applications, making them critical to business operation. SaaS security must evolve to meet
this pivotal change in risk exposure and protect against increasingly advanced attacks on SaaS
applications.

Business Impact

Many organizations use hundreds of SaaS applications, but most rely on a common set for
business-critical operations. Security service edge (SSE) vendors provide protection of sensitive
data and user access at the network layer, but are blind to complex configuration errors and SaaS-
to-SaaS communication. SSPM tools reduce risks by continuously scanning for and eliminating
configuration mistakes and overly scoped permissions, which represent the most common forms
of cloud security failure.

Drivers

As more valuable data is processed using SaaS, hackers will increasingly target these
applications to breach sensitive data. The primary source of cloud breaches is failure in
configuration, not an underlying flaw in the platform.

The increasing adoption, complexity and interconnectedness of SaaS have led to blind spots
(for example, a connected application that may not be secured might have the ability to access
data, potentialgly with minimal restrictions) and control gaps (especially around SaaS
configuration) in ever-more critical applications. Traditional controls and even SSE controls
cannot manage and mitigate these gaps effectively. In such cases, SSPM tools provide the
necessary visibility and protection.

Regulation is becoming increasingly strict, imposing large penalties for data breaches.

SaaS is not simple as a service. Trying to control SaaS via manual processes does not scale.
Increased automation of configuration validation and remediation is necessary for effective
control.

Obstacles

SSE and SaaS management platform (SMP) vendors are integrating some SSPM features into
their products.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 10/66
16/3/23, 16:48 Gartner Reprint

Few enterprises possess the appetite to manage yet another console for governing the cloud.

You can’t secure what you don’t know about. Most current SSPM tools lack discovery
capabilities, so rely on alternative tools (such as SMPs, SSEs or next-generation firewalls) to
identify the SaaS applications in use across the enterprise. Without this information and
controls to limit unsanctioned SaaS usage, SSPM cannot be used to manage the unknown
apps.

SSPM tools must evolve if they are to stand alone. Scaling to hundreds of applications is
unavoidably complex; hence, development costs may remain too high to justify a limited set of
features.

SSPM tools rely heavily on robust APIs from the SaaS provider for visibility into configuration
and identity permissions. While leading SaaS apps provide APIs, little standardization exists
and most smaller vendors have limited or no API-based visibility.
User Recommendations

Evaluate the current SSPM-like capabilities of existing tools, including cloud access security
broker (CASB) and SMP. If they provide sufficient visibility and management of SaaS native
controls, use them. Don’t buy yet another product.

Evaluate SSPM tools if existing tools lack the required capabilities, and invest tactically to
address shortcomings in CASB and SMPs. Favor vendors that offer automatic remediation.

Configure the SSPM tool to crawl through each new release of governed SaaS applications to
discover new functions and potential attack surfaces, such as exposed APIs, to maintain full
visibility and compliance.

Pressure vendors in established cloud security and management markets to broaden their
capabilities to offer SSPM capabilities, including automation for SaaS control with a specific
focus on CASB and SMP providers.

Sample Vendors

Adaptive Shield; AppOmni; Atmosec; DoControl; Obsidian; Palo Alto Networks; RevCult; Zilla
Security; Zscaler

Gartner Recommended Reading

Toolkit: A Checklist for SaaS Security Features

What to Include in Your SaaS Security Policy

Magic Quadrant for Security Service Edge

Critical Capabilities for Security Service Edge

Market Guide for SaaS Management Platforms

Identity-First Security
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 11/66
16/3/23, 16:48 Gartner Reprint

Analysis By: Paul Rabinovich

Benefit Rating: High

Market Penetration: 5% to 20% of target audience

Maturity: Adolescent

Definition:

Identity-first security is an approach to security design that makes identity-based controls the
foundational element of an organization’s protection architecture. It marks a fundamental shift
from perimeter-based controls that have become obsolete because of the decentralization of
assets, users and devices.

Why This Is Important

All organizations are operating in a challenging and escalating threat environment. Users and
resources are no longer confined to the corporate network, and the corporate network itself
cannot be trusted. Identity-first security offers a way forward by treating identity as the
cornerstone of security. It shifts the control plane for security from the network (and the physical
perimeter) to identity-based controls.

Business Impact

Identity-first security was introduced because the traditional network security model could no
longer protect modern organizations. By embracing an identity-first security mindset
organizations can drastically improve their security posture and mitigate security incidents.
However, it requires a culture shift followed by investments in new tools, processes, policies and
architectures.

Drivers

With the advent of cloud services, digital supply chains and remote access, the perimeter has
become porous. A typical organization’s attack surface dramatically expanded to include
assets and users outside of the corporate network.

Even before the COVID-19 pandemic 30% of the workforce worked remotely at least some of
the time. Although users can continue connecting to their corporate network using a VPN, their
device may hold company data and needs to be protected.

External access to organizations’ applications and data is now common. Enterprises need to
collaborate with partners, vendors and suppliers, support API-based access to their information
and interact with their customers through digital channels.

Digital supply chain risks continue to rise. Some organizations share infrastructure with third
parties such as managed service providers.

The zero trust access model and its supporting tools, Gartner’s cybersecurity mesh
architecture (CSMA) and emerging identity threat detection and response (ITDR) products and
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 12/66
16/3/23, 16:48 Gartner Reprint

services provide the technical means for implementing identity-first security.

Obstacles

Identity-first security requires a fundamental rethinking of an organization’s approach to its

protection architecture. One cannot buy an enterprisewide identity-first security product and be
done with it. Only layered defenses combining multiple IAM and security controls, processes
and technologies can deliver the necessary level of security.

Legacy systems are the biggest barrier to implementing identity-first security. Most software-
delivered applications were written under the assumption that they would run in a closed — and
benign — environment. Older IAM tools do not natively support anywhere computing,
unmanaged devices and access by external users.

IAM maturity at many organizations is insufficient to meet the demands of identity-first

security. IAM must efficiently handle new types of identity (for example, machines), new
entitlements and advanced controls such as adaptive access.

User Recommendations

Inventory all applications and services and identify where and how they rely on implicit trust.

Assess risk and, for those applications and services where existing risk exceeds the
organization’s risk tolerance, evaluate alternative identity-first security-based architectures.

Evaluate tools (for example, access management [AM] and zero trust network access [ZTNA])
that can support such architectures and, where needed, integrate them with the organization’s
existing identity infrastructure.

Incorporate contextual data such as risk and recognition signals into authentication and
authorization processes that make allow/deny decisions for user access.

Evaluate the use of device and workload identities to enable more granular access policies and
support application-to-application access use cases.

Ensure that the IAM team effectively communicates with business stakeholders, security
teams, I&O, cloud and DevOps as the newly introduced IAM controls will impact both end users
and IT personnel.

Gartner Recommended Reading

Emerging Technologies: Applying SASE’s Architectural Model to Secure Distributed Composite

Apps

Predicts 2022: Identity-First Security Demands Decentralized Enforcement and Centralized

Control

IAM Leaders’ Guide to Access Management

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 13/66
16/3/23, 16:48 Gartner Reprint

Quick Answer: How to Explain Zero Trust to Technology Executives

Top Strategic Technology Trends for 2022: Cybersecurity Mesh

At the Peak
CIEM
Analysis By: Henrique Teixeira

Benefit Rating: Moderate

Market Penetration: 1% to 5% of target audience

Maturity: Emerging

Definition:

Cloud infrastructure entitlement management (CIEM) tools help enterprises manage cloud
access risks via administration time controls for the governance of entitlements in hybrid and
multicloud IaaS. They use analytics, machine learning (ML) and other methods to detect
anomalies in account entitlements, like accumulation of privileges, and dormant and unnecessary
permissions. CIEM ideally provides enforcement and remediation of least privilege approaches.

Why This Is Important

Managing cloud infrastructure entitlements is challenging due to their rapid increase in number
and complexity, further exacerbated by the multicloud and the proliferation of machine identities,
making entitlements inconsistently defined and configured. Traditional identity and access
management (IAM) and cloud security solutions have not adequately addressed the need for
visualizing and managing granular and dynamic entitlements. CIEM capabilities, both in new and
traditional cloud security and IAM tools, can fill this gap.

Business Impact

CIEM offers a quicker time to value than traditional IAM and cloud security tools when mitigating
IaaS identity risks. For example:

Managing permissions risks of human and machine identities to help prevent cloud breaches
and data theft.

DevSecOps use cases, or cases where agility and speed need to be balanced with identity-first
security in the cloud.

Defining IaaS access policies, addressing auditor concerns and simplifying compliance.

Improving existing cloud security, privileged access management (PAM) and identity
governance and administration (IGA) processes.

Drivers

Inquiries into Gartner on CIEM have increased significantly in the past year.
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 14/66
16/3/23, 16:48 Gartner Reprint

More IAM providers in the IGA and PAM markets have added CIEM capabilities since last year.
Traditional cloud security posture management (CSPM) vendors have also been adding more
CIEM capabilities, which is becoming a foundational piece in cloud native application
protection platforms (CNAPP). The market has now over 20 vendors providing CIEM
capabilities at different stages of maturity.

The number of machines (workloads and devices) that are deployed in organizations’ hybrid
and multiclouds is rapidly increasing. It is estimated that 88% of users and roles in the cloud
are machine identities, not human.

A report from Sysdig shows that 78% of cloud accounts contain exposed S3 buckets, and 36%
of S3 buckets are open to the public. Also, 27% of DevOps teams still use “root” users for daily
tasks, and 48% of teams are not protecting those accounts with multifactor authentication
(MFA).

A research report from Ermetic shows that more than 70% of environments had machines
publicly exposed and linked to identities whose permissions could be exploited for performing
ransomware attacks. Eighty percent of environments had privileged users with access keys not
used for over 180 days. Sixty percent had privileged users without MFA enabled, and 45% had
misconfigured third-party users that could perform ransomware.

Authomize estimates that 80% of accounts in cloud infrastructure are inactive, while 55% of
entitlements of the active accounts are unused, and 30% of these active accounts are
privileged.

Through 2023, Gartner estimates that at least 99% of cloud security failures will be the
customer’s fault.

The more mature CIEM vendors have started to expand their scope beyond IaaS. Some now
include SaaS, on-premises targets and cloud identity providers (IdPs). Some vendors like
SentinelOne (Attivo Networks) have started to offer CIEM products that extend into identity
threat detection and response (ITDR).

Cloud providers, except for Microsoft, haven’t invested in more sophisticated CIEM functions.
Obstacles

Awareness about CIEM challenges and solutions: CIEM is still an emerging category, and
vendors and customers are still experiencing early challenges in understanding what CIEM can
provide today, and what this technology may become in the future.

Limited and varied maturity of CIEM technologies and only a small number of customer
success stories.

There are some pure-play CIEM vendors, then a group of cloud security (CSPM/CNAPP) and
IAM vendors that do some CIEM capabilities. As a result, there’s a lot of merger and acquisition
activity happening and lots of confusion for adoption.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 15/66
16/3/23, 16:48 Gartner Reprint

In most cases, especially in more complex organizations with lots of legacy and on-premises
resources, CIEM cannot replace full-featured IGA and PAM technologies.
User Recommendations

Use CIEM as part of a broader IAM strategy; it cannot replace full-featured IGA and PAM
technologies, especially in organizations with lots of legacy and on-premises resources.

Check if your existing IAM and cloud security vendors offer CIEM capabilities to avoid
redundant investments.

If there are gaps in existing tools, prioritize investment into CIEM capabilities for protecting
multicloud IaaS.

Use CIEM to manage entitlements of machine identities. It should be combined with tools like
secrets management, hierarchical storage management (HSM), key management service
(KMS), PAM, public-key infrastructure (PKI) and IGA. Machine IDs require very granular and
dynamic (behavior based) privilege management.

Use CIEM’s advanced analytics for simplifying dynamic privilege management with reduced
manual input.

Leverage CIEM in DevSecOps, and infrastructure as code, leveraging its abilities to provide
visibility to unnecessary privileges, and refining policies, without disrupting developer flows.

Sample Vendors

Authomize; Britive; CyberArk; Ermetic; Microsoft (CloudKnox); SailPoint; Saviynt; SentinelOne

(Attivo Networks); Sonrai Security; Zscaler

Gartner Recommended Reading

Innovation Insight for Cloud Infrastructure Entitlement Management

IAM Leaders’ Guide to Identity Governance and Administration

Quick Answer: How to Use Different Types of Identity Analytics for More Efficient IGA

Managing Machine Identities, Secrets, Keys and Certificates

IAM Leaders’ Guide to Privileged Access Management

Managing Privileged Access in Cloud Infrastructure

Cloud-Native Application Protection Platforms
Analysis By: Neil MacDonald, Charlie Winckless

Benefit Rating: High

Market Penetration: 1% to 5% of target audience

Maturity: Emerging
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 16/66
16/3/23, 16:48 Gartner Reprint

Definition:

Cloud-native application protection platforms (CNAPPs) are an integrated set of security and
compliance capabilities designed to help secure and protect cloud-native applications across
development and production. CNAPPs consolidate a large number of previously siloed
capabilities, including container scanning, cloud security posture management, infrastructure as
code scanning, cloud infrastructure entitlements management and runtime cloud workload
protection platforms.

Why This Is Important

Until relatively recently, comprehensively securing cloud-native applications required the use of
multiple tools from multiple vendors that are rarely well-integrated. This lack of integration slows
developers down, and creates fragmented visibility of risk and friction. CNAPP offerings allow an
organization to use a single integrated offering to protect the entire life cycle of a cloud-native
application.

Business Impact

Cloud-native application protection platforms consolidate a disparate number of fragmented

security testing and protection tools that increase cost and complexity for IT. Using a CNAPP
offering will improve developer and security professional effectiveness, and reduce complexity
and costs while maintaining development agility.

Drivers

CNAPPs:

Reduce the chance of misconfiguration, mistake or mismanagement as cloud-native

applications are rapidly developed, released into production and iterated.

Reduce the number of tools and vendors involved in the continuous integration/continuous
delivery (CI/CD) pipeline.

Reduce the complexity and costs associated with creating secure and compliant cloud-native
applications.

Facilitate the reporting and auditing of cloud security posture/status.

Allow developers to accept security-scanning capabilities that seamlessly integrate into their
development pipelines and tooling.

Place an emphasis on scanning proactively in development and rely less on runtime protection,
which is well-suited for container as a service and serverless function environments.

Obstacles

Cloud workload protection platform (CWPP) vendors that are good at runtime protection aren’t
necessarily good at integrating into development.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 17/66
16/3/23, 16:48 Gartner Reprint

Cloud-native workloads in the form of containers and serverless functions don’t require
heavyweight runtime protection capabilities.

There is no single CNAPP offering that does everything. Convergence of capabilities will occur,
but will take place over several years.

Organizations may have siloed purchases of application security testing tooling that is chosen
by a different team that manages the runtime protection of workloads.

Organizational immaturity in terms of cloud-native application development may inhibit

adoption.

Not all vendors fully support Kubernetes.

Buying center shifts to DevOps architects and cloud security engineering challenge traditional
vendors.
User Recommendations

Sign contracts of one to two years only because the market for CNAPP is emerging.

Solicit CWPP vendors to scan containers in development and add cloud security posture
management (CSPM) capabilities, including infrastructure-as-code scanning.

Select integrated offerings with flexible licensing models that allow you to only pay for the
capabilities your organization is prepared to use.

Evaluate the CSPM vendor’s ability to add scan of Kubernetes security posture (KSPM) as well
as provide runtime Kubernetes protection capabilities.

Consolidate OSS vulnerability scanning and software composition analysis through

integrations or replacement within a CNAPP offering.

Scan containers proactively in development for all types of vulnerabilities, not just vulnerable
components — including hard-coded secrets, malware and Kubernetes misconfiguration.

Sample Vendors

Aqua Security; Lacework; Lightspin; Palo Alto Networks; Rapid7; Red Hat; Snyk; Sysdig; Trend
Micro; Wiz

Gartner Recommended Reading

Market Guide for Cloud Workload Protection Platforms

How to Make Cloud More Secure Than Your Own Data Center

Innovation Insight for Comprehensive Secure Connectivity for Composite Applications

Innovation Insight for Cloud-Native Application Protection Platforms

Security Service Edge
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 18/66
16/3/23, 16:48 Gartner Reprint

Analysis By: John Watts, Neil MacDonald

Benefit Rating: Transformational

Market Penetration: 5% to 20% of target audience

Maturity: Adolescent

Definition:

Security service edge (SSE) secures access to the web, cloud services and private applications.
Capabilities include access control, threat protection, data security, security monitoring and
acceptable use control enforced by network-based and API-based integration. SSE is primarily
delivered as a cloud-based service and may include on-premises or agent-based components.

Why This Is Important

SSE improves organizational flexibility to secure usage of cloud services and remote work. SSE
offerings are the convergence of security functions (secure web gateways [SWGs], cloud access
security brokers [CASBs] and zero trust network access [ZTNA]) to reduce complexity and
improve user experience, delivered from the cloud. SSE stands alone, but when organizations are
pursuing a SASE architecture, it is paired with SD-WAN to simplify networking and security
operations.

Business Impact

The trend of hybrid work and the adoption of public cloud services accelerated in the past few
years. SSE allows the organization to support the anywhere, anytime workers using a cloud-
centric approach for the enforcement of security policy when accessing the web, cloud services
and private applications.

Drivers

Organizations need to secure users, applications and enterprise data that are now everywhere.

SSE enables flexible cloud-based security for users and devices without tying it to on-premises
network infrastructure.

Organizations look for deeper security capabilities when building a SASE architecture
compared to vendors that may have a minimal set of security features as part of their SD-WAN
offering.

SSE allows organizations to implement a zero-trust posture based on identity and context at
the edge.

By consolidating vendors, organizations reduce complexity, costs and the number of vendors
used to define security policy. It simplifies complexity or gaps in coverage with the use of
multiple offerings.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 19/66
16/3/23, 16:48 Gartner Reprint

Sensitive data inspection and malware inspection can be done in parallel across all channels of
access with better performance than doing this separately.

Improve user experience by unifying the same security outcomes regardless of location.
Obstacles

Some organizations want to strategically combine their SD-WAN and SSE from a single vendor,
but networking requirements or discrete buying centers prohibit them from adopting a best-of-
breed SSE.

Because the market is being formed by convergence of capabilities, vendors may be strong in
certain capabilities while weak in others, or lack overall tight integration of SSE capabilities or
with SD-WAN providers.

Some vendors are weak in sensitive data identification and protection, and this capability is
critical for risk- and context-based access decisions.

Being cloud-centric, SSE typically doesn’t address every need for on-premises functionality.

Not all vendors will commit to performance SLAs on all services or may have inconsistent
SLAs across services.

Switching costs for incumbent vendors or timing of contract expirations prohibit near-term
consolidation.

User Recommendations

Consolidate vendors, and cut complexity and costs as contracts renew for SWGs, CASBs and
VPNs (replacing with a ZTNA approach). Leverage a converged market that emerges by
combining these services.

Approach SSE consolidation identifying which elements you may already have in place (e.g.,
existing cloud-based CASB). Then, create a detailed understanding of the use cases applicable
to secure end users remotely and on-premises, the cloud services you use, and the data you
need to protect to develop a shortlist of vendors.

Inventory equipment and contracts to implement a multiyear phaseout of on-premises

perimeter and branch security hardware in favor of cloud-based delivery of SSE. Target
consolidation of on-premises equipment ideally to a single appliance.

Actively engage with initiatives for branch office transformation, SD-WAN and Multiprotocol
Label Switching (MPLS) offload to integrate cloud-based SSE into the scope of project
planning.

Sample Vendors

Broadcom (Symantec); Cisco; Forcepoint; iboss; Lookout; Netskope; Palo Alto Networks; SkyHigh
Security; Versa; Zscaler
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 20/66
16/3/23, 16:48 Gartner Reprint

Gartner Recommended Reading

2021 Strategic Roadmap for SASE Convergence

Magic Quadrant for Security Service Edge

Critical Capabilities for Security Service Edge

Market Guide for Zero Trust Network Access

Firewall as a Service
Analysis By: Adam Hils, Rajpreet Kaur

Benefit Rating: Moderate

Market Penetration: 5% to 20% of target audience

Maturity: Adolescent

Definition:

Firewall as a service (FWaaS) is a multifunction security gateway delivered as a cloud-based

service, often to protect small branch offices and mobile users. FWaaS can provide a simpler,
more flexible architecture using centralized policy management, multiple enterprise firewall
features and traffic tunneling to move security inspections partially or fully to a cloud service.

Why This Is Important

Hybrid working is here to stay, and growing adoption of software-defined WAN (SD-WAN) and
hybrid WAN architectures is increasing interest in using FWaaS to help secure small branches and
securely enable hybrid work. We expect this trend to continue. FWaaS offerings are of varying
levels of maturity.

Business Impact

The main business impacts are as follows:

FWaaS offers a significantly different architecture for branches or single-site organizations. It

offers greater visibility with centralized policy, increased flexibility and the reduced capital costs
associated with a fully or partially hosted security workload.

FWaaS enables inspection of both web and nonweb protocols, thus providing more outbound
protocol coverage.

FWaaS changes budgetary considerations as organizations move from capital to operational

spending.

Organizations with hybrid workforces will find that FWaaS helps them work securely in a widely
distributed network.

Drivers

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 21/66
16/3/23, 16:48 Gartner Reprint

Organizations rearchitecting their networks by implementing SD-WAN technology often want

FWaaS to secure outbound network traffic. FWaaS can also support inbound traffic use cases.

FWaaS is a core component of the secure access service edge (SASE) framework often offered
as part of a larger SASE architecture.

FWaaS can decrypt outbound traffic for inspection on a large scale. Alternative branch firewalls
often lack the performance to do this.

The move toward hybrid working since 2020 necessitates bringing security services closer to
workers in order to minimize latency.
Obstacles

Network firewall appliances comprise the largest security equipment market. The appliance
approach has been predominant, and many organizations use appliances effectively and
efficiently. Many organizations lack compelling reasons to change to a new form factor.

Security teams find some FWaaS solutions difficult to implement and manage. New FWaaS
deployments often require professional services engagements.

Over 80% of outbound traffic in organizations uses HTTP and HTTPS. Cloud-based security
service edge (SSE) services can protect and inspect this traffic at scale to offload existing
hardware firewalls. This makes it much easier to extend investments in existing firewall
hardware than to rearchitect the edge to forward all traffic to a FWaaS.

FWaaS licensing is based on per user per year subscription pricing. This can be more expensive
for large organizations with high user counts than hardware-based solutions that may have
lower subscription costs and that can be deployed and used beyond their capital depreciation
life span.

User Recommendations

Verify that the additional hop to FWaaS infrastructure does not create unacceptable latency for
some of your sites, and look at business models that limit initial investment until acceptable
latency is proven. The appeal of simpler architecture and increased flexibility must materialize
in faster deployment and easier maintenance.

Determine whether your organization is ready to move its entire security workload to the cloud,
or whether you need thicker local devices to address privacy concerns and perform some on-
premises segmentation or virtual LAN trunking.

Assess how FWaaS might impact your branch architecture. Current FWaaS offerings offer
mostly outbound security or protect mobile workers or companies that are primarily cloud-
hosted with no dependency on headquarters for applications. Consider maintaining on-
premises firewalls for data center use cases.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 22/66
16/3/23, 16:48 Gartner Reprint

Evaluate the strength of the cloud service in three key respects: data center locations, points of
presence and SLA.

Determine whether the complexity of an FWaaS project will necessitate a professional services
engagement for initial setup and configuration.
Sample Vendors

Barracuda; Cato Networks; Check Point Software Technologies; Cisco; Forcepoint; Fortinet;
Juniper; Palo Alto Networks; Versa Networks

Gartner Recommended Reading

Magic Quadrant for Network Firewalls

Critical Capabilities for Network Firewalls

Select the Right Strategy for Securing Web Access

Sliding into the Trough
Cloud Firewalls
Analysis By: Adam Hils, Rajpreet Kaur

Benefit Rating: Moderate

Market Penetration: 20% to 50% of target audience

Maturity: Early mainstream

Definition:

Cloud network firewalls offer bidirectional, stateful traffic inspection (both egress and ingress) for
securing different types of public clouds. They can be deployed as cloud native from the cloud
infrastructure vendor, as a separate virtual instance or in containers. Container firewalls can also
secure interconnections between containers.

Why This Is Important

Gartner forecasts that 2022 total public cloud spend will approach $500 billion globally. Many
organizations also use private clouds. Cloud firewalls are critical for securing ingress and egress
traffic, and can potentially offer additional attached security capabilities such as intrusion
prevention system (IPS) and URL filtering. Security and risk management (SRM) leaders are
tasked with securing these varied environments, and cloud firewalls are foundational to cloud
security strategy.

Business Impact

Security provided by infrastructure as a service (IaaS) firewalls enables organizations to

support both digital transformation and compliance requirements.

Cloud firewalls are mostly delivered as software and are licensed based on consumption. As
public cloud estates grow, on-premises network firewall hardware and software spend will

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 23/66
16/3/23, 16:48 Gartner Reprint

decrease, and the operating expenditure budget portion will grow while capital expenditure will
shrink, resulting in more predictable firewall budgets.
Cloud firewalls are key to strategic hybrid data center initiatives.
Drivers

The cloud firewall market will grow in parallel with the IaaS market.

SRM leaders who desire to have more advanced security firewall features (IPS and web
filtering, for example) often choose to use a more advanced cloud-native option or a third-party
best-of-breed solution for better security outcomes.

Some IaaS vendors have teamed with third-party firewall vendors in joint development projects
to instrument advanced security capabilities into the native infrastructure, improving security
without adding the operational friction that a third-party firewall often does.

SRM leaders often use third-party firewall virtual appliance solutions to unify firewall policy
management across hybrid networks. In this case, the network security team has a “single
source of truth” in one firewall management console, reducing management complexity.

As container firewalls become more capable, security-conscious DevOps teams are selecting
firewalls built specifically to secure the interconnection between containers.

Obstacles

Several IaaS providers offer ingress/egress gateway firewalls for each virtual private cloud by
default. Organizations deploying IaaS have native, basic firewall capabilities upon cloud
deployment, presenting an obstacle to third-party cloud firewalls.

The basic built-in cloud-native firewalls lack security features such as IPS and URL filtering.
SRM leaders therefore hesitate to deploy critical workloads behind basic security tools.

For SRM leaders choosing to use cloud-native firewalls, multiple clouds mean multiple
management consoles, increasing management complexity and staffing pressure.

Third-party firewalls can create significant operational drag, rendering them suboptimal for
cloud architects and application developers.

Some organizations in heavily regulated industries and regions are hesitant to move to the
cloud.

Implementing container firewalls requires changing the cloud container architecture.

User Recommendations

Align your cloud firewall strategy with the organization’s overall digital transformation strategy.
As critical infrastructure moves to the cloud, plan for firewalls appropriate to risk level and
potential operational complexity.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 24/66
16/3/23, 16:48 Gartner Reprint

When a third-party firewall makes sense, use the same brand of firewall as one used in on-
premises environments for consistency in policy management.

Use a cloud firewall provider that partners closely with the cloud service provider (CSP), or a
third party that offers detailed architecture guidance to achieve optimal integrations with the
CSP.

For a purely ingress/egress use case, firewall as a service (FWaaS) may be a suitable
alternative approach.
Sample Vendors

Amazon Web Services; Check Point Software Technologies; Fortinet; Google; Microsoft; Palo Alto
Networks; Valtix
Serverless Function Security
Analysis By: Charlie Winckless

Benefit Rating: Moderate

Market Penetration: 1% to 5% of target audience

Maturity: Emerging

Definition:

Serverless function (also referred to as “function PaaS”) security technologies are designed to
address the unique security and compliance requirements of serverless function protection.
Comprehensive solutions start with proactive vulnerability and configuration scanning in
development, entitlement and access checking, typically combined with lightweight runtime
protection and behavioral analysis.

Why This Is Important

Serverless functions are available in all hyperscale platforms and commonly included in cloud-
native applications as a simple and scalable way to enable the event-driven microservices
architecture. Serverless computing (like containers) appeals to developers, enabling them to
focus on writing code without having to worry about all the necessary layers below the code.
While not completely unsecure by default, these small workloads need to be secured and
protected like any other workload.

Business Impact

By ensuring the security and compliance of the serverless functions they create, information
security organizations can securely enable the developer-driven adoption of these technologies,
without slowing down development. Longer term, serverless should dramatically improve overall
enterprise security profiles, as it reduces the attack surface elements the enterprise must
manage.

Drivers

Driven by developers, adoption of serverless functions is increasing across all IaaS providers.
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 25/66
16/3/23, 16:48 Gartner Reprint

The greatest risk comes from the use of vulnerable code and misconfiguration of the
serverless function environment, driving the need for security capabilities such as vulnerability
scanning, API security, and correct and compliant serverless PaaS configuration.

When new types of attacks emerge against serverless PaaS, serverless function security is
uniquely positioned to help organizations detect and respond to those attacks, as it provides
visibility and security controls into the PaaS environment.

Cloud permissions are extremely complex, and serverless function security allows for
automatic detection and remediation of overly permissioned functions that increase risk.
Obstacles

In most cases, information security is blind to the use of serverless functions and unaware of
the risks they pose.

Serverless function security must have minimal friction for developers to avoid its adoption
being disrupted by the developer community.

IaaS vendors may not provide granular access controls on all serverless and PaaS capabilities.

At runtime, since serverless functions live for a matter of seconds or minutes, the need for
additional runtime security other than monitoring is minimal. Very few options are available
short of injecting or wrapping serverless functions with runtime protection code.

Serverless security tools are still maturing and standards for secure deployment across
multiple platforms are yet to be defined.

User Recommendations

Engage with cloud-native development teams now to understand the time frame for use of
serverless. Run a discovery project to see if serverless code is in use that you aren’t aware of.

Scan for vulnerabilities and misconfiguration automatically during development, as you would
for any static application code.

Require your cloud security posture management (CSPM) tool to provide risk visibility and
configuration/permissions management of the entire IaaS configuration, including serverless.

Adopt a least-privilege security posture, including serverless function permissions and network
connectivity.

Require an API gateway or event broker for invocation, providing a visibility and control point.

Require your cloud workload protection platform (CWPP) vendor to offer serverless function
security and compliance capabilities either now or as a roadmap item.

Sample Vendors

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 26/66
16/3/23, 16:48 Gartner Reprint

Amazon Web Services (AWS); Aqua Security; Check Point Software Technologies; Palo Alto
Networks; Rapid7; Snyk; Trend Micro
Gartner Recommended Reading

Market Guide for Cloud Workload Protection Platforms

5 Things You Must Absolutely Get Right for Secure IaaS and PaaS

How to Make Cloud More Secure Than Your Own Data Center
Cloud WAAP
Analysis By: Jeremy D'Hoinne, Adam Hils, Rajpreet Kaur, John Watts

Benefit Rating: High

Market Penetration: 20% to 50% of target audience

Maturity: Early mainstream

Definition:

Cloud web application and API protection (WAAP) platforms mitigate a broad range of runtime
attacks, notably related to the OWASP top 10 for web application, automated threats and API
security. Capabilities include web application firewall (WAF), distributed denial of service (DDoS)
protection, bot management and API security. WAAP is driven by enterprises’ need to better
defend against multiple threat vectors while significantly growing their number of web
applications and APIs.

Why This Is Important

Organizations with a mix of web applications and API hosted on-premises, and one or many IaaS
platforms, primarily select cloud WAAP solutions from specialized security vendors, CDN
providers or IaaS providers to shield these applications and APIs. These solutions can be
delivered and managed more flexibly than a traditional virtual appliance due to their ability to be
easily deployed.

Business Impact

Public-facing web applications are at high risk of breach. As most critical business processes and
sensitive data are hosted on these applications, protecting them is paramount. Cloud WAAP
solutions can also be deployed more easily and managed more efficiently than their appliance
counterparts. The value of cloud WAAP goes beyond the bundling approach, with potential
benefits from the global visibility provided by cloud deployment.

Drivers

Cloud WAAP simplifies the deployment of runtime application security controls in front of one or
many applications. For smaller organizations, compliance requirements represent a primary driver
for deploying WAAP in front of public-facing applications. Digital natives, B2C verticals (e.g.,
retail) and global organizations deploy cloud WAAP to protect assets that they consider critical.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 27/66
16/3/23, 16:48 Gartner Reprint

Core capabilities include:

WAF: Combines positive security models, signatures, heuristics and anomaly detection to
detect and prevent exploit of application vulnerabilities.

DDoS protection: Can mitigate volumetric and “low and slow” attacks by offering sufficient
bandwidth, rate limits and anomaly detection. Offers distributed points of presence to mitigate
attacks closer to their sources.

Bot management: Detects malicious behavior from automated sources through reputation,
fingerprinting, heuristics and machine learning techniques. Also ensures that authorized bots
can get through.

API protection: Discovers, categorizes and applies specialized controls to API traffic; extracts
policy from API scheme.
Obstacles

Privacy-related: Compliance requirements or fear of legal issues or complex project approval

can be issues for organizations. Some don’t trust the cloud to decrypt and log application
traffic and host related secrets.

Application fit: Organizations with a majority of on-premises applications might not see value
in cloud WAAP deployments, or favor a unified management approach where they use hosted
virtual appliances to keep the same centralized console for on-premises and cloud-hosted
applications.

Cost: WAAP as a feature of an ADC might be less costly than a cloud WAAP solution. Indirectly,
WAAP appliances might appear less expensive for organizations that don’t want to embark on
a new learning curve when they are satisfied with existing products.

Regional support: The availability of skilled and experienced support teams might vary for the
more recent cloud WAAP products in regions not well-supported by vendors, or when no PoPs
are located near the organization’s origin servers.

User Recommendations

Build your application security strategy for the present and future of your application
architecture by applying a cloud-first strategy or “follow the app” principle when deciding
between an on-premises WAF appliance, cloud WAAP or distributed WAAP.

Carefully evaluate the expected benefits and challenges of cloud WAAP. This includes
simplicity, data privacy, DDoS protection, bot mitigation and API security, as well as deployment
challenges such as certificate management for TLS decryption.

Continue to improve your stance against bots and other automated attacks by measuring the
efficacy of existing controls and adding new techniques when results decline.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 28/66
16/3/23, 16:48 Gartner Reprint

Implement products with automated API discovery and anomaly detection. Note that many
WAAP solutions do not yet offer best-of-breed API security capabilities; compare them with
offerings from dedicated API security vendors.

Evaluate integrations with API gateways or vendors that provide gateways that help with API
management when looking for a consolidated approach for API management and API security.
Sample Vendors

Akamai; Barracuda; Cloudflare; F5; Fastly; Fortinet; Imperva; Radware; ThreatX

Gartner Recommended Reading

Magic Quadrant for Web Application Firewalls

Critical Capabilities for Cloud Web Application and API Protection

SASE
Analysis By: Neil MacDonald, Andrew Lerner

Benefit Rating: Transformational

Market Penetration: 5% to 20% of target audience

Maturity: Adolescent

Definition:

Secure access service edge (SASE) delivers converged network and security as a service
capabilities, including SD-WAN, SWG, CASB, NGFW and zero trust network access (ZTNA). SASE
supports branch office, remote worker and on-premises secure access use cases. SASE is
primarily delivered as a service and enables zero trust access based on the identity of the device
or entity, combined with real-time context and security and compliance policies.

Why This Is Important

SASE is a key enabler of modern digital business transformation, including work from anywhere
and the adoption of edge computing and cloud-delivered applications. It increases visibility, agility,
resilience and security. SASE also dramatically simplifies the delivery and operation of critical
network and security services mainly via a cloud-delivered model. SASE can reduce the number of
vendors required for secure access to one to two over the next several years.

Business Impact

SASE enables:

New digital business use cases (such as branch office transformation and hybrid workforce
enablement) with increased ease of use, while reducing costs and complexity via vendor
consolidation and dedicated circuit offload.

Infrastructure, and operations and security teams to deliver a rich set of networking and
network security services in a consistent and integrated manner to support the needs of digital

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 29/66
16/3/23, 16:48 Gartner Reprint

business transformation, edge computing and work from anywhere.

Drivers

SASE is driven by enterprise digital business transformation including the adoption of cloud-
based services by mobile workforces, edge computing and business continuity plans that must
include flexible, anywhere, anytime, secure access, and use of the internet and cloud services.

The need to flexibly support digital business transformation efforts with a zero trust security
architecture while managing complexity is a significant factor for the adoption of SASE,
primarily delivered as a cloud-based service (see 2021 Strategic Roadmap for SASE
Convergence). The rapid shift to hybrid work models accelerated these trends.

For IT, SASE can reduce the deployment time for new users, locations, applications and devices
as well as reduce the attack surface and shorten remediation times.

Network security models based on data center perimeter security are ill-suited to address the
dynamic needs of a modern digital business and its distributed digital workforce. This is
forcing a transformation of the legacy perimeter into a set of cloud-based, converged
capabilities created when and where an enterprise needs them — that is, a dynamically created,
policy-based SASE.

Obstacles

Organizational silos, existing investments and skills gaps: A full SASE implementation
requires a coordinated and cohesive approach across security and networking teams, which is
challenging given refresh/renewal cycles, silos, and existing staff expertise.

Organizational bias and regulatory requirements for on-premises deployment: Some

customers have an aversion to the cloud and want to maintain control.

Global coverage: SASE depends upon cloud delivery, and a vendor’s cloud footprint may
prevent deployments in certain geographies, such as China, Africa, South America and the
Middle East.

SASE maturity: SASE capabilities vary widely. Sensitive-data visibility and control is often a
high-priority capability, but it is difficult for many SASE vendors to address. While your preferred
single vendor may lack the capabilities you require, two-vendor partnerships can be a viable
approach.

User Recommendations

Involve the chief information security officer (CISO) and network architect when evaluating
offerings and roadmaps from incumbent and emerging vendors to ensure an integrated
approach.

Leverage WAN, firewall, VPN hardware refresh cycles or software-defined WAN (SD-WAN)
deployments to update network and network security architectures.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 30/66
16/3/23, 16:48 Gartner Reprint

Strive for no more than two vendors for all core services to minimize complexity and improve
performance.

Identify required capabilities for networking and security, including latency, throughput,
geographic presence, and endpoint types to develop evaluation criteria.

Focus on vendors who invest significantly in sensitive data discovery and protection
capabilities for their SASE covering multiple data exfiltration vectors and serving verticals with
highly advanced requirements for data security.

Combine branch office and remote access in a single implementation to ensure consistent
policies and minimize the number of vendors required.

Leverage branch office transformation and dedicated circuit offload projects to adopt SASE for
security services.
Sample Vendors

Cato Networks; Cisco; Forcepoint; Fortinet; Juniper; Netskope; Palo Alto Networks; Versa
Networks; VMware; Zscaler

Gartner Recommended Reading

2021 Strategic Roadmap for SASE Convergence

Quick Answer: Does SSE Replace SASE?

The Future of Network Security Is in the Cloud

Magic Quadrant for WAN Edge Infrastructure

Magic Quadrant for Security Service Edge

Immutable Infrastructure
Analysis By: Neil MacDonald, Tony Harvey

Benefit Rating: Moderate

Market Penetration: 5% to 20% of target audience

Maturity: Early mainstream

Definition:

Immutable infrastructure is a process pattern (not a technology) in which the system and
application infrastructure, once deployed, is never updated in place. Instead, when changes are
required, the infrastructure and applications are simply replaced from the development pipeline.

Why This Is Important

Immutable infrastructure ensures the system and application environment is accurately deployed
and remains in a predictable, known-good-configuration state. It simplifies change management,
supports faster and safer upgrades, reduces operational errors, improves security, and simplifies
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 31/66
16/3/23, 16:48 Gartner Reprint

troubleshooting. It also enables rapid replication of environments for disaster recovery,

geographic redundancy or testing. This approach is easier to adopt and often applied with cloud-
native applications.
Business Impact

Taking an immutable approach to workload and application management simplifies automated

problem resolution by reducing the options for corrective action to, essentially, just one — repair
the application or image in the development pipeline and rerelease. The result is an improved
security posture with fewer vulnerabilities and a faster time to remediate when new issues are
identified.

Drivers

Linux containers and Kubernetes are being widely adopted. Containers improve the practicality
of implementing immutable infrastructure and will drive greater adoption.

Interest in zero-trust and other advanced security postures where immutable infrastructure can
be used to proactively regenerate workloads in production from a known good state (assuming
compromise), a concept referred to as “systematic workload reprovisioning.”

For cloud-native application development projects, immutable infrastructure simplifies change

management, supports faster and safer upgrades, reduces operational errors, improves
security, and simplifies troubleshooting.

Obstacles

The use of immutable infrastructure requires a strict operational discipline that many
organizations haven’t yet achieved, or have achieved for only a subset of applications.

IT administrators are reluctant to give up the ability to modify or patch runtime systems.

Although immutable infrastructure may appear simple, embracing it requires a mature

automation framework, up-to-date blueprints and bills of materials, and confidence in your
ability to arbitrarily recreate components without negative effects on user experience or loss of
state.

Many application stacks have elements that are deployed in the form of virtual machine
images. VM replacement is slower and requires greater coordination than other workload
components such as containers.

User Recommendations

Reduce or eliminate configuration drift by establishing a policy that no software, including the
OS, is ever patched in production. Updates must be made to individual components, versioned
in a source-code-control repository, then redeployed for consistency.

Prevent unauthorized change by turning off all normal administrative access to production
compute resources, for example, by not permitting Secure Shell (SSH) or Remote Desktop
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 32/66
16/3/23, 16:48 Gartner Reprint

Protocol (RDP) access.

Adopt immutable infrastructure principles with cloud-native applications first. Cloud-native
workloads are more suitable for immutable infrastructure architecture than traditional on-
premises workloads.

Treat scripts, recipes and other codes used for infrastructure automation similar to the
application source code itself, as this mandates good software engineering discipline.

Include immutable infrastructure scripts, recipes, codes and images in your backup and
ransomware recovery plans as they will be your primary source to rebuild your infrastructure
after an infection.
Sample Vendors

Amazon Web Services; Google; HashiCorp; Microsoft; Perforce; Progress (Chef); Red Hat; Snyk
(Fugue); Turbot; VMware

Gartner Recommended Reading

How to Make Cloud More Secure Than Your Own Data Center

2022 Strategic Roadmap for Compute Infrastructure

Innovation Insight for Continuous Infrastructure Automation

To Automate Your Automation, Apply Agile and DevOps Practices to Infrastructure and Operations

Innovation Insight for Cloud-Native Application Protection Platforms

Remote Browser Isolation
Analysis By: John Watts, Neil MacDonald

Benefit Rating: Moderate

Market Penetration: 5% to 20% of target audience

Maturity: Adolescent

Definition:

Remote browser isolation (RBI) separates the rendering of untrusted content (typically from the
internet) from users and their devices, or it separates sensitive applications and data from an
untrusted device. When used to protect from untrusted content, RBI significantly reduces the
chance of a breach, as a large number of attacks have shifted to users and endpoints. When used
to protect sensitive data and applications from unmanaged devices, RBI helps to reduce risks
associated with BYOD.

Why This Is Important

Browser isolation keeps the session between an endpoint and the web services it is accessing
segregated, reducing risk of malware and data loss. When an endpoint is accessing web content,
RBI prevents web-delivered malware from getting onto it. RBI also works in the reverse direction.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 33/66
16/3/23, 16:48 Gartner Reprint

In use cases such as SaaS access via a CASB or internal application access via ZTNA, it protects
sensitive data and applications from attack by an unmanaged and potentially infected device.
Business Impact

Today, most attacks are delivered via the public internet, through either web browsing or emailed
links that trick users into visiting malicious sites. Simply removing (or, more strongly, isolating) the
browser from the end user’s desktop significantly improves enterprise security posture, including
protection from malware attacks. RBI protection can also extend to internal private applications
and SaaS applications accessed from unmanaged devices, thus reducing the threat of data
exfiltration.

Drivers

Static blocklists of bad sites can fail and are too slow to stop targeted attacks.

Blocking uncategorized sites can hurt the end-user experience.

Remote work continues to bring unmanaged devices into the mix. RBI can serve as a control
point for unmanaged devices to support sensitive-data protection. Cloud access security
brokers (CASBs) and zero trust network access (ZTNA) offerings are now employing RBI for
this use case.

Email-based URLs that resolve externally are often used to phish employees. Isolating these
can reduce successful phishing attacks.

Security service edge (SSE) has combined a set of access capabilities from the cloud, including
secure web gateway (SWG), CASB and ZTNA. RBI adds value in multiple use cases and is
becoming a common feature of these products.

RBI is cheaper than using virtual desktop infrastructure (VDI) for isolation, if the applications
being isolated are browser-based.

Obstacles

User experience (UX) is a huge obstacle to adoption. Standardizing on Chromium as the

rendering engine helps with most issues; however, concerns remain about latency and
bandwidth impacts on UX.

RBI incurs greater administrative overhead for exception handling and troubleshooting than
traditional SWG solutions.

Localizing the browsing experience requires IP address assignments to be regionally combined

with either VPN exit points or local POPs.

RBI is potentially expensive and additional to existing SWG or firewall per-user licensing.

Most RBI offerings are software-based and cloud-delivered, limiting options for companies that
prefer to run solutions in-house and for defense and intelligence scenarios that require the

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 34/66
16/3/23, 16:48 Gartner Reprint

stronger isolation of hardware-based RBI.

RBI does not protect against infected content that is permitted to download to the endpoint.
Mechanisms like malware scanning, network sandboxing, conversion to PDF, or content disarm
and reconstruction (CDR) are required.
User Recommendations

Evaluate and pilot a browser isolation solution for specific high-risk users (such as finance
teams) or use cases (such as rendering email-based URLs), particularly if your organization is
risk-averse.

Pressure your SSE or stand-alone SWG, CASB, ZTNA and/or SEG vendor to provide RBI as an
optional defense-in-depth protection option.

Roll out RBI incrementally for threat protection. Start by deploying to a limited number of high-
value target users and by selectively isolating a limited number of URLs. Then, expand the use
cases.

Evaluate different vendor approaches for rendering (e.g., pixel streaming, vector-based), based
on performance, latency and bandwidth requirements.

Use RBI to isolate files for read-only viewing. However, when downloads are required, use CDR
or best-in-class file scanning to prevent malware.

Sign one- to two-year contracts only; the market is in flux, with downward pricing pressure.

Sample Vendors

Authentic8; Broadcom; Cloudflare; Ericom Software; Forcepoint; Garrison; Menlo Security;

Netskope; Skyhigh Security; Zscaler

Gartner Recommended Reading

2021 Strategic Roadmap for SASE Convergence

Magic Quadrant for Security Service Edge

Critical Capabilities for Security Service Edge

Quick Answer: How to Securely Enable Access for Unmanaged Devices

Climbing the Slope
NDR
Analysis By: Jeremy D'Hoinne, Nat Smith

Benefit Rating: High

Market Penetration: 20% to 50% of target audience

Maturity: Early mainstream

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 35/66
16/3/23, 16:48 Gartner Reprint

Definition:

Network detection and response (NDR) products detect abnormal system behaviors, notably by
applying behavioral analytics to network traffic data. They continuously analyze traffic patterns
from metadata (for example, Netflow) between internal networks (east-west) and public networks
(north-south), hosted on-premises or on IaaS. Organizations expect NDR to detect and contain
postbreach activity. NDR complements other technologies that trigger alerts primarily based on
rules and signatures.
Why This Is Important

NDR focuses on detecting abnormal behaviors, with less emphasis on more traditional signature-
based controls detecting known threats. The approach is effective in detecting weak signals and
previously unknown behavior from traffic on networks such as lateral movement or data
exfiltration. NDR solutions expand beyond on-premises networks with increasing adoption in IaaS
networks, and also provide automated response capabilities that can be relevant in a few use
cases.

Business Impact

NDR solutions provide visibility into network traffic. The machine learning algorithms that are at
the core of many NDR products help to detect anomalous traffic that is often missed by other
detection techniques. The automated response capabilities help to offload some of the workload
for incident responders. The threat hunting functionality provides valuable tools for incident
responders.

Drivers

Low Risk — High Reward: Implementing NDR tools is a low-risk project because the sensors
are positioned out-of-band (they aren’t in the line of traffic so they don’t represent a point of
failure or a “speed bump” for network traffic). Enterprises that implement NDR solutions as a
proof of concept (POC) often report high degrees of satisfaction because the tools provide
much needed visibility into network traffic. The POC projects often result in the customer
buying the solution, because they see value in the traffic visibility.

Detecting post breach activity: NDR complements traditional preventative controls by catching
activities based on deviations from baseline. This allows the security team to investigate inside
activities resulting from breaches without relying on having observed a previous occurrence of
the same activity.

Monitoring Cloud traffic: A growing number of NDR vendors offer the ability to monitor IaaS
traffic by leveraging available APIs from the cloud providers. Organizations expanding their
cloud presence use NDR to avoid creating gaps in their ability to monitor interactions between
their systems.

Obstacles

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 36/66
16/3/23, 16:48 Gartner Reprint

NDR competes for budget with endpoint detection and response (EDR), and extended detection
and response (XDR) when organizations pursue a vendor consolidation strategy.

Enterprises with a lower maturity security operation program might struggle to justify the
expense for a technology that cannot simply be evaluated by counting the number of alerts it
triggers.

The response features of the NDR products are more rarely deployed or narrowed down to
specific use cases, such as ransomware, due to a perceived risk of false positives.

Midsize enterprises that do not have the staff to support and operate a detection-only tool,
struggle to accept a fully automated response.

False positives are inevitable with any behavioral-based detection tool. NDR tools might require
fine-tuning of the configuration to reduce the amount of false alerts, especially in early days of
the deployment. This explains why response capabilities are more rarely deployed initially.
User Recommendations

Develop a strong understanding of the overall traffic patterns and specific traffic patterns in
your enterprise network to gain maximum value from NDR.

Carefully plan sensor deployment so that the most relevant network traffic can be analyzed.
Proper positioning of the NDR sensors is critically important.

Tune out false positives in the implementation phase (false positives may be triggered by
vulnerability scanners, shadow IT applications, and other factors that may be specific to your
environment).

Select sensor capturing capacity that is sized appropriately for your network. Some vendors
offer sensors that support up to 100 Gbps of line rate capture, whereas other vendors’ sensors
can only scale up to 10 Gbps.

Sample Vendors

Arista Networks; Cisco; Corelight; Darktrace; ExtraHop; Fidelis Cybersecurity; Gigamon; Plixer;
Vectra

Gartner Recommended Reading

Market Guide for Network Detection and Response

ZTNA
Analysis By: John Watts, Neil MacDonald

Benefit Rating: Moderate

Market Penetration: 5% to 20% of target audience

Maturity: Adolescent

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 37/66
16/3/23, 16:48 Gartner Reprint

Definition:

Zero trust network access (ZTNA) makes possible an identity- and context-based access
boundary between any user and device to applications. Applications are hidden from discovery
and access is restricted via a trust broker to a set of named entities. The broker dynamically
verifies identity — context for policy adherence of specified participants and devices before
allowing access — and limits lateral movement in the network.
Why This Is Important

ZTNA is a key technology for enabling dynamic user-to-application segmentation through a trust
broker, to enforce a security policy that allows organizations to hide private applications and
services and enforce a least-privilege access model for applications. It reduces the surface area
for attack by creating individualized “virtual perimeters” that encompass only the user, the device
and the application.

Business Impact

ZTNA removes full network access to reduce an organization’s attack surface, improves user
experience (UX) and remote access flexibility. It enables dynamic, granular user-to-application
segmentation through simplified policy management. Cloud-based zero trust network access
(ZTNA) offerings improve scalability and ease of adoption for secure remote access.

Drivers

The need to modernize and simplify traditional VPN deployments that were optimized for static
user locations connecting to data center environments rather than applications, services and
data located outside the enterprise.

The need for augmenting remote access methods with cloud-based ZTNA services to offload
hardware-based solutions when hybrid work demand exceeds hardware capacity constraints.

The rise of zero trust initiatives within organizations, which resulted in the need for more
precise access and session control in on-premises and cloud applications.

A need to connect third parties such as suppliers, vendors and contractors to applications
securely without exposing the entire network over VPN, or to connect the application to the
internet for access.

Mergers and acquisitions enabled by the ability to extend application access to acquired
companies preclosure without needing to deploy endpoints or interconnect the corporate
networks.

The emergence of the security service edge (SSE) market, including ZTNA components, as
organizations increasingly seek to secure private applications, web and cloud-services using a
single platform and endpoint agent.

Obstacles

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 38/66
16/3/23, 16:48 Gartner Reprint

Cost: ZTNA is typically licensed per named user on a per-user/per-year basis at roughly two to
three times more than traditional VPNs.

Limited support: Not all products support all applications. For example, some only support
web, Remote Desk Protocol (RDP) and Secure Shell (SSH) protocols.

Weak identity management: Organizations with no federated identity support in the cloud find
limitations with applicable use cases.

No on-premises trust brokers: Cloud-based trust brokers may not be preferred when extending
remote access policies on-premises. Some providers offer both cloud-based and on-premises
gateways.

Complex policies: Organizations must map the correct application accesses upfront to get the
full benefit of ZTNA, but mapping individuals to resources may be too complex to model,
implement and manage operationally at scale.

Marketing confusion: Vendors who market VPN as a service (VPNaaS) (or SSL VPN) as ZTNA
confuse buyers as they typically lack some zero trust posture capabilities.
User Recommendations

Enable applications and services intended for extended workforce and B2B end users to be
accessed with ZTNA.

Normalize the UX for application access both on and off the corporate network.

Implement application-specific access as an alternative to VPN-based access.

Extend access to systems prior to a merger, without having to configure site-to-site VPN and
firewall rules.

Allow access on personal devices by reducing full bring your own device (BYOD) management
requirements and enabling more secure direct application access.

Cloak systems from hostile networks, such as traditional VPN concentrators and collaboration
systems exposed to the internet.

Permit users in potentially dangerous areas of the world to interact with limited applications
and data to reduce or eliminate risk.

Secure access to enclaves of Internet of Things (IoT) devices if the device can support a
lightweight agent or a virtual appliance-based connector on the IoT network segment.

Sample Vendors

Akamai; Appgate; Banyan Security; Cisco; Cloudflare; Cyolo; Google; Microsoft; Netskope; Zscaler

Gartner Recommended Reading

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 39/66
16/3/23, 16:48 Gartner Reprint

Market Guide for Zero Trust Network Access

How to Select the Right ZTNA Offering

Best Practices for Implementing Zero Trust Network Access

Quick Answer: How to Securely Enable Access for Unmanaged Devices

2021 Strategic Roadmap for SASE Convergence

NSPM
Analysis By: Adam Hils, John Watts, Rajpreet Kaur

Benefit Rating: Moderate

Market Penetration: 5% to 20% of target audience

Maturity: Early mainstream

Definition:

Network security policy management (NSPM) tools offer centralized network security policy
management, orchestration and auditing capabilities which go beyond firewall rules and extend to
hybrid environments, hence simplifying the management of network security policies across
environments.

Why This Is Important

NSPM tools can play an important role by offering centralized visibility and policy workflow
management for hybrid network security architectures. NSPM provides rule optimization, change
management workflow and, more recently, application connectivity mapping.

Business Impact

NSPM tools support enterprises with hybrid environments by managing cloud-native security
policies.

Drivers

As networks have evolved and the majority of enterprises have begun to run across hybrid
environments, network security architecture has become more complicated than ever. NSPM
tools help network security teams work toward achieving segmentation using APIs. While this is
currently the primary driver for NSPM adoption, there are a number of other drivers, such as:

Centralized management of multiple/multibrand firewall rules

Continuous audit and compliance of security policies

Change management and automation of network security operations

Migration of firewalls

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 40/66
16/3/23, 16:48 Gartner Reprint

Continuous network security risk analysis and vulnerability assessment around policy changes

Removal of unnecessary or conflicting rules.

Reduction of manual work through automation

Reduced chance of configuration mistakes

Application connectivity management

DevSecOps
Obstacles

End-user perception: As the primary use case of NSPM tools has been the management of
firewall rules and auditing, users often fail to recognize the other features these tools offer.

Integration challenges: Users often complain about integration issues when the integrated
products undergo a firmware upgrade.

Overlapping markets: The NSPM market capabilities overlap with those of markets such as
cloud security posture management (CSPM), firewall-centralized management and vulnerability
management.

Cloud support: NSPM vendors have failed to offer mature features to support multicloud
environments when compared to CSPMs, with limited support for limited hyperscaler vendors.

Kubernetes support: NSPM vendors have been slow to add support for Kubernetes, a cloud
within a cloud, which has its own networking policies that should be managed

User Recommendations

NSPM tools have the potential to meet multiple network security and application management
use cases. NSPM tools have extended visibility into, and security policy management capabilities
for, public and private cloud platforms such as VMware vswitch, VMware NSX, Amazon Web
Services (AWS), Google Cloud Platform (GCP), Microsoft Azure and occasionally OpenStack.
Users are advised to:

Identify the primary and initial use case to address as the main requirement before shortlisting
vendors. NSPM tools come with multiple subscriptions and associated costs.

Identify and evaluate the API integration capabilities of NSPM platforms to achieve centralized
visibility and control across environments, including the native network security controls
implemented.

Avoid finalizing any NSPM tool purchase without conducting a proper evaluation of the primary
and adjacent use cases. Evaluation factors must include support for different network security
products with their current firmware version.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 41/66
16/3/23, 16:48 Gartner Reprint

Sample Vendors

AlgoSec; AppviewX; FireMon; Indeni; RedSeal; Skybox Security; Tufin; vArmour

Container and Kubernetes Security
Analysis By: Charlie Winckless, Neil MacDonald

Benefit Rating: Moderate

Market Penetration: 5% to 20% of target audience

Maturity: Adolescent

Definition:

Container and Kubernetes security refers to the implementation of security processes, testing and
controls in container-based environments, ideally with support for Kubernetes. Full-life-cycle
container security starts in development by assessing the risk/trust of the container’s contents,
secrets management and Kubernetes configuration, and should extend into production with
runtime container segmentation, threat protection and access control.

Why This Is Important

By enabling greater speed and agility to streamline development, container-based applications

have become mainstream. Rapid adoption of orchestration platforms, such as Kubernetes, has
left traditional vendors and some security teams without appropriate tools to ensure secure
application deployment. Container security requires a life cycle approach, starting with scanning
of containers in development and protection of containers at runtime.

Business Impact

Containers are not inherently unsecure, but they are being deployed unsecurely with known
vulnerabilities and configuration issues. Without proper controls, developers can introduce
vulnerabilities into development and, subsequently, production environments, exposing
organizations to avoidable risk. Further, security has been slow to embrace secure container
development practices and tools, leaving organizations unaware of potential risks and unprepared
to respond to attacks.

Drivers

Developer adoption of containers and Kubernetes has shifted threats from traditional
environments to containerized ones, forcing security teams to use different tools and
approaches to address these new threats.

Container as a service (CaaS) offerings, such as Amazon Elastic Kubernetes Service (EKS),
Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE), are on the rise. These
require security integrations to provide coverage.

Security and risk management leaders must address container security issues around
vulnerabilities, visibility, compromise and compliance.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 42/66
16/3/23, 16:48 Gartner Reprint

Multiple point solutions can now integrate transparently into the CI/CD pipeline and DevOps
practices to proactively scan containers for security and compliance issues. However,
organizations must carefully manage these point solutions to minimize the complexity they
introduce.

Traditional workload protection vendors, such as CrowdStrike, SentinelOne and Trend Micro,
have now added support for containers and Kubernetes integration.

Containers and Kubernetes are a natural fit for DevOps-style development of microservices-
based applications that deploy onto programmatic cloud infrastructure.
Obstacles

Container security must start in development, yet many security vendors and enterprises treat
container security as a runtime-only problem. Worse, some vendors are simply placing an agent
on a container, forwarding logs and calling this “container security.”

Application security blurs with infrastructure security, creating overlap in vendors, offerings and
responsibilities.

Simply identifying vulnerabilities doesn’t provide enough context to know whether the code is
actually used in production or is reachable from the outside.

Some container orchestration platforms other than Kubernetes are not supported by all
vendors, leaving alternative environments exposed.

Unless container security solutions are designed to provide minimal friction for developers,
their adoption will be, at best, resisted and, at worst, actively circumvented.

User Recommendations

Use a hardened, patched OS for the container host OS.

Scan containers in development for configuration and vulnerability issues of all code types,
before deploying to production.

Use automated tools to continuously assess the container orchestration environment (typically
Kubernetes) for proper patch levels and correct and compliant configuration, both in
development and in production.

Take advantage of continuous scanning provided by code repositories and cloud providers.

Pressure existing workload protection vendors to provide complete solutions for container
security that address end-to-end container security pipelines.

Examine the processes expected to run in containers, along with their behaviors. Use this
information to replace signature-based deny-listing with allow-listing-based lockdown.

Require container security solutions to explicitly support Kubernetes, including CaaS offerings.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 43/66
16/3/23, 16:48 Gartner Reprint

Design single-purpose containers and clear tagging mechanisms to track data sensitivity.
Sample Vendors

Aqua Security; Lacework; Palo Alto Networks; Red Hat; Skyhigh Security; Snyk; Sysdig; Tigera;
Trend Micro; Uptycs

Gartner Recommended Reading

Market Guide for Cloud Workload Protection Platforms

How to Make Cloud More Secure Than Your Own Data Center

Guidance Framework for Securing Kubernetes

Containers: 11 Threats and How to Control Them

Microsegmentation
Analysis By: Adam Hils, Jeremy D'Hoinne, Rajpreet Kaur

Benefit Rating: High

Market Penetration: 5% to 20% of target audience

Maturity: Early mainstream

Definition:

Microsegmentation — also referred to as identity-based segmentation, zero-trust network

segmentation or logical segmentation — can create more granular and dynamic policies than
traditional network segmentation, which is limited to internet protocol/virtual LAN (IP/VLAN)
circuits.

Why This Is Important

Once a system is breached, most attackers move laterally (including ransomware attacks), which
can cause serious damage. Microsegmentation seeks to limit the propagation of such attacks.

Business Impact

Microsegmentation can reduce the risk and impact of cyberattacks. It is a form of zero-trust
networking that controls the access between workloads and is used to limit lateral movement, if
and when an attacker breaches the enterprise network. Microsegmentation also enables
enterprises to enforce consistent segmentation policies across on-premises and cloud-based
workloads, including workloads that host containers.

Drivers

As servers are being virtualized, containerized or moved to infrastructure as a service (IaaS),

existing safeguards such as traditional firewall, intrusion prevention, and antivirus are rarely
able to follow the fast pace of deployment for new assets. This leaves the enterprise vulnerable
to attackers gaining a foothold and then moving laterally within enterprise networks. This has

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 44/66
16/3/23, 16:48 Gartner Reprint

created increased interest in visibility and granular segmentation for east-west traffic between
applications, servers and services in modern data centers.
The increasingly dynamic nature of data center workloads makes traditional network-centric
segmentation strategies difficult to manage at scale, if not impossible to apply.

Some microsegmentation products provide rich application communication mapping, allowing

data center teams to identify which communication paths are valid and secure.

The shift to microservices container architectures for applications has also increased the
amount of east-west traffic and further restricted the ability of network-centric firewalls to
provide this segmentation.

The extension of data centers into IaaS has also placed a focus on software-based approaches
for segmentation — in many cases, using the built-in segmentation capabilities of the cloud
providers.

Growing interest in zero-trust networking approaches has also increased interest in using
application and service identities as the foundation for adaptive application segmentation
policies. This is critical to enforcing segmentation policies in the dynamic networking
environments used within container-based environments.
Obstacles

Complexity — If not planned and scoped correctly, microsegmentation projects can lose
organizational support before completion.

Lack of knowledge — Security and risk leaders don’t know which applications should be
communicating with others, sowing doubt in automatically generated protection rules.

Legacy network firewalls — Some data centers have network firewalls for broader east-west
traffic segmentation, which is adequate for some organizations. Traditional firewalls can also
present operational challenges to some identity-based segmentation solutions when policies
overlap or conflict.

Organizational dynamics — Cloud-centric organizations employing DevOps may value agility

more than security, believing that any additional security controls will introduce operational
friction.

Expense — Full microsegmentation can come at a high price. Many organizations consider
microsegmentation to be a net new budget item.

User Recommendations

Start small and iterate with basic policies. Oversegmentation is the leading cause of failure and
an unnecessary expense for segmentation projects.

Do not use IP addresses or network location as the foundation for east-west segmentation
policies. Use the identities of applications, workloads and services — either via logical tags,

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 45/66
16/3/23, 16:48 Gartner Reprint

labels, fingerprints or stronger identity mechanisms.

Use the microsegmentation style (agent-, network- or hypervisor-based) that covers both the
location of the workloads (on-premises, hybrid and IaaS) and the type of environment in which
workloads are hosted (containers and virtual machines).

Apply continuous adaptive segmentation. Start with new assets, then close existing gaps.
Identify quick wins, and mix zoning governing principles when needed.

Target the most critical assets and segment them first.

Plan for coexistence of traditional firewalls and microsegmentation approaches for the next
five years, and seek products that can support both.
Sample Vendors

Akamai; Aqua Security; Cisco; ColorTokens; Illumio; Palo Alto Networks; TrueFort; vArmour;
VMware; Zscaler

Gartner Recommended Reading

Three Styles of Identity-Based Segmentation

CSPM
Analysis By: Neil MacDonald, Charlie Winckless

Benefit Rating: High

Market Penetration: 20% to 50% of target audience

Maturity: Early mainstream

Definition:

Cloud security posture management (CSPM) offerings continuously manage IaaS and PaaS
security posture through prevention, detection and response to cloud infrastructure risks. The
core of CSPM offerings applies common frameworks, regulatory requirements and enterprise
policies to proactively and reactively discover and assess risk/trust of cloud services
configuration and security settings. If an issue is identified, remediation options (automated or
human-driven) are provided.

Why This Is Important

The complexity of a modern IaaS or PaaS environment makes validating secure configuration
extremely difficult. Even simple misconfiguration issues, such as open-storage objects, represent
significant and often unidentified risk. The speed and scale of modern cloud deployments
compound the impact of misconfiguration, and makes it effectively impossible to address cloud
risk without automation. This is an urgent problem, and one that is encouraging rapid growth in
the availability and maturation of this category.

Business Impact

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 46/66
16/3/23, 16:48 Gartner Reprint

CSPM offerings provide business and security leaders assurance that their cloud services are
implemented in a secure and compliant fashion despite the speed, complexity, dynamics and
scale of IaaS and PaaS deployments. For enterprises that have a multicloud strategy, CSPM
offerings provide a single way to implement and monitor security and compliance guardrails
across multiple IaaS providers.
Drivers

Multiple mature offerings are now available from established vendors.

Hyperscale cloud service providers offer built-in CSPM capabilities suitable for single-cloud
deployments.

Most cloud-native application protection platforms (CNAPP), cloud workload protection

platform (CWPP) and security service edge (SSE) vendors now offer CSPM capabilities as a
result of acquisitions or open-source integration.

CSPM tools offer an abstraction layer that allows for consistent policy management across
multiple clouds — a feat that borders on the impossible if you rely entirely on each CSP’s native
console.

Several open-source software (OSS) options are emerging with enterprise offerings available.

Some emerging CSPM platforms leverage graph and relationship mapping technologies that
enable rich simulation, detection and forensic use cases.

Vendors are starting to offer full-stack risk visibility with an understanding of vulnerabilities
within the workload itself (virtual machine [VM] or container), typically achieved by taking a
snapshot of the running workload.

Obstacles

The market for CSPM is maturing and consolidating.

Emerging CNAPP offerings subsume CSPM capabilities and offer a longer-term alternative
more integrated approach.

The market is increasingly looking for tooling that shifts left and offers infrastructure as code
scanning capabilities. Not all vendors offer this or only offer a limited set of infrastructure as
code scripting languages.

CSPM capabilities are available in many adjacent markets, making it difficult for end users to
select the best approach.

There is no standard way to remediate issues identified and approaches vary.

Organizations are reluctant to enable automated remediation from SaaS-based CSPM offerings
(that require read/write access), and prefer remediation within the context and control of their
own CSP tenancy.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 47/66
16/3/23, 16:48 Gartner Reprint

User Recommendations

Investigate and see if you already have suitable CSPM capabilities from your IaaS provider,
CWPP vendor, SSE/cloud access security broker (CASB) vendor and IT operations team. The
IaaS provider might have sufficient CSPM capabilities built in and the IT operations team may
have purchased a cloud management platform for billing/utilization, but many also have
suitable CSPM capabilities.

Treat investments as tactical if a point solution is used. Limit contracts to one to two years as
the market matures and further consolidates.

Evaluate the CSPM provider’s cloud infrastructure entitlements management capabilities as an

alternative to purchasing a stand-alone solution for this.

Extend scanning into development, including infrastructure as code scanning.

Evaluate and compare the response options when an out-of-compliance configuration is

encountered, including alerting and automated remediation alternatives.

Sample Vendors

Check Point Software Technologies; Lacework; OpsCompass; Orca Security; Palo Alto Networks;
Rapid7; Skyhigh Security; Tenable; Trend Micro; Wiz

Gartner Recommended Reading

How to Make Cloud More Secure Than Your Own Data Center

How to Protect Your Clouds With CSPM, CWPP, CNAPP and CASB

Market Guide for Cloud Workload Protection Platforms

Innovation Insight for Cloud Security Posture Management

Innovation Insight for Cloud-Native Application Protection Platforms

DDoS Mitigation
Analysis By: Rajpreet Kaur

Benefit Rating: High

Market Penetration: 5% to 20% of target audience

Maturity: Mature mainstream

Definition:

DDoS mitigation includes vendors that detect and mitigate DDoS attacks. It includes specialty
vendors, whose primary focus is DDoS mitigation, as well as vendors that offer DDoS mitigation
as a feature of other services. These include dedicated, appliance-based vendors,
communications service providers (CSPs), content delivery network (CDN) vendors, hosting

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 48/66
16/3/23, 16:48 Gartner Reprint

providers and leading infrastructure as a service (IaaS) vendors that include DDoS mitigation
among their offerings.
Why This Is Important

Any website can be targeted by DDoS attackers. Attackers will sometimes target nonweb
resources (such as firewalls) to disrupt user access to the internet. DDoS mitigation services are
highly effective in mitigating these attacks and will prevent the website going down or restore
access based on the type of service, even during a large-scale attack. Enterprises that lack DDoS
mitigation services could face an extended outage and could incur heavy financial losses in the
event of an attack.

Business Impact

Most enterprises fall into one of two risk categories for DDoS attacks:

High-risk enterprises are targeted on a daily (or near-daily) basis. Sometimes, the attacks are
sophisticated, which requires these enterprises to invest in best-in-class DDoS mitigation
services.

Low-risk enterprises are attacked intermittently, possibly every 12 to 18 months. These attacks
are typically smaller in volume and can be mitigated by commodity-class DDoS mitigation
services.

Drivers

The risk of a highly disruptive DDoS attack drives enterprises to adopt DDoS mitigation
services.

Enterprises seeking DDoS mitigation services that are “good enough” (to protect against typical
DDoS attacks) have driven more ISPs and hosting companies to enter the market.

Leading infrastructure as a service (IaaS) providers have expanded their DDoS mitigation
offerings to include more robust, fee-based services.

As hybrid environments are growing and businesses want to build resiliency, they are also
considering hybrid, layered defense models that include on-premises mitigation appliances.

The wide availability of DDoS stressers (aka DDoS booters) is an important factor in the
increasing number of attacks, thereby driving the adoption of DDoS mitigation services. These
low-cost DDoS stresser services (many available for $25 per month or lower) make it easy for
nontechnical individuals to launch a DDoS attack.

Obstacles

Cost is the biggest obstacle to the adoption of DDoS mitigation services. Prices vary widely
with fee-based IaaS offerings typically $3,000 per month. Fees for the scrubbing center
services can easily exceed $10,000 per month. Pricing is usually based on bandwidth — the
higher the committed information rate (CIR), the higher the fee. The pricing for ISP-based
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 49/66
16/3/23, 16:48 Gartner Reprint

services is typically 15% of the cost of the bandwidth (usually less than the scrubbing center
option).
Gartner clients prefer fully managed services in most of the cases because of staffing issues.

Even the lower-cost ISP services are a significant obstacle for many enterprises.

Risk acceptance, or even outright complacency, impedes the adoption of DDoS mitigation.
Many enterprises choose to forgo DDoS mitigation services, hoping that they will not
experience a DDoS attack. For most enterprises though, forgoing DDoS mitigation services is a
high-risk gamble, given the growing spread of attacks.
User Recommendations

Based on your risk appetite and budget, explore and choose between always-on, on-demand or
hybrid mitigation.

Make DDoS mitigation services a standard part of business continuity or disaster recovery
planning. They should be included in all internet service procurements when the business
depends on the availability of internet connectivity.

Evaluate detection and mitigation services that are available from CSPs, hosters or DDoS-
security-as-a-service specialists (for example, scrubbing center providers).

Explore hybrid layered defense models where ISP-based services are not available (or too
expensive).

Adopt a content delivery network approach to DDoS protection when the organization is already
using a CDN for content distribution to improve the performance of its website. The CDN
approach only protects websites. It does not protect against attacks on other targets.

Evaluate the basic and advanced (fee-based) DDoS mitigation services of leading IaaS
providers.

Sample Vendors

A10 Networks; Akamai; AT&T; Cloudflare; Corero Networks; F5; Imperva; Link11; NETSCOUT
SYSTEMS; Neustar; Nexusguard; Radware; Verizon

Gartner Recommended Reading

Market Guide for DDoS Mitigation Services

DDoS: A Comparison of Defense Approaches

Cloud Workload Protection Platforms
Analysis By: Charlie Winckless, Neil MacDonald

Benefit Rating: Moderate

Market Penetration: 20% to 50% of target audience

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 50/66
16/3/23, 16:48 Gartner Reprint

Maturity: Mature mainstream

Definition:

Cloud workload protection platforms (CWPPs) are workload-centric security offerings that protect
server workloads in hybrid and cloud deployments. CWPPs provide consistent visibility and
control for physical machines, virtual machines, containers and serverless workloads, regardless
of location. CWPP offerings protect the workload using a combination of system integrity
protection, application control, behavioral monitoring, intrusion prevention and optional anti-
malware protection.

Why This Is Important

As enterprises spread workloads across data centers and public clouds, they need ways to
integrate security into the workload creation toolchain and maintain the visibility and control of
the workload at runtime regardless of location. The only way to address the speed, scale and
complexity of workload protection when cloud is in the equation is to use an appropriately
designed offering. Simply using a solution designed for on-premises data centers or end-user
endpoints won’t work.

Business Impact

Enterprises are implementing hybrid data center architectures, with workloads spanning on-
premises and public cloud IaaS providers, container-based implementations and serverless
functions. These workloads have unique security requirements that differ significantly from end-
user systems. In order to secure these workloads and realize the benefits of cloud native
applications, it is necessary to use the appropriate tools.

Drivers

The only way to address the speed, scale, complexity, and the ephemeral and elastic nature of
cloud workload protection is to use a tool designed for how these workloads are deployed.

Simply using a solution designed for on-premises data centers or end-user endpoint protection
platforms (EPPs) won’t work. Thus, many vendors are now explicitly targeting the CWPP
market, including multiple startup point solutions. Established EPP vendors are adding
dedicated CWPP products to support this trend.

Cloud server workload protection strategies must be based on a foundation of solid operational
hygiene including proper administrative control, patching discipline (or the use of immutable
infrastructure) and configuration management.

Workloads are no longer remotely homogeneous; tools must protect containers, VM and
serverless workloads, and grant the appropriate levels of security to each.

Unlike end-user endpoints, server workloads do not commonly encounter and execute unknown
arbitrary code, thus lending themselves to a default deny, application-control-based protection
strategy.
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 51/66
16/3/23, 16:48 Gartner Reprint

As vendor convergence becomes more important to Gartner clients, the convergence of CWPP
and CSPM into a cloud-native application platform supports fewer tools that still provide the
same value.
Obstacles

Some organizations are maturing their approach to cloud protection and have not identified a
need for cloud-native security toolsets, or prefer to continue with existing endpoint tools
despite their lack of suitability for cloud deployments.

Organizations still wish to extend on-premises controls and control patterns to the cloud,
regardless of suitability.

Single cloud-using organizations may wish to use CSP-native tools. This can be shortsighted
due to multicloud deployments, increasing options for cost and feature improvements.

Not all vendors offer all capabilities. Some specialize in only one or two forms of workload
protection.

Not all vendors offer support for physical servers or out-of-support and older operating
systems that still require protection.

Serverless functions and PaaS security protection capabilities require new approaches that
don’t require agents or privileged containers.

User Recommendations

Don’t use an end-user EPP solution to protect cloud server workloads.

Architect for consistent visibility and control of all workloads regardless of location, size, or
type as well as for cases where runtime agents may not be used or may not make sense.

Require vendors to support native integration with leading cloud platforms.

Prioritize “zero-trust execution”/default deny/application control approach.

Extend workload scanning and compliance efforts into development (DevSecOps), especially
for containers and serverless functions.

Require CWPP offerings to expose all functionality via application programming interfaces.

Require vendors to provide solutions for the protection of containers and Kubernetes with the
ability to scan the containers in development for vulnerabilities before deployment into
production.

Require vendors to provide solutions for serverless functions, both in terms of scanning static
code and validating runtime behavior.

Sample Vendors

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 52/66
16/3/23, 16:48 Gartner Reprint

Aqua Security; Bitdefender; CrowdStrike; Lacework; Microsoft; Palo Alto Networks; Skyhigh
Security; Sophos; Trend Micro; VMware
Gartner Recommended Reading

Market Guide for Cloud Workload Protection Platforms

How to Make Cloud More Secure Than Your Own Data Center

Magic Quadrant for Endpoint Protection Platforms

Hardware-Based Security
Analysis By: Tony Harvey, Neil MacDonald

Benefit Rating: Moderate

Market Penetration: 5% to 20% of target audience

Maturity: Early mainstream

Definition:

Hardware-based security uses chip-level techniques for the protection of critical security controls
and processes in host systems independent of OS integrity. Typical control isolation includes
encryption key handling, secrets protection, secure I/O, process isolation/monitoring and
encrypted memory handling.

Why This Is Important

The integrity of a computing system starts with the integrity of the hardware. Hardware-based
security uses the strong isolation and protection characteristics of hardware to extend assurance
and protection into the software layers running above it. For example, if system firmware or a
hypervisor is compromised, any upper layer security controls can be disabled and sensitive data
in memory stolen. The use of shared compute services such as IaaS, PaaS and SaaS exacerbates
this issue.

Business Impact

Hardware-based security provides the foundation of a secure enterprise by ensuring that the
hardware, firmware and boot process have not been tampered with. In addition, hardware-based
security functions like confidential computing, and encrypted VMs and containers ensure that
data cannot be leaked due to activity by compromised or malicious environments on the same
system.

Drivers

The desire to extend trust from the hardware level of a system, through the OS, to applications
and workloads, including containers that run above it. This root of trust needs the strong
foundation that hardware-based security provides.

Software-based isolation of security controls is inevitably fallible and will be attacked,

increasing interest in protection approaches rooted in hardware.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 53/66
16/3/23, 16:48 Gartner Reprint

Requirements for data sovereignty or the need to use IaaS providers in potentially hostile parts
of the world and protect these workloads from OS compromise or virtual machine and memory
snapshotting are increasing.

Most hardware platforms for servers and mobile devices, including Android and iOS devices,
now include hardware-based isolation capabilities.
Obstacles

In public clouds, enterprises do not have access to the underlying hardware and must rely on
hardware-based attestations provided by the CSP.

Approaches to hardware-based confidential computing vary across microprocessor vendors,

complicating application deployment using these techniques. No single approach covers all
use cases. Abstraction layers, such as Asylo (open source) or Anjuna (commercial), may help,
but add another layer of complexity and are not widely adopted.

Hardware-based security is strong, but may potentially still be broken by software flaws or side-
channel attacks, such as Spectre and Meltdown.

User Recommendations

Make strong isolation of sensitive code and security controls a mandatory part of IT systems
procurement, especially IaaS.

Make a secure root of trust that can detect firmware tampering and monitor the boot process a
requirement for all hardware and IaaS suppliers.

Enable “secure boot” features on all devices, servers, desktops and laptops wherever possible.

Evaluate the need for confidential computing capabilities only for the most critical applications
that move to public cloud infrastructure.

Check for compatibility issues with third-party approaches that also use virtualization
techniques before activating OS-based virtualization-based security.

Explore the use of hypervisor-based approaches with security rooted in hardware virtualization
techniques to achieve similar levels of strong isolation.

Plan different strategies for different devices and server platforms, as none of these
mechanisms are interoperable.

Sample Vendors

Amazon Web Services (AWS); AMD; Anjuna; Apple; Bitdefender; Fortanix; Google; Intel; Microsoft;
Samsung Electronics

Gartner Recommended Reading

How to Make Cloud More Secure Than Your Own Data Center
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 54/66
16/3/23, 16:48 Gartner Reprint

Select the Right Key Management as a Service to Mitigate Data Security and Privacy Risks in the
Cloud
CASBs
Analysis By: Craig Lawson, Neil MacDonald

Benefit Rating: Transformational

Market Penetration: More than 50% of target audience

Maturity: Mature mainstream

Definition:

Cloud access security brokers (CASBs) provide critical controls to allow for the secure use of
cloud services, with key features being visibility, compliance, data security and threat protection.
They consolidate multiple types of security enforcement into one place that can span SaaS, IaaS
and PaaS.

Why This Is Important

CASBs are critical for organizations to secure usage of business-critical cloud services. The four
key areas — visibility, compliance, data security and threat protection — are the primary value
propositions for the use of CASBs.

Business Impact

CASBs enable the secure use of cloud services, are suitable for organizations of all sizes in all
industries and can demonstrate that organizational cloud usage is well-governed. With continued
feature expansion, ongoing convergence with secure web gateway (SWG) and zero trust network
access (ZTNA) into security service edge (SSE), and relative ease of switching providers, we
recommend preferencing an SSE solution when renewing or selecting CASB features. One year
contract terms are still recommended for this evolving market unless substantial discounts can
be obtained and you are satisfied with that vendor’s roadmap execution.

Drivers

End-user organizations need to: secure use of business-critical, cloud-delivered applications

and infrastructure; secure general internet to prevent threats to users, regardless of their
location; and improve access to existing services while taking advantage of zero trust
concepts. Today, CASB is converging with SWG and ZTNA to deliver this “three-legged stool”
concept to support all these use cases.

With CASB vendors enabling secure use of business-critical cloud applications and
infrastructure, and SWG vendors expanding functionality for general internet security and
access to existing services, security leaders are now able to successfully deliver on the above-
mentioned three capabilities from an increasing number of vendors providing all three.

The past few years have seen increased focus on two specific use cases that CASB technology
directly helps with: the huge shift to remote working and the continuously increasing use of

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 55/66
16/3/23, 16:48 Gartner Reprint

cloud services critical to business.

Obstacles

Unclear and often distributed organizational ownership of cloud services can lead to a CASB
implementation that fails to secure these services adequately.

Overlapping CASB functionality from a number of vendors leads to duplication and confusion.
Lack of an effective data security policy can lead to frustration, with a CASB trying to enforce
an ineffective policy resulting in issues like false positives and risk of data loss.

A subset of controls are offered by some cloud service providers themselves. For example,
Microsoft 365’s native security features and Salesforce Shield continue to see interest from
users.

Some cloud workload protection platform (CWPP)/cloud native application protection platform
(CNAPP) offerings also overlap in the area of IaaS security.

User Recommendations

The CASB market has now converged into the security service edge (SSE) market and, as such,
Gartner has depreciated the stand-alone CASB and SWG Magic Quadrants. Therefore, we
recommend you:

Move to a consolidated SSE offering during upcoming refresh cycles.

Read the Magic Quadrant for Security Service Edge for a more detailed analysis of the SSE
market where we have detailed evaluations of vendors that can help you secure access to the
web, cloud services and private applications.

Seek support for multiple modes of operation, namely forward proxy, reverse proxy (or RBI) and
API for the best support of managed and unmanaged devices and cloud services via a CASB.

Sample Vendors

Broadcom; Cisco; iboss; Lookout; Microsoft; Netskope; Palo Alto Networks; Skyhigh Security;
Versa; Zscaler

Gartner Recommended Reading

2021 Strategic Roadmap for SASE Convergence

Magic Quadrant for Security Service Edge

Critical Capabilities for Security Service Edge

Market Guide for Zero Trust Network Access

Entering the Plateau
Network Access Control

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 56/66
16/3/23, 16:48 Gartner Reprint

Analysis By: Aaron McQuaid

Benefit Rating: Moderate

Market Penetration: 20% to 50% of target audience

Maturity: Mature mainstream

Definition:

Network access control (NAC) enables organizations to apply policies and control access to
corporate endpoints such as end- user devices, Internet of Things (IoT) devices, and operational
technology (OT) devices. Policies may be based on authentication, endpoint configuration
(posture assessment) or users’ role/identity. NAC can also implement postconnect policies based
on integration with other security products.

Why This Is Important

NAC is an important technology for access control, posture assessment, network visibility and
network segmentation (when combined with other solutions). NAC is an on-premises technology
that is usually focused on the campus network.

Business Impact

The NAC market is considered mature with slow growth and acquisition of existing vendors
(Pulse Secure and Inverse, for example). In addition, the primary use case for implementing NAC
is visibility and access control of equipment in the local infrastructure of the organization. NAC
represents an important tool to apply segmentation and isolation of endpoints that may represent
a risk to the entire infrastructure.

Drivers

Protecting campus wired and wireless networks via preconnect or postconnect authentication
approaches. Preconnect authentication (typically based on 802.1X) can be thought of as a
“guilty until proven innocent” model (or “default deny”) which is important for organizations that
value a strict security posture. Postconnect authentication can be considered an “innocent
until proven guilty” model (“default allow”) which is favored by organizations that value ease of
use and simplicity of operation.

Visibility into on-premises infrastructure connected devices with the goal of implementing
access policies. This includes commonly used devices such as workstations, laptops, printers,
IP phones, IP cameras, access points, IoT devices and OT devices (including medical devices
and building automation).

Management of corporate network access for different types of users and devices, such as
employees, contractors, consultants and guests, using either corporate-owned or user-provided
endpoints.

Ability to analyze compliance with a minimum security posture at the endpoint and provision of
a quarantine network for devices not in compliance via change of authorization (CoA). If not
https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 57/66
16/3/23, 16:48 Gartner Reprint

compliant, that device is given limited access via a quarantine state until those items are
remediated.
Improve the overall risk posture of the organization via bidirectional integration with other
security solutions. Integration with other solutions can happen in two ways: customization
through open APIs; or the use of built-in integration.
Obstacles

NAC rarely extends the same controls to a remote workforce and may conflict with remote
workforce access security policies.

NAC’s focus is primarily as an on-premises control for devices and users, and can be expensive
and difficult to implement at scale across an organization.

NAC solutions are still largely hosted via on-premises appliances. Few vendors have as-a-
service NAC offerings.

Lightweight NAC use cases are increasingly provided by alternatives like zero trust network
access (ZTNA) that do not rely on underlying infrastructure implementations to secure user
and device access to applications. ZTNA vendors are starting to add posture assessment and
access control features, and we believe that this trend will continue to gather momentum in the
future.

User Recommendations

Focus on vendors that target organizations of your size and complexity (and, in some
instances, industry vertical or region). Because NAC is a mature market, many vendors are
clearly aligned regarding small and midsize businesses and large-enterprise opportunities or
specialize in certain industry verticals and regions such as Europe and Southeast Asia.

Perform an initial network inventory before selecting an NAC vendor. This will influence your
decision based on the capabilities of your network switches and routers, as well as help with
budgeting since many NAC vendors base their licenses on the number of IP addresses
protected.

Determine if you have a large number of IoT or OT devices in the network. Some NAC vendors
are stronger than others when using an agentless (non-802.1Xbased) approach and are thus
better choices for IoT/OT environments.

Implement NAC to deliver visibility and control over your corporate network. Integrate with
existing asset management solutions bidirectionally to help maintain an accurate list of
devices connected to the organization.

Evaluate SSE buying strategy at the time of NAC renewal in order to rationalize potentially
overlapping feature sets.

Sample Vendors

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 58/66
16/3/23, 16:48 Gartner Reprint

Akamai; Auconet; Cisco; Forescout Technologies; Fortinet; Hewlett Packard Enterprise; Ivanti;
macmon secure; Open Cloud Factory; OPSWAT; Portnox
Gartner Recommended Reading

Market Guide for Network Access Control

Toolkit: Sample RFP for Network Access Control

Solution Path for Evolving to Next-Generation Enterprise Networks

Campus Network Security and NAC Are Ripe for Market Disruption
Secure Web Gateways
Analysis By: John Watts

Benefit Rating: High

Market Penetration: More than 50% of target audience

Maturity: Mature mainstream

Definition:

Secure web gateways (SWGs) use URL filtering and a range of advanced threat defense (ATD)
methods to protect organizations and enforce internet use and compliance with acceptable use
policies. SWGs are delivered as cloud-based services, hybrid (cloud and on-premises), or on-
premises solutions only.

Why This Is Important

Because SWGs are positioned between the user and the internet, they offer valuable protection
from internet-born threats. Also, the SWG dashboards and reporting tools provide visibility into
users’ behavior on the internet. This functionality is important to detect and investigate whether
an employee has violated the organization’s internet usage policy.

Business Impact

SWGs provide an additional layer of protection against destructive attacks, and enable safer,
more-efficient adoption of cloud-based services. Cloud-delivered SWGs can reduce branch office
networking costs by using commodity internet access for outbound web security, instead of
backhauling web traffic over MPLS links to appliances in a centralized data center. Cloud SWG
services are increasingly part of security service edge (SSE) offerings to provide protection
regardless of the location.

Drivers

Rapid adoption of SaaS and hybird work is driving enterprises to migrate from on-premises,
appliance-based SWGs to cloud-delivered SWG services. They are increasingly delivered with
cloud access security broker (CASB) and zero trust network access (ZTNA) components from
a converged SSE offering.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 59/66
16/3/23, 16:48 Gartner Reprint

Improve the end-user experience through a reduction in latency by routing internet-bound traffic
directly to a cloud SWG, rather than using a WAN backhaul to a centralized data center where
physical security appliances are positioned.

Cloud-based SWGs continue to add security services, including firewall as a service (to apply
policies to all ports and protocols), data loss prevention (DLP), sandboxing and remote browser
isolation. Cloud-based SWGs form the foundation for platforms that can decrypt once and
inspect with multiple security services to improve latency.
Obstacles

Cloud-based recursive DNS solutions have become popular solutions with midmarket
customers, because they offer cost-effective security protection. Some of the Domain Name
System (DNS) services use selective proxying — i.e., they proxy traffic destined for suspicious
websites (typically, about 10% to 15% of the traffic is proxied).

Some industry verticals that are cloud-averse have resisted migrating their on-premises SWGs
to the cloud. This is particularly true in the financial services and healthcare verticals.

Appliance-based SWG options in the market are dwindling, forcing organizations that require
on-premises appliances to consider alternatives, such as higher-end, hardware-based firewalls
on the edge to decrypt and inspect web traffic.

User Recommendations

Take a fresh look at the emerging SSE market, rather than the stand-alone SWG market, when
renewing existing appliance or cloud SWG contracts.

Replace SWG appliances with cloud-based SWG offerings as part of a larger SSE service to
improve the end-user experience and flexibility to apply a single web security policy for hybrid
workers.

Replace branch office firewalls with a secure access service edge (SASE) architecture that
includes cloud-based SWG to secure web traffic integrated with a software-defined wide-area
network (SD-WAN) device at the branch.

Sample Vendors

Broadcom; Cisco; ContentKeeper; Forcepoint; iboss; SkyHigh Security; Menlo Security; Netskope;
Sangfor Technologies; Zscaler

Gartner Recommended Reading

Magic Quadrant for Security Service Edge

Critical Capabilities for Security Service Edge

Using Secure Web Gateway Technologies to Protect Users and Endpoints

Network Firewalls

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 60/66
16/3/23, 16:48 Gartner Reprint

Analysis By: Rajpreet Kaur, Adam Hils

Benefit Rating: High

Market Penetration: More than 50% of target audience

Maturity: Mature mainstream

Definition:

The network firewall market is defined as bidirectional stateful traffic inspection (both egress and
ingress) for securing networks. Capabilities include advanced networking, threat inspection and
detection, and web filtering. Network firewalls are enforced through hardware/virtual appliances.

Why This Is Important

As networks are evolving, the shortlisting criteria of network firewalls are also changing. While the
primary market is around hardware and virtual appliances, the other forms, such as cloud
firewalls and FWaaS, are evolving as stand-alone markets. As a result, the market is expanding,
with public cloud providers offering cloud-native firewalls and SASE vendors.

Business Impact

Network firewalls continue to dominate the data center, enterprise and SMB perimeter use cases.
Businesses are working toward rearchitecting their infrastructure, and firewall vendor
requirements are evolving from what the network firewalls offer.

Drivers

Network firewall growth in the market comes from rearchitecting infrastructure involving the
upgrade of existing equipment and adoption of other forms such as cloud firewalls and SASE.

The evolving use cases are leading to different pricing and consumption models as compared
to traditional a la carte pricing models.

Acquisitions and partnerships to constantly broaden the scope of threat prevention to include
capabilities such as IoT security, OT security and branch-campus networking are further driving
the market to expand their capabilities.

Obstacles

Network firewalls are unable to offer unified consolidated offerings to support multiple firewall
enforcement types, making it less useful.

Cloud firewalls and FWaaS are evolving as separate markets with respect to the network
firewall market.

There is a demand for firewalls that can support multiple firewall enforcement types as a
platform, which we define as hybrid mesh firewall platforms.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 61/66
16/3/23, 16:48 Gartner Reprint

This year, Gartner believes the biggest obstacle to the network firewall market is pricing
complexity for hybrid environments, creating frustration within the end-user customer base.
User Recommendations

Ask for transparent pricing to compare a la carte SKUs with bundled packages or alternative
costing measures. Compare vendors at the next renewal, and include vendors that are more
transparent about contract pricing.

Keep in mind the emerging use cases of firewall deployments such as cloud firewall, FWaaS
and microsegmentation, where vendors can have use-case-based limitations; hence, you
should thoroughly evaluate the offerings before buying them.

Clients must align their requirement of consolidation to their primary use case and the security
roadmap to decide whether they require a platform approach or a pure-play vendor.

Sample Vendors

Barracuda; Check Point Software Technologies; Cisco; Fortinet; H3C; Huawei; Juniper; Palo Alto
Networks; SonicWall; WatchGuard

Gartner Recommended Reading

Magic Quadrant for Network Firewalls

Critical Capabilities for Network Firewalls

Solution Comparison for Network Firewalls

How the Shift From Firewall Appliances to Hybrid Cloud Firewalling Will Change Selection Criteria

Quick Answer: Demystifying Network Firewall Pricing Models to Build an Effective Sourcing
Strategy
Appendixes
Hype Cycle Phases, Benefit Ratings and Maturity Levels

Table 2: Hype Cycle Phases

Phase Definition

Innovation A breakthrough, public demonstration, product launch or other event

Trigger generates significant media and industry interest.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 62/66
16/3/23, 16:48 Gartner Reprint

Phase Definition

Peak of Inflated During this phase of overenthusiasm and unrealistic projections, a flurry of
Expectations well-publicized activity by technology leaders results in some successes, but
more failures, as the innovation is pushed to its limits. The only enterprises
making money are conference organizers and content publishers.

Trough of Because the innovation does not live up to its overinflated expectations, it
Disillusionment rapidly becomes unfashionable. Media interest wanes, except for a few
cautionary tales.

Slope of Focused experimentation and solid hard work by an increasingly diverse

Enlightenment range of organizations lead to a true understanding of the innovation’s
applicability, risks and benefits. Commercial off-the-shelf methodologies
and tools ease the development process.

Plateau of The real-world benefits of the innovation are demonstrated and accepted.
Productivity Tools and methodologies are increasingly stable as they enter their second
and third generations. Growing numbers of organizations feel comfortable
with the reduced level of risk; the rapid growth phase of adoption begins.
Approximately 20% of the technology’s target audience has adopted or is
adopting the technology as it enters this phase.

Years to The time required for the innovation to reach the Plateau of Productivity.
Mainstream
Adoption

Source: Gartner (July 2022)

Table 3: Benefit Ratings

Benefit
Definition
Rating

Transformational Enables new ways of doing business across industries that will result in
major shifts in industry dynamics

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 63/66
16/3/23, 16:48 Gartner Reprint

Benefit
Definition
Rating

High Enables new ways of performing horizontal or vertical processes that will
result in significantly increased revenue or cost savings for an enterprise

Moderate Provides incremental improvements to established processes that will result

in increased revenue or cost savings for an enterprise

Low Slightly improves processes (for example, improved user experience) that
will be difficult to translate into increased revenue or cost savings

Source: Gartner (July 2022)

Table 4: Maturity Levels

Maturity
Status Products/Vendors
Levels

Embryonic In labs None

Emerging Commercialization by vendors First generation

Pilots and deployments by industry High price
leaders
Much customization

Adolescent Maturing technology capabilities and Second generation

process understanding
Less customization
Uptake beyond early adopters

Early Proven technology Third generation

mainstream
Vendors, technology and adoption rapidly More out-of-box
evolving methodologies

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 64/66
16/3/23, 16:48 Gartner Reprint

Maturity
Status Products/Vendors
Levels

Mature Robust technology Several dominant vendors

mainstream
Not much evolution in vendors or
technology

Legacy Not appropriate for new developments Maintenance revenue

focus
Cost of migration constrains replacement

Obsolete Rarely used Used/resale market only

Source: Gartner (July 2022)

Evidence
1
2022 Gartner CISO: Security Vendor Consolidation XDR and SASE Trends Survey: This study
was conducted to determine how many organizations are pursuing vendor consolidation efforts,
what the primary drivers are for consolidation, expected or realized benefits of vendor
consolidation, and how those who are consolidating are prioritizing their consolidation efforts. A
primary purpose of this survey was to collect objective data on extended detection and response
(XDR) and secure access service edge (SASE) for consolidation of megatrend analysis. The
research was conducted online from March through April 2022 among 418 respondents from
North America (n = 277; U.S., Canada), Asia/Pacific (n = 37; Australia, Singapore) and EMEA (n =
104; France, Germany, U.K.). Results were from respondents with $50 million or more in 2021
enterprisewide annual revenue. Industries surveyed included manufacturing, communications and
media, information technology, government, education, retail, wholesale trade, banking and
financial services, insurance, healthcare providers, services, transportation, utilities, natural
resources, and pharmaceuticals, biotechnology and life sciences. Respondents were screened for
job title, company size, job responsibilities to include information security/cybersecurity and IT
roles, and primary involvement in information security.

Disclaimer: Results of this survey do not represent global findings or the market as a whole, but
reflect the sentiments of the respondents and companies surveyed.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 65/66
16/3/23, 16:48 Gartner Reprint

© 2023 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc.
and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior
written permission. It consists of the opinions of Gartner's research organization, which should not be
construed as statements of fact. While the information contained in this publication has been obtained from
sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy
of such information. Although Gartner research may address legal and financial issues, Gartner does not
provide legal or investment advice and its research should not be construed or used as such. Your access and
use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for
independence and objectivity. Its research is produced independently by its research organization without input
or influence from any third party. For further information, see "Guiding Principles on Independence and
Objectivity."

About Careers Newsroom Policies Site Index IT Glossary Gartner Blog Network Contact Send
Feedback

© 2023 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

https://www.gartner.com/doc/reprints?id=1-2BFJUAY3&ct=221017&st=sb&submissionGuid=f8488467-271a-477f-af0e-d4b7492ddfcb 66/66