Are content delivery networks (CDNs) the dark horses of the SASE market? Dell'Oro Group Research Director Mauricio Sanchez thinks they might be.

Vendors from both ends of the spectrum have aggressively pursued the model since Gartner coined secure access service edge (SASE) to define the convergence of SD-WAN and security as a cloud-delivered service.

While much has been made about who does or doesn't have a full SASE stack, Gartner considers this one of many factors for evaluation. The density of the vendor's service edge — the network of data centers from which the software stack is deployed — is just as important, according to the firm.

"The SASE solution should offer distributed points of presence and a portfolio of traffic peering relationships that align with the digital enterprise's access latency and data center requirements," Gartner wrote in its 2019 Hype Cycle report.

Cloudflare and Akamai, two of the larger CDN providers, have only recently waded into the SASE market with the launch of remote access and secure web gateway (SWG) offerings, but both offer something that few competing SASE vendors can claim: large, well-established networks that were built from the start to put resources as close to customers as possible.

"CDN vendors should not be counted out of the SASE race for a couple reasons. First, they already have large and geographically dispersed compute pools that can be leveraged to provide networking and security services both on the customer edge, wherever the application request is originating, and the application edge, wherever the destination application resides," Sanchez wrote in an email to SDxCentral.

Cloudflare's private network reaches more than 100 countries and 200 cities around the globe. Roughly 40 of these data centers are located in the United States.

“I think we are the largest of all of the SASE vendors,” Cloudflare CTO John Graham-Cumming said in a recent interview with SDxCentral.

What’s more, Cloudflare’s role as a CDN means that many of the apps, websites, and services customers are accessing are already being cached and, in some cases, running in the company’s data centers.

Akamai, as of 2019, claimed to have 250,000 edge servers running in thousands of locations across 150 countries. This, the company claims, puts 90% of internet users within one hop of its network.

The challenge of delivering cloud-based security without adding too much latency recently drove McAfee to offload some security functions to SD-WAN appliances.

Since “each of those branches is going to have an endpoint anyway, at the flow level, it’s almost criminal not to take advantage of that. Why should you drag that traffic four hops away to do the exact same level of inspection through it? The inspection is not any better,” argued Sadik Al-Abdulla, VP of product management at McAfee, in a recent interview with SDxCentral.

McAfee's service edge spans 37 physical data centers and an additional 45 virtual points of presence, approximately 20% of which cover the U.S. market, according to the company.

CDN vendors' experience optimizing, and increasingly hosting, applications gives them a distinct advantage over SASE vendors that have to build out a service edge through new data centers or in co-location facilities, according to Sanchez.

"CDN vendors know how to extract application performance that leads to good user experience, in particular, for real-time and data-intensive applications," he wrote.

Putting Big Edge to Work

During the last five years, CDN vendors have also made sizable investments in their respective security portfolios, Sanchez said. "A number have been offering their customers the foundational products like secure web gateways and zero-trust solutions."

Both Cloudflare and Akamai have made their SASE ambitions clear in recent months.

In January, Cloudflare launched its Cloudflare for Teams remote access platform, which comprised a zero-trust network access (ZTNA) platform for securing internal apps and an SWG for securing software-as-a-service applications and other internet traffic.

Meanwhile, in March, Akamai added SWG to its security platform in a bid to bolster its SASE architecture.

Akamai already offered ZTNA, distributed domain application security, threat protection at the domain name system (DNS) traffic level, and a cloud proxy that provides additional security for some traffic at the URL level, inspecting risky payloads for malicious behavior.

The addition of an SWG enabled the company to deliver an always-on proxy that sends all network traffic to Akamai’s Enterprise Threat Protector for deeper inspection.

It should be noted that neither CDN provider can claim a complete SASE stack. Instead, both vendors are approaching the market in a similar fashion to Zscaler, which argues that SASE vendors don’t need to own the SD-WAN to compete.

Like Zscaler, Cloudflare allows customers to pair existing SD-WAN deployments with its private network, security stack, and access controls using the company's Magic Transit service.

Patrick Sullivan, CTO of security and strategy at Akamai, recently acknowledged that the company doesn't provide the full SASE networking and security stack, but argued: “if you look at the checklist for SASE, no one does 100% of the things in there.”

Akamai and Cloudflare plan to continue adding new security functionality to their SASE offerings.

Cloudflare will be adding remote browser isolation to its SASE platform later this year, Graham-Cumming said, but he declined to elaborate on other functionality coming to the platform.

Akamai, according to Sullivan, is also looking to add new security and networking capabilities to its platform. "We are going to add items our customers ask for, and the SASE list seems to line up pretty well."