What is SASE?
Secure Access Service Edge
A cloud-delivered architecture that converges SD-WAN and security services (SWG, CASB, ZTNA, FWaaS) into a single, globally distributed platform.
SASE, coined by Gartner in 2019, merges wide-area networking with network security into one cloud-native service. Instead of backhauling branch and remote-user traffic to a centralized data center for inspection, SASE pushes policy enforcement to the nearest Point of Presence (PoP). Traffic is routed through the provider's backbone, inspected once using a single-pass architecture, and forwarded to its destination. This eliminates the latency penalty of hairpinning through a hub-and-spoke topology.
The networking side, SD-WAN, handles path selection, QoS, and transport-agnostic connectivity. The security side, often referred to as SSE, handles threat prevention, data protection, and access control. A full SASE deployment unifies both under one policy engine, one management console, and ideally one agent on the endpoint.
The most common failure mode in SASE adoption is treating it as a product purchase rather than an architecture transition. Organizations that bolt SASE on top of existing MPLS and legacy firewalls without decommissioning redundant controls end up paying twice and gaining little. Successful rollouts typically start with a specific use case, such as replacing VPN with ZTNA, and expand incrementally.
SSE (Security Service Edge)
The security half of SASE, delivering SWG, CASB, ZTNA, and DLP as cloud-delivered services without the SD-WAN networking component.
SD-WAN (Software-Defined WAN)
A virtualized WAN architecture that abstracts transport links (MPLS, broadband, LTE/5G) and uses software-based policy to select the optimal path for each application.
ZTNA (Zero Trust Network Access)
An access model that grants users connectivity to specific applications, not networks, based on identity and device posture, verified continuously per session.
SWG (Secure Web Gateway)
A cloud or on-premises proxy that inspects all web-bound traffic for malware, enforces URL filtering policies, and prevents data exfiltration over HTTP/HTTPS.
CASB (Cloud Access Security Broker)
A security control point between users and SaaS applications that provides visibility into shadow IT, enforces data protection policies, and detects threats across cloud services.
FWaaS (Firewall as a Service)
A cloud-delivered next-generation firewall that provides IPS, application control, and threat prevention without on-premises hardware, typically running in the provider's PoPs.
PoP (Point of Presence)
A geographically distributed data center operated by a SASE/SSE provider where security inspection and traffic optimization occur as close to the user as possible.
Single-pass architecture
A traffic processing design in which a single inspection engine applies all security policies (firewall, IPS, DLP, malware scanning) to each packet or flow in one pass, rather than chaining multiple sequential inspection stages.
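To make the ZTNA definition above concrete, here is a small policy broker added as an illustration (not code from any SASE vendor): access is granted per published application, never per network, and every session check re-runs the identity and device-posture decision, so a posture change mid-session revokes access. Policy names, group names, and posture attributes are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset


@dataclass
class DevicePosture:
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    required_posture: frozenset  # DevicePosture fields that must be True


# Constructed sample policies: each entry publishes ONE application, never a subnet.
POLICIES = {
    "hr-portal": AppPolicy(frozenset({"hr", "it-admin"}), frozenset({"disk_encrypted", "edr_running"})),
    "git": AppPolicy(frozenset({"engineering"}), frozenset({"disk_encrypted", "edr_running", "os_patched"})),
}


def evaluate(identity, posture, app):
    """Return (allowed, reason) for one identity/device/app triple; unknown apps are denied."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "app not published (default deny)"
    if not identity.groups & policy.allowed_groups:
        return False, "identity not entitled to app"
    failed = sorted(f for f in policy.required_posture if not getattr(posture, f))
    if failed:
        return False, "posture check failed: " + ",".join(failed)
    return True, "allow"


class Session:
    """A brokered connection to one app; every check re-runs the full decision."""

    def __init__(self, identity, posture, app):
        self.identity, self.posture, self.app = identity, posture, app
        self.active = evaluate(identity, posture, app)[0]

    def check(self):
        allowed, reason = evaluate(self.identity, self.posture, self.app)
        if not allowed:
            self.active = False  # posture drift or entitlement change tears the session down
        return self.active, reason  # a revoked session is never resurrected; the user reconnects
```

Run it with a device whose EDR agent stops after the session is established: the first check returns allow, the next returns a posture failure and the session is marked inactive.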