SASE (Secure Access Service Edge)

Definition

SASE (Secure Access Service Edge) is a cloud-native architecture that converges wide-area networking (SD-WAN) and network security services into a single, unified service delivered from the cloud. The term was coined by Gartner in 2019 to describe this convergence of SD-WAN and cloud-delivered security.

SASE moves security enforcement from hardware appliances at each branch or data center to a provider-operated cloud edge, reducing or eliminating the per-site appliance stack. Traffic from users and branches is inspected at the provider's point of presence (PoP) nearest to them, under one policy, regardless of where the user sits.

SASE Components

SASE converges the following capabilities into one cloud service (Gartner's core set is SD-WAN, FWaaS, CASB, ZTNA and SWG; the others are commonly bundled by vendors):

Component                            Description
SD-WAN                               Software-defined WAN: path selection across transports and local internet breakout at the branch
FWaaS (Firewall as a Service)        Cloud-delivered L3/L4 firewall and intrusion prevention
CWPP (Cloud Workload Protection)     Protection of cloud workloads; adjacent capability some vendors bundle, not part of Gartner's core SASE definition
CASB (Cloud Access Security Broker)  Visibility and control of sanctioned and unsanctioned SaaS usage
ZTNA (Zero Trust Network Access)     Per-application access based on identity and device posture, instead of network-level VPN access
SWG (Secure Web Gateway)             Web filtering, URL categorization, TLS inspection and malware scanning
DLP (Data Loss Prevention)           Inspection of content in transit to prevent data exfiltration
DNS Security                         DNS-layer filtering of malicious or policy-violating domains

SASE Architecture

Remote User/Branch ───▶ SASE Edge (Cloud PoP) ───▶ Internet
                              │
                              ├── SD-WAN
                              ├── ZTNA
                              ├── SWG
                              ├── CASB
                              ├── FWaaS
                              └── DLP
                              │
                              ▼
                        Cloud Apps (SaaS, IaaS)
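To make the diagram concrete, the following is an added toy model of the policy point at the SASE edge (illustration only, not any vendor's code). Every request, whether from a remote user or a branch, is evaluated once: traffic to a private application takes the ZTNA path (identity and device posture, per application), while internet and SaaS traffic passes through SWG, CASB and DLP in turn. All hostnames, groups, categories and patterns are constructed for the example.

```python
"""Toy model of a SASE edge policy pipeline (added illustration, not vendor code)."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_compliant: bool   # posture signal from the endpoint agent
    url: str
    body: str = ""           # upload payload, if any


@dataclass(frozen=True)
class Decision:
    action: str              # "allow" or "block"
    stage: str               # component that made the decision
    reason: str


# --- constructed policy data (hypothetical names) -------------------------
PRIVATE_APPS = {"intranet.corp.example": {"employees"}}   # private app -> entitled groups
URL_CATEGORIES = {                                        # SWG category feed (constructed)
    "malware.example": "malware",
    "salesforce.com": "saas",
    "dropbox.com": "saas",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"malware", "gambling"}
SANCTIONED_SAAS = {"salesforce.com"}                      # CASB: approved SaaS tenants
DLP_PATTERNS = {
    "payment-card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def matches(host: str, names) -> bool:
    """True if host equals one of names or is a subdomain of one."""
    return any(host == n or host.endswith("." + n) for n in names)


def categorize(host: str) -> str:
    """SWG-style lookup: exact host first, then each parent domain."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        cat = URL_CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def ztna(req: Request, host: str) -> Decision:
    """Per-application access: identity plus device posture, no network-level trust."""
    if not req.device_compliant:
        return Decision("block", "ztna", "device posture check failed")
    if not (req.groups & PRIVATE_APPS[host]):
        return Decision("block", "ztna", f"{req.user} not entitled to {host}")
    return Decision("allow", "ztna", f"{req.user} granted {host}")


def swg(host: str) -> Optional[Decision]:
    cat = categorize(host)
    if cat in BLOCKED_CATEGORIES:
        return Decision("block", "swg", f"category {cat}")
    return None


def casb(host: str) -> Optional[Decision]:
    """Shadow-IT control: SaaS destinations must be sanctioned."""
    if categorize(host) == "saas" and not matches(host, SANCTIONED_SAAS):
        return Decision("block", "casb", f"unsanctioned SaaS {host}")
    return None


def dlp(req: Request) -> Optional[Decision]:
    for name, pattern in DLP_PATTERNS.items():
        if pattern.search(req.body):
            return Decision("block", "dlp", f"{name} data in upload")
    return None


def evaluate(req: Request) -> Decision:
    """One policy point for all traffic, wherever the user or branch is."""
    host = host_of(req.url)
    if host in PRIVATE_APPS:
        return ztna(req, host)                 # private app: ZTNA path only
    for verdict in (swg(host), casb(host), dlp(req)):
        if verdict:
            return verdict
    return Decision("allow", "default", "all inspections passed")


if __name__ == "__main__":
    staff = frozenset({"employees"})
    for r in (Request("alice", staff, True, "https://intranet.corp.example/hr"),
              Request("bob", frozenset({"contractors"}), True, "https://intranet.corp.example/hr"),
              Request("alice", staff, True, "https://www.dropbox.com/upload"),
              Request("alice", staff, True, "https://www.salesforce.com/api", "card 4111 1111 1111 1111")):
        print(r.user, r.url, evaluate(r))
```

The order of stages is the point: the private-app path never consults the web categories, and a sanctioned SaaS destination still gets DLP inspection of the upload body, which is what lets one cloud policy replace a branch firewall, a web proxy and a VPN concentrator.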

SASE vs Traditional Networking

Aspect         Traditional                              SASE
Architecture   Hub-and-spoke (branch to data center)    Cloud-native (direct to cloud)
Security       Hardware appliances at each branch       Cloud-delivered security at the provider PoP
Performance    Traffic backhauled to the data center    Local internet breakout
Management     Per-device, per-location                 Centralized cloud policy
Scalability    Hardware procurement                     Cloud auto-scaling
Cost model     CapEx (hardware)                         OpEx (subscription)

SASE Vendors

Vendor       SASE Product                                              Notes
Cisco        Catalyst SD-WAN (Viptela) + Umbrella / Secure Access      Large enterprise installed base
Palo Alto    Prisma SASE (Prisma Access + Prisma SD-WAN)               Prisma Access is the SSE half; CNAPP is a separate product (Prisma Cloud)
Zscaler      Zero Trust Exchange (ZIA + ZPA)                           SSE pioneer; SD-WAN through partners
Fortinet     FortiSASE                                                 Shares FortiOS and policy with FortiGate appliances
Cloudflare   Cloudflare One                                            Delivered from Cloudflare's global edge network
Netskope     Netskope One                                              CASB heritage
VMware       VMware SASE (VeloCloud SD-WAN + Cloud Web Security)       VeloCloud SD-WAN passed to Arista in 2025 after the Broadcom acquisition

SASE vs SSE

Aspect            SASE                                        SSE (Security Service Edge)
Scope             Networking + security                       Security only
Includes SD-WAN   Yes                                         No (pairs with a third-party SD-WAN)
Origin            Gartner (2019)                              Gartner (2021)
Use case          Full branch-to-cloud transformation         Security-first adoption, keeping existing WAN
Example           Cisco, Fortinet, Palo Alto (single-vendor)  Zscaler, Netskope

SASE Benefits

  • Simplified architecture: one platform and one policy engine for networking and security
  • Better performance: local internet breakout, no backhauling through a data center
  • Zero Trust: built-in ZTNA with identity- and posture-based access per application
  • Scalability: cloud-native, auto-scaling capacity without appliance sizing
  • Cost model: subscription replaces appliance purchase and refresh cycles
  • Consistent policy: the same controls apply wherever the user or branch connects

SASE Challenges

  • Complexity: integrating multiple security functions and migrating existing rule sets into one policy engine
  • Vendor lock-in: most SASE platforms are proprietary; policies and logs are hard to port
  • Latency and availability: all traffic depends on the provider's cloud, so performance depends on PoP proximity and peering, and a provider outage affects every site at once
  • Compliance: data residency and regulatory requirements may constrain which PoPs are allowed to inspect traffic
  • Migration: coexisting with existing firewalls, VPNs and MPLS links during the transition is hard

Related Concepts

  • Zero Trust: security model that SASE enforces through ZTNA (SD-WAN is the networking component)
  • ZTNA: access control component of SASE
  • Cloud: SASE is a cloud-native architecture
  • VPN: ZTNA within SASE replaces traditional remote-access VPN
  • WAF: web application firewall; protects inbound traffic to applications and is adjacent to, not a core component of, SASE