What Is SASE? Secure Access Service Edge Explained

Short answer: SASE (pronounced "sassy") stands for Secure Access Service Edge. It's a network architecture that combines SD-WAN with security services like ZTNA, CASB, SWG, and FWaaS, and delivers all of it from the cloud instead of a data center. Gartner coined the term in 2019 to describe what happens when networking and security stop being separate boxes and become one service.

If you've spent any time managing branch office firewalls or trying to explain to a VP why the VPN falls over every Monday morning, you already understand the problem SASE is trying to solve. Your users aren't in the office anymore, your apps aren't in your data center anymore, but a lot of network security architecture still assumes both of those things are true. SASE is the industry's answer to that mismatch.

What is SASE, exactly?

SASE was defined by Gartner analysts Neil MacDonald, Lawrence Orans, and Joe Skorupa in the August 2019 report "The Future of Network Security Is in the Cloud." Their argument was simple: users, devices, and the apps they need are everywhere now, so the security perimeter can't live at the edge of a physical network anymore. It has to move to wherever the connection is happening.

In practice, SASE means bundling together capabilities that used to be separate appliances or separate vendor contracts:

  • SD-WAN — routes traffic intelligently across multiple links instead of forcing everything through MPLS back to HQ
  • SWG (Secure Web Gateway) — filters and inspects web traffic for malware and policy violations
  • CASB (Cloud Access Security Broker) — controls and monitors access to SaaS apps
  • FWaaS (Firewall as a Service) — next-gen firewall functionality delivered from the cloud
  • ZTNA (Zero Trust Network Access) — grants access to specific applications, not the whole network

All of it gets delivered from distributed cloud points of presence (PoPs) close to the user, managed under one policy engine, instead of stitched together from five different vendor consoles.

Why did this become a thing enterprises actually adopt?

The old model — hub-and-spoke, where branch traffic gets backhauled over MPLS to a data center firewall stack before it's allowed out to the internet — made sense when your apps lived in that data center. It makes a lot less sense when the app your user needs is Salesforce or Microsoft 365 sitting in someone else's cloud three time zones away. You end up adding latency to protect traffic that never needed to touch your data center in the first place.

I've watched this play out at a mid-size company that insisted on routing all internet-bound traffic through a central firewall cluster for "visibility." Users in a regional office were seeing 300+ ms round trips to reach cloud apps that would've been under 40 ms with direct internet breakout. The fix wasn't more bandwidth — it was rethinking where the inspection point lived. That's the exact gap SASE is built to close.

SASE vs SD-WAN: what's the actual difference?

This is the most common point of confusion, so it's worth being blunt about it: SD-WAN is one ingredient in SASE, not a competitor to it. SD-WAN alone solves the "which path should this traffic take" problem. It doesn't inspect content, enforce identity-based access, or replace your firewall stack. SASE takes SD-WAN and wraps a full security stack around it, delivered as a service rather than a rack of appliances.

QuestionSD-WAN aloneSASE
Optimizes path selection across links?YesYes (SD-WAN is a component)
Includes identity-based access control (ZTNA)?NoYes
Includes cloud-delivered firewall (FWaaS)?No, usually bolted on separatelyYes, native
Controls SaaS app access (CASB)?NoYes
Delivery modelOften appliance-based at the branchPrimarily cloud-delivered from PoPs
Who manages the security policy?Usually a separate security stack/vendorUnified policy engine across network and security

A lot of vendors sell "SASE" that's really SD-WAN with a security add-on chained on through APIs. It technically checks the boxes but performs worse and is harder to manage than a platform built around a single cloud-native policy engine. Worth asking vendors directly whether their SASE is single-vendor/native or several products service-chained together — the answer changes both performance and your support experience when something breaks.

How does Zero Trust Network Access fit into SASE?

ZTNA is the access-control piece of SASE, and it's the part most organizations actually feel first when they move away from VPN. A traditional VPN authenticates you once, then treats you as trusted on the whole network — which is exactly what an attacker wants after phishing one set of credentials. ZTNA flips that: it authenticates and authorizes access to a specific application, not the network, and it keeps checking context (device posture, location, risk signals) for the life of the session.

Practically, this means a compromised laptop with valid ZTNA credentials can reach the one finance app it's authorized for — not scan the whole subnet looking for a file server to hit next. That's the real security win, more than any latency or convenience argument.

Gartner also defines Security Service Edge (SSE) as of 2021 — it's the security half of SASE (SWG, CASB, FWaaS, ZTNA) without the SD-WAN networking layer. If your WAN is already modern and you just need to consolidate cloud security tools, SSE alone might be the right first step instead of a full SASE rebuild.

How do I know if my organization actually needs SASE?

SASE isn't automatically the right move for every network. It tends to pay off when you're dealing with a few specific symptoms at once, not just one of them:

  • A distributed or remote workforce that's backhauling traffic through a VPN concentrator that's constantly near capacity
  • Branch offices still routing everything through MPLS to a central data center for internet-bound traffic
  • A pile of point security products (separate CASB, separate SWG, separate firewall vendor) that don't share policy or logging
  • Heavy SaaS usage where users complain about app performance more than they complain about "the internet being slow"

If none of that describes you — say, you're a single-site business with everything on-prem and no remote workforce to speak of — a full SASE platform is probably overkill and over-budget. Fix the actual bottleneck first.

One low-effort way to get evidence before you buy anything: run a basic path and latency check from a remote or branch location to the cloud app your users complain about, and compare it to a direct route.

traceroute app.saascompany.com
 
# or on Windows
tracert app.saascompany.com

If you see the traffic hopping through several internal hubs before it ever reaches the public internet, that's backhaul overhead you're paying for in latency — the exact thing SASE's local breakout model is designed to remove.

What does rolling this out actually look like?

Nobody rips out their whole network stack in a weekend, and any vendor who suggests otherwise hasn't run a real migration. The realistic path most teams take:

  1. Start with ZTNA for remote access, replacing VPN for a pilot group — this has the fastest, most visible win and the least blast radius if something's misconfigured
  2. Move SaaS traffic to local internet breakout with cloud-delivered SWG/CASB in front of it
  3. Bring branch office WAN under SD-WAN with security policy tied to the same cloud platform
  4. Retire the legacy MPLS/firewall stack once you've proven the new path handles load and outages gracefully

The part that trips people up isn't the technology — it's identity. SASE policy is built around who and what is asking for access, so if your identity provider setup is messy (stale groups, inconsistent MFA enforcement, service accounts nobody owns), you'll inherit that mess into every SASE policy you write. Clean up IAM before you migrate, not during.

FAQ

Is SASE the same as SD-WAN?

No. SD-WAN is one component inside SASE. SASE adds a full cloud-delivered security stack — ZTNA, SWG, CASB, FWaaS — on top of SD-WAN's path optimization.

Is SASE the same as SSE?

No, but they're related. SSE is the security-only subset of SASE (no SD-WAN networking layer). Gartner introduced SSE as a separate category in 2021 for organizations that want to consolidate security tools without rebuilding their WAN at the same time.

Does SASE replace my firewall?

It can replace on-premises next-gen firewall appliances by delivering that inspection as FWaaS from the cloud, but you're trading hardware maintenance for dependence on your SASE provider's uptime and PoP coverage in your regions — check their PoP map against where your offices and remote users actually are before committing.

Does SASE replace VPN entirely?

For most remote-access use cases, yes — ZTNA is generally considered the modern replacement for remote-access VPN. Site-to-site VPN for legacy systems that can't do modern authentication sometimes sticks around longer during a transition.

Is SASE only for large enterprises?

No, but the economics matter more for smaller shops. If you're a single office with no remote workforce and no SaaS sprawl, you likely don't have the problem SASE solves. It earns its cost when you've got distributed users, branches, and cloud apps working against each other.