SASE - Secure Access Service Edge
SASE (Secure Access Service Edge, pronounced "sassy") is an architecture that delivers networking functions (SD-WAN) and security functions (SWG, CASB, ZTNA, FWaaS) in an integrated manner from the cloud. Proposed by Gartner in 2019, the concept fundamentally rethinks the traditional data-center-centric network design and creates an environment in which users can access applications securely and quickly from wherever they are. As a framework that implements the principles of Zero Trust at the network level, it is becoming the standard design philosophy for enterprise networks in the era of remote work.
The Background Behind Gartner's Proposal
When Gartner proposed SASE in its 2019 report "The Future of Network Security Is in the Cloud," the move was driven by three structural changes in enterprise IT environments. First, the spread of SaaS meant that most traffic was now headed for the internet. Second, the expansion of remote work scattered users outside the office. Third, the migration to the cloud moved applications outside the data center. Because of these changes, the traditional model of inspecting all traffic through the data center had reached its limits in both performance and cost.
The Components of SASE
SD-WAN: Virtualizes WAN connectivity and optimizes communication through dynamic routing based on link quality
CASB: Visibility into SaaS usage, shadow IT detection, and enforcement of data protection policies
SWG: Inspection of web traffic, URL filtering, and malware scanning
ZTNA: Per-application access control based on identity and context
FWaaS: Cloud-delivered next-generation firewall capabilities
Comparison With the Traditional Hub-and-Spoke Model
| Item | Hub-and-Spoke Model | SASE |
|---|---|---|
| Traffic path | All traffic routed through the data center | Directly to the cloud from the nearest PoP |
| Security inspection | Appliances in the data center | Distributed PoPs in the cloud |
| Remote users | Connect to the data center via VPN | Connect to the nearest PoP via an agent |
| Scalability | Requires adding hardware | Auto-scales in the cloud |
| Latency | High latency due to backhauling | Low latency via the shortest path |
In the traditional model, even when accessing Microsoft 365 from a Tokyo office, traffic first had to pass through the headquarters data center (for example, in Osaka) before reaching the internet. With SASE, the connection to Microsoft 365 is made directly from a Tokyo PoP (Point of Presence), which significantly reduces latency.
Why It Is Needed in the Era of Remote Work
The expansion of remote work since COVID-19 has been the single largest factor accelerating the adoption of SASE. With the traditional VPN-centralized architecture, when all employees connected remotely at the same time, the VPN gateway became a bottleneck, causing disruptions to business operations worldwide. Because SASE can apply consistent security policies regardless of where users are located, the same level of protection is maintained whether access comes from the office, home, or a cafe. Access control to cloud storage can also be managed centrally through SASE's integrated policies.
The Relationship With SSE (Security Service Edge)
In 2021, Gartner additionally defined the concept of SSE (Security Service Edge). SSE is a subset consisting only of the security functions of SASE, with the networking function (SD-WAN) removed.
SD-WAN: Network optimization
SSE: SWG + CASB + ZTNA + FWaaS
For companies that have already deployed SD-WAN, a realistic approach is to add only SSE and build out SASE gradually. Vendors differ in their areas of strength: Zscaler and Netskope are strong in SSE, while Palo Alto Networks and VMware (now Broadcom) offer full SASE including SD-WAN.
A common misconception is that "deploying SASE eliminates the need for VPN." In practice, VPN does not disappear entirely, because of access to legacy systems and certain regulatory requirements. Rather than replacing VPN outright, a realistic approach is to gradually reduce dependence on VPN with SASE.
We explain remote work security in detail in the remote work security article, and the basics of VPN in the VPN basics and how to choose one article. Be sure to also refer to Zero Trust security.