What is SASE? Secure Access Service Edge Explained


SASE converges network security and wide-area networking into a cloud-delivered architecture. Learn what it means for PE portfolios and distributed enterprises.

What SASE Combines

SASE, coined by Gartner in 2019, bundles five previously separate technology categories into a unified cloud-delivered service.

SD-WAN (Software-Defined Wide Area Networking) provides intelligent, software-controlled connectivity across locations — replacing MPLS circuits and traditional WAN routers with flexible, cost-effective connectivity that can use any mix of internet, LTE, and private links.

Zero Trust Network Access (ZTNA) replaces VPN with application-level access controls. Rather than granting network-level access to authenticated remote users, ZTNA grants access only to specific applications, based on verified identity, device health, and context — and nothing else.

Cloud Access Security Broker (CASB) provides visibility and control over SaaS application usage — enforcing data policies, detecting shadow IT, and preventing unauthorized data movement to cloud services.

Secure Web Gateway (SWG) inspects internet traffic for malware, blocks access to malicious or policy-violating sites, and enforces acceptable use policies — without requiring traffic to route through a central data center.

Firewall as a Service (FWaaS) delivers next-generation firewall capabilities from the cloud, with full Layer 7 inspection, application-aware policies, and threat prevention — applied consistently regardless of where the user or device is located.

Why the Traditional Model Breaks Down

Legacy network architectures assumed that users worked from offices, applications lived in on-premises data centers, and all traffic could be routed through a central corporate network for security inspection. None of those assumptions hold for most organizations in 2026.

When a remote employee accesses Salesforce, Microsoft 365, or a cloud-hosted application through a VPN connected to a corporate data center, that traffic travels from the user to the corporate network, through the security stack, and then out to the cloud application — adding latency, consuming capacity, and creating a chokepoint. The security inspection that happens at the corporate network adds hundreds of milliseconds to every transaction. Users experience it as slowness and work around it.

SASE solves this by moving security inspection to the cloud edge — close to where the user is, close to where the application is. Traffic goes directly from the user through the SASE service to the application, with full security inspection applied in the cloud, without the backhaul penalty.

SASE vs. SSE: The Distinction That Matters for Procurement

Gartner split SASE into two categories in 2021: SASE (which includes SD-WAN as a networking component) and SSE (Security Service Edge), which covers only the security components — ZTNA, CASB, SWG, and FWaaS — without the SD-WAN layer. Organizations that have existing SD-WAN investments often adopt SSE first and integrate it with their existing WAN infrastructure rather than replacing everything simultaneously.

The practical implication for vendor evaluation: vendors who claim to offer 'full SASE' should be evaluated on whether they own the SD-WAN component natively or rely on a third-party integration. Native integration typically provides better performance and simpler management; partnership-based integration adds operational complexity.

SASE for PE Portfolio Companies

For PE due diligence, SASE and SSE maturity is a leading indicator of network security modernization. Portfolio companies still operating on legacy VPN architectures with hub-and-spoke network designs have two intersecting problems: security exposure (VPN credentials are among the most commonly compromised initial access vectors) and operational inefficiency (backhaul architectures degrade performance for cloud-dependent workforces).

Post-close, SASE transformation is a meaningful infrastructure investment — typically 18-24 months for a mid-market company with multiple locations and a distributed workforce. The investment case is typically made on security improvement plus productivity gain plus WAN cost reduction, which often produces a positive ROI even before security risk reduction is quantified. Identifying SASE readiness before close allows PE teams to model the investment and timeline accurately.

The SASE Vendor Landscape

The SASE market is consolidating rapidly. Leading platforms include Zscaler (ZIA + ZPA as SSE), Palo Alto Networks Prisma SASE, Cisco+ Secure Connect, Fortinet Secure SD-WAN, and Netskope. Cloudflare One is a significant challenger with a developer-friendly architecture and competitive pricing. Each has different strengths in SD-WAN vs. security depth vs. integration ecosystem — the right choice depends on the organization's existing infrastructure, primary use case priority, and IT operational model.

Related Reading

Colonial Pipeline and the VPN Problem SASE Solves

The Colonial Pipeline breach — which began with a compromised VPN credential for an inactive account without MFA — illustrates the structural risk of VPN-dependent network access. A ZTNA architecture, the access control component of SASE, would have addressed this specific failure mode: ZTNA grants access only to specific applications for authenticated, MFA-verified users, and access for inactive accounts is automatically revoked. The Colonial Pipeline attacker would have needed to compromise active credentials with MFA — a materially higher bar. VPN replacement with ZTNA is now one of the most frequently cited security ROI cases in the SASE market, and Colonial Pipeline is the case study that makes the board-level argument.
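The per-application ZTNA decision described above (identity, MFA, device health, account activity), next to the VPN model it replaces, as an added sketch that is not from the original page or any vendor's product. The user names, application names, and the 90-day inactivity threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values for illustration; the page does not specify them.
MAX_IDLE = timedelta(days=90)                      # idle longer than this = inactive
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)   # fixed clock for reproducibility

@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    mfa_verified: bool
    device_healthy: bool
    last_active: datetime

# Constructed entitlements: users map to named applications, never to a network range.
ENTITLEMENTS = {"alice": {"billing-portal"}, "dormant-user": {"file-share"}}

def ztna_decide(req, now=NOW):
    """Return (allowed, reason). Default deny: every check must pass."""
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return False, "no entitlement for this application"
    if now - req.last_active > MAX_IDLE:
        return False, "account inactive"
    if not req.mfa_verified:
        return False, "MFA not verified"
    if not req.device_healthy:
        return False, "device failed health check"
    return True, "allowed for this application only"

def vpn_decide(password_ok):
    """Legacy model for contrast: a valid credential alone yields network-level access."""
    return password_ok

# Constructed sample requests.
ACTIVE = AccessRequest("alice", "billing-portal", True, True, NOW - timedelta(days=1))
DORMANT = AccessRequest("dormant-user", "file-share", False, False, NOW - timedelta(days=200))
LATERAL = AccessRequest("alice", "file-share", True, True, NOW - timedelta(days=1))

if __name__ == "__main__":
    for r in (ACTIVE, DORMANT, LATERAL):
        print(r.user, r.app, ztna_decide(r))
    print("VPN with a valid password on the dormant account:", vpn_decide(True))
```

The dormant, non-MFA account that a password-only VPN would admit to the network is denied here, and an active user is still denied any application outside their entitlements.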

80% of enterprises will have adopted SASE or SSE by 2025, according to Gartner. The traditional model of backhauling all traffic through a central data center for security inspection is being replaced by cloud-delivered security that travels with the user, device, and application — wherever they are.

How Cloudskope Can Help

Cloudskope's Network Security Architecture Assessment evaluates your current VPN and WAN architecture against SASE/SSE readiness, identifies the highest-risk exposure from legacy remote access design, and provides a migration roadmap with business case. For PE due diligence, we provide a network security modernization snapshot that identifies the infrastructure investment required post-close.