# Secure Access Service Edge (SASE)
SASE converges SD-WAN with cloud-delivered security services including ZTNA, SWG, CASB, and FWaaS into a unified architecture enforced at global edge locations.
Secure Access Service Edge (SASE) is a cloud-delivered architecture that converges wide-area networking and network security into a single, unified service model. It exists because the traditional perimeter-based security model collapsed under the weight of cloud adoption, remote work, and distributed application environments. When users, data, and applications no longer live inside a corporate data center, routing all traffic through a central hub for inspection becomes both a performance bottleneck and a security liability. SASE dissolves that bottleneck by moving networking and security enforcement to the edge, as close as possible to users and the applications they access, while maintaining centralized policy control and visibility.
SASE (pronounced "sassy") was formally defined by Gartner analysts Neil MacDonald and Joe Skorupa in a 2019 report titled "The Future of Network Security Is in the Cloud." At its core, SASE combines Software-Defined Wide Area Networking (SD-WAN) with a converged set of cloud-native security services: Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS), and Data Loss Prevention (DLP). These functions are delivered from a globally distributed network of points of presence (PoPs) and governed through a single management plane.
SASE is not a product but an architectural framework and service delivery model. Organizations seeking SASE capabilities may deploy single-vendor solutions that provide the complete stack or multi-vendor implementations that integrate specialized providers. Both approaches are valid, with tradeoffs between tight integration and best-of-breed component selection. Organizations with existing SD-WAN investments frequently adopt multi-vendor models to preserve infrastructure investments while adding security capabilities.
Understanding SASE requires tracing a typical user traffic flow from initiation to resolution across all enforcement points. The mechanics reveal how identity, device state, network path optimization, and security inspection converge into unified policy enforcement.
## Identity and Device Verification
When a user attempts to access any resource, a lightweight SASE client agent installed on the endpoint captures the request and routes it to the nearest PoP rather than directly to the destination. Before processing any traffic, the platform verifies user identity through integration with an Identity Provider (IdP) such as Okta, Azure Active Directory, or a SAML-compliant directory service. Device posture assessment occurs simultaneously: Is the device enrolled in mobile device management? Is the operating system patched to required versions? Are security agents active and current? These verifications complete in milliseconds but inform every subsequent policy decision throughout the session.
## Dynamic Path Optimization
For traffic requiring optimized routing or private application access, SD-WAN components analyze available network paths in real-time. Multiple connections (MPLS, broadband, LTE, or others) are continuously monitored for latency, jitter, packet loss, and throughput. Traffic steering happens per-application based on performance requirements and business priorities. Video conferencing sessions automatically select the lowest-latency path, while bulk file transfers may use higher-throughput connections despite increased latency. This optimization occurs dynamically without manual intervention or pre-configured static routes.
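The per-application steering described above, as an added example that is not code from the article or from any SD-WAN vendor: each application carries hard limits for latency, jitter, loss and throughput, only links that meet them are eligible, and the winner among eligible links is chosen by the metric the application cares about. Link names, the measured values and the application profiles are constructed for illustration; a real controller refreshes the measurements continuously and recomputes the table each cycle.

```python
"""Added example: per-application WAN path steering (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PathMetrics:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    throughput_mbps: float


@dataclass(frozen=True)
class AppProfile:
    """Hard limits a link must meet for this application, plus the metric
    to optimise among links that qualify ("latency" or "throughput")."""
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    min_throughput_mbps: float
    prefer: str


# Hypothetical business-priority profiles, not any vendor's defaults.
PROFILES = {
    "video-conf": AppProfile("video-conf", 150, 30, 1.0, 2, "latency"),
    "bulk-transfer": AppProfile("bulk-transfer", 500, 100, 2.0, 50, "throughput"),
    "saas-web": AppProfile("saas-web", 300, 50, 1.0, 5, "latency"),
}


def eligible(path: PathMetrics, app: AppProfile) -> bool:
    """A link is usable only if every hard limit is satisfied."""
    return (path.latency_ms <= app.max_latency_ms
            and path.jitter_ms <= app.max_jitter_ms
            and path.loss_pct <= app.max_loss_pct
            and path.throughput_mbps >= app.min_throughput_mbps)


def select_path(paths, app_name):
    """Best eligible path for one application, or None when no link
    currently meets the application's requirements (the failure mode a
    controller must surface rather than silently picking a bad link)."""
    app = PROFILES[app_name]
    candidates = [p for p in paths if eligible(p, app)]
    if not candidates:
        return None
    if app.prefer == "latency":
        return min(candidates, key=lambda p: (p.latency_ms, p.jitter_ms))
    return max(candidates, key=lambda p: p.throughput_mbps)


def steering_table(paths, app_names):
    """Full per-application decision for one measurement cycle."""
    table = {}
    for app_name in app_names:
        best = select_path(paths, app_name)
        table[app_name] = best.name if best else None
    return table


# Constructed measurements for three links at one instant.
SAMPLE_PATHS = [
    PathMetrics("mpls", latency_ms=25, jitter_ms=2, loss_pct=0.0, throughput_mbps=20),
    PathMetrics("broadband", latency_ms=45, jitter_ms=8, loss_pct=0.2, throughput_mbps=300),
    PathMetrics("lte", latency_ms=90, jitter_ms=40, loss_pct=1.5, throughput_mbps=30),
]

if __name__ == "__main__":
    print(steering_table(SAMPLE_PATHS, PROFILES))
```

With the constructed numbers, video and SaaS traffic land on the low-latency MPLS link while the bulk transfer takes the high-throughput broadband link despite its higher latency; when only the LTE link is up, the video profile gets no eligible path and the table records `None` for it.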
## Converged Security Inspection
All traffic flows through integrated security functions at the PoP in a unified inspection pipeline. The Secure Web Gateway examines internet-bound HTTP and HTTPS traffic for malware, phishing sites, and policy violations such as prohibited content categories. TLS inspection occurs at the PoP, decrypting traffic for deep packet inspection and re-encrypting before forwarding, eliminating the need to hairpin traffic through corporate data centers. CASB components enforce granular policies on SaaS applications: blocking unsanctioned cloud storage uploads, restricting sensitive document access based on device trust level, or flagging anomalous user behavior patterns across multiple applications. Firewall as a Service applies network-layer controls, inspecting traffic for protocol anomalies and enforcing IP and port-based access restrictions. DLP engines scan all traffic flows for sensitive data patterns including credit card numbers, Social Security numbers, or proprietary intellectual property, with configurable responses ranging from logging to blocking.
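The DLP stage of that pipeline, as an added example that is not code from the article or from any SASE product: a scanner that looks for card numbers, Social Security numbers and a proprietary marker in decrypted payload text, and maps each match to a configurable response (log or block). The policy table, the codename marker and the sample payloads are constructed; card candidates are confirmed with a Luhn check so that arbitrary digit runs do not trigger a block.

```python
"""Added example: pattern-based DLP scan with configurable responses."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str   # already masked so logs do not re-leak the data
    action: str  # "log" or "block", taken from the policy table


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


# 13-19 digits with optional space/dash separators between groups.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN format with the invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Hypothetical policy: which response each data class gets.
POLICY = {"credit_card": "block", "ssn": "block", "project_codename": "log"}
CODENAMES = ("PROJECT-NIGHTJAR",)  # constructed proprietary marker


def scan(payload: str, policy=POLICY):
    """Return every finding in one decrypted payload."""
    findings = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("credit_card", mask(digits), policy["credit_card"]))
    for m in SSN_RE.finditer(payload):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:], policy["ssn"]))
    for name in CODENAMES:
        if name in payload:
            findings.append(Finding("project_codename", name, policy["project_codename"]))
    return findings


def verdict(findings) -> str:
    """Collapse findings to the single enforcement decision for the flow."""
    if any(f.action == "block" for f in findings):
        return "block"
    return "log" if findings else "allow"


if __name__ == "__main__":
    sample = "expense note: card 4111 1111 1111 1111, SSN 123-45-6789"  # constructed
    for f in scan(sample):
        print(f)
    print(verdict(scan(sample)))
```

The same scanner is what runs identically for office and remote users once inspection happens at the PoP; the masking in `Finding.value` matters because the DLP log itself is otherwise a second copy of the sensitive data.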
## Zero Trust Application Access
Private application access operates through ZTNA rather than traditional VPN mechanisms. Instead of placing users on corporate networks, ZTNA creates secure, brokered connections to specific authorized applications. Applications remain invisible to the public internet, accessible only through the SASE platform. Compromised user credentials cannot enable lateral movement because users never gain network-level access. Access decisions are evaluated continuously throughout sessions, not just at authentication. If device posture deteriorates during an active session, access can be automatically terminated, downgraded to read-only, or subjected to additional verification requirements.
## Unified Policy and Telemetry
All security functions share a common data fabric and policy engine. SWG, CASB, ZTNA, and FWaaS components exchange real-time context about user identity, device state, application behavior, and threat indicators. This shared intelligence enables correlated policy enforcement across all functions simultaneously. A user triggering unusual download volume alerts in CASB may automatically receive restricted internet access categories in SWG and elevated authentication requirements for ZTNA sessions, all driven by unified policies without manual administrative intervention.
## Real-World Example: Remote Developer Access
A software developer connects from a personal laptop while traveling. The SASE client identifies the device as unmanaged and initiates identity verification. The user's credentials authenticate successfully, but device posture checks reveal an unpatched operating system and missing endpoint protection. SASE policies for unmanaged devices permit read-only access to project documentation and issue tracking systems but block access to source code repositories and build environments. Internet traffic receives enhanced inspection, with personal cloud storage uploads automatically blocked by CASB. The developer cannot establish VPN tunnels or gain network-level access to any corporate segments. All access attempts are logged with full context including device state, location, and application behavior for security team visibility.
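The identity-plus-posture decision in the sections above, and the remote-developer scenario just described, as an added example that is not code from the article or from any ZTNA broker: identity and device posture feed one per-application decision, and the same function is re-run on every posture change so a live session can be downgraded or ended. The application catalogue, the posture fields and the access tiers are constructed for illustration.

```python
"""Added example: ZTNA access decision with mid-session re-evaluation."""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    FULL = "full"
    READ_ONLY = "read_only"
    DENY = "deny"


@dataclass(frozen=True)
class Posture:
    managed: bool      # enrolled in device management
    os_patched: bool   # OS at the required patch level
    edr_running: bool  # endpoint protection agent active and current


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset  # group memberships from the IdP
    mfa: bool          # strong authentication completed


# Hypothetical application catalogue: required group and whether the app
# is sensitive enough to demand a healthy managed device.
APPS = {
    "wiki":        {"group": "developers", "needs_managed": False},
    "issues":      {"group": "developers", "needs_managed": False},
    "source-repo": {"group": "developers", "needs_managed": True},
    "build-env":   {"group": "developers", "needs_managed": True},
}


def posture_trust(p: Posture) -> str:
    """Collapse the raw posture checks into a trust level."""
    if p.managed and p.os_patched and p.edr_running:
        return "high"
    if p.edr_running:
        return "medium"
    return "low"


def decide(identity: Identity, posture: Posture, app: str) -> Access:
    """Evaluate one access request. Called at connect time and again on
    every posture change, so the decision is continuous, not one-off."""
    spec = APPS.get(app)
    if spec is None or spec["group"] not in identity.groups or not identity.mfa:
        return Access.DENY
    trust = posture_trust(posture)
    if spec["needs_managed"]:
        # Sensitive apps: full access only from a healthy managed device.
        return Access.FULL if trust == "high" else Access.DENY
    # Lower-sensitivity apps: anything short of a healthy device is read-only.
    return Access.FULL if trust == "high" else Access.READ_ONLY


def reevaluate_session(identity, old_posture, new_posture, app):
    """Return (previous, current) decisions so the broker can act on a
    transition such as FULL -> DENY when an agent is disabled mid-session."""
    return decide(identity, old_posture, app), decide(identity, new_posture, app)


if __name__ == "__main__":
    dev = Identity("alice", frozenset({"developers"}), mfa=True)
    personal_laptop = Posture(managed=False, os_patched=False, edr_running=False)
    for app in APPS:
        print(app, decide(dev, personal_laptop, app).value)
```

Run as written, the unmanaged, unpatched laptop gets read-only access to the wiki and issue tracker and is denied the source repository and build environment, matching the scenario above; the session helper shows that disabling the endpoint agent on a managed device flips the repository decision from full to denied without any new login event.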
The traditional hub-and-spoke security model requires backhauling all traffic through centralized data centers for inspection, regardless of user location or application destination. As organizations adopted SaaS applications and distributed workforces, this architecture created severe performance bottlenecks and expanded attack surfaces. Remote workers experienced degraded application performance as internet traffic was unnecessarily routed through corporate infrastructure. Security teams struggled with fragmented policy enforcement across multiple vendor solutions, each with distinct management interfaces and policy models.
SASE addresses these failures by consolidating previously disparate security functions into a unified, policy-consistent service. Organizations replace complex stacks of VPN concentrators, web proxies, standalone CASB solutions, network firewalls, and WAN optimization appliances with a single platform. The operational benefits are measurable: reduced vendor management overhead, consistent policy enforcement regardless of user location, and elimination of performance penalties for cloud application access.
Without converged architectures like SASE, distributed organizations face documented failure modes. Policy fragmentation is common when VPN servers enforce different access rules than web proxies, creating gaps where users are permitted by one control but should be blocked by organizational policy. SaaS application access from unmanaged devices frequently escapes inspection entirely because CASB deployments were never extended to cover off-network scenarios. Data loss prevention controls that function correctly for office-based users often fail completely for remote workers accessing the same applications through different network paths.
The widespread exploitation of VPN infrastructure vulnerabilities in 2020-2021 demonstrated the consequences of these architectural gaps. Attackers exploited unpatched VPN appliances to gain initial network access, then moved laterally because VPN placement granted broad network-level privileges. Organizations that had migrated private application access to ZTNA-based models experienced significantly reduced exposure because compromised credentials provided no network foothold and application access remained gated on device posture and continuous verification.
A persistent misconception positions SASE primarily as a cost reduction initiative through vendor consolidation. While simplified licensing can reduce administrative overhead, the primary value is improved security posture through consistent, identity-aware enforcement at scale. Another common misunderstanding assumes SASE requires complete infrastructure replacement. Most successful deployments proceed in phases, beginning with ZTNA to replace VPN access, followed by SWG and CASB for internet and SaaS traffic, and finally SD-WAN integration for complete convergence. This phased approach allows organizations to preserve existing investments while systematically improving security capabilities.
CDA approaches SASE through the Planetary Defense Model's Vulnerability Surface Defense (VSD) domain, which treats every exposed interface, service, and access pathway as a potential entry point requiring active identification and elimination. The governing methodology is Continuous Surface Reduction (CSR): "Every surface you expose is a surface we eliminate."
Traditional remote access architectures expose multiple attack surfaces: VPN endpoints listening on public IP addresses, management interfaces for security appliances, over-privileged network access grants, and unmonitored direct-to-SaaS connections. Each exposed surface represents potential adversary entry points. SASE, applied through CSR methodology, systematically collapses these surfaces by converging multiple access pathways into unified, continuously monitored enforcement points.
CDA's operational approach begins with comprehensive surface enumeration, cataloging every current access pathway including VPN concentrators, remote desktop gateways, jump servers, and direct SaaS SSO configurations. Each pathway is assessed for the gap between access granted and access actually required by business functions. This "access overhang" measurement drives CSR prioritization, focusing surface reduction efforts on the largest gaps between necessary access and current exposure.
CDA extends standard SASE deployments through continuous posture monitoring throughout entire user sessions rather than only at authentication. Most implementations verify device state at login but do not re-evaluate posture during active sessions. CDA configures inline posture re-assessment, automatically restricting access when device security state degrades mid-session. A device that authenticates successfully but subsequently has security agents disabled will experience immediate access restrictions without requiring new authentication events.
SASE telemetry integration represents another CDA differentiation. Rather than analyzing SASE logs in isolation, CDA feeds SWG, CASB, ZTNA, and FWaaS events into centralized monitoring pipelines for correlation with threat intelligence from the Intrusion and Attack Tactics (IAT) domain. This enables detection of access patterns that individual security functions would not flag independently but represent coherent adversary behavior when viewed holistically across all enforcement points.
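The shared-context enforcement described under Unified Policy and Telemetry, and the cross-function correlation described here, as one added example that is not code from the article or from CDA's pipeline: events from CASB, SWG, ZTNA and FWaaS land in one stream, each contributes a weight to a per-user risk score over a time window, and a single derived policy is handed back to every enforcement point. The events, weights, window and thresholds are constructed; the point is that no single event crosses the response threshold on its own.

```python
"""Added example: per-user risk correlation across SASE functions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values)
    source: str    # "casb", "swg", "ztna" or "fwaas"
    user: str
    kind: str
    detail: str = ""


# Hypothetical weights: each event alone stays below the 80-point response
# threshold; coherent sequences across functions exceed it.
WEIGHTS = {
    ("casb", "bulk_download"): 40,
    ("swg", "newly_registered_domain"): 25,
    ("ztna", "new_device"): 20,
    ("ztna", "impossible_travel"): 50,
    ("fwaas", "port_scan"): 30,
}
WINDOW_S = 3600  # only events in the last hour count


def user_risk(events, user, now):
    """Sum the weights of a user's events inside the window."""
    recent = [e for e in events if e.user == user and now - e.ts <= WINDOW_S]
    return sum(WEIGHTS.get((e.source, e.kind), 0) for e in recent)


def derived_policy(score):
    """Map one shared score to actions for every enforcement point."""
    if score >= 80:
        return {"swg": "restricted_categories", "ztna": "step_up_mfa", "casb": "block_uploads"}
    if score >= 40:
        return {"swg": "allow", "ztna": "step_up_mfa", "casb": "monitor"}
    return {"swg": "allow", "ztna": "allow", "casb": "allow"}


def evaluate(events, user, now):
    """Score a user and return (score, policy) for all functions at once."""
    score = user_risk(events, user, now)
    return score, derived_policy(score)


# Constructed event stream: carol's three events are individually benign-
# looking; dave has a single low-weight event.
SAMPLE_EVENTS = [
    Event(1000, "ztna", "carol", "new_device", "unmanaged laptop"),
    Event(1300, "casb", "carol", "bulk_download", "2.1 GB from file share"),
    Event(1500, "swg", "carol", "newly_registered_domain", "upload.example"),
    Event(1200, "swg", "dave", "newly_registered_domain", "cdn.example"),
]

if __name__ == "__main__":
    for user in ("carol", "dave"):
        print(user, evaluate(SAMPLE_EVENTS, user, now=2000))
```

Evaluated at `now=2000`, carol's new device, bulk download and visit to a newly registered domain together score 85 and every function tightens at once, while dave's lone event stays at 25 and nothing changes; evaluated an hour later most of carol's events have aged out of the window and her policy relaxes again.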
Written by CDA Editorial