SASE: A Practical Guide
Note: This is general information and not legal advice.
Executive Summary
- Perimeter-based security doesn't work for remote/hybrid work: users connect from home, coffee shops, and branch offices—traditional "authenticate once, trust forever" VPNs create bottlenecks and blind spots.
- Cloud apps need cloud security: routing SaaS traffic through a centralized VPN gateway adds latency and doesn't protect against account takeover or data exfiltration.
- Reduces complexity and cost: consolidating multiple point products (legacy VPN, firewall, web filter, CASB) into a unified cloud service simplifies operations and licensing.
- You have a distributed workforce (remote, hybrid, or multi-site) and legacy VPN performance or management is becoming a problem.
- You're moving apps to the cloud (SaaS, IaaS) and need consistent security policies regardless of where users connect.
- You want to reduce reliance on on-premises security appliances and simplify branch office connectivity.
- Consistent security policies applied at the edge (near users) rather than backhauling traffic through a central data center.
- Identity-driven access controls that verify user + device + context before granting access to apps and data.
- Unified visibility and logging across network and security functions—no more stitching together logs from five different vendors.
- We assess your current network and security architecture to identify where SASE components make sense (not everything needs to be replaced at once).
- We design phased migration paths that maintain business continuity while modernizing remote access and improving user experience.
Common failure modes
- Rip-and-replace without a plan: turning off existing remote access before SASE policies are tested and tuned leads to outages and user lockouts.
- Treating SASE as a single product: SASE is a framework—vendors offer different combinations of SD-WAN, ZTNA, CASB, SWG, and FWaaS. Buying one component doesn't give you the full model.
- Ignoring identity integration: SASE relies on strong identity controls (MFA, device posture, conditional access). Weak identity undermines the entire architecture.
- No visibility into cloud app usage: deploying SASE without CASB or SWG means you can't see or control what users do in SaaS apps (shadow IT, data exfiltration).
- Underestimating change management: users expect remote access to "just work." Shifting access patterns requires clear communication, training, and support coverage.
Implementation approach
SASE is best implemented in phases, starting with the highest-pain areas (remote access, SaaS security) and expanding to full network convergence over time.
- Assess current state: map where users connect from, what apps they use, and where traffic flows today (remote access, direct internet, branch MPLS).
- Start with identity and device posture: ensure strong identity controls (MFA, conditional access) and device management are in place—SASE depends on them.
- Pilot ZTNA for high-value apps: start with identity-aware access to specific internal apps (finance systems, admin portals) to prove the model works.
- Add SWG and CASB for cloud apps: route SaaS traffic through a secure web gateway to enforce DLP, malware scanning, and shadow IT visibility.
- Expand to SD-WAN and FWaaS: once remote access is stable, migrate branch offices and data center connectivity to cloud-delivered networking and firewall services.
Operations & evidence
- Unified logging: SASE platforms should provide centralized logs for network traffic, security events, and user activity—no more stitching together logs from multiple point products.
- Policy consistency: security policies (web filtering, DLP, malware scanning) should apply uniformly whether users are on-site, remote, or at a branch office.
- Performance monitoring: track latency, throughput, and user experience metrics to ensure SASE isn't introducing new bottlenecks.
- Access reviews: regularly review who has access to what apps and data—SASE makes this easier with identity-driven policies, but it still requires operational discipline.
- Incident response integration: ensure SASE logs feed into your SIEM and SOC workflows for threat detection and response.
Further reading: Gartner SASE definition, NIST SP 800-207 (Zero Trust Architecture).
SASE components explained
SASE is a convergence of multiple technologies. Here's what each component does:
- SD-WAN (Software-Defined Wide Area Network): intelligently routes traffic across multiple network paths (MPLS, broadband, LTE) to optimize performance and reduce costs.
- ZTNA (Zero Trust Network Access): identity-driven, application-level access with continuous verification. Users authenticate to specific apps with device posture checks, not blanket network access.
- CASB (Cloud Access Security Broker): monitors and controls access to SaaS apps (Microsoft 365, Salesforce, etc.), enforcing DLP and detecting risky behavior.
- SWG (Secure Web Gateway): filters web traffic to block malicious sites, enforce acceptable use policies, and scan for malware.
- FWaaS (Firewall-as-a-Service): cloud-delivered firewall that inspects traffic and enforces security policies without requiring on-premises hardware.
Not every organization needs all five components immediately. Start with the areas that solve your biggest pain points (usually ZTNA and SWG for remote users).
A note on modern VPNs
Not all VPNs are created equal. The limitations described above apply to legacy VPN architectures—centralized gateways with "authenticate once, trust forever" models.
Next-generation VPN solutions (like WireGuard-based mesh networks) implement Zero Trust principles at the network layer: identity-aware access, device posture checks, per-resource policies, and continuous verification. These can be powerful tools when combined with ZTNA—especially for legacy systems that can't run modern agents or don't support application-layer security.
The right approach often isn't "VPN vs. ZTNA" but rather layered security using both network and identity controls. VPN connection status can serve as a signal for conditional access policies, adding defense in depth.
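As an added illustration of the layered model just described (example code written for this guide, not from any SASE vendor or product), here is a small per-resource policy evaluator that combines identity, device posture and context, treats VPN connection status as one conditional-access signal rather than as a grant, and re-verifies once the collected signals age out. App names, policy fields and sample values are hypothetical.

```python
from dataclasses import dataclass

# Constructed per-resource policies; app names and fields are hypothetical.
# Each app states the identity, device and network signals it requires and
# how long a decision may be trusted before the signals must be re-collected.
POLICIES = {
    "finance-erp":   {"mfa": True, "managed_device": True,  "vpn_signal": True,  "max_age_s": 300},
    "admin-portal":  {"mfa": True, "managed_device": True,  "vpn_signal": False, "max_age_s": 120},
    "internal-wiki": {"mfa": True, "managed_device": False, "vpn_signal": False, "max_age_s": 3600},
}

@dataclass
class Context:
    user: str
    mfa_verified: bool      # identity signal
    device_managed: bool    # device posture signals
    disk_encrypted: bool
    os_patched: bool
    on_vpn: bool            # network-layer signal fed into conditional access
    issued_at: float        # epoch seconds when the signals were collected

def device_posture_ok(ctx: Context) -> bool:
    # A managed device only counts as healthy if it is also encrypted and patched.
    return ctx.device_managed and ctx.disk_encrypted and ctx.os_patched

def legacy_vpn_decision(ctx: Context) -> bool:
    # "Authenticate once, trust forever": network presence alone grants access.
    return ctx.on_vpn

def evaluate(app: str, ctx: Context, now: float) -> tuple[bool, str]:
    """Per-resource decision: identity AND device AND context, default deny."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "unknown app: default deny"
    if now - ctx.issued_at > policy["max_age_s"]:
        return False, "signals stale: re-verify"    # continuous verification
    if policy["mfa"] and not ctx.mfa_verified:
        return False, "mfa required"
    if policy["managed_device"] and not device_posture_ok(ctx):
        return False, "device posture failed"
    if policy["vpn_signal"] and not ctx.on_vpn:
        return False, "vpn signal required for this resource"
    return True, "allow"

if __name__ == "__main__":
    # Constructed sample: on the VPN but without MFA. The legacy model allows,
    # the identity-driven policy denies.
    bob = Context("bob", False, True, True, True, True, issued_at=1000.0)
    print("legacy:", legacy_vpn_decision(bob))               # True
    print("ztna:  ", evaluate("finance-erp", bob, 1010.0))   # (False, 'mfa required')
```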
Common Questions
What is SASE and what problem does it solve?
SASE (Secure Access Service Edge) converges network and security into a cloud-delivered service. It's designed for distributed workforces where users, apps, and data are no longer behind a single perimeter—providing consistent security policies regardless of where users connect.
What are the components of SASE?
SASE combines SD-WAN (intelligent traffic routing), ZTNA (identity-driven application access), CASB (SaaS security), Secure Web Gateway (web filtering and malware scanning), and Firewall-as-a-Service. Not every organization needs all five immediately—start with the areas that solve your biggest pain points.
How is SASE different from traditional VPN?
Traditional VPNs grant network-level access after a single authentication. SASE uses identity-driven, application-level access with continuous verification—users authenticate to specific apps with device posture checks, not blanket network access. Security policies apply at the edge near users, not through centralized gateways.
What should we implement first in a SASE rollout?
Start with identity and device posture (MFA, conditional access, device management). Pilot ZTNA for high-value apps to prove the model. Add Secure Web Gateway and CASB for cloud app visibility. Expand to SD-WAN and FWaaS for branch offices once remote access is stable.
What are common SASE implementation mistakes?
Rip-and-replace without a plan (turning off existing access before testing), treating SASE as a single product rather than a framework, ignoring identity integration (weak identity undermines the architecture), and underestimating change management for users expecting remote access to "just work."
Related resources
Need a modern approach to secure remote access?
We help design and implement cloud-delivered security that scales with distributed teams.
Contact N2CON