SASE (Secure Access Service Edge): What is it and what benefits does it bring to a company? | nFlo Blog

What is SASE and why is it revolutionizing network security in the era of remote work?

Traditional corporate network architecture was built around the idea of a central castle – a corporate data center. No matter where users were located – at headquarters, in a branch office or on a business trip – all of their network traffic had to first go to this one, heavily fortified location to be subjected to security checks. This model worked well in a world where applications and data resided inside the castle. Today, in an era of work-from-anywhere, cloud-based applications and IoT devices, this model has become not only inefficient, but dangerous. Forcing users to take a circuitous route through headquarters to access a nearby cloud service generates delays and frustration.

In response to this fundamental change, the analyst firm Gartner introduced a new architectural concept in 2019: SASE (Secure Access Service Edge). It is a revolutionary approach that turns the old model upside down. Instead of pulling users to where the security is, SASE delivers security where the users are. It abandons the idea of a single, central control point in favor of a global, distributed network that enforces policies at the “edge” – as close as possible to the point where an employee, branch or device connects. It’s an architecture built for a world without borders.

What is SASE and why has the traditional network architecture become obsolete?

SASE (Secure Access Service Edge) is an architectural model that combines wide area network (WAN) functions and a complete network security stack into a single, integrated service delivered from the cloud. Instead of buying, deploying and managing dozens of separate devices and systems (firewalls, VPNs, proxies), the organization consumes the network and security as one cohesive service from a single provider.

The traditional architecture has become obsolete because it was designed around the data center as the logical center of the universe. This model assumed that users were in the office and applications were on servers in the server room. Today’s reality is distributed:

  • Users are everywhere: at home, at the coffee shop, on the go.
  • Applications are everywhere: in the public cloud (SaaS, IaaS), in the private cloud and still partly in the data center.
  • Data is everywhere: on laptops, on phones, in cloud services.

Attempting to serve this distributed reality with a centralized model leads to the so-called “trombone” (tromboning) effect, where network traffic must travel a long and inefficient distance to the headquarters and back. SASE solves this problem by moving the point of enforcement of security policies from the data center to globally distributed points of presence (PoPs) in the vendor’s cloud.


What are the key technology components that make up the SASE platform?

SASE is not a single product, but a convergence (combination) of several key network and security technologies in a single, integrated platform. The five fundamental pillars that define the SASE architecture are:

  1. SD-WAN (Software-Defined WAN): A network component responsible for intelligently and optimally connecting branch offices and data centers to the SASE cloud.
  2. ZTNA (Zero Trust Network Access): A security component that replaces the traditional VPN and provides granular, identity-based access to private applications.
  3. SWG (Secure Web Gateway): A security component that protects users from Internet threats (malware, phishing) by filtering their web traffic.
  4. CASB (Cloud Access Security Broker): A security component that provides visibility and control over the use of cloud applications (SaaS), protecting corporate data.
  5. FWaaS (Firewall-as-a-Service): A security component, or next-generation cloud-delivered firewall, that provides network and application layer protection for all traffic.

What makes the SASE model powerful and revolutionary is the native integration of these five elements into a single service, with a single management console and a single consistent policy.

Pillars of SASE (Secure Access Service Edge) Architecture

| Component | Main function | What problem does it solve? |
|---|---|---|
| SD-WAN | Smart and optimized connection of branches to the SASE cloud. | Inefficiency and high cost of traditional WANs (MPLS). |
| ZTNA (Zero Trust Network Access) | Secure, identity-based access to private applications (in the data center/cloud). | Excessive permissions and large attack surface of traditional VPNs. |
| SWG (Secure Web Gateway) | Protect users from threats from the public Internet (web traffic filtering). | Risk of malware infections and phishing attacks while browsing the Internet. |
| CASB (Cloud Access Security Broker) | Visibility and control over SaaS application usage (e.g., M365, Salesforce) and data protection. | The “Shadow IT” phenomenon and the risk of data leakage from cloud applications. |
| FWaaS (Firewall-as-a-Service) | Network- and application-level protection for all traffic passing through the platform. | The complexity and cost of managing distributed, physical firewalls in branch offices. |

How does SASE implement the principles of the Zero Trust Model (ZTNA)?

One of the most important security components in the SASE architecture is ZTNA (Zero Trust Network Access). This is a modern approach to remote access that is a practical implementation of the Zero Trust philosophy (“never trust, always verify”) and is a direct successor to traditional VPNs.

The traditional VPN, after successful authentication, granted the user broad access to the entire corporate network, operating on the principle of “you’re in, so we trust you.” This posed a huge risk – if an attacker took over the VPN credentials, he or she gained an open path to roam the entire internal infrastructure.

ZTNA works quite differently. Access is not granted to a “network,” but to a specific, single application. Each time a user tries to connect to a particular application, ZTNA verifies a number of factors: the user’s identity (often through strong multi-factor authentication, MFA), the security status of their device (whether it has up-to-date antivirus and encryption enabled), location and time of day. Only after all these signals have been successfully verified is a secure, encrypted tunnel created to that one application only. The user cannot see or access any other resources on the network. This drastically reduces the attack surface and prevents lateral movement.
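The per-request decision described above, as an added example (not code from the original article or from any SASE product): every connection attempt to an application is checked against identity, device posture, location and time, with default deny. The policy names, fields and values are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import time

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_passed: bool
    disk_encrypted: bool
    av_up_to_date: bool
    country: str
    local_time: time
    app: str

# Constructed per-application policies (hypothetical names and values).
POLICIES = {
    "crm": {"groups": {"sales"}, "countries": {"PL", "DE"},
            "hours": (time(6, 0), time(22, 0))},
    "payroll": {"groups": {"hr"}, "countries": {"PL"},
                "hours": (time(8, 0), time(18, 0))},
}

def evaluate(req: Request):
    """Return (allowed, reasons). Default deny: an app with no policy is unreachable."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, ["no policy for application"]
    start, end = policy["hours"]
    checks = [
        (req.mfa_passed, "MFA not completed"),
        (bool(req.groups & policy["groups"]), "user not entitled to this application"),
        (req.disk_encrypted, "device disk not encrypted"),
        (req.av_up_to_date, "antivirus out of date"),
        (req.country in policy["countries"], "location not permitted"),
        (start <= req.local_time <= end, "outside permitted hours"),
    ]
    reasons = [msg for ok, msg in checks if not ok]
    return not reasons, reasons

def reachable_apps(req: Request):
    """Applications this request context could open; a VPN would expose the whole network."""
    return sorted(a for a in POLICIES if evaluate(replace(req, app=a))[0])

# Constructed sample: a sales user on a compliant device, connecting from PL at 10:00.
SAMPLE = Request("a.kowalska", frozenset({"sales"}), True, True, True,
                 "PL", time(10, 0), "crm")

if __name__ == "__main__":
    print(evaluate(SAMPLE), reachable_apps(SAMPLE))
    print(evaluate(replace(SAMPLE, av_up_to_date=False)))
```

The denial reasons are returned rather than discarded so that each refused request can be logged with the signal that failed.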


What are the main business benefits of implementing the SASE model?

Implementing a SASE architecture brings a number of benefits to organizations that go beyond just cyber security and have real impact on finances, operations and productivity.

  • Reducing cost and complexity: SASE allows you to replace expensive private MPLS links with cheaper Internet connections. More importantly, it eliminates the need to buy and maintain many different physical security devices at each branch, consolidating them into a single, subscription-based service. This turns high capital investment (CAPEX) into predictable operating costs (OPEX).
  • Increased productivity and convenience: With intelligent SD-WAN routing and local SASE cloud access points, users get fast and direct access to cloud applications, without the latency generated by “back and forth” traffic through headquarters. This translates into better video conferencing performance, faster access to CRM/ERP systems and an overall improved user experience.
  • Unified security and consistent policies: SASE provides the same high level of protection for every user and every device, whether connecting from the office, from home or from a hotel on the other side of the world. Security policies are defined centrally and enforced globally, eliminating the gaps and inconsistencies inherent in traditional architectures.
  • Flexibility and scalability: The cloud model allows you to adapt instantly to changing business needs. The opening of a new branch office, the acquisition of another company, or a sudden shift to remote working no longer requires months of planning and costly hardware investments. Simply connect new locations or users to the nearest SASE point of presence.

What is the difference between SASE and SSE (Security Service Edge)?

As the market evolved, Gartner analysts introduced an additional term to clarify the SASE architecture: Security Service Edge (SSE). The term was introduced to separate the pure networking components from the security components.

SASE is an end-to-end architecture that includes both a network layer (WAN Edge) and a security layer (Security Service Edge).

  • The network layer (WAN Edge) is primarily SD-WAN technology, responsible for physically and logically connecting branches, users and data centers.
  • The Security Service Edge (SSE) layer is an integrated suite of security services delivered from the cloud. SSE includes key components such as ZTNA, SWG, CASB and FWaaS.

In practice, SSE is the “half” of the SASE architecture – the one responsible for security. Many companies start their SASE journey just by implementing the SSE platform, integrating it with their existing SD-WAN solution. Others choose to implement a full, integrated SASE platform from a single vendor that offers both components. Regardless of the path, the end goal is always to achieve a full, consistent SASE architecture.


How can nFlo help your company design and implement a SASE strategy?

Migrating to a SASE architecture is one of the most important network and security transformations an organization can undertake. This is not a simple firewall upgrade, but a fundamental paradigm shift that requires careful planning and deep expertise. At nFlo, we act as a trusted advisor and technology partner to guide organizations through this complex journey.

We begin our process with a strategy workshop and readiness assessment. Together with management and technical teams, we analyze the business objectives, current architecture and risk profile to answer the question of whether and when SASE is the right direction. We help build the business case and create a realistic, multi-stage migration roadmap.

With our technology-neutral approach, we help you choose the right SASE or SSE platform that best suits your unique needs and budget. Our team of certified engineers then performs a comprehensive implementation, taking care of a smooth migration, integration with existing systems (such as an identity provider like Azure AD) and precise configuration of security policies. For companies that want to fully focus on their business, we also offer managed services (Managed SASE), where our 24/7 SOC team monitors and manages the entire environment, ensuring the highest level of protection and performance.

About the author:
Łukasz Gil

Łukasz is an experienced specialist in IT infrastructure and cybersecurity, currently serving as a Key Account Manager at nFlo. His career demonstrates impressive growth, from client advisory in the banking sector to managing key accounts in the field of advanced IT security solutions.

Łukasz approaches his work with a focus on innovation, strategic thinking, and client-centricity. His method of managing key accounts is based on building strong relationships, delivering added value, and tailoring solutions to individual needs. He is known for his ability to combine technical expertise with business acumen, enabling him to effectively address clients' complex requirements.

Łukasz is particularly passionate about cybersecurity, including EDR and SIEM solutions. He focuses on delivering comprehensive security systems that integrate various aspects of IT protection. His specialization spans New Business Development, Sales Management, and implementing security standards such as ISO 27001.

He is actively committed to personal and professional development, continuously expanding his knowledge through certifications and staying updated on industry trends. Łukasz believes that the key to success in the dynamic IT world lies in constant skill enhancement, an interdisciplinary approach, and the ability to adapt to evolving client needs and technologies.