The Four Pillars of SASE: Why Your Legacy Network Architecture is Obsolete
Gartner claims that the shift to SASE will make existing networking and security models obsolete.
Secure Access Service Edge (SASE): The Foundational Shift Driven by Cloud, Mobility, and the Demise of the Traditional Perimeter
A true SASE framework moves security policy from the physical office location to the user’s identity, fundamentally transforming how enterprises connect and protect their digital assets.

In 2019, Gartner introduced the Secure Access Service Edge (SASE) model, describing it as a fundamental architectural shift that would eventually render existing networking and security models obsolete. While many in the industry initially treated it as hype, the events of the last few years—namely, the explosion of cloud application usage and the permanence of the dispersed, mobile workforce—have made this prediction an undeniable reality.
Today, every enterprise is facing unprecedented pressure on its legacy network and security architecture. Users, applications, and data have migrated from the confines of the corporate network to the cloud and the edge. This digital transformation improves agility and competitiveness, but it requires a corresponding evolution in how we connect and, more importantly, how we secure those connections.
The SASE category represents this necessary evolution. It converges the capabilities of the WAN edge (networking) with network security (security) into a single, unified, cloud-native service. However, the market is crowded with vendors claiming SASE capabilities, when, in reality, they are offering little more than traditional products loosely "service-chained" together.
To cut through this noise and ensure you are making a strategic, future-proof investment, you must evaluate solutions against the four non-negotiable pillars of a true SASE architecture.
The Problem: When SDWAN Alone Is Not Enough
SDWAN is a critical part of the modern network, solving performance, resilience, and efficiency problems. But as valuable as it is, it is only one part of the larger SASE story.
The traditional approach to security—regardless of whether you use SDWAN—was to backhaul all traffic from remote users and branch offices back to a central, on-premise security stack. This approach is fatally flawed today:
High Latency: For users accessing cloud applications like Microsoft 365, forcing traffic halfway across the country just to hit a corporate firewall and then turn back to the cloud introduces unacceptable latency and degrades performance.
Inconsistent Security: Creating a patchwork of appliances (VPN concentrators, firewalls, web gateways) and physically stringing them together via "service chaining" results in fragmented visibility, inconsistent policy enforcement, and complex management. As Gartner noted, service chaining is emphatically not SASE.
The IP Address Conundrum: Legacy security is tied to a network anchor, typically the IP address of a device or location. In a world where the office can be a coffee shop, an airport, or a home network, an IP address is useless as a hook for security enforcement.
To overcome these structural limitations, the architecture must evolve beyond the old data center and embrace the cloud-native design principles of SASE.
Pillar I: Converged WAN Edge and Network Security
A true SASE architecture is defined by convergence. It cannot be a collection of disparate appliances or services loosely managed by different dashboards.
The Requirement: The WAN edge (SDWAN functionality, traffic optimization, and routing) and the comprehensive network security stack (Firewall-as-a-Service, Secure Web Gateway, CASB, ZTNA) must be folded into a single, cloud-native software fabric.
The Pragmatic Benefit: This convergence delivers the simplicity, scalability, and pervasive security that customers demand. By operating as a single software stack, the platform can perform single-pass inspection, where traffic is decrypted once, inspected against all security and networking policies simultaneously, and then re-encrypted. This greatly reduces processing time and latency compared to chaining separate security devices, ensuring high performance while maintaining security coverage.
In essence, SASE mandates that networking and security cannot be two separate domains managed by different tools; they must be a single, centrally controlled entity.
Pillar II: Cloud-Native, Global Service Delivery
The nature of cloud applications—specifically, their sensitivity to latency—demands that networking and security be delivered as close to the endpoint as possible. The edge is the new cloud, and it requires a distributed approach.
The Requirement: SASE offerings must be purpose-built for scale-out, cloud-native, and cloud-based delivery. This means relying on a vast, globally distributed network of Points of Presence (PoPs) to minimize the physical distance between the user and the security enforcement point.
The Pragmatic Benefit: The geographical footprint is critical. It is not sufficient to simply run the service on a hyper-scaler with a limited number of PoPs, as this still forces users in remote regions to connect over long distances. A true SASE solution requires providers with a deep, global footprint and the agility to instantiate a PoP in response to emerging customer demands. This optimized, low-latency delivery ensures that security inspection does not negatively impact the performance of real-time applications.
Pillar III: A Network Designed for All Edges
The traditional network focused almost exclusively on the site (the branch office or the headquarters). The modern enterprise must focus on securing all edges equally—the site, the cloud, and the individual mobile user.
The Requirement: SASE services must be capable of connecting and securing more than just physical sites. This requires an agent-based capability, managed as a cloud service, that can be installed on laptops and mobile devices to extend the full security stack to the individual user, regardless of their connecting network.
The Pragmatic Benefit: Offerings that rely solely on on-premises, box-oriented delivery or only cater to a limited number of fixed cloud PoPs will inevitably fail to meet the requirements of an increasingly mobile workforce and emerging latency-sensitive edge applications. A genuine SASE architecture ensures that an employee working from a home office or a client site receives the same level of security and performance optimization as if they were sitting in the corporate headquarters.
Pillar IV: Identity and Real-Time Condition
This is arguably the most revolutionary pillar of SASE, representing the complete departure from the legacy model.
The Requirement: Security access and policy enforcement must be based on the user's identity and their real-time context (device type, time of day, location, and posture of the device), not the static IP address.
The IP Address Conundrum: Anything tied to a physical IP address is useless for security policy enforcement when users and resources are constantly moving. The legacy data center is no longer the center of the network universe. The new center of secure access networking design is the identity, with the policy following that identity wherever it goes.
The Pragmatic Benefit: SASE allows IT leaders to customize the security level and network experience based on risk. For example:
A user accessing a critical financial application from a corporate laptop in the office receives full access.
The same user attempting to access that application from an unmanaged personal device (different identity/condition) from a foreign country receives restricted, or zero, access.
All policies are tied to the user's validated identity (which can be a person, a device, or an IoT entity), eliminating the vulnerability inherent in IP-based enforcement and fully embodying the principles of Zero Trust Network Access (ZTNA).
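The contrast between IP-anchored and identity-anchored enforcement described above, as an added example that is not from the original article or any vendor's product. The field names, risk weights, thresholds, and sample requests are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Every value here is constructed for illustration (RFC 5737 documentation ranges).
OFFICE_NET = ipaddress.ip_network("203.0.113.0/24")
HOME_COUNTRIES = {"US"}

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool    # identity validated by the identity provider
    device_managed: bool   # corporate-managed vs. personal device
    posture_ok: bool       # device posture check passed
    country: str
    src_ip: str

def ip_based_decision(req):
    """Legacy model: the source address is the only policy hook."""
    return "full" if ipaddress.ip_address(req.src_ip) in OFFICE_NET else "deny"

def identity_based_decision(req):
    """Identity plus real-time condition; src_ip is never consulted."""
    if not req.authenticated:
        return "deny"                      # default deny without a validated identity
    risk = 0
    risk += 0 if req.device_managed else 2
    risk += 0 if req.posture_ok else 2
    risk += 0 if req.country in HOME_COUNTRIES else 1
    if risk == 0:
        return "full"
    return "restricted" if risk <= 2 else "deny"

REQUESTS = {
    "corp laptop, office":     Request("alice", True, True, True, "US", "203.0.113.10"),
    "corp laptop, home":       Request("alice", True, True, True, "US", "192.0.2.44"),
    "personal device, office": Request("alice", True, False, True, "US", "203.0.113.50"),
    "personal device, abroad": Request("alice", True, False, False, "BR", "198.51.100.7"),
}

def compare():
    """Return {scenario: (legacy decision, identity-based decision)}."""
    return {name: (ip_based_decision(r), identity_based_decision(r))
            for name, r in REQUESTS.items()}

if __name__ == "__main__":
    for name, (legacy, sase) in compare().items():
        print(f"{name:26} ip-based={legacy:5} identity-based={sase}")
```

The two middle scenarios are where the models diverge: the IP rule blocks a managed laptop at home and grants full access to an unmanaged device that happens to sit behind the office address range.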
A Pragmatic Call to Action
The introduction of SASE is not marketing buzz; it is a true reflection of our times. The technologies have changed considerably, forcing a profound rethinking of legacy enterprise networks.
As this market category matures, the marketing noise will continue to grow. Your responsibility as a technology leader is to move past the vendor claims and evaluate potential solutions against these four non-negotiable architectural pillars. If the solution cannot prove a cloud-native, globally converged architecture where policy is tied to identity, it will not deliver the simplicity, scale, or security your business needs to thrive in the cloud-first era.
KITS: Keep IT Simple.