What is SASE (Secure Access Service Edge)?
SASE (Secure Access Service Edge) is a model that brings together, in a single cloud service, the network and the security that used to be separate boxes: connectivity, content filtering, firewall, and access control are now delivered together, close to the user, wherever they are. Instead of backhauling all traffic to a central data center, SASE applies the security policy at the nearest cloud edge.
How SASE works
SASE starts from a simple observation: if the work and the data moved to the cloud, security should be in the cloud too, next to the user, and not tied to a building. It combines an intelligent network with a set of defenses, all delivered as a service and driven by identity, not by location.
Connects to the nearest cloud point
Instead of sending all traffic back to the company's data center, the intelligent network (SD-WAN) takes the user straight to the nearest cloud point of presence, which cuts latency.
Identifies who and what
Before granting any access, SASE verifies the user's and the device's identity and evaluates the context (where it comes from, what state it is in). The decision is by identity, not by being 'inside the network'.
Applies the defenses together
At the same point, it applies web filtering, cloud access control, firewall as a service, and zero-trust access, without relying on several separate boxes with their own policies.
Manages it all from one console
Network and security are now configured and seen in one place, which removes the gaps that appear at the seams between products from different vendors.
Source: Gartner's definition, which coined the term SASE in 2019, and the N-able Cyber Encyclopedia (the five components: SD-WAN, secure web gateway, cloud access control, firewall as a service, and zero trust).
The problem SASE solves
- Work and data moved to the cloud, but security stayed tied to the data center. Sending all traffic back to a central point only to release it creates slowness and cost.
- Each function was a separate box with its own policy: firewall here, web filter there, remote access somewhere else. In the seams between them live the gaps no one sees.
- The user outside the office never passed through the perimeter. The old model protected those inside the building well, and those working from home or a client site poorly.
- Maintaining several appliances from different vendors is expensive and inconsistent. Each one needs updates, a specialist, and its own rules, and the sum rarely talks to itself.
The components of SASE
- SD-WAN (intelligent network) Routes traffic over the best path between locations and takes the user straight to the nearest cloud point, without the detour through the central data center.
- Secure web gateway (SWG) Inspects browsing and blocks malicious sites and downloads before they reach the user, at the same cloud point.
- Cloud access control (CASB) Gives visibility and control over what flows to cloud services and software-as-a-service applications, including unauthorized use.
- Firewall as a service (FWaaS) Delivers the firewall function through the cloud, with no physical box at the edge, and scales along with the company.
- Zero-trust access (ZTNA) Grants access application by application, with verification at every access, instead of the broad network access a VPN gives.
Why the old network model no longer holds
The traditional architecture was designed for a company that lived inside a building, with a data center at the center and all traffic passing through it. With the cloud and distributed work, that design became a bottleneck: slow, costly, and full of seams where attacks get in. It is no accident that exploitation of edge devices and VPNs jumped to 22% of vulnerability-based breaches (Verizon DBIR 2025), precisely the model of scattered boxes that SASE replaces. The market has read the direction: in Gartner's projection, by 2026 about 60% of new intelligent-network (SD-WAN) purchases would be part of a single-vendor SASE, up from 15% in 2022, and by 2030 more than 80% of enterprises are expected to adopt SASE platforms. What is at stake is cutting the attack surface and the cost of running dozens of boxes, while a data breach still costs, on average, $ 4.44 million (IBM 2025).
How to evaluate SASE without falling for the hype
SASE is an architecture, not an off-the-shelf product, and every vendor calls its bundle SASE. A few points separate a solid decision from a marketing label:
- Start from the pain, not the acronymSASE solves concrete problems: remote access that is too broad, slow branches, cloud without control. Define which one is yours before buying an entire architecture.
- Prefer fewer vendorsSASE's value is in joining network and security with no seams. A single-vendor bundle, or a few, delivers that; bolting ten products together and calling it SASE recreates the very problem it should solve.
- Insist on real zero trustZero-trust access is the heart of the model. Be wary of a 'SASE' that is, underneath, the same broad-access VPN with a new name.
- Migrate in phasesThere is no need to swap everything at once. Start with the point of greatest pain (remote access or a branch), prove the value, and move on, without switching off what still works.
- Rely on someone to operate itA cloud architecture delivered as a service still needs to be configured, monitored, and tuned. The value is realized in continuous operation, not in the subscription.
In practice
How many different boxes and consoles does your company use today for firewall, web filtering, VPN, and cloud access? Every seam between them is a place where a policy goes missing and an attack gets in. It is that pile-up that SASE tries to undo.
How Zamak handles network and access
Zamak Technologies treats network and security as one whole, not as loose boxes: zero-trust access, content filtering, an operated perimeter, and visibility over the cloud, alongside your team. A good starting point is the cybersecurity assessment, which shows where network and access are still fragmented. It is part of Cybersecurity in the Zamak Method, on top of the IT Operations that keeps everything running.