Skip to Content
Network and Access

What is SASE (Secure Access Service Edge)?

SASE (Secure Access Service Edge) is a model that brings together, in a single cloud service, the network and the security that used to be separate boxes: connectivity, content filtering, firewall, and access control are now delivered together, close to the user, wherever they are. Instead of backhauling all traffic to a central data center, SASE applies the security policy at the nearest cloud edge.

Zamak TechnologiesUpdated on July 11, 2026

How SASE works

SASE starts from a simple observation: if the work and the data moved to the cloud, security should be in the cloud too, next to the user, and not tied to a building. It combines an intelligent network with a set of defenses, all delivered as a service and driven by identity, not by location.

1

Connects to the nearest cloud point

Instead of sending all traffic back to the company's data center, the intelligent network (SD-WAN) takes the user straight to the nearest cloud point of presence, which cuts latency.

2

Identifies who and what

Before granting any access, SASE verifies the user's and the device's identity and evaluates the context (where it comes from, what state it is in). The decision is by identity, not by being 'inside the network'.

3

Applies the defenses together

At the same point, it applies web filtering, cloud access control, firewall as a service, and zero-trust access, without relying on several separate boxes with their own policies.

4

Manages it all from one console

Network and security are now configured and seen in one place, which removes the gaps that appear at the seams between products from different vendors.

Source: Gartner's definition, which coined the term SASE in 2019, and the N-able Cyber Encyclopedia (the five components: SD-WAN, secure web gateway, cloud access control, firewall as a service, and zero trust).

The problem SASE solves

  • Work and data moved to the cloud, but security stayed tied to the data center. Sending all traffic back to a central point only to release it creates slowness and cost.
  • Each function was a separate box with its own policy: firewall here, web filter there, remote access somewhere else. In the seams between them live the gaps no one sees.
  • The user outside the office never passed through the perimeter. The old model protected those inside the building well, and those working from home or a client site poorly.
  • Maintaining several appliances from different vendors is expensive and inconsistent. Each one needs updates, a specialist, and its own rules, and the sum rarely talks to itself.

The components of SASE

  • SD-WAN (intelligent network) Routes traffic over the best path between locations and takes the user straight to the nearest cloud point, without the detour through the central data center.
  • Secure web gateway (SWG) Inspects browsing and blocks malicious sites and downloads before they reach the user, at the same cloud point.
  • Cloud access control (CASB) Gives visibility and control over what flows to cloud services and software-as-a-service applications, including unauthorized use.
  • Firewall as a service (FWaaS) Delivers the firewall function through the cloud, with no physical box at the edge, and scales along with the company.
  • Zero-trust access (ZTNA) Grants access application by application, with verification at every access, instead of the broad network access a VPN gives.

Why the old network model no longer holds

60%
of new intelligent-network (SD-WAN) purchases would be part of a single-vendor SASE by 2026, up from 15% in 2022 (Gartner)
80%+
of enterprises are expected to adopt SASE platforms by 2030 (Gartner)
$ 28.5B
is the projected size of the SASE market in 2028, growing about 26% a year (Gartner)

The traditional architecture was designed for a company that lived inside a building, with a data center at the center and all traffic passing through it. With the cloud and distributed work, that design became a bottleneck: slow, costly, and full of seams where attacks get in. It is no accident that exploitation of edge devices and VPNs jumped to 22% of vulnerability-based breaches (Verizon DBIR 2025), precisely the model of scattered boxes that SASE replaces. The market has read the direction: in Gartner's projection, by 2026 about 60% of new intelligent-network (SD-WAN) purchases would be part of a single-vendor SASE, up from 15% in 2022, and by 2030 more than 80% of enterprises are expected to adopt SASE platforms. What is at stake is cutting the attack surface and the cost of running dozens of boxes, while a data breach still costs, on average, $ 4.44 million (IBM 2025).

How to evaluate SASE without falling for the hype

SASE is an architecture, not an off-the-shelf product, and every vendor calls its bundle SASE. A few points separate a solid decision from a marketing label:

  1. Start from the pain, not the acronymSASE solves concrete problems: remote access that is too broad, slow branches, cloud without control. Define which one is yours before buying an entire architecture.
  2. Prefer fewer vendorsSASE's value is in joining network and security with no seams. A single-vendor bundle, or a few, delivers that; bolting ten products together and calling it SASE recreates the very problem it should solve.
  3. Insist on real zero trustZero-trust access is the heart of the model. Be wary of a 'SASE' that is, underneath, the same broad-access VPN with a new name.
  4. Migrate in phasesThere is no need to swap everything at once. Start with the point of greatest pain (remote access or a branch), prove the value, and move on, without switching off what still works.
  5. Rely on someone to operate itA cloud architecture delivered as a service still needs to be configured, monitored, and tuned. The value is realized in continuous operation, not in the subscription.

In practice

How many different boxes and consoles does your company use today for firewall, web filtering, VPN, and cloud access? Every seam between them is a place where a policy goes missing and an attack gets in. It is that pile-up that SASE tries to undo.

How Zamak handles network and access

Zamak Technologies treats network and security as one whole, not as loose boxes: zero-trust access, content filtering, an operated perimeter, and visibility over the cloud, alongside your team. A good starting point is the cybersecurity assessment, which shows where network and access are still fragmented. It is part of Cybersecurity in the Zamak Method, on top of the IT Operations that keeps everything running.

Frequently asked questions about SASE

Is SASE a product or an architecture?
It is an architecture, a way of organizing network and security as a single cloud service driven by identity. Vendors sell platforms that implement SASE, but the concept is the model, not a box. That is why two 'SASE' offerings can be quite different underneath.
What is the difference between SASE and SD-WAN?
The intelligent network (SD-WAN) is the network part: it routes traffic over the best path. SASE is larger: it adds the security defenses (web filtering, cloud control, firewall as a service, and zero trust) to SD-WAN, all delivered together. SD-WAN is a component of SASE, not SASE itself.
Does SASE replace the VPN?
Yes, that is precisely one of the changes it brings. In place of the broad-access VPN, SASE uses zero-trust access, which grants application by application and reverifies at every access. For anyone with the problem of too-broad remote access, that is the part that fixes the pain at the root.
Do I need to replace my whole infrastructure at once?
No, and it is not recommended. SASE adoption is usually phased: it starts with the point of greatest pain, such as remote access or a slow branch, proves the value, and moves on. Swapping everything at once is risky and unnecessary.
Does SASE include a firewall?
Yes, in the form of firewall as a service, delivered through the cloud instead of a physical box at the edge. It coexists with the perimeter firewall where that still makes sense, and takes over protecting the traffic that is born and lives in the cloud, where there is no physical door to install.
Does a mid-sized company need SASE?
It depends on how it works. The more the team is remote, the more the data is in the cloud, and the more branches there are, the heavier the old model weighs and the more SASE makes sense. For a company concentrated in a single office, the urgency is lower; the decision follows the pain, not the trend.