
It didn't take long for secure access service edge (SASE) to take the IT world by storm. One reason is that it was naturally time for an evolution of existing technologies — SD-WAN, for example. Another factor was the disruption IT departments experienced because of the COVID-19 pandemic. 

But now that the SASE dust has settled, IT leaders can begin to think about how SASE might align with their short- and long-term goals. The primary use case is providing secure connectivity and optimal consumer experiences—no matter the consumer's location or service (applications, computing and storage).

When determining a reference solution, a prioritized set of customer use cases must be defined and addressed by this reference solution effort, either in the initial launch or the subsequent roadmap. Here are areas where SASE finds a home in an overall IT strategy.

Business use cases

Facility to cloud

Prior to Gartner introducing SASE to the market, many organizations adopted SD-WAN solutions. While the business saw the performance and cost benefits of a direct internet access model, security teams faced new challenges. 

Teams suddenly had to provide services like firewalls, intrusion prevention, and URL filtering at every branch office. Often this meant deploying and managing hundreds or thousands of security appliances. In addition to being operationally inefficient, this approach risked causing bottlenecks in performance. 

Adding the Security Service Edge (SSE) component of SASE allows teams to scale branch security by connecting offices to nearby cloud gateways. Security teams can apply policies from a centrally managed location in the cloud. Because SASE vendors sit close to the public clouds and Infrastructure-as-a-Service (IaaS) providers, they can enforce controls without slowing performance.

The branch office and SD-WAN use case took a back seat when COVID-19 forced employees to work from home. However, as organizations make plans to reopen offices, the use case is regaining its place as a strong driver for SASE adoption. As it does, expect SASE vendors to emphasize integrating their services with SD-WAN solutions. 

Facility-as-a-hotspot

In today's organizations, security is cloud-based, the workforce is distributed, the Internet is more reliable, and services and applications have moved to the cloud. Organizations are approaching WWT with questions such as: do we still need an enterprise WAN, and how can we reduce our WAN costs? Organizations have begun to deploy the SSE side of SASE, using the Internet as the only connectivity option and replacing the enterprise WAN.

Hybrid workforce 

It could be argued that SASE wouldn't have become top of mind for IT leaders as fast as it did without the surge of employees working remotely in 2020. When offices closed, IT had no choice but to rethink its network and security architectures. VPN systems couldn't keep up with the demand from remote workers. 

Even though offices are reopening, Gartner predicts 48 percent of employees will continue to work remotely in some capacity after the pandemic. Organizations will still have to secure a significantly expanded attack surface.

A new approach was needed because the traditional remote work mechanism—VPN—is often prohibitively expensive at scale. Secure Access Service Edge offers secure remote access to your company's systems from any location in the world. SASE connects consumers to points of presence (PoPs) close to their location rather than routing them to a central data center. Instead of connecting one consumer with one network (as legacy VPNs do), SASE creates a Secure Network Perimeter (Software-Defined Perimeter). You can imagine SDP as your private company network where all your consumers and services meet securely – an environment that hides you from the public Internet. 

Companies are unlikely to return to their pre-pandemic business strategies, and the number of employees working from home will likely remain high. Investing in SASE is, therefore, a long-term consideration for most enterprises.

Business-to-business/agency-to-agency

Many companies must support connectivity to applications and resources for partner businesses and third-party entities. Example requirements include third-party VPN access for contractors who manage systems, API access for applications that consume Platform as a Service (PaaS) offerings, and application-to-application connectivity between companies.

The SASE model can provide a solution that incorporates a ZTNA adoption sequence for these types of third-party access use cases. B2B requirements fall under the broader use case of service-to-service or application-to-application access and can leverage a SASE offering that secures Autonomous Machine or Sensor (IoT) connectivity. For third-party access, customers can extend the consumer-to-service solution they provide to their own workforce, either via a client deployed to the third-party workforce or, in some cases, a browser-based offering. For the application-to-application use case, leveraging the SSE capabilities for DLP can provide more secure B2B connectivity.

Zero Trust Network Access

Organizations want a solution that reduces lateral movement and protects confidential data and the endpoint. ZTNA is identity-aware and context-based, and it establishes logical access boundaries around an application or set of applications.

A key property of the solution is that the network is hidden from discovery and access is restricted, via a trusted broker, to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. This removes the application assets from public visibility and significantly reduces the surface area for attack.

The first generation, ZTNA 1.0, supported only coarse-grained access controls and took an "allow and ignore" approach to both consumers and app traffic: once access was granted, traffic was no longer inspected. It provided little or no advanced security consistently across all apps, with only rudimentary data loss prevention (DLP). This violates the principle of least-privileged access and exposes organizations to an increased risk of a breach; ZTNA 1.0 solutions solve only some of the problems associated with direct-to-app access. As ZTNA evolved, an improved approach was labeled ZTNA 2.0. ZTNA 2.0 builds on the original ZTNA approach and adds the latest features and capabilities, such as support for modern authentication protocols, extensive integration with other security tools and advanced risk analysis capabilities.

One of the core elements of ZTNA 2.0 is continuous trust verification: Once access to an app is granted, trust is continually assessed based on changes in device posture and consumer and app behavior. If any suspicious behavior is detected, access can be revoked in real-time.
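A toy broker illustrating the contrast the text draws, as an added example that is not part of the original article or any vendor's product: the broker checks identity, policy and device posture before granting a session, binds that session to a single named app (no lateral movement), and then either ignores later posture changes (ZTNA 1.0 "allow and ignore") or re-verifies and revokes (ZTNA 2.0 continuous trust verification). The users, apps and posture attributes are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Posture:
    """Constructed device-posture signals the broker evaluates."""
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool

@dataclass
class Session:
    user: str
    app: str            # the one app this session may reach
    posture: Posture
    active: bool = True
    revoked_reason: Optional[str] = None

# Constructed policy: which named identities may reach which apps.
APP_POLICY = {"payroll": {"alice"}, "wiki": {"alice", "bob"}}

def posture_ok(p: Posture) -> bool:
    return p.disk_encrypted and p.edr_running and p.os_patched

def broker_grant(user: str, app: str, posture: Posture) -> Optional[Session]:
    """Identity + policy + context check before any connectivity is brokered.
    Returning None for an unknown app keeps the app invisible to the caller."""
    if user not in APP_POLICY.get(app, set()):
        return None
    if not posture_ok(posture):
        return None
    return Session(user=user, app=app, posture=posture)

def can_reach(session: Session, app: str) -> bool:
    """A session is scoped to its app; other apps are not reachable (no lateral movement)."""
    return session.active and session.app == app

def allow_and_ignore(session: Session, new_posture: Posture) -> Session:
    """ZTNA 1.0 behaviour: after the initial grant, posture changes are never re-checked."""
    session.posture = new_posture
    return session

def reverify(session: Session, new_posture: Posture) -> Session:
    """ZTNA 2.0 behaviour: trust is re-assessed on posture change; degraded posture revokes access."""
    session.posture = new_posture
    if session.active and not posture_ok(new_posture):
        session.active = False
        session.revoked_reason = "posture_degraded"
    return session
```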

Internet egress

Companies have increasingly adopted cloud-based Software as a Service (SaaS) for data applications and collaboration services. As this trend accelerates, traditional data-center-centric, proxy-based solutions no longer scale to the larger environment of a distributed workforce. Access to those SaaS applications requires a distinct set of security services, including web gateways, data loss prevention and remote browser isolation. SSE providers have located their data centers or Points-of-Presence (PoPs) close to the major ingress points of the SaaS providers, allowing for lower latency and a better user experience.

Acquisitions, mergers and divestitures

Mergers and acquisitions are a typical characteristic of a growing organization, and the ample number of disruptive technologies is ripe for the taking. M&A inherently creates opportunities for enterprises, but companies that struggle to integrate their IT infrastructures will see those opportunities undermined, with the potential benefits delayed, if not destroyed.

Business outcomes

Manage organizational IT costs

While SASE can offer several benefits, including improved security, simplified network management and increased agility, it's essential to consider the cost implications.

Here are some ways SASE manages cost:

  • SASE typically follows an operational expenditure (OpEx) model, where organizations pay a subscription fee based on the number of users or sites rather than large upfront capital expenditures (CapEx). This subscription-based approach can provide cost predictability and easier budgeting, especially for businesses that prefer a pay-as-you-go model.
  • SASE combines various network and security services into a single cloud-based platform. This consolidation eliminates the need for multiple standalone appliances, reducing hardware and operational costs associated with managing and maintaining separate systems.
  • SASE's unified approach and cloud-native architecture can enhance employee productivity. Users can securely access applications and resources from anywhere without traditional VPNs or complex configurations. This increased productivity can translate into cost savings and business efficiency.
  • Organizations can offload the burden of maintaining and updating various network and security components by outsourcing network and security management to a SASE provider. This can lead to cost savings regarding IT personnel, training and infrastructure maintenance.

It's worth noting that while SASE can offer cost efficiencies, the actual cost will vary depending on factors such as the size of the organization, specific requirements, chosen service providers and deployment models. Conducting a thorough cost analysis and comparing different SASE offerings will help organizations evaluate the financial implications and choose the most suitable option for their needs.

Trusted Internet Connection (TIC) 

Just like enterprises, the U.S. federal government must secure end users, applications and data outside traditional networks' boundaries. TIC is a reference architecture that helps agencies secure internet connections. 

The latest iteration of TIC, TIC 3.0, encourages more flexible models for security enforcement. SASE slots nicely with TIC 3.0 architecture requirements due to the proximity of SASE vendors to specialized public cloud services like AWS GovCloud. 

Security consistency

The ability to apply a consistent security policy for on-premises, work-from-home, cloud-native and SASE-enabled workloads (or any other workload where data is moving from one point to another) is something that few companies can offer. Additionally, the ability to take the intelligence gathered from moving data and apply it to the integrity of the workloads housing that data (on-premises or in the cloud) takes consistency another step further. Correlate that business, threat and IT intelligence into a security operations platform. You now have a consistent approach to pushing packets and maintaining workload integrity, securing data within your organization.

Conclusion

SASE is a significant architectural shift. However, a SASE investment shouldn't start with architectural requirements. It should begin by identifying the use cases that make the most sense for your business. Our SASE briefing is designed to help you do just that. 

We also have tips about what to compare when evaluating SASE solutions. And, if you're ready to get hands-on with SASE, we have virtual, on-demand labs for Cisco Umbrella, Palo Alto Networks Prisma Access, Zscaler Internet Access and Netskope's Guided Discovery Lab. Additionally, we have a community specifically tailored to accelerating TIC 3.0 network security architectures.
