SASE Architecture: Is SD-WAN dead?

There is universal consensus in IT that the network is undergoing a dramatic transformation. New security concepts such as SASE (Secure Access Service Edge, pronounced “sassy”) and ZTNA (we recently explained how Zero Trust Network Access can help to secure remote workers) promise to deliver the architectural changes required to address the security requirements of the digital enterprise. In fact, Gartner, the first to describe these cybersecurity concepts, says that 40% of companies will look to adopt SASE in the upcoming years.

What is SASE architecture?

SASE is predominantly delivered as a “heavy cloud” solution, meaning that most functions are provided from the cloud. SASE is the convergence of wide-area networking (WAN) and network security services such as CASB, FWaaS (Firewall as a Service), and Zero Trust into a single, cloud-delivered service model. According to Gartner, “SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities or entities can be associated with people, groups of people (branch office), devices, applications, services, IoT systems or edge computing locations.”
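To make the Gartner definition concrete, here is an added example (not the page's or any vendor's code) of a policy evaluated per request from the entity's identity, its real-time context and a continuously updated risk score, so that a change mid-session can flip the verdict. The applications, groups and risk thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample model of identity- and context-based access decisions
# that are re-assessed on every request within a session.

@dataclass
class Entity:
    identity: str        # person, branch office, device, service, IoT system...
    group: str
    device_managed: bool  # device runs the organisation's endpoint agent

@dataclass
class Context:
    geo: str
    posture_ok: bool      # endpoint agent reports a healthy device
    risk_score: int = 0   # risk accumulated over the session

# app -> (allowed groups, highest tolerated risk score, managed device required)
POLICY = {
    "payroll": ({"finance"}, 20, True),
    "wiki":    ({"finance", "engineering"}, 60, False),
}

def evaluate(entity: Entity, ctx: Context, app: str) -> str:
    """One policy decision from identity, context and current trust."""
    groups, max_risk, need_managed = POLICY.get(app, (set(), -1, True))
    if entity.group not in groups:
        return "deny:identity"
    if need_managed and not entity.device_managed:
        return "deny:device"
    if not ctx.posture_ok:
        return "deny:posture"
    if ctx.risk_score > max_risk:
        return "deny:risk"
    return "allow"

def session(entity: Entity, ctx: Context, requests):
    """Continuous assessment: every request re-runs the policy against the
    current context rather than trusting the verdict from session start."""
    verdicts = []
    for app, event in requests:
        if event == "geo_change":      # constructed heuristic: new location
            ctx.risk_score += 30       # raises risk for the rest of the session
        elif event == "posture_fail":  # agent reports the device is unhealthy
            ctx.posture_ok = False
        verdicts.append((app, evaluate(entity, ctx, app)))
    return verdicts
```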

Following this, the SASE architecture model can help your business in several ways:

  1. Cost Savings: a single platform, with no need to manage multiple point products
  2. Simplicity: by minimising the number of security products to manage, consolidating them into a cloud-based network
  3. Flexibility: as cloud-based infrastructure, you can deliver multiple security services (DNS security, credential theft prevention, data loss prevention, next-generation firewall policies…)
  4. Performance: you can easily connect wherever resources are located and access apps, the Internet, and corporate data wherever you are
  5. Zero Trust: this approach removes trust assumptions when users, devices, and applications connect
  6. Threat prevention: SASE security solutions bring more security and visibility into your network
  7. Data protection: SASE helps prevent unauthorised access to and abuse of sensitive data


SASE and SD-WAN (Software-Defined Wide Area Networking) are two networking technologies designed to connect geographically disparate endpoints to a central source of data and application resources.

SD-WAN uses a virtualised network overlay to connect and remotely manage branch offices. While SD-WAN can be adapted to connect to the cloud, it is not built with the cloud at its centre, so the focus is placed on connecting these branch offices back to a central private network.

On the other hand, SASE puts the cloud at the centre. Instead of focusing on connecting branches to a central network, SASE focuses on connecting individual endpoints (whether a branch office, individual user, or single device) to a centralised cloud.

What are the differences between SASE and SD-WAN?

There are three main differences between SASE and SD-WAN:

1. Their relation to the cloud

For SASE, the cloud is the central point between remote workers, branch offices, and headquarters. For SD-WAN, however, cloud integration is a feature rather than a key component. In cloud-enabled SD-WANs, users connect to a virtual cloud gateway over the internet, which makes the network more accessible and better able to support cloud-native applications.

2. Location of Security and Networking Decisions

SASE’s focus is on providing secure access to centralised resources for the network and its users. SASE products have security tools that reside on a user’s device as a security agent, as well as in the cloud as a cloud-native software stack. SD-WAN technology was not designed with a focus on security, and security is often delivered via secondary features or by third-party vendors. In an SD-WAN, security tools are usually located on customer premises equipment (CPE) at offices rather than on the devices themselves.

3. Traffic Inspection

With SASE networks, traffic is opened once and inspected by multiple policy engines at the same time. The engines run in parallel without passing the traffic between them. SD-WAN uses service chaining, in which traffic is inspected by one security function at a time, one after the other. Each of these functions handles one type of threat and is called a point solution.
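The inspection difference can be shown in a few lines. This is an added example (not code from the page or from any SASE or SD-WAN product) that runs three constructed policy engines over a constructed flow twice: once as a service chain, where each point solution opens the traffic itself and the next engine only sees what the previous one passed on, and once single-pass, where the flow is opened once and every engine sees the same decoded view. The hostnames, blocklist and DLP rule are made up for the illustration.

```python
import base64, json

# Constructed sample flows: an HTTPS request whose body is base64-encoded JSON.
def make_flow(host, port, body):
    return {"dst_host": host, "dst_port": port,
            "body_b64": base64.b64encode(json.dumps(body).encode()).decode()}

SUSPECT_FLOW = make_flow("files.example-bad.test", 443, {"note": "card 4111 1111 1111 1111"})
CLEAN_FLOW = make_flow("intranet.example.test", 443, {"note": "hello"})
BLOCKED_DOMAINS = {"files.example-bad.test"}  # constructed DNS security blocklist

def open_traffic(flow, counter):
    """Decoding the body stands in for the TLS termination and parsing each
    inspection point has to do before it can look at the content."""
    counter["opens"] += 1
    return json.loads(base64.b64decode(flow["body_b64"]))

# Three point solutions / policy engines; each returns "ok" or a block verdict.
def dns_engine(flow, body):
    return "block:dns" if flow["dst_host"] in BLOCKED_DOMAINS else "ok"

def firewall_engine(flow, body):
    return "ok" if flow["dst_port"] in (80, 443) else "block:fw"

def dlp_engine(flow, body):
    digits = sum(ch.isdigit() for ch in json.dumps(body))
    return "block:dlp" if digits >= 16 else "ok"  # constructed card-number rule

ENGINES = (dns_engine, firewall_engine, dlp_engine)

def service_chain(flow):
    """SD-WAN style: every engine opens the traffic again, and the chain
    stops at the first engine that blocks, so later verdicts are never seen."""
    counter = {"opens": 0}
    for engine in ENGINES:
        verdict = engine(flow, open_traffic(flow, counter))
        if verdict != "ok":
            return verdict, counter["opens"]
    return "ok", counter["opens"]

def single_pass(flow):
    """SASE style: open once, run all engines on the same view, combine verdicts."""
    counter = {"opens": 0}
    body = open_traffic(flow, counter)
    blocks = [v for v in (e(flow, body) for e in ENGINES) if v != "ok"]
    return (",".join(blocks) if blocks else "ok"), counter["opens"]
```

On the clean flow the chain opens the traffic three times where single-pass opens it once; on the suspect flow the chain stops at the DNS engine, while single-pass also reports the DLP hit in the same pass.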

SASE is just the first step in the WAN transformation journey. Both SD-WAN and SASE are designed to cover a large geographic area; the difference lies in the infrastructure. SASE’s infrastructure has edge data centres, points of presence (PoPs), or a cloud acting as endpoints. These are where all of the networking, optimisation, and security functions run and are controlled. In an SD-WAN these functions run in boxes at the branch and at headquarters, and the SD-WAN is also controlled from headquarters, unlike SASE.

Different enterprises will always have specific security needs that need to be tailored to regulatory, compliance and overall enterprise architecture needs. Is your Security Architecture SASE-ready?

At RedSpam we have the solutions and services to keep your business security up to date. Contact us today for a free assessment.