For decades, corporate security was built on a simple premise: there is an "inside" and an "outside." Inside were the employees, the servers and the data, protected by a perimeter of firewalls in the data center. Outside was the internet, treated as hostile territory. That architecture made sense when everything was physically in the office. Today, with applications in the cloud, a remote workforce and SaaS everywhere, the traditional perimeter has ceased to exist. SASE and SSE are the architectures Gartner proposed to respond to this shift, converging network and security into a service delivered at the cloud edge.

Why the perimeter died

The classic network-security model assumed that valuable assets were concentrated in a corporate data center, and that user traffic necessarily passed through that central point. The perimeter firewall inspected everything coming in and going out. VPNs extended that perimeter to the traveling employee's laptop. It worked well as long as three conditions held: applications lived in the data center, users worked mostly in the office and data did not leak to third-party services.

None of these three conditions is true today. Applications have migrated to IaaS and PaaS (AWS, Azure, Google Cloud) and software consumption has become SaaS: email, CRM, ERP, collaboration and storage now run outside the company's walls. The workforce has dispersed — home office, satellite offices, mobile devices and third parties accessing resources from anywhere. And corporate data has come to reside in dozens of cloud services that the security team often does not even know exist.

In this scenario, forcing all traffic to "come back" to the corporate data center before heading out to the internet — so-called hairpinning or backhaul — creates latency, raises link costs and degrades the user experience. Worse: much of modern traffic would never need to touch the data center, because it goes straight from a remote user to a SaaS app. The physical perimeter has not merely lost relevance; it has become a bottleneck. Security needed to move to where users and data actually are — at the cloud edge.

What SASE is

SASE (Secure Access Service Edge, pronounced "sassy") is a term coined by Gartner in 2019 to describe the convergence of wide-area network (WAN) functions with network-security functions, both delivered as a unified service from the cloud, close to the user. Instead of buying separate hardware boxes — an SD-WAN from one vendor, a firewall from another, a web proxy from a third — the organization consumes a single edge service that integrates connectivity and security.

The core idea is convergence. Historically, network and security evolved as silos, with distinct teams, vendors and consoles. SASE starts from the premise that, when policy is based on identity and context (who the user is, from which device, to which application, with what risk), it makes more sense to decide connectivity and security at the same point and with the same intelligence. Access is granted dynamically according to the entity's identity, real-time context and corporate policies — not according to physical location on the network.

Architecturally, SASE is delivered by a global mesh of points of presence (PoPs) in the cloud. User traffic — whether at home, in the office or in a café — travels up to the nearest PoP, where the security inspection happens once, and from there heads to the destination (internet, SaaS or private application) via the most efficient path. This eliminates the backhaul and places the security policy just a few milliseconds from the user.

The components of SASE

SASE is made up of a network side and a security side. The network side is essentially SD-WAN (Software-Defined WAN), which optimizes and intelligently routes traffic between branches, cloud and users, choosing the best path and applying quality of service. The security side is known as SSE (Security Service Edge) and brings together four main capabilities.

ComponentCategoryFunction
SD-WANNetworkIntelligent routing of traffic between sites, cloud and users; path optimization and QoS; replaces rigid MPLS with flexible links.
SWG (Secure Web Gateway)Security (SSE)Inspects outbound web traffic, applies URL/content filtering, blocks malware and enforces acceptable-use policies.
CASB (Cloud Access Security Broker)Security (SSE)Provides visibility and control over SaaS usage, discovers shadow IT, applies DLP and governs data in cloud applications.
ZTNA (Zero Trust Network Access)Security (SSE)Grants access to private applications by identity and context, application by application, without exposing the network — the modern replacement for the VPN.
FWaaS (Firewall as a Service)Security (SSE)Next-generation firewall delivered in the cloud, with inspection of all ports and protocols, IPS and segmentation, with no physical appliance.

SWG — Secure Web Gateway

The SWG is the guardian of web traffic. It brokers users' browsing, decrypts and inspects TLS connections, applies URL category and reputation filters, blocks malicious downloads and prevents access to phishing sites or those not compliant with policy. It is the evolution of the old corporate proxy, now delivered in the cloud and following the user wherever they are.

CASB — Cloud Access Security Broker

The CASB solves the problem of shadow cloud. It discovers which SaaS services are being used (including unauthorized ones), assesses their risk, applies data loss prevention (DLP) and controls sensitive actions such as external file sharing. To understand this layer in depth, see our dedicated guide to CASB.

ZTNA — Zero Trust Network Access

ZTNA is the materialization of Zero Trust principles in application access. Instead of placing the user "inside" the network — as a VPN does — ZTNA creates point-to-point connections between the user and only the specific application they are allowed to access, after verifying identity and device posture. The application is never exposed to the internet and the user never "sees" the network.

FWaaS — Firewall as a Service

FWaaS brings the capabilities of a next-generation firewall to the cloud: inspection of all ports and protocols, intrusion prevention, application control and segmentation, all delivered as an elastic service, without the need to size and maintain appliances at every site.

SSE vs SASE — what is the difference

Confusion between the terms is common, so it is worth fixing: SSE is the security part of SASE. Gartner introduced the term SSE (Security Service Edge) in 2021 precisely to name the security subset — SWG, CASB, ZTNA and FWaaS — separately from the network side (SD-WAN). In other words:

  • SASE = SSE + network (SD-WAN). It is the complete vision, converging connectivity and security.
  • SSE = only the security layer at the cloud edge. It is the most common adoption path for those who already have a defined WAN strategy or want to prioritize modernizing security.

In practice, many organizations start with SSE. Modernizing security — replacing the VPN with ZTNA, adopting SWG and CASB to protect access to the web and to SaaS — tends to have a faster return and fewer dependencies than a full WAN transformation, which involves link contracts and re-engineering branches. Adopting SSE first and converging with SD-WAN later is a perfectly valid journey toward SASE.

ZTNA replacing the VPN

Of all the components, ZTNA is the one that demonstrates value most quickly, because it attacks a concrete and universal pain: the VPN. The traditional VPN was designed for a world in which remote access was the exception. It works by placing the remote device "inside" the corporate network, granting — in most implementations — broad lateral access. This creates three serious problems: a user's compromised device becomes an entry point to the entire network; the attack surface of the VPN concentrator is exposed to the internet; and the experience is slow because of backhaul.

ZTNA inverts the model. Nothing is trusted by default. Each access request is verified individually based on the user's identity, the device's security posture and context (location, time, risk). Access is granted to one application at a time, following the principle of least privilege, and never to the entire network. Applications are kept "dark" — invisible to anyone not authorized — dramatically reducing the attack surface. It is the reason analysts project the progressive replacement of legacy VPNs by ZTNA as the standard for corporate remote access.

Benefits of the SASE/SSE model

Convergence brings gains that traditional silos could not deliver:

  • A single, consistent policy. The same identity-based security policy applies to the user in the office, at home or traveling, for web, SaaS and private-application traffic. It ends the fragmentation of rules across different appliances.
  • Unified visibility. All traffic passes through the same mesh, producing a consolidated record of who accessed what, from where and with what result — an essential input for detection, investigation and compliance.
  • Lower latency and a better experience. Inspection happens at the PoP nearest the user and traffic goes straight to the destination, eliminating backhaul and improving the performance of cloud applications.
  • Reduced complexity and cost. Fewer appliances to buy, size, update and replace. Capacity scales elastically in the cloud, keeping pace with remote-work spikes without new hardware investments.
  • A smaller attack surface. Private applications are no longer exposed to the internet and lateral access is contained by default, aligned with Zero Trust principles.

How to evaluate and adopt

Adopting SASE or SSE is a journey, not a one-off purchase. Some practical guidance for organizations of any size:

  • Map the starting point. Identify which applications are SaaS, which are private, where the users are and where traffic flows today. Without that inventory, it is impossible to size the solution.
  • Prioritize by pain. If the VPN is the biggest problem, start with ZTNA. If the risk lies in uncontrolled SaaS usage, start with CASB and SWG. SSE lets you adopt layer by layer.
  • Demand real convergence. Prefer platforms where SWG, CASB, ZTNA and FWaaS share a single console, a single policy and a single agent on the endpoint — not a set of products acquired and merely "wrapped" under the same brand.
  • Evaluate the global PoP mesh. The quality of the experience depends on the proximity of the points of presence to your users. Check coverage, capacity and availability SLA.
  • Anchor on identity. SASE only delivers its value when integrated with a robust identity provider (SSO, MFA) and with device-posture assessment.
  • Measure and iterate. Start with a pilot group, validate the experience and the effectiveness of the policies, and expand gradually. Convergence is a maturing process.

References

  • Gartner — "The Future of Network Security Is in the Cloud" (2019), the document that coined the term SASE.
  • Gartner — Market Guide and Magic Quadrant for Security Service Edge (SSE), which formalize the edge-security category.
  • NIST SP 800-207 — "Zero Trust Architecture," the conceptual basis for ZTNA and for the SASE trust model.

Edge security in practice, with Decripte

Migrating from the traditional perimeter to a SASE/SSE architecture is not merely a technical decision — it is a change in security posture that affects everything from a five-person team to operations with more than a hundred thousand employees. The right starting point depends on where your data, your users and your risks are. Decripte helps organizations of all sizes map that surface, prioritize the adoption journey and implement Zero Trust access controls incrementally and measurably.

Want to understand where your organization is exposed today? Start for free through our intelligence center and see your risk in minutes, or explore our plans for an end-to-end guided implementation.