N2CON

SASE: A Practical Guide

SASE (Secure Access Service Edge) converges network and security into a cloud-delivered service. It's designed for distributed workforces where users, apps, and data are no longer behind a single perimeter.

Note: This is general information and not legal advice.

Last reviewed: February 2026

Executive Summary

What it is
SASE combines SD-WAN, Zero Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and Firewall-as-a-Service (FWaaS) into a unified cloud platform that secures access regardless of user location.
Why it matters
  • Perimeter-based security doesn't work for remote/hybrid work: users connect from home, coffee shops, and branch offices—traditional "authenticate once, trust forever" VPNs create bottlenecks and blind spots.
  • Cloud apps need cloud security: routing SaaS traffic through a centralized VPN gateway adds latency and doesn't protect against account takeover or data exfiltration.
  • Reduces complexity and cost: consolidating multiple point products (legacy VPN, firewall, web filter, CASB) into a unified cloud service simplifies operations and licensing.
When you need it
  • You have a distributed workforce (remote, hybrid, or multi-site) and legacy VPN performance or management is becoming a problem.
  • You're moving apps to the cloud (SaaS, IaaS) and need consistent security policies regardless of where users connect.
  • You want to reduce reliance on on-premises security appliances and simplify branch office connectivity.
What good looks like
  • Consistent security policies applied at the edge (near users) rather than backhauling traffic through a central data center.
  • Identity-driven access controls that verify user + device + context before granting access to apps and data.
  • Unified visibility and logging across network and security functions—no more stitching together logs from five different vendors.
How N2CON helps
  • We assess your current network and security architecture to identify where SASE components make sense (not everything needs to be replaced at once).
  • We design phased migration paths that maintain business continuity while modernizing remote access and improving user experience.

Common failure modes

  • Rip-and-replace without a plan: turning off existing remote access before SASE policies are tested and tuned leads to outages and user lockouts.
  • Treating SASE as a single product: SASE is a framework—vendors offer different combinations of SD-WAN, ZTNA, CASB, SWG, and FWaaS. Buying one component doesn't give you the full model.
  • Ignoring identity integration: SASE relies on strong identity controls (MFA, device posture, conditional access). Weak identity undermines the entire architecture.
  • No visibility into cloud app usage: deploying SASE without CASB or SWG means you can't see or control what users do in SaaS apps (shadow IT, data exfiltration).
  • Underestimating change management: users expect remote access to "just work." Shifting access patterns requires clear communication, training, and support coverage.

Implementation approach

SASE is best implemented in phases, starting with the highest-pain areas (remote access, SaaS security) and expanding to full network convergence over time.

  1. Assess current state: map where users connect from, what apps they use, and where traffic flows today (remote access, direct internet, branch MPLS).
  2. Start with identity and device posture: ensure strong identity controls (MFA, conditional access) and device management are in place—SASE depends on them.
  3. Pilot ZTNA for high-value apps: start with identity-aware access to specific internal apps (finance systems, admin portals) to prove the model works.
  4. Add SWG and CASB for cloud apps: route SaaS traffic through a secure web gateway to enforce DLP, malware scanning, and shadow IT visibility.
  5. Expand to SD-WAN and FWaaS: once remote access is stable, migrate branch offices and data center connectivity to cloud-delivered networking and firewall services.

Operations & evidence

  • Unified logging: SASE platforms should provide centralized logs for network traffic, security events, and user activity—no more stitching together logs from multiple point products.
  • Policy consistency: security policies (web filtering, DLP, malware scanning) should apply uniformly whether users are on-site, remote, or at a branch office.
  • Performance monitoring: track latency, throughput, and user experience metrics to ensure SASE isn't introducing new bottlenecks.
  • Access reviews: regularly review who has access to what apps and data—SASE makes this easier with identity-driven policies, but it still requires operational discipline.
  • Incident response integration: ensure SASE logs feed into your SIEM and SOC workflows for threat detection and response.
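To make the "unified logging" and SIEM points concrete, here is an added example (not N2CON's code or any vendor's log format) that maps constructed ZTNA, SWG and CASB records, each with its own field names, onto one schema and then runs a simple correlation over them: a user denied by two different SASE components within a short window is surfaced as a single finding. The field names, the JSON shapes and the sample events are all assumptions constructed for the illustration.

```python
"""Normalise constructed SASE component logs into one schema and correlate
across components. Added illustration; every field name here is assumed and
matches no particular vendor's export."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: each component emits its own shape.
RAW_EVENTS = [
    '{"src":"ztna","ts":"2026-02-10T09:00:05Z","user":"alice@example.test","app":"finance-portal","decision":"deny","reason":"device_posture"}',
    '{"src":"ztna","ts":"2026-02-10T09:00:40Z","user":"alice@example.test","app":"finance-portal","decision":"deny","reason":"device_posture"}',
    '{"src":"swg","ts":"2026-02-10T09:02:10Z","username":"alice@example.test","url":"https://files.example.test/upload","action":"block","category":"dlp"}',
    '{"src":"casb","ts":"2026-02-10T09:03:00Z","principal":"bob@example.test","service":"Microsoft 365","verdict":"allow","activity":"login"}',
    '{"src":"ztna","ts":"2026-02-10T09:05:00Z","user":"bob@example.test","app":"admin-portal","decision":"allow","reason":"ok"}',
]


def normalize(raw: str) -> dict:
    """Map one component-specific record onto the unified schema:
    ts, src, user, target, outcome (allow|deny), detail."""
    r = json.loads(raw)
    ts = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    src = r["src"]
    if src == "ztna":
        return {"ts": ts, "src": src, "user": r["user"], "target": r["app"],
                "outcome": r["decision"], "detail": r["reason"]}
    if src == "swg":
        # The web gateway says block/allow; fold that into the shared outcome vocabulary.
        return {"ts": ts, "src": src, "user": r["username"], "target": r["url"],
                "outcome": "deny" if r["action"] == "block" else "allow",
                "detail": r["category"]}
    if src == "casb":
        return {"ts": ts, "src": src, "user": r["principal"], "target": r["service"],
                "outcome": r["verdict"], "detail": r["activity"]}
    raise ValueError(f"unknown source {src!r}")


def correlate(events, window=timedelta(minutes=10)):
    """Flag users whose denied events come from two or more different
    components inside `window`. One finding per user."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "deny":
            by_user[e["user"]].append(e)
    findings = []
    for user, denies in by_user.items():
        denies.sort(key=lambda e: e["ts"])
        for i, first in enumerate(denies):
            in_window = [e for e in denies[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["src"] for e in in_window}
            if len(sources) >= 2:
                findings.append({"user": user, "sources": sorted(sources),
                                 "count": len(in_window)})
                break
    return findings


def run(raw_events=RAW_EVENTS):
    """Normalise all records, then correlate. Returns the list of findings."""
    return correlate([normalize(r) for r in raw_events])


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The point of the normalisation step is that the correlation logic never has to know which product produced an event; swapping a vendor only changes `normalize`. In a real SIEM the same idea is expressed as a parsing/normalisation stage feeding a shared event model.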

Further reading: Gartner SASE definition, NIST SP 800-207 (Zero Trust Architecture).

SASE components explained

SASE is a convergence of multiple technologies. Here's what each component does:

  • SD-WAN (Software-Defined Wide Area Network): intelligently routes traffic across multiple network paths (MPLS, broadband, LTE) to optimize performance and reduce costs.
  • ZTNA (Zero Trust Network Access): identity-driven, application-level access with continuous verification. Users authenticate to specific apps with device posture checks, not blanket network access.
  • CASB (Cloud Access Security Broker): monitors and controls access to SaaS apps (Microsoft 365, Salesforce, etc.), enforcing DLP and detecting risky behavior.
  • SWG (Secure Web Gateway): filters web traffic to block malicious sites, enforce acceptable use policies, and scan for malware.
  • FWaaS (Firewall-as-a-Service): cloud-delivered firewall that inspects traffic and enforces security policies without requiring on-premises hardware.

Not every organization needs all five components immediately. Start with the areas that solve your biggest pain points (usually ZTNA and SWG for remote users).

A note on modern VPNs

Not all VPNs are created equal. The limitations described above apply to legacy VPN architectures—centralized gateways with "authenticate once, trust forever" models.

Next-generation VPN solutions (like WireGuard-based mesh networks) implement Zero Trust principles at the network layer: identity-aware access, device posture checks, per-resource policies, and continuous verification. These can be powerful tools when combined with ZTNA—especially for legacy systems that can't run modern agents or don't support application-layer security.

The right approach often isn't "VPN vs. ZTNA" but rather layered security using both network and identity controls. VPN connection status can serve as a signal for conditional access policies, adding defense in depth.
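The following added example (written for this page, not N2CON's or any vendor's code) shows what "identity + device + context before granting access" and "VPN connection status as a signal for conditional access" look like as a per-resource policy decision. The resource names, group names, posture attributes and policy fields are all assumptions; the shape generalises beyond the three signals the text names, since any further signal is just another check that appends a reason.

```python
"""Per-resource access decision combining identity, device posture and
network context. Added illustration; all names and policies are assumed."""
from dataclasses import dataclass, field


@dataclass
class Context:
    """Signals gathered at request time."""
    user: str
    mfa: bool                 # identity: strong authentication completed this session
    device_managed: bool      # device posture: enrolled in device management
    disk_encrypted: bool      # device posture: encryption reported enabled
    on_vpn: bool              # network context: VPN connection status
    groups: set = field(default_factory=set)


@dataclass
class ResourcePolicy:
    """What a specific application requires before it may be reached."""
    name: str
    allowed_groups: set
    require_mfa: bool = True
    require_managed_device: bool = False
    require_vpn: bool = False   # legacy system reachable only via the network layer


def evaluate(policy: ResourcePolicy, ctx: Context):
    """Return (allowed, reasons). Every failed check is recorded so that the
    access log explains a denial instead of just stating it."""
    reasons = []
    if not ctx.groups & policy.allowed_groups:
        reasons.append("identity: user not in an allowed group")
    if policy.require_mfa and not ctx.mfa:
        reasons.append("identity: MFA not completed")
    if policy.require_managed_device and not (ctx.device_managed and ctx.disk_encrypted):
        reasons.append("device: posture check failed")
    if policy.require_vpn and not ctx.on_vpn:
        reasons.append("network: VPN connection required for this resource")
    return (not reasons, reasons)


# Constructed policies: an app-layer ZTNA resource, a legacy system that also
# needs the VPN signal, and a low-sensitivity internal site.
POLICIES = {
    "finance-portal": ResourcePolicy("finance-portal", {"finance"}, require_managed_device=True),
    "legacy-erp": ResourcePolicy("legacy-erp", {"finance", "ops"},
                                 require_managed_device=True, require_vpn=True),
    "wiki": ResourcePolicy("wiki", {"staff"}),
}


def decide(resource: str, ctx: Context):
    """Default deny: a resource with no policy is never reachable."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, ["no policy defined: default deny"]
    return evaluate(policy, ctx)


if __name__ == "__main__":
    alice = Context("alice@example.test", mfa=True, device_managed=True,
                    disk_encrypted=True, on_vpn=False, groups={"finance", "staff"})
    for res in ("finance-portal", "legacy-erp", "wiki", "unknown-app"):
        print(res, decide(res, alice))
```

Note that the VPN is neither required everywhere nor trusted on its own: for `legacy-erp` it is one more condition on top of identity and posture, which is the layered arrangement the paragraph above describes, while `finance-portal` is reachable off-VPN because the app-layer checks already cover it.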

Need a modern approach to secure remote access?

We help design and implement cloud-delivered security that scales with distributed teams.

Contact N2CON