Trace Id is missing
Skip to main content
Microsoft Security

What is secure access service edge (SASE)?

Learn how the secure access service edge (SASE) framework unites wide area networking and Zero Trust security to safeguard cloud-based enterprises.

Discover Microsoft’s Zero Trust Solution

SASE defined

Secure access service edge, often abbreviated (SASE), is a security framework that converges software-defined wide area networking (SD-WAN) and Zero Trust security solutions into a converged cloud-delivered platform that securely connects users, systems, endpoints, and remote networks to apps and resources.

SASE has four main traits:

1. Identity-driven:

Access is granted based on the identity of users and devices.

2. Cloud-native:

Both infrastructure and security solutions are cloud-delivered.

3. Supports all edges:

Every physical, digital, and logical edge is protected.

4. Globally distributed:

Users are secured no matter where they work.

The main goal of SASE architecture is to provide a seamless user experience, optimized connectivity, and comprehensive security in a way that supports the dynamic secure access needs of digital enterprises. Instead of backhauling traffic to traditional datacenters or private networks for security inspections, SASE enables devices and remote systems to seamlessly access apps and resources wherever they are—and at any time.

Key components of SASE

SASE can be broken down into six essential elements.

Software-defined wide area network (SD-WAN)

A software-defined wide area network is an overlay architecture that uses routing or switching software to create virtual connections between endpoints—both physical and logical. SD-WANs provide near-unlimited paths for user traffic, which optimizes the user experience, and allows for powerful flexibility in encryption and policy management.

Firewall as a service (FWaaS)

Firewall as a service moves firewall protection to the cloud instead of the traditional network perimeter. This enables organizations to securely connect a remote, mobile workforce to the corporate network, while still enforcing consistent security policies that reach beyond the organization’s geographic footprint.

Secure web gateway (SWG)

A secure web gateway is a web security service that filters unauthorized traffic from accessing a particular network. The goal of a SWG is to zero in on threats before they penetrate a virtual perimeter. A SWG accomplishes this by combining technologies like malicious code detection, malware elimination, and URL filtering.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access is a set of consolidated, cloud-based technologies that operates on a framework in which trust is never implicit and access is granted on a need-to-know, least-privileged basis across all users, devices, and applications. In this model, all users must be authenticated, authorized, and continuously validated before being granted access to company private applications and data. ZTNA eliminates the poor user experience, operational complexities, costs, and risk of a traditional VPN.

Cloud access security broker (CASB)

A cloud access security broker is a SaaS application that acts as a security checkpoint between on-premises networks and cloud-based applications and enforces data security policies. A CASB protects corporate data through a combination of prevention, monitoring, and mitigation techniques. It can also identify malicious behavior and warn administrators about compliance violations.

Centralized and unified management

A modern SASE platform allows IT administrators to manage SD-WAN, SWG, CASB, FWaaS, and ZTNA through centralized and unified management across networking and security. This frees IT team members to focus their energy in other more pressing areas and boosts the user experience for the organization’s hybrid workforce.

Benefits of SASE

SASE platforms offer significant advantages over traditional on-premises network options. Here are some of the primary reasons organizations may want to switch to a SASE framework:

Reduced IT costs and complexity

Legacy network security models rely on a patchwork of solutions to secure the network perimeter. SASE reduces the number of solutions necessary to secure applications and services—saving on IT costs and simplifying administration.

Greater agility and scalability

Because SASE is cloud delivered, both the network and security framework are completely scalable. As your enterprise grows, so can the system, making accelerating digital transformation truly possible.

Built to sustain hybrid work

Where traditional hub-and-spoke networks struggle to handle the bandwidth necessary to keep remote employees productive, SASE maintains enterprise-level security for all users, regardless of how or where they work.

Boosts user experience

SASE optimizes security for users by intelligently managing security exchanges in real time. This reduces latency as users try to connect to cloud applications and services and reduces the organization’s attack surface.

Improved security

In the SASE framework, SWG, DLP, ZTNA, and other threat intelligence technologies converge to provide remote workers with secure access to company resources while reducing the risk of lateral movement in the network. In SASE, all connections are inspected and secured, and threat protection policies are clearly defined up front—no question.

Learn more about proactive Zero Trust security

The difference between SASE and SSE

Security service edge (SSE) is a standalone subset of SASE that focuses exclusively on cloud security services. SSE delivers secure access to the internet by way of a protected web gateway, safeguards SaaS and cloud apps via a CASB, and secures remote access to private apps through ZTNA. SASE also features these components, but expands to include SD-WAN, WAN optimization, and quality of service (QoS) elements.

How to get started with SASE

Successful SASE implementation requires in-depth planning and preparation, as well as continuous monitoring and optimization. Here is some advice for how to plan for and implement phased SASE deployment.

1. Define SASE goals and requirements

Identify the problems in your organization that could be addressed through SASE—as well as expected business outcomes. Once you know why SASE is essential, clarify which technologies can fill the gaps in your organization’s current infrastructure.

2. Select your SD-WAN backbone

Choose an SD-WAN to provide networking functionality, then layer a SSE provider to create a comprehensive SASE solution. Integration is key.

3. Incorporate Zero Trust solutions

Access control should be governed by identity. Complete SASE deployment by selecting a suite of cloud-native technologies with Zero Trust at their core to keep your data as safe as possible.

4. Test and troubleshoot

Before going live with a SASE deployment, test SASE functionality in a staging environment and experiment with how your multicloud security stack integrates with the SD-WAN and other tools.

5. Optimize your SASE setup

As your organization grows and priorities evolve, look for new opportunities for continued and adaptive SASE implementation. Every organization’s path to mature SASE architecture is unique. Phasing implementation helps ensure you can move forward with confidence each step of the way.

SASE solutions for businesses

Every organization that wants to provide comprehensive threat and data protection, accelerate its digital transformation, and facilitate a remote or hybrid workforce should urgently consider adopting a SASE framework.

To get the best results, evaluate your current environment and identify pressing gaps you need to address. Then, identify solutions that allow you to leverage your current technology investments by integrating with current tools that already adhere to Zero Trust principles.

Get started

Learn more about Microsoft Security

Zero Trust solutions

Embrace proactive security with Zero Trust.

Learn more

Microsoft Defender for Cloud

Secure your multicloud infrastructure.

Learn more

Microsoft Entra Private Access

Enable users to securely connect to private apps from anywhere.

Learn more

Microsoft Defender XDR

Secure your end users with threat protection technology.

Learn more

Microsoft Entra Internet Access

Secure access to internet, SaaS, and Microsoft 365 apps.

Learn more

Microsoft Defender for Cloud Apps

Protect your cloud apps with a cloud access security broker.

Learn more

Cloud security

Get integrated protection for your multicloud apps and resources.

Learn more

Microsoft Sentinel

Gain visibility across your entire organization.

Learn more

Frequently asked questions

  • Secure access service edge (abbreviated SASE) is a cloud-based security architecture that converges software-defined wide area network (SD-WAN) with a consolidated cloud-delivered security stack that features SWG, CASB, ZTNA, and FWaaS.

  • SASE architecture is a leading architectural model, powered by a global scalable network, that boosts hybrid workforce productivity and reduces complexity in today’s distributed enterprise environments.

  • SASE differs from traditional network security approaches in the way it inspects and connects users, endpoints, and remote networks to apps and resources. Where traditional enterprise network security options backhaul traffic to private networks and corporate data centers through secure web gateways and firewalls, SASE provides a global, consistent presence at the point of access.

    This model eliminates the poor user experience, operational complexities, costs, and risk of traditional security models, reduces the enterprise attack surface, and enhances IT agility.

  • SASE solutions are made up of six essential elements, which provide a wide range of capabilities:

    1. Software-defined wide area network (SD-WAN): An overlay architecture that creates virtual connections between endpoints.

    2. Secure web gateway (SWG): A web security service that keeps unauthorized traffic from accessing a particular network.

    3. Cloud access security broker (CASB): A SaaS application that acts as a security checkpoint between on-premises networks and cloud-based apps.

    4. Firewall as a service (FWaaS): A solution that moves firewall protection to the cloud instead of the traditional network perimeter.

    5. Zero Trust Network Access (ZTNA): An IT solution that requires all users to be explicitly authenticated, authorized, and continuously validated to access company apps and data.

    6. Centralized and unified management: Policy management from a single console.

  • When properly implemented, SASE allows organizations to ensure secure access no matter where their users, devices, or applications are located. Additionally, SASE offers:

    1. Flexible, comprehensive security—from threat protection to next-generation firewall.

    2. Optimized performance and an improved user experience (for example, reduced latency and on-demand security).

    3. Reduced cost and complexity, thanks to the consolidation of key networking and security functions into fewer solutions.

    4. Agile, scalable network edge, which accelerates digital transformation and IoT adoption and enables the modern hybrid workforce with better productivity and reduce complexity across the organization.

Follow us