Gartner published its SASE definition in 2019. It envisaged a single cloud-native security and networking stack that would reduce the complexity of IT operations, reduce the need for physical firewalls and other appliances, simplify security management and improve security posture, writes Renuka Nadkarni, Chief Product Officer, Aryaka.
According to Metro Ethernet Forum principal analyst Stan Hubbard, commenting on the results of a survey three years later: “[Respondents] agreed the organisational challenge of integrating networking and security is ‘huge’ for customers migrating to a SASE solution.”
In other words, SASE appeared to exacerbate the problem it set out to solve: complexity. The irony won’t be lost on CIOs.
SASE adoption a priority, but...
In an IDC survey of European companies published in 2024, 40% of respondents identified SASE adoption as a top priority for their organisation. However, the survey noted many of the same challenges as the MEF poll, namely the complexity of integration, pressure on skills and training, and migration/deployment issues caused by legacy architecture.
In 2025, CIOs face the same dilemma: how to plot a route to SASE nirvana while unwinding legacy investments and avoiding the twin monsters of cost and complexity.
SASE is an approach that integrates networking and security functions into a single solution. It addresses the challenges of securing distributed workforces, hybrid cloud infrastructures and modern application needs by combining software-defined wide area networking (SD-WAN) capabilities with security services such as secure web gateways (SWG), firewall as a service (FWaaS), zero-trust network access (ZTNA) and cloud access security brokers (CASBs).
Eliminating backhauling, but performance is...
SASE also promised to resolve performance issues, particularly for remote users and branches, by optimising routing and reducing latency. A basic design principle was to eliminate the backhauling of data for inspection by remote firewalls and the performance-sapping characteristics of traditional VPNs.
While SASE identified the right problem, it came with a few of its own.
Firstly, SASE solutions are typically security-heavy and fail to deliver on their performance claims. The SD-WAN component of SASE depends on underlying Internet transport with variable performance. Nor does SD-WAN solve the connectivity problems faced by remote users, particularly in the last mile. Expect to see performance challenges increase with bandwidth-intensive AI and GenAI workloads involving massive data transfers.
Secondly, the concept was converged but the platforms weren’t. The haste to assemble a full SASE offering often resulted in patchy, fragmented or poorly integrated solutions, negating SASE’s prime purpose: to unify and simplify the management of networks and security.
What should a CIO ask about SASE?
So, with universal agreement that SASE is a great destination but with an equally broad consensus about the perils of the journey, what are the questions the CIO should ask?
Is it a single or multi-vendor platform? Most CIOs are trying to reduce the number of vendors they deal with to manage costs, improve accountability and simplify operations. This matters if you’re deploying an on-prem solution, but it also matters for managed SASE services. If the parts of the service are from different providers, that could affect the quality and reliability experienced by staff and customers.
Who runs the network backbone? Very few SASE providers have their own global network infrastructure. Most rely on multiple service providers with inconsistent service level agreements (SLAs), potentially affecting performance and reliability.
Where are points of presence (PoPs) located? The PoPs that connect the network to the Internet should be globally distributed and ideally co-located with the data centres of major cloud and SaaS providers to maximise proximity to cloud workloads and application performance.
Single or multi-pass architecture? This is critical. Single pass means that processing and inspection of packets is simultaneous. In a multi-pass architecture, where there may be multiple steps, expect lower performance and a higher risk of security policy inconsistencies.
What systems or processes that I run today could be retired because of this deployment? SASE as a service should obviate the need for much of the network hardware in use today. Moving to firewall as a service will not only present opportunities for consolidation of current branch firewall appliances but should also improve overall security posture.
Is it available as a service? Just as compute and storage have been virtualised, it is inevitable that networking and security infrastructure will follow, for all the same reasons: cost, elasticity, operational simplicity and management control. SASE as a service is closer to the original SASE concept than DIY on-prem or hybrid deployments. It has greater flexibility, including the ability to turn capacity up or down according to demand. Buying SASE as a service also eliminates many of the operational overheads of deployment and ongoing management.
Is it unified? It’s a first principle of a fully converged networking and security architecture that all the elements of the platform should be fully integrated, but that’s a meaningless statement unless “unified” results in single policy control, universal ZTNA for secure remote user connectivity, one ‘pane of glass’ to replace multiple consoles for managing and provisioning, and single pass processing of networking and security. Finally, if the service you buy depends on elements from multiple providers, how many SLAs are you really signing up to?
What SASE should do
Any SASE platform should:
- Simplify IT operations by consolidating networking and security services
- Enhance performance and user experience through optimised connectivity
- Achieve zero trust principles for securing users, devices and data across any location
- Support compliance with evolving regulatory standards like GDPR and CMMC.
However, SASE often fails to deliver because technical, architectural and implementation limitations result in trade-offs between security and performance. Many existing SASE platforms are complex and hard to manage in global environments, forcing enterprises to choose which of the four main benefits (performance, agility, security and simplicity) they can afford to do without.
A new industry category, Unified SASE as a Service, is emerging to redress the balance. The aim is not to offer an alternative to the original SASE goals, but to remove the cost and complexity barriers that have hindered adoption.