What is SASE (Secure access service edge)?

SASE, or secure access service edge, is a cloud-delivered architecture that combines software-defined wide area networking with security services, so organizations can connect and secure users, devices, branches, and applications through one consistent policy framework.


SASE brings together networking and security functions that have traditionally been delivered as separate products. These services extend secure access not only to users, devices, and applications, but also to branch and campus locations. On the networking side, SASE includes software-defined wide area networking (SD-WAN). On the security side, SASE includes at a minimum secure web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS), and zero trust network access (ZTNA). Many security providers deliver functionality beyond that core. These services are delivered from the cloud and applied at distributed enforcement points close to users and applications.

Gartner introduced the SASE category in 2019 to describe the convergence of wide-area networking and network security functions into a primarily cloud-delivered model for dynamic secure access. SASE is a key architecture that organizations use to operationalize the zero trust principles described in NIST Special Publication 800-207, which calls for verifying every user, device, and request rather than trusting based on network location.

Why is SASE needed?

Users, applications, and data no longer sit behind a single network perimeter. Employees, contractors, and vendors connect from branches, campuses, offices, homes, and the road. Applications run in private data centers, in software-as-a-service (SaaS) platforms, and across multiple public and private clouds. The traffic patterns that traditional network and security architectures were designed for, where users sat in offices and applications sat in data centers, no longer reflect how work actually happens.

Legacy remote access compounds the problem. Many organizations still rely on virtual private networks (VPNs) that grant broad access to a network segment after a user logs in, and that backhaul traffic to a central data center to apply security before sending it on to its destination. This approach is costly to scale, slow for cloud and SaaS access, and over-permissive in a world where any compromised account can become a path for lateral movement.

The rapid growth of AI assistants and agentic AI adds a new dimension to this problem. Agentic AI and GenAI traffic introduce new traffic patterns, push more automated workflows to cloud services, and open new security gaps that perimeter-based controls were never designed to address. As more users, devices, and automated workflows reach cloud applications, organizations need a way to apply consistent security policy to this traffic wherever it originates and wherever it is bound.

SASE is one response to these pressures. By converging networking and security into a cloud-delivered architecture, SASE allows organizations to apply consistent security policy wherever users are, route traffic directly to the applications it needs to reach, replace broad network-level trust with identity- and context-aware access decisions, and protect this new AI-driven traffic.

What does SASE converge?

SASE brings networking and security controls into one cloud-delivered architecture, so a single policy framework governs how users securely access applications across any location.

| Component | Role in SASE | Why it matters |
| --- | --- | --- |
| SD-WAN | Optimizes traffic across branch, cloud, data center, and internet connections | Improves application experience and reduces dependence on backhaul |
| SWG | Inspects web traffic and helps block malicious sites and risky downloads | Protects users accessing the internet from any location |
| CASB | Adds visibility and control for SaaS and cloud application use | Helps enforce data and cloud application security policy |
| FWaaS | Delivers firewall controls from the cloud | Applies network security policy without relying only on appliance enforcement |
| ZTNA | Verifies user, device, and application context before granting access | Limits access to approved applications instead of full network access (least-privilege access) |

Each of these services existed before SASE as a separate product category. What SASE changes is the delivery model and the integration. Instead of running separate appliances and consoles for SD-WAN, web filtering, cloud application control, firewalling, and remote access, organizations use cloud-delivered services that share identity, policy, and visibility. The result is fewer enforcement points to configure, fewer policy gaps between products, faster troubleshooting for IT teams, and a more resilient architecture, all of which lower overall risk and create a more consistent experience for users wherever they connect.

What are the core components of SASE?

SASE combines several networking and security services. Each is a category, with deeper detail available on its dedicated page.

Software-defined wide-area networking (SD-WAN). A network architecture that uses software to direct traffic across multiple connection types so that branch, cloud, data center, and internet traffic each take an efficient path.

Secure web gateway (SWG). A cloud-delivered service that inspects user web traffic and helps block malicious sites, risky downloads, and policy-violating activity.

Cloud access security broker (CASB). A service that adds visibility and security policy controls for use of SaaS and other cloud applications.

Firewall-as-a-service (FWaaS). Cloud-delivered firewall capability that applies network-layer policy without depending solely on appliance enforcement at each location.

Zero trust network access (ZTNA). A service that grants users access to specific applications based on continuously evaluated identity, device, and context signals, rather than placing them on a network segment.

Unified policy and visibility. A common control plane that lets administrators define access and security policy once and apply it across all of the services above, with shared logs and reporting.

What is the difference between SASE and SSE?

Security service edge (SSE) is the security-services portion of SASE. SASE is broader because it adds the SD-WAN networking layer that connects users, sites, devices, and agents, including branch-to-branch and branch-to-campus connections, to those security services where permitted by policy.

| Component | In SASE? | In SSE? |
| --- | --- | --- |
| SD-WAN | Yes | No |
| Secure web gateway | Yes | Yes |
| Cloud access security broker | Yes | Yes |
| Firewall-as-a-service | Yes | Yes |
| Zero trust network access | Yes | Yes |
| Unified cloud security policy | Yes | Yes |
| Network and traffic optimization | Yes | Limited to security traffic paths |

Organizations that already have a modern wide-area networking strategy in place sometimes adopt SSE first to consolidate their cloud-delivered security services and add the SD-WAN layer later. Organizations that want to address networking and security together, especially those modernizing branch connectivity at the same time, tend to adopt SASE as a single architecture. Both paths can lead to the same end state.

How does SASE work?

In a SASE architecture, user traffic is routed to a cloud-delivered enforcement point that evaluates each request against policy. Rather than sending traffic back to a central data center for inspection, the enforcement point sits close to the user, makes an access decision based on signals such as identity, device posture, application, destination, data sensitivity, and threat intelligence, and then forwards approved traffic to its destination.

SASE architectures share a common set of characteristics:

Cloud-native enforcement at distributed points of presence. Inspection and policy run in the cloud, close to users and applications, rather than in a central appliance.

Single-pass inspection. A request is evaluated by multiple security services in one traversal, instead of being routed serially through separate products.

Unified policy across access paths. The same policy framework applies whether a user is accessing the open internet, a SaaS application, or a private application.

Direct internet and SaaS access. Internet or SaaS traffic does not have to be backhauled to a data center for security before reaching the destination cloud applications, which reduces latency.

Centralized visibility. Logs, policy, and reporting are managed from a common control plane across networking and security functions.
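The following is an added illustration, not Cisco code and not part of the original page. It models the request flow described in this section as a small single-pass policy engine: one request context (identity, device posture, destination, application, data sensitivity, threat verdict) is built once and evaluated by FWaaS, SWG, CASB, and ZTNA checks in one traversal, with the first deny short-circuiting the pass and a shared audit record produced either way. The ZTNA check grants a named application rather than a network segment, which is the least-privilege behaviour the page contrasts with VPN access. All users, groups, hostnames, ports, application names, and policy tables are constructed for the example.

```python
"""Toy single-pass SASE policy engine (added example; constructed data throughout)."""
from dataclasses import dataclass, replace
from typing import Callable, Optional


@dataclass(frozen=True)
class RequestContext:
    """Signals the enforcement point collects once per request."""
    user: str
    groups: frozenset           # identity provider group memberships
    device_managed: bool        # device posture: enrolled in management
    device_patched: bool        # device posture: OS patch level current
    destination: str            # resolved destination hostname
    port: int                   # destination port
    app: str                    # classified app: "internet", "saas:<name>", "private:<name>"
    data_labels: frozenset      # sensitivity labels attached to the payload
    threat_verdict: str         # threat-intelligence verdict: "clean" | "unknown" | "malicious"


@dataclass(frozen=True)
class Decision:
    allow: bool
    service: str                # which service produced the decision
    reason: str


# Constructed policy tables; a real deployment pulls these from the control plane.
BLOCKED_PORTS = {23, 445}                               # FWaaS: never allow telnet/SMB egress
SANCTIONED_SAAS = {"saas:m365", "saas:salesforce"}      # CASB: approved SaaS applications
PRIVATE_APPS = {"private:payroll": {"finance"},         # ZTNA: published app -> entitled groups
                "private:git": {"engineering"}}


def fwaas(ctx: RequestContext) -> Optional[Decision]:
    """Network-layer policy applied in the cloud instead of at a branch appliance."""
    if ctx.port in BLOCKED_PORTS:
        return Decision(False, "fwaas", f"port {ctx.port} is blocked by network policy")
    return None


def swg(ctx: RequestContext) -> Optional[Decision]:
    """Web inspection: block destinations flagged by threat intelligence."""
    if ctx.threat_verdict == "malicious":
        return Decision(False, "swg", f"{ctx.destination} is flagged as malicious")
    return None


def casb(ctx: RequestContext) -> Optional[Decision]:
    """Cloud-app control: no confidential data to unsanctioned SaaS."""
    if ctx.app.startswith("saas:") and ctx.app not in SANCTIONED_SAAS \
            and "confidential" in ctx.data_labels:
        return Decision(False, "casb", f"confidential data to unsanctioned app {ctx.app}")
    return None


def ztna(ctx: RequestContext) -> Optional[Decision]:
    """Per-application access: identity, posture, and entitlement, never a subnet."""
    if not ctx.app.startswith("private:"):
        return None
    entitled = PRIVATE_APPS.get(ctx.app)
    if entitled is None:
        return Decision(False, "ztna", f"{ctx.app} is not a published application")
    if not (ctx.device_managed and ctx.device_patched):
        return Decision(False, "ztna", "device posture check failed")
    if not (ctx.groups & entitled):
        return Decision(False, "ztna", f"{ctx.user} is not entitled to {ctx.app}")
    return None


SERVICES: tuple = (fwaas, swg, casb, ztna)


def evaluate(ctx: RequestContext) -> Decision:
    """Single pass: every service sees the same context; first deny wins."""
    for service in SERVICES:
        verdict = service(ctx)
        if verdict is not None and not verdict.allow:
            return verdict
    return Decision(True, "policy", f"{ctx.user} -> {ctx.app} permitted")


def audit_record(ctx: RequestContext, decision: Decision) -> dict:
    """Shared log record for the centralized visibility layer."""
    return {"user": ctx.user, "app": ctx.app, "destination": ctx.destination,
            "allow": decision.allow, "service": decision.service, "reason": decision.reason}


# Constructed baseline request: a finance user on a healthy managed laptop opening payroll.
BASELINE = RequestContext(user="alice", groups=frozenset({"finance"}), device_managed=True,
                          device_patched=True, destination="payroll.internal.example",
                          port=443, app="private:payroll", data_labels=frozenset(),
                          threat_verdict="clean")


def example_requests() -> dict:
    """Named scenarios derived from the baseline, one per enforcement path."""
    return {
        "finance_payroll": BASELINE,
        "wrong_group": replace(BASELINE, user="bob", groups=frozenset({"engineering"})),
        "unpatched_device": replace(BASELINE, device_patched=False),
        "smb_egress": replace(BASELINE, app="internet", destination="files.example.net", port=445),
        "confidential_to_unsanctioned": replace(BASELINE, app="saas:pastebox",
                                                destination="pastebox.example.net",
                                                data_labels=frozenset({"confidential"})),
        "malicious_site": replace(BASELINE, app="internet", destination="bad.example.net",
                                  threat_verdict="malicious"),
    }


if __name__ == "__main__":
    for name, ctx in example_requests().items():
        print(name, audit_record(ctx, evaluate(ctx)))
```

Two design points worth noting. The services share one context object, so the identity and posture signals are gathered once rather than re-derived by each product, which is the "shared identity, policy, and visibility" benefit the page describes. And the ZTNA decision names an application, not a network: a user denied for `private:payroll` is not on any segment from which they could reach it, which is the difference from the VPN model discussed earlier.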

How does SASE relate to Zero Trust?

SASE and Zero Trust are related but distinct. Zero Trust is a security model based on continuously verifying the identity of every user, device, and agent and granting only least-privilege access, the access needed for a specific request at that moment. SASE makes Zero Trust easier to enforce: it simplifies consistent policy enforcement everywhere while optimizing the user experience, so users are less likely to resort to workarounds that weaken security.

Within a SASE architecture, ZTNA is the capability that helps enforce least-privilege access to specific applications based on identity, device posture, and context. For the broader security model behind this approach, see "What is Zero Trust?" For a deeper explanation of ZTNA, see "What is Zero Trust Network Access (ZTNA)?"

Common questions about SASE

SASE is a cloud-delivered architecture that combines wide-area networking with security services such as secure web gateway, cloud access security broker, firewall-as-a-service, and zero trust network access. It allows organizations to apply one consistent policy across how users reach applications, regardless of where the user or the application is located.

SASE stands for secure access service edge. Gartner introduced the term in 2019 to name the convergence of network and security services into a primarily cloud-delivered model.

Security service edge (SSE) is the security services portion of SASE, including secure web gateway, cloud access security broker, firewall-as-a-service, and zero trust network access. SASE includes everything in SSE plus the SD-WAN networking layer that connects users, sites, devices, and agents, including branch-to-branch and branch-to-campus connections, to those services where permitted by policy.

SASE typically includes SD-WAN, secure web gateway, cloud access security broker, firewall-as-a-service, zero trust network access, and a unified policy and visibility layer that ties them together. Many SASE providers offer more than this core functionality set. Each component is a category in its own right; SASE changes the delivery model by combining them into one cloud-delivered architecture.

SASE is an architecture that can enforce Zero Trust principles across network and cloud access paths, while Zero Trust is the underlying security model. Within a SASE architecture, zero trust network access (ZTNA) is the component that grants application-specific access based on continuously evaluated identity and context.

Next steps

Start by mapping which users, devices, and applications need secure access, including where you have agentic workflows and GenAI app access to protect, then prioritize the locations where network and security convergence will have the most impact.

When you are ready to evaluate options, explore the Cisco SASE solution, which converges networking and security functions, including SD-WAN, SWG, ZTNA, DNS-layer security, and CASB. For the cloud-delivered security service edge (SSE) at the core of that approach, see Cisco Secure Access, a converged SSE solution grounded in zero trust for secure access from anywhere users work.