A new architecture model.

When the first SD-WAN solutions came on to the market a couple of years ago, the technology rapidly became synonymous with company-wide WAN transformations. Companies that wanted to patch the weaknesses of wide area networks saw no choice other than to introduce SD-WAN. But, as we know now, the first generation of SD-WAN simply ignored many of the network and security challenges that digital transformation brings with it.

A new architecture model, introduced in early 2020, is believed by analysts to master these challenges. The term SASE—pronounced “sassy”—was coined by Gartner analysts for the first time in 2019.

What do we need SASE for, and what are the differences to a traditional SD-WAN approach?

In traditional enterprise architectures, the data centre has always played the central role with internet access provided via internal security gateways. Replacing the industry standard MPLS with SD-WAN didn’t change this process—which was seen as a problem by many.

Since the introduction of cloud services, mobile end devices and IoT, the private data centre is no longer the centre of the company network. Backhauling data traffic from company locations to the data centre doesn’t always make sense and MPLS connection problems in the context of clouds also have to be addressed. This raises the necessity of finding out how to establish security checks all across the company network, whether directly in the data centre, at the location or—especially since Covid-19—at the workstations of remote workers. These checks have to be carried out consistently, regardless of their location.

SASE can help.

SASE combines network security functions such as SWG, CASB, FWaaS and ZTNA with WAN capabilities (hence the name SD-WAN) to provide organisations with dynamic and secure access. This new type of security and network architecture, the SASE platform, connects and provides company units the right protection based on their real-time context and in adherence with the company guidelines.

Instead of directing the data traffic back into the data centre via backhaul, where it is examined by firewalls and other security platforms, SASE brings the security checks to the location or a PoP (Point of Presence) nearby, where it checks and directs the traffic into the internet (cloud) or via a global SASE backbone to other SASE systems (meshed network).

A SASE system can be a mobile end device with an SASE agent, but it can also be an IoT device, a mobile user with clientless access or an appliance at a location. SASE combines these previously non-uniform network and security services for fixed and agile users—and IoT devices and cloud services—into one uniform service that is oriented towards the user context.

The best possible application performance.

SASE delivers the best possible network performance for all applications to every point of the company network. For this purpose, SASE provides a global SD-WAN service that interconnects different channels (broadband, leased lines, 4G/5G) to a private backbone. This private network solves well-known latency issues and quality-of-service restrictions of the global internet.

Connectivity is not everything.

The new SASE services not only connect devices, but are also capable of protecting the IT infrastructures behind them. This is where coding and decoding incoming data traffic plays an important role. In addition to SASE services such as next-generation firewalling, AV and malware scanning, and IPS (Intrusion Prevention System), the system also includes security-specific services such as DNS-based protection and DDoS protection (distributed denial of service). This allows company-specific and legal guidelines such as the GDPR to be implemented using the routing and security guidelines of a fully-fledged SASE solution.

Cloud-native architecture.

Ideally, a SASE service uses a cloud-native architecture without any specific dependencies on the hardware. On the same note, appliances shouldn’t be interconnected in one service chain. The SASE service software can be scaled as needed, is designed for maximum cost reduction, supports multitenancy and can be aggregated quickly for fast service expansion e.g. by using a global URL filter.

Customer-specific adjustments for customer premises equipment (CPE) can be realised locally. However, these SASE end devices should be turnkey and rolled out via zero touch deployment to make life easier for administrators.


In contrast to other managed network services, the SASE architecture provides services that are based on the identity and the context of the individual network sources. The identity covers a variety of elements, including the original user, the device used and real-time factors such as the time and the location of the device.

A clear picture of the threat at hand improves IT security.

This new perspective of our traffic networks also entails highlighting the threat at hand and including these insights into the design of new structures.

Just as managing vulnerabilities is much more complex than a corporate IT organisation would like it to be, so is defining what a vulnerability is in the first place, as this determines the threat a company is exposed to. Technical insufficiencies in the network are one thing, but there’s also another factor that is often overlooked—specific company, market and regional loopholes. The IT managers should not only check the status of internal assets but also the actors that are currently attacking a company’s IT from outside. This will provide a clear picture of the threat at hand and effectively improve security.

SASE’s advantages at a glance.

The SASE architecture can provide many advantages to your company. These include:

  • Less complexity and reduced costs by simplifying the WAN and reducing the equipment needed in branch.
  • Enhanced performance via latency-optimised routing and the bundling of different transport technologies.
  • Improved security via efficient content scanning and the implementation of an effective security guidelines policy for every user, regardless of the device or context.
  • Improved IT operation via centralised SD-WAN management, a uniform definition of guidelines, extensive scalability (in parts independent of the hardware), up-to-date security and more time to focus on core business.

Let our SD-WAN specialists from the BISS Competence Centre (Bechtle Internet Security and Services – E-mail: security@bechtle.com) educate you on SD-WAN and SASE, and help you prepare your digital transformation.

Also, read our blog on traditional SD-WAN.

Blog: Secure sd-wan