SASE — Secure Access Service Edge — is the convergence of network and security delivered as a cloud service. Done well, it dramatically simplifies operations. Done poorly, it is just a vendor's stack rebranded as architecture.

What SASE actually means

Network: SD-WAN, WAN optimisation, secure web gateway, cloud access security broker.

Security: zero trust network access, firewall-as-a-service, data loss prevention, browser isolation.

Identity: every decision in the SASE plane is identity-aware, not just network-aware.

Cloud delivery: the policy plane and enforcement plane are both cloud-native.

Evaluation criteria that matter

Single-vendor versus best-of-breed. Single-vendor is operationally simpler. Best-of-breed gives you better individual components and worse integration.

Point of presence density. SASE only works if there is a PoP within acceptable latency of every user.

Identity integration depth. The SASE platform must integrate cleanly with your identity provider — at scale, at speed, with logging.

Reporting and forensics. The data lake behind the SASE platform is what you will live in during an incident.
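What "living in the data lake" looks like in practice, as an added example that is not part of the original piece and follows no vendor's log schema: the JSON-lines export below is constructed (users, device ids, PoP names and timestamps are invented), and the functions build a per-user timeline, record when each device first appears, and flag allowed access that follows a burst of denials for the same application and device inside a short window. All function and field names are assumptions for illustration.

```python
"""Working a SASE access-log export during an incident (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; users, devices, PoPs and timestamps are invented.
SAMPLE_LOG = """\
{"ts":"2024-05-02T08:01:10Z","user":"alice","device":"LT-0412","app":"wiki","pop":"lon-1","decision":"allow"}
{"ts":"2024-05-02T08:03:42Z","user":"alice","device":"LT-0412","app":"finance-erp","pop":"lon-1","decision":"allow"}
{"ts":"2024-05-02T11:20:05Z","user":"alice","device":"UNK-9f3c","app":"finance-erp","pop":"fra-2","decision":"deny","reason":"posture"}
{"ts":"2024-05-02T11:21:30Z","user":"alice","device":"UNK-9f3c","app":"finance-erp","pop":"fra-2","decision":"deny","reason":"posture"}
{"ts":"2024-05-02T11:24:55Z","user":"alice","device":"UNK-9f3c","app":"finance-erp","pop":"fra-2","decision":"allow"}
{"ts":"2024-05-02T09:15:00Z","user":"bob","device":"LT-0777","app":"wiki","pop":"lon-1","decision":"allow"}
"""


def parse_log(text: str) -> dict[str, list[dict]]:
    """Group events by user and sort by timestamp (exports are rarely ordered)."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_user[ev["user"]].append(ev)
    for evs in by_user.values():
        evs.sort(key=lambda e: e["ts"])
    return dict(by_user)


def device_first_seen(events: list[dict]) -> dict[str, datetime]:
    """First timestamp at which each device id appears for this user."""
    first = {}
    for ev in events:
        first.setdefault(ev["device"], ev["ts"])
    return first


def deny_then_allow(events: list[dict], window=timedelta(minutes=10), min_denials=2) -> list[dict]:
    """Allowed access preceded by at least `min_denials` denials for the same
    app and device within `window`. A run of posture denials that suddenly
    becomes an allow is worth a look: a policy change, a remediated device,
    or a control being worked around."""
    pending = defaultdict(list)   # (app, device) -> denial timestamps since the last allow
    findings = []
    for ev in events:
        key = (ev["app"], ev["device"])
        if ev["decision"] == "deny":
            pending[key].append(ev["ts"])
            continue
        recent = [t for t in pending.get(key, []) if ev["ts"] - t <= window]
        if len(recent) >= min_denials:
            findings.append({"app": ev["app"], "device": ev["device"],
                             "denials": len(recent), "allowed_at": ev["ts"].isoformat()})
        pending[key] = []   # an allow closes the run
    return findings


def investigate(text: str, user: str) -> dict:
    """One-call summary an analyst would pull for a user of interest."""
    evs = parse_log(text).get(user, [])
    return {
        "devices": {d: t.isoformat() for d, t in device_first_seen(evs).items()},
        "pops": sorted({e["pop"] for e in evs}),
        "denials": sum(e["decision"] == "deny" for e in evs),
        "deny_then_allow": deny_then_allow(evs),
    }


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, investigate(SAMPLE_LOG, who))
```

The point of the exercise is not these particular checks but that they are only possible if the platform's export carries user, device, application, PoP and decision on every event with a usable timestamp; that is what to verify when evaluating the reporting tier.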

Common failures

Buying SASE without retiring the legacy stack. Now you operate two stacks instead of one.

Migrating without redesigning policy. Lift-and-shift policy from a perimeter firewall to a SASE platform produces a worse outcome than either alone.

Underestimating the change-management lift. Every endpoint needs a client; every user notices.


This piece is part of the Cylentrix Research Office series. For the deeper reference architecture and engagement model behind it, request a confidential briefing.