SASE: How Does It Work and How Does it Compare to SD-WAN?
Learn what secure access service edge (SASE) is, how it compares to SD-WAN, and why businesses are adopting it for better security and network performance.

Apr 3, 2025
The software-defined wide area network (SD-WAN) has become the de facto standard for connecting dispersed offices so they can communicate with each other. Businesses with field offices, retailers or restaurants with multiple locations, and enterprises have come to rely on SD-WAN for connectivity between branch sites. However, a newer option has emerged: secure access service edge (SASE).
SASE works by delivering security and connectivity directly to users, regardless of their location. Rather than routing traffic through a centralized data center, SASE leverages a distributed cloud architecture, allowing users to access applications securely over the internet. This approach enhances performance and reduces latency by enabling direct connections to cloud resources.
How SD-WAN Works
SD-WAN has two primary elements: an underlay network and an overlay network. The underlay network may consist of only a single connection to the public internet, but in the majority of cases, it leverages different combinations of public and private WAN connections. Most often, companies use at least two different connections at each location to create redundancy. That way, if one connection is interrupted or fails, users can still access the network via the other.
The overlay network is created on top of the underlay network. This overlay creates a private, encrypted WAN that connects multiple sites, prioritizes and routes traffic, measures the network’s health, and tracks analytics. If a part of the underlay network fails, the overlay has the intelligence to reroute traffic over an alternative path. This is why SD-WAN is sometimes called a smart virtual private network.
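The rerouting behaviour described above, sketched as an added example (not code from the original article or from any SD-WAN product). The link names, health figures and per-class limits are constructed assumptions, and holding traffic when every link is down is a design choice made for this sketch.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str          # underlay connection label (constructed)
    up: bool
    latency_ms: float
    loss_pct: float

# Constructed per-class limits; real products expose their own policy settings.
SLA = {
    "voice": {"latency_ms": 150.0, "loss_pct": 1.0},
    "bulk":  {"latency_ms": 400.0, "loss_pct": 5.0},
}

def meets_sla(link, app_class):
    limit = SLA[app_class]
    return (link.up
            and link.latency_ms <= limit["latency_ms"]
            and link.loss_pct <= limit["loss_pct"])

def select_path(links, app_class):
    """Pick the underlay link the overlay tunnel uses for one traffic class.

    Returns None when every link is down: traffic is held (fail closed)
    rather than sent outside the encrypted overlay.
    """
    live = [l for l in links if l.up]
    if not live:
        return None
    compliant = [l for l in live if meets_sla(l, app_class)]
    # Prefer links inside the SLA; if none qualify, use the least-bad live link.
    pool = compliant or live
    return min(pool, key=lambda l: (l.loss_pct, l.latency_ms)).name

def demo():
    private = Link("private-wan", True, 40.0, 0.1)
    internet = Link("broadband", True, 25.0, 0.8)
    links = [private, internet]
    results = [select_path(links, "voice")]      # both links healthy
    private.up = False                           # one underlay connection fails
    results.append(select_path(links, "voice"))  # overlay reroutes
    internet.loss_pct = 3.0                      # survivor degrades past voice limit
    results.append(select_path(links, "voice"))  # still the only live path
    results.append(select_path(links, "bulk"))   # within the looser bulk limit
    internet.up = False                          # total underlay outage
    results.append(select_path(links, "voice"))  # nothing left to carry traffic
    return results

if __name__ == "__main__":
    print(demo())
```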
SD-WAN has been the go-to network architecture because, overall, it makes it easy to build a reliable, flexible, and intelligent network. This is also why SD-WAN is rapidly taking share from MPLS, and the SD-WAN mergers and acquisitions market has been so hot!
Taking SD-WAN to a New Level with SASE
In the last few years, a new cloud- and security-focused networking option has grown in popularity. In 2019, Gartner named it “secure access service edge” and used the acronym SASE (pronounced “sassy”) for the new approach to network architecture. At its most basic level, SASE is SD-WAN and network security elements rolled up into a single solution.
In light of the current cybersecurity landscape, it’s easy to see the appeal of security-centric SASE. Verizon’s 2020 Data Breach Investigations Report states that external attacks on network applications made up 43 percent of all cyberattacks in 2019. In addition, with more people working remotely in 2020 due to COVID-19, hackers targeted newly distributed organizations, betting that they didn’t have adequate security deployed. With SASE, which can include secure web gateway (SWG), cloud access security broker (CASB), firewall, and even zero-trust network access (ZTNA), attacks on the network can be more easily detected and mitigated without the added burden of deployment and management of multiple solutions.
Moreover, users can manage SASE, both WAN traffic and security, from a single pane of glass. Since SD-WAN requires an appliance at each branch office to aggregate multiple ISP/WAN links, SASE can just be a matter of layering network firewall capabilities into the same box to accomplish basic firewalling. However, it can also go well beyond this by delivering analytics, unified threat management and even application layer policies. This is a particularly valuable feature, especially for companies with multiple branch offices or locations with different security solutions deployed at various sites. In addition to reducing the complexity of the network, bundling all of these solutions into one offering reduces the number of vendors the business has to manage.
As a primarily cloud-based offering, SASE requires less infrastructure onsite—which also means less investment in hardware, networking and physical appliances plus lower maintenance costs and less of a burden on in-house IT teams. Also, like other cloud-based solutions, it enables users to deploy a network more quickly and be more agile when making changes or scaling. In addition, users can connect via SASE using a variety of devices, securely accessing the business network from any location.
SASE vs. SD-WAN
To better understand SASE, it’s important to understand how it compares to SD-WAN. First, let’s look at some of the ways they’re similar:
Independent topology: SD-WAN and SASE are carrier-agnostic “overlay” services, meaning the SD-WAN links and nodes are separate from the architecture of your internet service provider. This allows consumers to select the best available bandwidth option from any available carrier and still leverage the benefits of SD-WAN and/or SASE.
Connect geographically diverse sites: Both solutions allow users to securely connect far-flung locations for consistent transmission of data.
Provide access to corporate-network resources: Users can access any networked features and resources, like shared drives or local area network (LAN) portals.
Flexibility and scalability: As these are software-defined networks, they can be built out or reconfigured with comparative ease.
Centralized control: One of the great advantages of SD-WAN and SASE over multiprotocol label switching (MPLS) is the ability to roll out network-wide changes from a single control point.
Application visibility and control: Both software-defined topologies provide a centralized management portal with layer 7 application visibility and control.
Though SD-WAN and SASE accomplish many of the same things, they also differ in important ways.
SASE offers middle-mile networking as standard
To explain the middle mile, let’s imagine you’re sending something to a cloud-based app. Once the data leaves your device, it’s transferred to a local Point of Presence (POP). From there, it makes its way to the network server, via various other POPs in different physical locations. This second part of the journey is known as the middle mile.
A feature regarded as an essential component of SASE is managed-network infrastructure in the middle mile – which means that a SASE provider can offer optimizations beyond your Local Area Network (LAN).
By strategically installing carrier-specific gateways at different geographic POP locations, SASE providers can control connections and routing, and inspect traffic between different endpoints.
These Gateway POPs can be placed in data centers for maximum access to cloud service providers – which means if your business is heavily reliant on cloud-based apps and services, a SASE network can potentially offer you lower latency, packet loss, and jitter.
While some SD-WAN solutions incorporate middle-mile networking, it’s by no means a given.
SASE’s Cybersecurity Features
Middle-mile management means your SASE can also provide extensive security options (the “secure access” at the “service edge” that spawned the acronym).
Traffic can be inspected at the gateway POPs, which means SASE networks can include perimeter security along with endpoint and user-identity protections. As a result, SASE is often described (and marketed) as an all-in-one solution for both your network connectivity and security needs.
This can provide huge benefits for companies looking to simplify their network-management architecture. However, larger companies with comprehensive security measures already in place may find it difficult to assimilate multiple security systems and may be better served by a slimmer SD-WAN solution.
Points to Consider Before Choosing SASE Architecture
With the costs of cyberattack damage projected to nearly double by 2029, security has become mission-critical and top-of-mind for most organizations.
Because SASE is relatively new in the networking world, you need to ensure that the people designing and implementing the network and security policies have the expertise and experience required. Although many skilled IT professionals are more than capable of setting up an SD-WAN, they may not have the skills, knowledge, or resources to optimize all of the security elements to provide an organization with the best defenses.
If you choose to outsource SASE to a systems integrator or managed services provider, ask about other networks they’ve built and how they manage them. Those with experience in SD-WAN alone may not be the best partners for this project.
SASE may not be for everyone. For example, large enterprises with separate teams managing security and infrastructure may not be ready to merge the two. Additionally, organizations that have made recent investments in edge security infrastructure will likely want to consider SASE a bit further down the road.
However, if you’re looking for a simpler way to manage your network, address security, and decrease costs and the burden on your IT team, SASE may be the solution you’re looking for.