SASE Architecture

Learn what elements make SASE, SASE. Understand the relationship and difference between SASE, SD-WAN, SSE, and the role of Lifecycle Services.

What are the two main components of the SASE framework?

What is SASE’s architecture? The two main components of the SASE framework are SASE network and SASE security, both blended in a cloud-based model. This means that all the benefits of the cloud – scale, simplicity, scalability and optimal TCO (total cost of ownership) – can now be applied to networking and security. This introduces the ease of deployment and consumption demanded by enterprises of all sizes.

The core capabilities of SASE networking include SD-WAN (Software-Defined Wide-Area Network) for connectivity, application optimization and multi-cloud access, while the security capabilities include FWaaS (Firewall-as-a-Service), SWG (Secure Web Gateway), CASB (Cloud Access Security Broker), ZTNA (Zero Trust Network Access), and antivirus and malware inspection, among others. The winning attribute of SASE is that it manages to combine all of these and deliver them as one optimal cloud-based infrastructure. With SASE networking and SASE security blended into one technology, one doesn’t exist without the other.

Aryaka’s approach to the third component of SASE

Aryaka views the SASE framework as not a two-legged stool but a three-legged one. According to Aryaka, the SASE components include a third leg, which is just as crucial as the first two. This element is called “Lifecycle Services.” It is often neglected among the SASE components, yet it is critical in accelerating adoption, removing barriers, and enabling a more productive and secure hybrid workforce. A focus on integrated lifecycle services, from design and implementation to orchestrating and managing a SASE solution, can make a significant difference. For instance, common troubleshooting that might take a traditional hub-and-spoke vendor team weeks and months can take a one-stop managed service partner just hours and days to identify and remediate, saving both time and money.

Managed SASE Architecture


  • How are the two connected?

The SASE vs. SD-WAN question is a common one. SD-WAN and SASE are connected more closely than we think. An SD-WAN is a foundational element of a broader SASE framework. It is designed to greatly simplify the management of enterprise WANs, which have grown increasingly complex and cumbersome to manage over time as workloads and workforces have shifted dramatically. What is clear is that SASE without SD-WAN for connectivity is a hollow promise, as recently emphasized by Gartner.

This connectivity, leveraging a solid and stable SASE network, is what is required to deliver the application performance and productivity enterprises demand. Building on a Services PoP-centric SD-WAN service, enterprises can easily consume additional security capabilities at the cloud edge as they become available. This type of edge control doesn’t all need to happen at once and can be phased in based on the enterprise’s unique requirements.

  • What is SSE?

SSE (Secure Services Edge) is a subset of SASE capabilities, as defined by Gartner in 2021. It is essentially a collection of SASE security services that can be implemented together with network services like SD-WAN to provide a complete solution. In simple terms, SSE is the focused security aspect of SASE.

  • What are the core components of SSE?

SSE specifically refers to the edge of the network where security services are deployed. The SSE is the point where the enterprise network connects to the internet or cloud, and it is where security services are delivered to protect the enterprise network from external threats. Its core components include:

  1. Firewall: a network security system that monitors and controls incoming and outgoing network traffic based on predefined security rules.
  2. Secure Web Gateway: a security solution that provides web content filtering, malware protection, and URL filtering to protect against web-based threats.
  3. VPN: a secure way of connecting remote users or sites to the enterprise network over the internet. VPNs provide encrypted communication channels that protect data in transit.
  4. ZTNA: a security model that assumes no user or device should be trusted, and access should only be granted on a need-to-know basis. It uses identity-based access controls to ensure that only authorized users can access resources.
  5. CASB: a security solution that provides visibility and control over cloud services and applications. It enforces security policies and protects against cloud-based threats such as data leakage and malware.
  6. DLP (Data Loss Prevention): solutions designed to prevent sensitive data from leaving the enterprise network. They monitor data in motion, data at rest, and data in use to ensure that it is not leaked or stolen.

See our Solution Brief for more information on how Aryaka Secure Service Edge enables an intelligent hybrid edge.

  • Importance of ZTNA

The zero-trust approach of Aryaka to network access and security forms a critical component of SASE architecture. This security model requires verification of every user and device before granting access to an application or network resource, in contrast to the traditional perimeter-based security model, which assumes that anything inside the network is trustworthy. With ZTNA in SASE, secure access is provided to applications and services that are hosted in the cloud or on-premises. ZTNA ensures that users and devices can access only the resources they are authorized to use and that all connections are encrypted to protect against eavesdropping and other security threats. By combining ZTNA with other SASE components, such as SWG, CASB and SD-WAN, organizations can build a comprehensive security architecture that delivers secure access to applications and services from any location and on any device.
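The contrast drawn above, as an added example that is not Aryaka's code: a perimeter check that trusts by source network, beside a zero-trust decision that verifies user and device on every request and authorizes per resource. The network range, policy table, field names and sample requests are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical values, constructed for this example.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
# Per-resource authorization: which groups may reach which application.
APP_POLICY = {"payroll": {"finance"}, "wiki": {"finance", "engineering"}}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_verified: bool       # identity verified for this session
    device_compliant: bool   # device posture check passed
    source_ip: str
    resource: str
    tls: bool                # connection is encrypted

def perimeter_allows(req: Request) -> bool:
    """Perimeter model: anything inside the network is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET

def ztna_decision(req: Request) -> tuple[bool, str]:
    """Zero-trust model: verify user and device on every request, then
    authorize for the specific resource. Network location is not an input."""
    if not req.tls:
        return False, "connection not encrypted"
    if not req.mfa_verified:
        return False, "user not verified"
    if not req.device_compliant:
        return False, "device not verified"
    allowed_groups = APP_POLICY.get(req.resource)
    if allowed_groups is None:
        return False, "unknown resource"  # default deny
    if not (req.groups & allowed_groups):
        return False, "user not authorized for resource"
    return True, "allowed"

# Constructed sample requests.
INSIDE_UNMANAGED = Request("carol", frozenset({"engineering"}), False, False,
                           "10.1.2.3", "payroll", True)
REMOTE_VERIFIED = Request("alice", frozenset({"finance"}), True, True,
                          "203.0.113.7", "payroll", True)
REMOTE_WRONG_APP = Request("bob", frozenset({"engineering"}), True, True,
                           "203.0.113.9", "payroll", True)

if __name__ == "__main__":
    for r in (INSIDE_UNMANAGED, REMOTE_VERIFIED, REMOTE_WRONG_APP):
        print(r.user, perimeter_allows(r), ztna_decision(r))
```

The first sample is the case the perimeter model gets wrong: an unverified user on an unmanaged device is admitted purely because the request originates inside the corporate range.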

One critical element of SASE is the application of Zero Trust principles. For help decoding the many definitions of Zero Trust, watch the webinar and read the blog.