On This Page
What is SASE? Why Did SASE Emerge?Threat Landscape
Recent Breach DataZero Trust Foundation
Zero Trust: The Security Model Behind SASE SASE vs SSECore Capabilities
What's Inside SASE?Comparisons
Control Plane vs Data Plane How ZTNA Reduces Attack Surface over VPNArchitecture
Real-World SASE Architecture Which SASE Controls Matter for Your Use Case?Deep Dives
CASB: Securing SaaS and Shadow IT Data Loss Prevention (DLP) Remote Browser Isolation (RBI) Securing APIs: Why WAAP Is Now Part of SASEDecisions
Common Implementation Challenges Does Your Organization Need SASE? How to Choose a SASE / ZTNA VendorCompliance
India Compliance: DPDPA, RBI, SEBI, CERT-InLocking Ahead
What's Next for Zero Trust and SASE? SASE Key Facts: Summary01 — OVERVIEW
What is SASE? A Complete Guide to Secure Access Service Edge
SASE (Secure Access Service Edge) is a cloud-delivered architecture that converges networking and security into a single, identity-aware service. Instead of routing traffic through a data center to pass through stacked appliances—firewall, proxy, VPN concentrator—SASE pushes policy enforcement out to a global network of Points of Presence (PoPs), close to wherever the user, device, or workload actually is.
In practical terms, SASE combines two previously separate worlds:
SD-WAN
Intelligent, multi-link traffic steering between branches, users, and clouds.
SSE (Security Service Edge)
The cloud-delivered security stack: ZTNA, SWG, CASB, DLP, and FWaaS.

Cloud-Delivered
Security and networking policy are enforced at the edge—in cloud PoPs near the user—not backhauled to a central data center.

Identity-Centric
Access decisions are based on who the user is, what device they're using, and the context of the request—not which network they happen to be on.

Converged by Design
One policy engine, one console, multiple enforcement points—replacing a patchwork of point products with a single managed fabric.
02 — MOTIVATION
Why Did SASE Emerge? The Collapse of the Network Perimeter
For two decades, enterprise security assumed a simple rule: inside the firewall, you're trusted; outside it, you're not.
That assumption no longer holds. Apps, data, and users now live outside the four walls of the enterprise network almost by default.
What pushed enterprises toward SASE:
- Applications moved to SaaS and IaaS, so traffic is no longer primarily destined for the data center.
- Remote and hybrid work increased the need for direct internet access.
- VPNs grant broad network access after authentication, creating a major lateral movement risk.
- Point security products (firewalls, proxies, VPNs, CASB as separate tools) create inconsistent policy enforcement and high operational overhead.
- Cloud Points of Presence (PoPs) reduce latency compared to backhauling traffic to headquarters.
03 — THREAT LANDSCAPE
What Happens When Perimeter Security Fails? Recent Breach Data
The perimeter model assumed threats came from outside. In practice, stolen credentials, social engineering, and missing MFA routinely walk straight past the firewall—and once inside a flat network, attackers move laterally with little resistance.
Incident
Jaguar Land Rover
Change Healthcare
Marks & Spencer
MGM Resorts
Date
Sep 2025
Feb 2024
Apr 2025
Sep 2023
Impact
£1.9B UK economic impact; 5-week shutdown; 27% drop in UK car production
190M people affected — largest healthcare breach on record; $3.1B cost; $22M ransom paid
£300M lost profit; £700M wiped from market value; 46 days of halted online orders
$100M in losses; 10 days of disrupted operations
Entry Point
Stolen Jira credentials
No MFA on remote portal
Social engineering via supplier
Help-desk social engineering (Scattered Spider)
The pattern across all four: the perimeter didn't help.
- Credential theft — Valid credentials bypass firewalls entirely.
- Social engineering — Human manipulation consistently beats technical controls.
- Supply chain — Third-party and vendor access gets exploited.
- Missing MFA — A single password equals full access.
- Lateral movement — Once inside, attackers spread freely across flat networks.
Industry research backs this up: 34% of breaches involve internal actors, it takes an average of 287 days to identify a breach, 82% of breaches involve a human element, and the average cost of a data breach now sits at $4.45M(Verizon DBIR / IBM Cost of a Data Breach)
04 — ZERO TRUST FOUNDATION
Zero Trust: The Security Model Behind SASE
SASE doesn't invent a new trust model—it delivers Zero Trust at scale, from the cloud.
According to NIST Special Publication 800-207, Zero Trust requires strict identity verification for every person and device requesting access to a resource, regardless of whether they're inside or outside the traditional network perimeter.
Origins and evolution:
Zero Trust is not a product you buy—it's a strategy and architecture that guides every access decision. As the saying goes, it's a journey, not a destination.
Core principles:
- Never trust, always verify — No user, device, or network is inherently trusted; every request is authenticated.
- Least privilege access — Grant only the minimum access needed, just-in-time and just-enough.
- Assume breach — Operate as if attackers are already inside; minimize blast radius through micro-segmentation.
The five pillars of Zero Trust (per CISA's Zero Trust Maturity Model): Identity, Device, Network, Application, and Data—underpinned by cross-cutting visibility, analytics, automation, and orchestration. Organizations progress across all five pillars simultaneously, moving through maturity stages: Traditional → Initial → Advanced → Optimal.
The mindset shift is simple to state and hard to execute: from protecting the network to protecting the resource.
05 — SASE VS SSE
SASE vs SSE: What's the Difference?
These terms get used interchangeably, but they describe different scopes of the same architecture.
- ✓Secures access to web, cloud services, and private apps
- ✓Cloud-delivered enforcement via PoPs
- ✓Includes ZTNA, SWG, CASB, and data security/monitoring
- ✓Traffic steering and performance optimization
- ✓Multi-link resilience and intelligent path selection
- ✓Connects branches and users into the broader SASE fabric
06 — CORE CAPABILITIES
What's Inside SASE? Core Capabilities Explained

SWG (Secure Web Gateway)
Inspects and controls web traffic—URL filtering, malware detection, and TLS inspection—before it reaches the user.

CASB (Cloud Access Security Broker)
Governs SaaS usage via proxy or API: discovers shadow IT, enforces policy, and assesses posture across sanctioned and unsanctioned apps.

ZTNA (Zero Trust Network Access)
Grants per-application access based on identity and context—never broad network access the way a VPN does.

FWaaS / NGFW
Cloud-delivered firewalling and segmentation policy enforced at the PoP, not at a physical branch appliance.

Data Security (DLP)
Detects and blocks sensitive data exfiltration across web, SaaS, and private application traffic.

DNS Security, RBI & Monitoring
DNS-layer threat blocking, Remote Browser Isolation for risky web sessions, and centralized visibility and telemetry across the whole stack.
07 — ARCHITECTURE
Control Plane vs Data Plane in SASE Architecture
SASE separates what gets decided from where it gets enforced—a principle that makes consistent policy possible across a globally distributed workforce.
Control plane (policy & identity)
- Integrates with the identity provider, MFA, and device posture signals
- Defines access policies—who, what, and when
- Maintains data classification and acceptable-use rules
- Provides central analytics, alerts, and reporting
Data plane (traffic enforcement)
- PoPs enforce SWG, CASB, ZTNA, DLP, and FWaaS policy inline
- Steers traffic for performance and resilience
- Performs inline inspection—TLS, malware, exfiltration
- Generates telemetry that feeds back into the control plane
Practical implication: change policy once, centrally, and it enforces consistently across every user, branch, and cloud—without touching individual devices or sites.
08 — COMPARISON
How ZTNA Reduces Attack Surface by Up to 90% Over VPN
A traditional VPN was never designed to answer fine-grained access questions—it was designed to extend the network. ZTNA answers each of these explicitly, every time, using what's known as the Kipling Method (Who, What, When, Where, Why, How) applied to Data, Applications, Assets, and Services (DAAS):
Question
Who should access the resource?
What app can the identity use?
When is access allowed?
Where is the resource located?
Why is the user allowed access?
How is traffic processed?
VPN
✕ Partial (user role, MFA, device trust)
✕ Not evaluated
✕ Not evaluated
✕ Partial (workload tags, group membership)
✕ Not evaluated
✕ IDS/deep packet inspection only
ZTNA
✓ Full identity verification
✓ App identity, role, endpoint location
✓ Time, day, session duration
✓ Fully mapped
✓ Metadata, security groups
✓ Continuously inspected and policy-checked
The fundamental shift:
- ✕ Trust based on network location
- ✕ One-time authentication
- ✕ Broad access after login
- ✕ Flat internal network
- ✓ Trust based on identity + context
- ✓ Continuous verification
- ✓ Least privilege access
- ✓ Micro-segmentation
09 — ARCHITECTURE
Real-World SASE Architecture: How It All Connects
Edge / Users — Remote users (via a lightweight SASE client) and branches (via SD-WAN CPE) connect outward, not into a data center.
SASE PoP (Point of Presence) — The cloud edge runs four functions together: Identity (SSO/MFA), Policy (PDP/PEP), Security (the full SSE stack), and Network (SD-WAN traffic steering).
Destinations — Traffic is routed securely and directly to IaaS/PaaS, SaaS applications, or the private data center—whichever the policy and the destination require.
Common deployment models:
- Agent-based — full SASE client on managed devices; strong posture checks, full traffic steering; best for the core workforce
- Agentless (browser-based) — fast access for contractors and BYOD; minimal installation, but limited to browser flows
- Site/Branch tunnel (SD-WAN) — connects entire networks to PoPs; consistent policy for IoT/OT, but less per-user context
10 — COMPARISON
Which SASE Controls Matter for Your Use Case?
Not every use case needs every capability at full strength. Use this as a starting checklist when scoping a deployment.
























optional / depends on environment 11 — DEEP DIVE
CASB: Securing SaaS and Shadow IT Inside SASE
Gartner defines CASB (Cloud Access Security Broker) as a policy enforcement point that consolidates multiple security controls and applies them to cloud application access—both sanctioned and unsanctioned.
The four pillars of CASB:
Visibility
Shadow IT discovery, SaaS usage analytics, user/data flow mapping, app risk scoring
Compliance
Audit trails, policy enforcement, data residency controls, mapping to DPDPA/GDPR/HIPAA/PCI
Data Security
Inline and API-based DLP, encryption/tokenization, sharing controls, information rights management
Threat Protection
UEBA and anomaly detection, malware scanning, account-takeover defense, adaptive access control
Two deployment modes:
API-based
Out-of-band scanning of data at rest via SaaS APIs; broader retroactive coverage
Inline (proxy)
Forward/reverse proxy in the data path; real-time blocking at the point of access
For Indian enterprises specifically, CASB evaluation should weigh data sovereignty (PoPs and processing within India for BFSI/government mandates), DPDPA 2023 readiness, RBI Cybersecurity Master Direction and SEBI CSCRF alignment, shadow AI discovery (visibility into ChatGPT, Gemini, Copilot, and Claude usage), and local-language SaaS categorization.
12 — DEEP DIVE
Data Loss Prevention (DLP) in a SASE World
DLP is the set of technologies and processes that detect potential data breaches and prevent exfiltration by inspecting content and contextual signals against policy—across three states of data:
Data in Motion — email, web uploads, API calls, file transfers
Data at Rest — databases, file shares, cloud storage, endpoints
Data in Use — active sessions, screen capture, copy/paste, printing
Detection techniques: pattern matching (regex for PAN, Aadhaar, SSN, credit cards), Exact Data Match against structured databases, document fingerprinting, keyword/dictionary classifiers, and ML-based classifiers trained on labeled samples like contracts, source code, and PII.
A phased maturity model (crawl, walk, run) works best:

Discover
Scan endpoints and cloud, identify data owners, baseline current flows

Monitor
Run in audit-only mode, log all incidents, tune false positives

Block
Enforce on high-confidence, critical data with a user-justification flow

Adapt
Layer in UEBA, auto-classification, and ML-driven policy tuning
Regulatory drivers shaping DLP requirements today include DPDPA 2023, RBI Cybersecurity guidelines, SEBI CSCRF, the IT Act's Section 43A (SPDI), PCI-DSS, HIPAA, GDPR, and ISO 27001.
13 — DEEP DIVE
Remote Browser Isolation (RBI): Zero-Day Defense for the Browser
RBI runs browser sessions on a remote, ephemeral cloud instance—only a sanitized visual stream or safe DOM reaches the endpoint, and active code never executes locally. That single design choice neutralizes most browser-based zero-day exploits and drive-by downloads.
Isolation modes:
- Pixel streaming — a video-like stream of the rendered page; maximum isolation, lower fidelity
- DOM reconstruction — sanitized DOM elements delivered to the local browser; more native feel, requires careful filtering
Primary use cases: risky or uncategorized web destinations, phishing protection (render suspicious URLs read-only), privileged-user protection (executives, admins), and BYOD/contractor access without full endpoint controls.
Three deployment patterns:
Pattern
Universal
Selective (recommended)
User-based
Profile
Highest security, highest cost—all web traffic flows through RBI
SWG routes specific risk categories to RBI
Specific users/groups are always isolated
Best Fit
Defense, classified networks, air-gapped workstations
Most enterprises—BFSI, IT/ITES, manufacturing
VIP protection, finance/legal teams, contractors
Integration principle: RBI should be invoked selectively by SWG policy, not run always-on. Always-on RBI is expensive and degrades user experience; targeted RBI delivers the best return.
14 — DEEP DIVE
Securing APIs: Why WAAP Is Now Part of SASE
Modern applications are built on APIs, and APIs have become a primary attack surface in their own right:
WAAP (Web Application & API Protection) is the evolution of the traditional WAF for this reality, and it's increasingly delivered as part of the SASE/SSE edge rather than a standalone appliance:
- API discovery & inventory — automatically detect every API, including shadow and zombie APIs
- Schema validation — enforce OpenAPI/Swagger specs and block malformed requests
- Bot management — distinguish legitimate automation from malicious bot traffic
- Rate limiting & abuse prevention — protect against credential stuffing, scraping, and DDoS
- Runtime protection — ML-based anomaly detection for BOLA and injection attacks
15 — DECISIONS
Common SASE Implementation Challenges (and How to Solve Them)
Challenge
Legacy integration
Organizational silos
SSL/TLS inspection
User experience
Skill gaps
Vendor lock-in
Why It Happens
On-prem apps weren't designed for cloud-first access
Network and security teams operate independently
Privacy concerns, certificate pinning, compliance
Extra authentication steps, perceived latency
Teams unfamiliar with cloud-native security
Proprietary formats, migration complexity
Practical Solution
App connectors, reverse proxy, gradual migration
Cross-functional teams, shared KPIs, unified tooling
Selective decryption, bypass lists, documented user consent
Risk-based auth, local PoPs, SSO integration
Training, managed services, phased rollout
API-first vendors, data portability, multi-vendor options
Critical success factors: executive sponsorship, phased implementation, clear success metrics, structured change management, and continuous optimization—in that order of importance
16 — BUSINESS CASE
Does Your Organization Need SASE? Key Signs It's Time

You're still relying on VPN for remote access. VPNs grant broad network access once authenticated—exactly the lateral-movement risk that recent breaches (Change Healthcare, MGM) exploited.

SaaS sprawl has outpaced visibility. If you don't know every app your employees are using—including AI tools—shadow IT is already a live risk.

You operate a flat, unsegmented internal network. No micro-segmentation means a single compromised credential can spread freely, as in the Jaguar Land Rover and Marks & Spencer incidents.

Compliance pressure is increasing. DPDPA 2023, RBI Cybersecurity Master Direction, SEBI CSCRF, and CERT-In directives all expect auditable access control and data protection that point products struggle to deliver consistently.

Third parties, contractors, or M&A integrations need scoped access. ZTNA can grant access to a single app without ever placing an external party on your network.

Branch offices are backhauling SaaS and cloud traffic through a central data center, adding latency without adding meaningful security.
17 — VENDOR SELECTION
How to Choose a SASE / ZTNA Vendor: Key Evaluation Questions
Before committing to a platform, evaluate it against the dimensions that actually differentiate SASE vendors in production:
Consideration
Agent type
Deployment model
Data traffic pattern
Protocol support
ZTNA protection scope
Protocol technology
What to Ask
Agent-based or agentless—and does it support both?
Gateway mode or enclave model—which fits your network design?
Proxy-centric (dedicated or shared PoP), relay-dependent, or direct peer-to-peer?
Universal protocol support, or limited to HTTP(S), RDP, SSH?
North-South only (user-to-app), or does it also cover East-West (app-to-app)?
TLS-based, or UDP/TCP tunnels with pinholing?
Also confirm: Is there a single console for policy, analytics, and incident response? Does the vendor have PoPs in-region for data sovereignty? Can the platform discover shadow AI usage, not just shadow SaaS? And critically—does it integrate cleanly with your existing IdP, SIEM/SOC, threat intel, and EDR stack, or does it demand a rip-and-replace?
18 — COMPLIANCE
India Compliance and SASE: DPDPA, RBI, SEBI, CERT-In
For enterprises operating in India, SASE adoption increasingly maps directly to regulatory obligations rather than being a discretionary upgrade.
Regulation
DPDPA 2023
RBI Cybersecurity Framework
SEBI CSCRF
IT Act, Section 43A
CERT-In Directives
Data/Scope
Personal data, sensitive personal data
Customer financial data, PAN
Investor PII, trading data
SPDI (passwords, financial data)
Incident reporting, logs
Key Capability Required
Consent tracking, breach detection
Encryption, exfiltration controls
Activity monitoring, audit logs
Reasonable security practices
Auditable access logs, retention
Sector
All
BFSI
Capital markets
All
All
A SASE platform with auditable access logs, micro-segmentation, and DLP mapped to these frameworks turns compliance reporting from a quarterly scramble into a byproduct of normal operations.
19 — FUTURE DIRECTIONS
What's Next for Zero Trust and SASE?
Trend
AI-powered security
Passwordless & passkeys
Edge security
Data-centric security
Platform convergence
Post-quantum readiness
What It Looks Like
ML anomaly detection, automated response, predictive risk scoring, UEBA
FIDO2/WebAuthn adoption, biometric auth, phishing-resistant MFA
IoT edge processing, 5G integration, micro-PoPs, OT/IoT ZTNA
DSPM, automated classification, encryption everywhere, rights management
XDR + SASE + CNAPP unifying into single-vendor ecosystems
Quantum-safe algorithms, crypto agility, NIST PQC standards
Adoption timeline: AI/ML and passwordless are already mainstream now; edge and data-centric security are scaling through 2025–2026; post-quantum readiness becomes a board-level conversation from 2027 onward.
The broader shift underway: Zero Trust and SASE are moving from "network controls" toward measurable, adaptable trust systems—continuous risk scoring, event-driven session revocation, and policy that's tested and audited like code.
20 — SUMMARY
SASE Key Facts: What You Need to Know
SASE converges SD-WAN and a full cloud-delivered security stack—ZTNA, SWG, CASB, DLP, and FWaaS—into a single architecture enforced from global PoPs close to the user.

The traditional castle-and-moat model assumed inside the network meant trusted. Cloud, SaaS, and remote work dissolved that assumption—the perimeter is now identity, not location.

Zero Trust is the operating principle underneath SASE: never trust, always verify, least privilege access, and continuous re-evaluation of every request—not just at login.

ZTNA replaces VPN's all-or-nothing network access with per-application, per-context access—reducing attack surface by up to 90% in vendor benchmarks.

SASE is delivered in phases—most enterprises adopt SSE first (security) and converge SD-WAN in later phases, starting with high-value apps and a pilot group.

For Indian enterprises, SASE adoption increasingly doubles as a compliance accelerator for DPDPA 2023, RBI, SEBI CSCRF, and CERT-In requirements.