What is SASE, SSE, ZTNA, and CASB Security?

by | Jul 18, 2023 | Application Performance, Articles, Digital Experience, Network Performance

Learn how SASE combines SSE, ZTNA, SWG and CASB into a zero trust access and security solutions offered by Zscaler, Netskope, SD WAN and networking vendors



You’ve likely encountered terms like Zero Trust, Zscaler, Secure Access Service Edge (SASE), and Secure Service Edge (SSE) in the context of modern networks and security. Understanding the purpose and differences behind these concepts can be challenging. Let’s demystify these terms and explore how they can enhance the security, speed, and reliability of your organization’s networks and applications.

The Need for SASE Security

The rise of cloud computing, edge computing, and remote work has transformed access requirements for organizations. Today, more users, devices, applications, services, and data exist outside the enterprise network than within it. Traditional perimeter-based security approaches no longer suffice, resulting in complex network setups and security policies.

To address these challenges, a new network and security access fabric is needed – one that is identity-aware, context-aware, and connects users, devices, and locations to digital resources anywhere within a zero trust framework.

SASE combines software-defined networking capabilities with various network security functions, all delivered from a unified cloud platform. This approach enables secure authentication and connectivity for employees, while providing organizations with better control over network traffic and data.

SASE delivers secure access for hybrid workers, devices, and locations to digital resources in private applications (on-premises or cloud-based), SaaS, and the internet. It encompasses network edge capabilities, such as SD WAN, and a set of cloud-centric security service edge (SSE) capabilities, including SWG, CASB, and ZTNA.

SASE and SSE Adoption Growing Fast

Gartner’s 2023 Market Guide for Security Service Edge (SSE) reveals that over one-third of enterprises will have adopted a strategy to unify access to web, cloud services, and private applications deploy Secure Access Service Edge (SASE) by the end of 2022, increasing to 75% by 2024, and 80% by 2025. In their 2022 SSE Magic Quadrant, Gartner names Netskope and Zscaler as leaders in innovation and execution.

As a result, the SASE market is projected to grow at a compound annual growth rate (CAGR) of 32%, escalating to an approximate $15 billion value by 2025, while the broader Zero Trust Network Access (ZTNA) market will experience an annual growth rate of upwards of 60% during the same period.

A complementary study conducted by Axis in 2023 reported that 43% of organizations planned to implement a SSE solution by the end of 2023 as a top strategic initiative. Two-thirds of the survey respondents (67%) indicated that they would start their SASE strategy with an SSE implementation, while 33% preferred adding SSE capabilities to SD WAN.

Understanding SASE Components

SASE offerings provide multiple converged network and security as-a-service capabilities through a cloud-centric architecture. These include software-defined WAN (SD WAN), secure web gateway (SWG), cloud access security broker (CASB), network firewalling, and zero trust network access (ZTNA). A variety of SASE solutions are available from network and security vendors like Cisco, Palo Alto and Fortinet, and security-focused SSE providers like Netskope, Zscaler, and iBoss, each with their own blend of SASE components and capabilities.

Let’s explore the key components of SASE:

Secure Service Edge (SSE)

SSE is a subset of SASE functionality that focuses on security enforcement capabilities. It secures access to web, cloud services, and private applications through access control, threat protection, data security, security monitoring, and acceptable-use control. SSE is primarily delivered as a cloud-based service and includes elements such as Firewall as a Service (FWaaS), ZTNA, CASB, and SWG. Simply put, SSE = CASB + SWG + ZTNA + FWAAS.

SD WAN: Secure Access

SD WAN is often part of the “Secure Access (SA)” part of a SASE platform, where SSE + SD WAN = SASE. By consolidating networking and security functions into a cloud-based service, SASE enables secure access from anywhere for remote workforces and cloud-based infrastructures. SD WAN can be combined with SASE to provide seamless connectivity and unified security across users, optimizing WAN performance and reducing costs.

Zero Trust Network Access (ZTNA)

ZTNA is an IT security model that enforces strict identity verification for every user and device attempting to access resources on a private network. It adopts a “least privilege” strategy, meaning no access is permitted until explicitly authorized. ZTNA focuses on policy, identity, and content, following users’ identities wherever they are. When integrated into a SASE solution, ZTNA simplifies policy creation, management, and enforcement by accurately identifying users, devices, and applications, regardless of their location.

Cloud Access Security Broker (CASB)

CASB is an essential component of SASE that ensures secure traffic between an enterprise and its cloud providers. It offers data security, threat protection, data loss prevention, and application control. CASB provides visibility into software applications in use and the movement of sensitive data, regardless of user location.

Firewall-as-a-Service (FWaaS)

FWaaS, also known as cloud firewall, delivers firewall functionality as a cloud-based service. It includes advanced features like URL filtering, advanced threat prevention, intrusion prevention systems (IPS), and DNS security. SASE incorporates FWaaS as part of a unified, cloud-based security model, simplifying deployment and management. FWaaS is often incorporated into secure web gateways (SWG).

Secure Web Gateway (SWG)

SWG offers a comprehensive web security solution, protecting organizations from online security threats and enforcing corporate policies. It includes features like SSL Proxy, URL filtering, intrusion detection and prevention (IDS/IPS), next-gen antivirus (NG-AV), data loss prevention, and advanced threat protection. SWG ensures secure web access, applying policies and security measures to both web-based and non-web traffic.

Cost Savings with SASE

SASE offers cost savings by consolidating vendors, streamlining operations, and improving network performance. With cloud-based security, organizations can reduce expenses associated with managing multiple platforms. SASE’s scalability enables easy growth integration, while ensuring secure communication across network locations. These benefits contribute to a lower total cost of ownership (TCO).

The Evolution of SASE

As SASE continues to evolve, two key trends have emerged:

Unified Platforms

Vendors are integrating their discrete components into unified SSE platforms, providing comprehensive cloud service security, data security capabilities, and anti-malware defenses. SSE can be delivered through hyperscaler-based, private-cloud-based, or hybrid models, each with its own architectural approach.

Digital Experience Monitoring (DEM)

SASE vendors like Netskope, Zscaler and Palo Alto and Cisco are starting to introduce DEM capabilities into their solutions. This helps answer end users’ concerns about slow access by providing in-depth insights and analysis.

Integrated capabilities remain limited in their ability to to see across all users, endpoints and network segments compared to standalone DEM solutions that can see the performance of Wi-Fi, internet, third-party SD WAN and cloud networks outside the SASE footprint As a result SASE solutions are often monitored by more capable, dedicated DEM platforms as part of IT organizations’ broader observability strategies.

How Do You Monitor SASE Performance?

To effectively manage Secure Access Service Edge (SASE) performance, there is a crucial need for visibility into network services, applications, user experiences, and the overall health of the network infrastructure. This includes the capability to quickly detect and diagnose performance issues, from high latency to packet loss, as well as the ability to resolve these issues through appropriate solutions such as rerouting traffic or adjusting SASE configurations. Anticipating potential SASE performance bottlenecks before they significantly impact the user experience is vital for proactive network management.

SASE solutions, including Zscaler and Netskope, as seen by Kadiska’s digital experience monitoring (DEM) solution

Digital Experience Monitoring (DEM) offers a solution to these requirements. DEM, combining user experience and network performance monitoring, presents a comprehensive view of network performance and digital experience, covering both infrastructure and user perspectives. DEM can monitor the performance impact of SASE deployments, detecting anomalies and diagnosing their root causes, using AI-based auto-diagnostics by correlating network metrics with user experience data.

Kadiska’s real-time SASE connectivity path performance, latency and redirection optimization analytics

DEM can also detect when user and application traffic is not secured by the SASE solution, and whether SD WAN, ZTNA or secure web gateways degrade performance, allowing each capability to be optimized accordingly. Digital experience monitoring tools guide the resolution process while also proactively identifying potential performance issues, resulting in optimized SASE performance for employees and the applications they use.

How to Optimize SASE Performance

Gain insights from real-world experiences of leading Fortune 500 companies, as well as valuable knowledge from Zscaler and Netskope deployments, and learn proactive strategies and best practices for optimizing SASE, SSE, ZTN, and CASB performance.

‏‏‎ ‎‏‏‎ ‎‏‏‎ ‎‏‏‎ ‎

Share this post


All our latest network monitoring and user experience stories and insights straight to your inbox.


Kadiska is now part of Netskope
This is default text for notification bar