SASE vs. SD-WAN – It’s NOT Either Or!

SD-WAN is a foundational component and an integral part of a SASE architecture


As I mentioned in my last blog, “Everything You Ever Wanted to Know about SASE – but Were Afraid to Ask!,” there are a lot of opinions, misconceptions, and questions about SASE:

  • SD-WAN is dead!
  • SASE is a replacement for SD-WAN
  • SASE is cloud-hosted security with basic SD-WAN functionality added
  • SASE and SD-WAN are different networking technologies

However, if you carefully read Gartner’s initial report, “The Future of Network Security is in the Cloud,” that introduced the term SASE (secure access service edge), you’ll see that it’s not “either” SASE or SD-WAN. Rather, SD-WAN is a foundational component and an integral part of a SASE architecture.[1]

In the second installment of our SASE video series, SASE vs. SD-WAN, we describe in detail the roles SD-WAN plays in delivering a fully-featured SASE architecture. One of the key capabilities the SD-WAN must support is adaptive Internet breakout. What this means is sending traffic from branch locations that is destined for the cloud directly to SaaS and/or IaaS providers, using the Internet, and without backhauling it to the data center for security inspection. This requires the ability to granularly steer traffic based on the application Quality of Service and security policy enforcement requirements driven by business needs.

For example, an enterprise may wish to send trusted traffic such as Microsoft 365 directly to the SaaS provider for the best user experience, all other cloud-destined traffic first to a cloud-hosted security service before being handed off to the SaaS or IaaS provider, and continue to backhaul traffic for apps still hosted in the corporate data center to a headquarters or hub site.

Advanced SD-WAN Functionality for SASE

Ultimately, the goal of SASE is to deliver the best end user quality of experience for cloud-hosted applications without compromising security. After working with many enterprises that have designed and deployed their SASE architectures, we’ve learned that basic SD-WAN functionality falls short. An SD-WAN with advanced networking capabilities is required to fully enable SASE:

  1. Identify application traffic on the first packet and granularly steer it to enforce both QoS and security policies as defined by business intent
  2. Keep cloud application definitions and TCP/IP address ranges up to date, automatically, every day
  3. Automate orchestration between the SD-WAN and cloud-delivered security services from a single console to make it easy
  4. Automatically fail over to a secondary cloud security enforcement point to avoid any application interruption
  5. Automatically reconfigure secure connections to cloud security enforcement points if a newer, closer location to the branch becomes available
  6. Enable customers to adopt cloud security services – and their SASE implementations – at their own pace
  7. And most importantly, provide the freedom of choice to deploy new security innovations as they become available from any vendor to easily address unknown future threats
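The steering example from the breakout discussion above, combined with list items 1 and 4, can be sketched as a small policy lookup. This is an added illustration, not code from any SD-WAN product: the application names, address prefixes (documentation ranges), enforcement-point names, and the choice to block traffic when no enforcement point is healthy are all assumptions.

```python
import ipaddress

# Constructed application definitions. Documentation prefixes stand in for the
# SaaS address ranges a real SD-WAN would refresh every day (assumption).
APP_PREFIXES = {
    "microsoft365": ["198.51.100.0/24"],
    "datacenter-erp": ["10.20.0.0/16"],
}

# Business-intent policy from the article's example: trusted SaaS breaks out
# locally, data-center apps are backhauled, everything else is inspected.
POLICY = {
    "microsoft365": "direct-internet",
    "datacenter-erp": "backhaul-hub",
}
DEFAULT_ACTION = "cloud-security"

# Hypothetical cloud security enforcement points, in order of preference.
CLOUD_SECURITY_POPS = ["pop-primary", "pop-secondary"]


def classify(dst_ip):
    """Identify the application from the first packet's destination address.

    Uses longest-prefix match so overlapping definitions resolve to the most
    specific one. Returns None for unknown cloud-destined traffic.
    """
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for app, prefixes in APP_PREFIXES.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (app, net.prefixlen)
    return best[0] if best else None


def steer(dst_ip, pop_health):
    """Return (action, enforcement_point) for a new flow."""
    action = POLICY.get(classify(dst_ip), DEFAULT_ACTION)
    if action != "cloud-security":
        return action, None
    # Fail over to the next healthy enforcement point.
    for pop in CLOUD_SECURITY_POPS:
        if pop_health.get(pop, False):
            return action, pop
    # Assumption: with no healthy enforcement point, block the flow rather
    # than let it break out to the Internet uninspected.
    return "blocked", None
```

The last branch is the design decision worth reviewing in any real deployment: what happens to inspection-required traffic when every enforcement point is unreachable.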

To learn more about SASE and the benefits it delivers, tune in to our video series and watch our second installment, “SASE vs. SD-WAN.”




[1] “The Future of Network Security is in the Cloud,” Gartner ID G00441737, August 30, 2019


Copyright © 2021 IDG Communications, Inc.