Skip to main content

Key components of SASE

Matt Mair

06/12/2026

Blog post | SASE | Blog Entry

Secure access service edge (SASE) is not a single product. It is a converged architecture built from several distinct capabilities that work together to deliver both networking and security through a unified cloud-delivered platform. Understanding what those components are — and what each one contributes — is essential for evaluating whether a SASE deployment will meet enterprise requirements and where gaps may exist in a current architecture.

SASE combines two foundational layers: SD-WAN, which provides the networking infrastructure, and security service edge (SSE), which provides the cloud-delivered security capabilities. The SSE layer is where most of the security decision-making happens and where the key components reside.

SD-WAN: the networking foundation

Software-defined wide area networking (SD-WAN) is the connectivity layer that underpins SASE. It uses software to manage and optimize traffic across the wide area network, ensuring that users reach applications efficiently regardless of where they are connecting from.

In a traditional architecture, network traffic is routed through fixed paths that do not adapt to changing conditions. SD-WAN introduces dynamic traffic management, directing high-priority application traffic over the most efficient available path and adjusting in real time as network conditions change. For distributed enterprises with multiple branch locations and a large remote workforce, this translates directly into more consistent application performance and better user experience.

Without SD-WAN, the security components of SASE lack the networking foundation needed to deliver consistent performance at scale, increasing the risk that users will work around controls that negatively impact their experience.

Secure web gateway (SWG)

A secure web gateway filters internet-bound traffic to protect users from web-based threats and enforce acceptable use policies. It inspects traffic in real time, blocking access to malicious sites, preventing data exfiltration through web channels and enforcing corporate security policy regardless of where the user is connecting from.

In a SASE model, SWG capability is delivered through the cloud rather than through on-premises appliances. That means protection follows the user — an employee working from a home network or a public WiFi environment receives the same level of enforcement as one sitting inside the corporate office.

Without an SWG, users connecting outside the corporate perimeter are exposed to web-based threats that on-premises tools cannot reach.

Cloud access security broker (CASB)

A cloud access security broker sits between users and the cloud applications they access, providing visibility and control over how those applications are used. As SaaS adoption has grown, the volume of data moving through cloud applications — much of it sensitive — has expanded well beyond what traditional perimeter tools can monitor.

CASB addresses this by enforcing data loss prevention policies, identifying unauthorized or unsanctioned application usage and ensuring that access to cloud services complies with the organization’s security and compliance requirements. It can combine inline real-time controls with API-based visibility to govern user activity and data within SaaS applications, giving security teams what they need to govern cloud application usage at scale without blocking the productivity benefits that SaaS adoption is meant to deliver.

Without a CASB, organizations often have significant blind spots in how sensitive data is being accessed, shared and stored across their cloud application portfolio.

Firewall-as-a-service (FWaaS)

Firewall-as-a-service moves traditional firewall capabilities to the cloud, providing traffic inspection and policy enforcement without dependence on physical hardware at each location. Unlike hardware-based firewalls that are tied to specific sites, FWaaS can inspect traffic from any source to any destination and apply consistent policy across the entire enterprise footprint.

For organizations with multiple branch locations, FWaaS eliminates the need to deploy and maintain firewall hardware at each site. Policy is managed centrally and enforced at the cloud edge, reducing both capital expenditure and the operational complexity of maintaining site-specific infrastructure.

Zero Trust network access (ZTNA)

Zero Trust network access is the component that replaces the traditional VPN as the mechanism for remote access. Rather than connecting users to a network segment, ZTNA connects them to specific applications based on a continuously verified identity and device posture. Internal resources remain hidden from and inaccessible to users who have not been authorized for that specific application.

This approach significantly reduces the attack surface compared to VPN-based access, where a single compromised credential can expose broad network segments. ZTNA ensures that access is always scoped to the minimum required and that authorization is re-evaluated continuously rather than assumed after the initial login.

ZTNA is also the component that most directly enables Zero Trust policy within a SASE architecture, making it central to any organization that is building toward a Zero Trust security model.

How the components work together

Each of these core components addresses a distinct security or networking requirement. Their value in a SASE architecture comes from integration. When SD-WAN, SWG, CASB, FWaaS and ZTNA operate through a unified platform, policy is consistent, management is centralized and coverage follows users and applications rather than being anchored to physical infrastructure.

Organizations evaluating SASE should assess not just whether a platform includes each component but whether those components are genuinely integrated or simply co-located under a single vendor umbrella. The difference between the two has significant implications for policy consistency, operational efficiency and the overall security posture the architecture can sustain.

For a broader view of how SASE fits within a modern enterprise security strategy, see our SASE guide.

Keep up on the latest
Sign up now to get additional stories on connectivity, security and more.

Forms cannot be submitted at this time. Please call to speak with a representative.

By submitting your information, you agree to the collection, use, and disclosure of your information in accordance with the Spectrum privacy policy. For California consumers, visit the Spectrum California consumer privacy rights page.


Matt Mair

Matt Mair is a Senior Product Marketing Manager at Spectrum Business, specializing in networking and cybersecurity. He focuses on transforming technical innovation into strategic narratives that inform, engage, and accelerate growth.