What’s the Difference Between SASE and SD-WAN?

While SD-WAN is a key part of a hybrid workplace and multicloud operation, it should be treated as a stepping stone to SASE, not an alternative.

Question: What’s the difference between SASE and SD-WAN?

Shaila Shankar, SVP and general manager, Cisco Cloud Network and Security: At Cisco, we get this question a lot. A software-defined wide area network (SD-WAN) is key as we transition to a hybrid workplace environment. It is an inseparable component of secure access service edge (SASE).

Let’s first discuss SD-WAN, which addresses some of the challenges of a traditional WAN by improving traffic routing and network operations. In essence, SD-WAN decouples the networking hardware from the networking services and control. It is managed via a centralized controller that enforces a data policy across its connected devices. That said, it was not developed with security as a priority, and while it has some security capabilities, many SD-WAN vendors partner with security vendors to offer a more comprehensive solution. But this approach results in additional costs and is vulnerable to gaps in integration between the vendors.

In today’s workplace environment, many workers are entirely mobile and are likely to remain so. Remote and office workers are using multiple devices and accessing applications that are deployed on the public cloud and run by SaaS providers. It is not realistic for an SD-WAN that backhauls traffic to the data center to adequately handle the surge in data, network complexity, and resulting security challenges to provide a seamless and secure user experience. The increased network complexity and traffic, coupled with the increase in security risks, require a paradigm shift to a more distributed network model that centers on the endpoints and end-user devices.

So in comes SASE, which combines the organization’s network and security capabilities into a cloud-delivered service that operates closer to the endpoint. Rather than backhauling traffic to the data center like a traditional SD-WAN, SASE’s traffic inspection occurs closer to the endpoints across distributed points of presence (PoPs). The result is a better user experience, enhanced security, and simpler network and security management.