What is Secure Access Service Edge (SASE)?
A guide to implementing a secure network strategy
Traditionally, enterprises favoured a ‘castle and moat’ approach, building rigid protections around their corporate network. This method provided broad on-site security, enabling office teams to communicate safely.
These old methods, however, are no longer sufficient for the modern workforce, as the location of your people is now more fluid, your critical business applications have moved off-premise to the cloud and you need to accommodate a broader mix of end devices, dictated more by the end user than the IT department.
The nature of work is changing and as a consequence so is the location of your end users.
40-44% of UK employees now follow fully remote or hybrid working patterns, according to the UK Remote Work Report 2026 from MyPerfectCV. The aim is to bring more flexibility, productivity and a happier workforce. Although there’s no denying these potential benefits, this shift also presents unique challenges.
Teams are distributed, working from remote locations without on-site protections. Traditional security methods no longer offer the foolproof protection enterprises need.
Teams connecting to company networks from home or the local coffee shop introduce new points of entry for cybercriminals. Gone are the days when the IT department could simply mandate a business device for end users. Your employees now expect to be able to use the same tech they use in their personal lives, giving rise to Bring Your Own Device (BYOD) policies, which in turn add new vulnerabilities.
The transition to cloud-based systems also brings newer, more diverse networking requirements. Employees must be able to connect securely from anywhere.
Accommodating these security challenges has in the past required the integration of multiple best of breed tools. However, this is a challenging integration task requiring expertise across multiple platforms and the management of multiple vendors.
These changes to end user location, cloud-based app working and device proliferation, together with the complexity of a multi-security technology response, require a new network security strategy that:
- Assumes zero trust to accommodate a work anywhere, multi-device cloud app access.
- Maintains high end user performance and experience.
- Simplifies the number of security tools required to provide comprehensive security.
Secure Access Service Edge (SASE) has proven to be a gamechanger, offering a single solution that secures communications, regardless of where your data and workforce are located.
Why traditional security breaks for enterprise-sized business
Initially, organisations sought to use Virtual Private Networks (VPNs) to enable remote employees to connect to the company network. But even this method was limited.
A VPN generally routes traffic to the corporate network and reroutes it back via the internet to a cloud environment. With some VPNs, these extra steps impede network quality and throughput.
This means a slower, more frustrating experience for network users.
The SASE network eliminates these issues, routing all traffic through a cloud-based security platform. This protects identity, web traffic, and cloud applications.
Network users can enjoy a seamless experience regardless of their device, connection, or location.
But what is SASE, and how can it benefit your organisation? Let’s find out!
What is SASE?
Let’s begin with a simple explanation of what Secure Access Service Edge (SASE) means.
SASE bridges essential security features with key networking functionalities.
This framework combines Software-Defined Wide Area Networking (SD-WAN) with Secure Service Edge (SSE) to deliver capabilities such as Secure Web Gateway (SWG), Firewall-as-a-Service (FWaaS), Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA).
By unifying these features, SASE brings a simplified, reliable and more scalable approach to network security.
The difference between SASE vs. SSE
Secure Service Edge (SSE) is an umbrella term for the combination of security and cloud-based technologies.
SASE further converges these technologies with wide-area networking for a seamless user experience. This unified approach brings transformational benefits.
Instead of a fragmented security policy (offering lesser protection for employees working at home or using a VPN), all employees are protected equally.
SASE also brings unique benefits to application usage. The SASE architecture can be applied to all apps – whether in the cloud or not. This ensures that a zero-trust approach is applied to all application access.
Ultimately, SSE represented a big advancement in cloud-based security. SASE takes this to the next level, bringing simplified security, a more rapid transition to the cloud, and lower costs.
How SASE works
Having explored ‘What is SASE?’, let’s look at some of the ways the platform creates a safer, more user-friendly experience.
The network and security stack combined
The majority of cyberattacks occur when there is a network connection.
In the modern environment, both wide area networking (WAN) and security must be aligned to work effectively.
The SASE network combines enterprise SD-WAN with enhanced security features (SSEs). This brings major benefits to network security.
By combining the network and security stack, SASE can intelligently route traffic based on application requirements and network conditions. This shields your network from would-be attackers while ensuring reliable network performance.
How SASE protects you against unknown threats
SASE uses a ‘zero trust’ architecture. This means that all network interactions are treated as suspicious, regardless of which user or device they come from.
Under traditional approaches to security, a user can gain network access simply with a username and a password. With SASE, every request must be validated and authenticated before it can proceed.
A zero-trust approach means that employees only have access to the applications needed to carry out their jobs. This keeps sensitive information away from those who wish to cause harm.
It’s important to remember that a large proportion of breaches come from within organisations. By ensuring individuals can only access the parts of a network they need, SASE provides comprehensive protection from both inside and outside the network.
Core SASE Components
The SASE network provides unified management of various essential parts.
To understand how the different SASE components work together and what each provides, we’ll explore each of the components in detail.
Software-Defined Wide Area Networking (SD-WAN) is a software-based networking approach. Enterprises use this solution to connect multiple locations, branch offices and data centres and bolster security.
SD-WAN improves application performance across your wide area network, connecting users to essential applications and resources. Upgrading to SD-WAN is essential to move away from on-site legacy infrastructure.
The technology is executed as a software overlay across multiple access types, including Fibre to the Cabinet (FTTC), Asymmetric Digital Subscriber Line (ADSL), Long-Term Evolution (LTE), cable modem and Ethernet.
SD-WAN deploys multiple transport options to select the best path for traffic in real-time. If a connection suffers from performance issues, traffic is seamlessly redirected.
With SASE, SD-WAN is combined with SSE to maximise cloud-based systems. Network functions such as firewall security, load balancing, traffic prioritisation, encryption, and network analytics are aggregated, ensuring ease of use and lower costs.
View our SD-WAN case study for a full account of how a switch to SD-WAN improved network performance, lowered complexity, and led to fewer network incidents.
As mentioned, SASE uses the Zero Trust Network Access (ZTNA) security model. All network requests, regardless of their origin, must be validated before being carried out.
In effect, this creates a context-based, logical access boundary around applications in your network. Applications are hidden from access until users are verified via a ‘trust broker’.
SASE will follow multiple processes to validate users, including checking a user’s location, device health (software version, whether a device has endpoint protection or an up-to-date anti-virus), and using multi-factor authentication.
The zero-trust architecture follows the principle of least privilege, enabling operators to segment data into different ‘zones’. This ensures that users are limited to the data and applications they need to carry out their roles.
Zones reduce risk, keeping sensitive information out of the hands of bad actors within your network.
Firewall as a service / FWaaS
A firewall is the first line of defence in an enterprise’s network. Firewall as a Service (FWaaS) injects next-generation protections to reinforce your network.
FWaaS monitors all application-layer traffic, implementing security policies and blocking threats.
Your firewall can restrict which protocols are allowed in or out of the network. It can be set to allow or deny internet access from specific users, groups, or machines.
For example, imagine you have a device such as a water purification system in your network. If this device were connected to the internet, it would be vulnerable to attack. Using FWaaS, you can ensure that the system stays offline.
Another central element of FWaaS is the Intrusion Prevention System (IPS). Malicious third parties often exploit unpatched vulnerabilities in applications. The IPS blocks any connection that is trying to exploit a known security weakness in an app.
Secure web gateway (SWG)
Secure Web Gateways (SWG) act as a wall between users and the internet. They provide granular control over the traffic coming to and from the web.
SWG enables enterprises to restrict access to certain categories of websites or applications. For instance, an organisation could block gambling websites rather than blocking each site individually.
The solution also has a built-in anti-virus that blocks files deemed likely to contain malware. SWG utilises a ‘sandbox’ function to quarantine these potentially dangerous files.
In addition, SWG includes Domain Name System (DNS) filtering, protecting employees from scams and dangerous links. DNS filtering stops users from reaching malicious websites linked from phishing emails and denies access to known harmful websites. This goes beyond the capability of a firewall, blocking both dangerous files and sites with an exploitative intent.
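The category-based blocking described above, as an added example (not code from any SWG product). The category feed, the blocked-category set and the function names are constructed assumptions; the domains are reserved example names.

```python
# Constructed category feed: reserved example domains, not real classifications.
CATEGORY_FEED = {
    "casino.example": "gambling",
    "bets.example.net": "gambling",
    "login-update.example.org": "phishing",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"gambling", "phishing"}


def normalise(hostname):
    """Lower-case the name and drop the trailing root dot, so that
    'Casino.Example.' and 'casino.example' get the same verdict."""
    return hostname.strip().rstrip(".").lower()


def categorise(hostname):
    """Return the category of the most specific feed entry matching the host.

    Matching walks up the name one label at a time, so 'www.casino.example'
    inherits the category of 'casino.example', while 'notcasino.example'
    does not (a plain string suffix test would wrongly match it).
    """
    labels = normalise(hostname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_FEED:
            return CATEGORY_FEED[candidate]
    return "uncategorised"


def verdict(hostname, block_uncategorised=False):
    """Return (action, category). One policy line per category replaces
    a rule per site; unknown sites can optionally be blocked as well."""
    category = categorise(hostname)
    blocked = category in BLOCKED_CATEGORIES or (
        block_uncategorised and category == "uncategorised"
    )
    return ("block" if blocked else "allow", category)


if __name__ == "__main__":
    for host in ("www.Casino.Example.", "notcasino.example", "news.example"):
        print(host, verdict(host))
```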
Cloud Access Security Broker (CASB)
A Cloud Access Security Broker (CASB) is an enforcement point separating cloud users from cloud data. It offers greater visibility, protecting vital cloud data from malicious users.
CASB monitors the usage of apps and can detect when malicious behaviour is taking place.
Picture a cybercriminal attempting to steal a customer’s data by hacking an Office 365 account. CASB can register and prevent this threat before it becomes too damaging.
CASB also supports your customers with compliance-related issues, providing evidence about who has access to which apps and data. These records can be used as evidence of good cyber-hygiene and potentially lessen any fines an organisation might receive.
Digital Experience Monitoring (DEM)
Digital Experience Monitoring (DEM) provides detailed insights about application usage.
Employees likely have different experiences based on how they connect to your network. For example, users connecting via branch sites may have a poorer experience compared to those connecting through high-speed internet connections.
For smooth performance, cloud services require good-quality internet connectivity. DEM pinpoints connectivity issues, bringing a better experience for all users.
When deployed, DEM can:
- Pinpoint the root cause of issues.
- Quickly resolve performance issues, boosting employee efficiency.
- Improve productivity and maximise the availability of services for users.
Browser isolation (avoids drive-by downloads of malicious content and blocks phishing sites)
There’s a risk that when accessing a legitimate website, a user could become victim to a ‘drive-by download.’ This occurs when hackers place malicious code inside a website. When a user connects, malware is downloaded via their browser.
Browser isolation acts as a barrier between users and the internet.
With this feature, a user connects to an isolated browser, rather than the public internet. In other words, they’re shielded from any dangerous content contained on the site.
Browser isolation also prevents users from accessing compromised sites, reducing the risk of phishing attacks and scams.
Why SASE matters for the modern enterprise network
Enterprises have shifted away from on-premises hardware and equipment. Digital transformation has introduced more flexible, cloud-based software.
But as enterprises evolve, so must their approach to network management and security.
Here are some of the ways SASE boosts modern enterprise networks:
Reduced attack surface
SASE segments the network, ensuring users only have access to areas needed to carry out their jobs.
It also resolves a vulnerability in traditional security which relies on public-facing VPNs, where anyone with the VPN credentials can access the network.
Consistent security for remote teams
The old method, with on-premises security as the focus, can’t provide consistent security or performance for remote teams.
Through secure connectivity solutions, SASE enables users to connect from anywhere and receive a smooth and secure experience.
Use cases
Use case – Security for an accountancy business
An accountancy business partnered with Virgin Media O2 Business to boost data security. The company followed a hybrid working model and wanted to ensure protection for sensitive information handled outside the office environment.
The partnership involved completing a security audit and, on the basis of this, implementing:
- Secure SD-WAN & Business Wi-Fi.
- Microsoft Teams and Operator Connect licences.
- Mobile and device management.
- Voice recording.
- Co-pilot licences.
The results
The company saw immediate benefits.
The introduction of SASE/SD-WAN's security features led to an 85% reduction in security incidents, protecting sensitive financial data and maintaining client trust, even with hybrid working practices in place.
Implementation also improved staff retention. Employees were no longer hampered by unreliable communication and collaboration and could deliver more consistent levels of customer service.
Use case - Virgin Media O2 Business
Like most modern businesses, Virgin Media O2 Business employs teams working in diverse locations. Our legacy systems weren’t built for hybrid working patterns.
We needed a cloud-based solution that could deliver high levels of security and performance.
After a thorough assessment of different security solutions, we chose to work with Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). We were impressed by their professionalism, their technology’s resilience, and their 100% effectiveness score in the SSE threat protection test.
On completion of the project, we had:
- An aligned security policy across Windows, iOS, Mac, and Android devices.
- Cloud-based protection at scale, so no need for regular hardware updates.
- Secure application access without needing a VPN.
- Deep inspection of encrypted traffic.
- High performance to meet the needs of our fast-growing internet use.
The introduction of Zscaler brought a marked difference for hybrid employees.
Teams now benefit from a single standard for everyone. They can now communicate securely and productively regardless of their location.
Best of all, merging was a quick and simple process. Normally, amalgamating different networks would be a lengthy, complicated task. Networks are now connected in hours.
Zscaler also provided us with greater control and visibility over our networks. We can now implement location-based access controls (e.g. only allowing UK-based access to certain systems).
The solution also protects us against risks related to Generative AI (GENAI), such as sensitive data being pasted into GENAI tools. The ability to monitor usage of these tools allows us to apply access controls and prevent leaks.
The results
By putting Zscaler to the test, we’ve seen transformational benefits. The results so far included:
- Roughly 20,000 devices are protected.
- A 33% reduction in hardware maintenance.
- A 35% year-on-year increase in traffic, all handled securely and without slowdown.
- As many as 2,600 devices are now enabled for secure on-the-go access.
- The company is better prepared for audits due to unified visibility and zero-trust controls.
Zscaler is just one example of a security solution offered by Virgin Media O2 Business. We provide a comprehensive range of options, each tested to meet the needs of a modern, hybrid workforce.
View our cloud security case study for a full rundown of how Zscaler simplifies security, boosts productivity and scales with demand.
SASE solution models (single-vendor vs. multi-vendor)
There are two main SASE solution models: single-vendor and multi-vendor.
Each option brings unique benefits and offers optimal solutions based on different use cases. We’ll give a rundown of both options to help you make the best choice:
Single-vendor
- Merges network and security features into a single service delivered via the cloud.
- Both security and network management are handled by the same vendor.
- A single-vendor model is often seen as simpler, ensuring centralised policy enforcement and network management.
- Less flexible, as you're limited to the security and network components from a single vendor.
Multi-vendor
- Involves working with different vendors to handle network and security functions.
- A multi-vendor model is more adaptable, allowing you to choose ‘the best of all worlds’.
- You can pick and choose if you prefer the security options from one vendor and the networking features from another.
- A multi-vendor model is generally more complex and time-consuming to set up. Solutions from different vendors must be integrated to work together, which can result in reduced visibility.
How to implement SASE architecture
Introducing SASE involves a multi-step process, requiring careful planning before, during, and after adoption. Without the right support, it's easy to make mistakes that hinder your implementation.
That’s where Virgin Media O2 Business comes in.
We’ll work with you to identify the best SASE solution for your business. Here’s how we’ll help with the assessment, implementation, and management of SASE:
Assessment
- Work alongside you to create a SASE strategy that includes KPIs and an adoption timeline.
- Build a cross-functional team to include networks, office and workforce transformation and security.
- Track contract expiry dates and plan to consolidate ZTNA, CASB, SWG and RBI.
- Begin measuring end-to-end user-to-app experiences to reduce cost and complexity.
Implementation
- Phase out network-level legacy VPNs and implement third-party access.
- Phase out usage of legacy network-level VPN for remote access and keep ZTNA access for return to office.
- Phase out residual dedicated network security appliances.
- Introduce a full zero-trust security methodology.
- Gradually phase out the majority of dedicated circuits.
Management
- Use continuous monitoring and machine learning to detect unusual or unsafe activity.
- Provide regular and on-demand reports of usage data and threats prevented.
- Oversee policing and enforcement of contractual SLAs from your SASE providers.
- Establish a permanent, joined-up function to remove complexity and cost.
- Initiate continuous authorisation for access requests.
Network redesign considerations
SASE implementation is a significant move from older networks, which relied heavily on physical hardware and infrastructure. SASE shifts away from legacy connectivity towards a cloud-first strategy.
That means finding a vendor (or vendors) that can deliver unified security and networking features.
Of course, every network is different, and each enterprise has individual goals for SASE adoption.
Factors such as functionality, complexity, cost, security and resilience will be important for most organisations. Choosing the right vendors is critical if you want to avoid ‘buyer's regret’ further down the line.
When you work with a partner such as Virgin Media O2 Business, you can choose from a range of industry-leading vendors. We’ll bring the expertise and support to help you find the perfect solution that aligns with your needs.
Identity and access prerequisites
Part of transitioning to SASE is moving away from traditional network security methods. Instead of legacy VPNs, you’ll be using a zero-trust approach that bolsters security and ensures least privilege access.
This ZTNA model should include additional security such as two-factor authentication, network segmentation, and device posture checks.
But mistakes during configuration can lead to new risks. That’s why you need an experienced partner such as Virgin Media O2 Business to guide you through the transition.
We’ll help you move beyond network-level legacy VPNs for secure third-party access. We’ll audit and test your existing systems to set out a path for transitioning to a ZTNA framework.
Security effectiveness testing
When delivered correctly, SASE can be a game-changer for network security. That’s why it’s important to thoroughly test your implementation to ensure it's bringing the desired results.
This process should seek to simulate real-world network conditions. Throughout testing, you’ll monitor SASE’s ability to block threats, including malware and other exploits, and ensure access-based controls are working correctly.
Working with Virgin Media O2 Business dramatically simplifies this process. We’ll continuously monitor your network using machine learning to guarantee the best protection.
We also only work with vendors who have a proven track record of success. This includes Versa FlexVNF, Cisco Meraki and Viptela, Palo Alto Strata, Prisma Access, and Zscaler.
Migration planning
As we’ve discussed, moving towards a SASE framework can represent a big shift, especially if you’re running an older network. That’s why careful planning is essential before beginning any implementation.
You’ll need to create a cross-functional team to oversee migration. This should combine stakeholders from both security and networking teams to avoid silos and ensure broad agreement between departments.
Planning should also involve auditing your firewall, hardware, and other elements of your existing network. Consider where data is housed and the best paths to ensure traffic is routed efficiently.
Virgin Media O2 Business offers support at every stage of the planning process.
Below are just a few of the ways we’ll help you plan:
- Create a team combining networks, office and workforce transformation and security.
- Audit your existing network security setup.
- Establish a SASE strategy that includes KPIs and an adoption timeline.
Checklist to evaluate SASE service providers
Before choosing a SASE solution, always carefully evaluate your own needs and match these to each provider’s offering.
The following checklist will make this process easier for you:
Understand your security and networking needs
Before assessing SASE providers, gain a full understanding of your enterprise’s needs. This should include:
- Identifying essential security components for enforcing your security policy - For instance, features such as smart internet access, SD-WAN, ZTNA and FWaaS are essential for securing cloud environments.
- Conducting environment mapping - This will help you to understand the needs of remote teams, branch offices, and other elements that connect to your network. Consider the policies and features needed for a smooth, secure experience.
- Taking note of any regulations that apply - List the features needed to guarantee compliance on your network. For instance, how can SASE improve your audit readiness?
Assess cloud native architecture
When choosing a SASE vendor, a cloud native design should be a top priority. It should support the enterprise’s ability to scale globally and thrive in dispersed environments.
Assess the following factors relating to a vendor’s architecture:
- Consider whether a provider offers multicloud support - This includes built-in redundancy for high-availability clusters to ensure network continuity if certain elements fail.
- Always assess risks in a vendor’s architecture - A single-pass inspection model reduces latency and ensures equal performance for all users and devices. Avoid multi-pass inspection models, which increase response times and operational complexity.
- Think about network performance - Review a provider’s latency Service-Level Agreement (SLA) and Point of Presence (PoP) footprint.
Evaluate the Zero Trust framework
A zero-trust architecture is a critical element in every SASE framework. To ensure robust protection, make sure your network is reinforced with the following protections:
- Access controls - You should be able to segment data and applications into zones, so that information is only accessed on a need-to-know basis. Similarly, network operators should be free to control access to certain applications based on a user’s role.
- Continuous user verification - Users should be verified throughout their session, rather than only when logging in.
- Device health checks - The zero-trust framework should monitor operating system version, anti-virus status, and other factors to make sure that devices are secure and up-to-date.
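The access decision described in the Zero Trust Network Access section earlier and in the three checklist items above, as an added example (not code from Virgin Media O2 Business or any SASE vendor). The zone table, role names, minimum OS versions and the eight-hour MFA lifetime are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy values, for illustration only.
MIN_OS_VERSION = {"windows": (10, 0, 19045), "macos": (14, 0, 0)}
MFA_MAX_AGE = timedelta(hours=8)
# Zones: application -> who may reach it and from where. Unlisted apps are unreachable.
ZONES = {
    "payroll": {"roles": {"finance"}, "countries": {"GB"}},
    "wiki": {"roles": {"finance", "engineering"}, "countries": {"GB", "IE"}},
}


@dataclass(frozen=True)
class Device:
    os: str
    os_version: tuple
    endpoint_protection: bool
    av_up_to_date: bool


@dataclass(frozen=True)
class AccessRequest:
    role: str
    country: str
    device: Device
    mfa_at: Optional[datetime]  # time of the last successful MFA, if any
    app: str


def posture_failures(device):
    """Device health checks: OS version, endpoint protection, anti-virus."""
    failures = []
    minimum = MIN_OS_VERSION.get(device.os)
    if minimum is None:
        failures.append("unsupported operating system")
    elif device.os_version < minimum:
        failures.append("operating system below minimum version")
    if not device.endpoint_protection:
        failures.append("endpoint protection missing")
    if not device.av_up_to_date:
        failures.append("anti-virus out of date")
    return failures


def decide(req, now):
    """Return (allowed, reasons). Deny by default: any failed check blocks.

    Called on every request, not only at login, so a session whose MFA
    has aged out or whose device has drifted is refused mid-session.
    """
    reasons = []
    zone = ZONES.get(req.app)
    # Unknown app and wrong role give the same answer, so the broker
    # does not reveal which applications exist.
    if zone is None or req.role not in zone["roles"]:
        reasons.append("application not available to this user")
    elif req.country not in zone["countries"]:
        reasons.append("location not permitted for this application")
    if req.mfa_at is None:
        reasons.append("multi-factor authentication required")
    elif req.mfa_at > now or now - req.mfa_at > MFA_MAX_AGE:
        reasons.append("multi-factor authentication expired")
    reasons.extend(posture_failures(req.device))
    return (not reasons, reasons)


if __name__ == "__main__":
    now = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock
    laptop = Device("windows", (10, 0, 19045), True, True)
    req = AccessRequest("finance", "GB", laptop, now - timedelta(hours=1), "payroll")
    print(decide(req, now))
    print(decide(req, now + timedelta(hours=9)))  # same session, MFA now stale
```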
Consider SD-WAN performance
SD-WAN is key to delivering secure connectivity for remote employees.
Bear the following factors in mind when assessing SD-WAN performance:
- Assess branch-to-cloud performance - Branch office users should be able to connect easily to the cloud via different PoPs.
- Check traffic control features - Features such as dynamic path selection, link bonding, and application-aware routing ensure critical apps get priority.
- Ensure resiliency - SD-WAN should ensure a smooth flow of traffic, even if a connection fails. Features such as smart path selection and active link utilisation will help you to maintain performance and minimise disruption.
Gauge the costs
Consider your organisational budget and the total cost of ownership. The best providers offer flexible pricing plans that fit within your budget.
Ask the following questions when gauging the costs of SASE ownership:
- Are there any hidden costs? - Some vendors apply extra charges for add-on features or increase pricing for higher SSL decryption throughput limits.
- What licensing models are on offer? - SASE pricing is usually user-based; however, some providers use bandwidth or usage-based pricing.
- What is the renewal process? - Consider the price increase caps listed within your contract.
Zero Trust, full confidence
For modern enterprises, SASE isn’t just desirable, it’s essential.
But introducing SASE is a complex process. Any mistakes can lead your network to be open to cyberattacks, data leaks, and other risks.
That’s why you need a dependable partner you can count on.
Virgin Media O2 Business offers a one-stop solution for implementing SASE.
This includes a full-scale design, deployment and managed services from vendors including Versa FlexVNF, Cisco Meraki and Viptela, Palo Alto Strata, Prisma Access, and Zscaler.
Want to learn more about SASE and how we can build a solution around your needs?
Contact us today and speak to our support team.