This chapter covers Secure Access Service Edge (SASE), a transformative architecture that converges networking and security into a single cloud-delivered service. For the SY0-701 exam, SASE is tested under Security Architecture (Objective 3.6), focusing on understanding its components, benefits, and how it differs from traditional network security models. Mastering SASE is critical for modern enterprise security, as it addresses the challenges of remote work, cloud adoption, and distributed access.
Imagine a company as a city with multiple branch offices (neighborhoods) and remote workers (individual homes). Traditionally, each office had a private road (MPLS) connecting it to a central security checkpoint (data center firewall). Remote workers used a VPN tunnel (a narrow, temporary road) back to the central checkpoint. This model created congestion, high costs, and a single point of failure. SASE is like building a new highway system with integrated security. The highway itself is the global SD-WAN fabric that connects all locations directly and efficiently using the public internet, but with encryption and QoS. At each on-ramp (the SASE PoP), there is a security gate that inspects every vehicle (packet) before entering the highway. This gate combines a firewall, secure web gateway, CASB for cloud apps, and ZTNA for user identity checks. The highway system also has a central traffic control center (cloud-based management) that updates policies in real time. As a car drives from a remote home to a corporate office, it enters the highway at the nearest on-ramp, gets inspected, takes the fastest route, and exits at the destination. The security follows the car, not the road. This eliminates the need for backhauling traffic to a central checkpoint, reducing latency and cost. The analogy captures SASE's convergence of networking and security into a cloud-delivered service, where identity and context drive access decisions, and the network itself enforces policy.
What is SASE and Why It Matters
Secure Access Service Edge (SASE, pronounced "sassy") is a framework defined by Gartner in 2019 that converges wide-area networking (WAN) and network security services into a single, cloud-delivered platform. The core idea is to provide secure, fast access to applications and data regardless of user location, device, or application hosting (on-premises, cloud, or SaaS). Traditional network security models rely on a centralized data center where all traffic is backhauled for inspection. This creates latency, scalability issues, and poor user experience for remote workers. SASE shifts security and networking to the edge of the network—points of presence (PoPs) distributed globally—so that security policies are enforced close to the user or branch.
For SY0-701, you need to know that SASE is not a single product but an architecture combining multiple technologies: SD-WAN (Software-Defined Wide Area Network), SWG (Secure Web Gateway), CASB (Cloud Access Security Broker), ZTNA (Zero Trust Network Access), and FWaaS (Firewall as a Service). These components work together to provide identity-driven, context-aware access while optimizing network performance.
How SASE Works Mechanically
SASE operates on a cloud-native model where a global network of PoPs acts as the enforcement points. Here is the step-by-step process:
1. User or Branch Initiates Connection: A remote user connects to the internet from home or a branch office. The ZTNA client on their device, or the branch's SD-WAN edge router, initiates a connection to the nearest SASE PoP.
2. Traffic Steering via SD-WAN: The SD-WAN component determines the best path for the traffic based on policies (e.g., latency, cost, application type). Unlike traditional MPLS, SD-WAN can use broadband, LTE, or MPLS links and dynamically route traffic.
3. Security Inspection at the PoP: All traffic is inspected by the integrated security stack at the PoP. This includes:
- SWG: Blocks malicious websites and enforces acceptable use policies.
- CASB: Scrutinizes traffic to cloud applications (e.g., Office 365, Salesforce) for data loss prevention (DLP) and shadow IT.
- FWaaS: Provides stateful firewall, intrusion prevention (IPS), and DNS filtering.
- ZTNA: Authenticates the user and device, verifies identity and posture, and grants least-privilege access to specific applications (not network access).
4. Policy Enforcement: Policies are defined centrally in a cloud management console and pushed to all PoPs. Policies can include user identity, device health, location, time, and application sensitivity. For example, a contractor might only have access to a specific SaaS app, while an employee can access internal apps.
5. Direct-to-Net Traffic: Optimized traffic flows directly from the PoP to the destination (e.g., SaaS app) without backhauling to a central data center. This reduces latency and improves performance.
Key Components and Standards
SD-WAN: The networking backbone of SASE. It uses overlay tunnels (e.g., IPsec, GRE) over any transport. Key protocols: OMP (Overlay Management Protocol) in Cisco SD-WAN, or BGP for routing. SD-WAN provides application-aware routing, WAN optimization, and link load balancing.
SWG (Secure Web Gateway): Inspects HTTP/HTTPS traffic. Uses TLS interception (an authorized man-in-the-middle, relying on a CA certificate that managed endpoints trust) to decrypt traffic for inspection. Blocks malware and phishing, and enforces URL filtering. Common SWG vendors: Zscaler, McAfee (Skyhigh), Symantec.
CASB (Cloud Access Security Broker): Acts as a gatekeeper between users and cloud providers. Provides visibility into cloud app usage, DLP for sensitive data, and compliance checks. CASB can be API-based (connects directly to cloud provider APIs) or proxy-based (inline).
ZTNA (Zero Trust Network Access): Replaces traditional VPNs. Users get access to specific applications, not the entire network. ZTNA uses a broker that authenticates and authorizes each connection request. Common implementations: client-initiated (user device has a client) or service-initiated (connector in the app's network).
FWaaS (Firewall as a Service): Next-generation firewall (NGFW) capabilities delivered from the cloud. Includes stateful inspection, IPS (using signatures and anomaly-based detection), and application control.
Cloud Identity Provider (IdP) Integration: SASE integrates with IdPs like Azure AD, Okta, or Ping for single sign-on (SSO) and multi-factor authentication (MFA). This ensures identity is the new perimeter.
How Attackers Exploit or How Defenders Deploy This
Defender Deployment: Deploying SASE involves:
1. Selecting a SASE provider (e.g., Zscaler, Palo Alto Prisma Access, Cisco Umbrella, Netskope).
2. Configuring SD-WAN at branches and deploying client software on endpoints.
3. Defining policies in the cloud console.
4. Integrating with existing IdP and DLP solutions.
5. Testing and gradually migrating traffic from legacy VPN/firewall.
Attacker Exploitation: Attackers may target SASE by:
- Compromising the Identity Provider: If an attacker gains control of the IdP, they can impersonate users and access applications. Mitigation: MFA, conditional access policies.
- Exploiting TLS Interception: If the SWG's TLS inspection is misconfigured, attackers could bypass inspection. Mitigation: proper certificate management and strict TLS policy.
- PoP Compromise: Though rare, a compromised PoP could expose traffic. SASE providers use zero-trust architecture within their own network.
- Client-Side Attacks: If the ZTNA client has vulnerabilities, attackers could exploit them. Mitigation: regular patching and endpoint detection and response (EDR).
Example Command/Tool: In a SASE environment, an administrator might use a cloud console to view traffic logs. For example, Zscaler's console shows logs for each transaction:

Timestamp: 2024-05-01 12:00:00
User: jdoe@company.com
Action: Blocked
Category: Malware
URL: evil.com

Alternatively, use the provider's API to extract logs for SIEM integration.
Real-World Example: Zscaler Internet Access (ZIA)
Zscaler is a leading SASE provider. ZIA provides SWG, FWaaS, and CASB. When a user browses to a website, the traffic is redirected to the nearest Zscaler PoP. The PoP performs:
DNS filtering (blocks known malicious domains)
SSL inspection (decrypts HTTPS)
Policy check (user identity, URL category)
Threat prevention (IPS signatures)
DLP (scans for credit card numbers)
If the traffic is allowed, it is forwarded to the internet. All this happens in milliseconds.
Exam Relevance
SY0-701 expects you to understand SASE as a modern alternative to traditional network security. Be able to identify the components (SD-WAN, SWG, CASB, ZTNA, FWaaS) and explain how they work together. Know that SASE is cloud-delivered, identity-centric, and supports remote access. Contrast it with traditional VPN and data center-centric models.
Identify the Need for SASE
The organization recognizes that traditional hub-and-spoke VPN architecture is insufficient for remote workers and cloud adoption. Traffic backhauling causes latency, poor user experience, and high costs. The security team identifies the need for a unified, cloud-delivered solution that provides secure access regardless of location. Tools: network traffic analysis shows high latency for remote users; cost analysis reveals expensive MPLS circuits. The decision to adopt SASE is made based on these pain points.
Select a SASE Provider
The organization evaluates SASE vendors like Zscaler, Palo Alto Prisma Access, Cisco Umbrella, or Netskope. Criteria include global PoP coverage, integration with existing identity provider (e.g., Azure AD), SD-WAN capabilities, and security features (SWG, CASB, ZTNA). A proof of concept is conducted. The chosen provider must support the organization's cloud applications (e.g., Office 365, Salesforce) and provide DLP for sensitive data. Contracts are signed, and the deployment scope is defined.
Deploy SD-WAN at Branches
SD-WAN edge devices (e.g., Cisco Meraki, VMware VeloCloud) are installed at each branch office. These devices connect to multiple WAN links (broadband, LTE) and establish encrypted tunnels to the SASE PoPs. Configuration includes defining application-aware routing policies (e.g., prioritize VoIP traffic). The SD-WAN orchestrator is configured to steer traffic to the nearest PoP. Logs show tunnel status and link utilization.
Install ZTNA Clients on Endpoints
Remote users install ZTNA client software (e.g., Zscaler Client Connector, Palo Alto GlobalProtect). The client registers the device, checks compliance (e.g., antivirus enabled, OS patched), and establishes a secure tunnel to the nearest PoP. The client integrates with the IdP for SSO. Admins can view device posture in the SASE console. If a device is non-compliant, access is blocked or restricted.
Configure Security Policies in Cloud Console
Security policies are defined centrally. Examples: - URL filtering: block gambling sites. - DLP: prevent credit card numbers from leaving via email. - IPS: block known exploit signatures. - App control: allow only approved cloud apps. Policies are tied to user identity and device posture. The console pushes policies to all PoPs globally. Logs show policy enforcement events, such as blocked downloads or allowed access.
Monitor and Tune the Environment
Security operations center (SOC) analysts monitor SASE logs and alerts. They look for blocked threats, policy violations, and performance issues. Tools: SIEM integration (e.g., Splunk) ingests SASE logs for correlation. Common tuning: adjusting DLP rules to reduce false positives, updating IPS signatures, and modifying routing policies for better performance. Analysts respond to incidents by blocking malicious IPs via the SASE console. A common mistake is failing to update policies as new cloud apps are adopted, leading to shadow IT.
Scenario 1: Remote Worker Access to Internal App
A company with 5,000 remote employees uses Zscaler SASE. An employee, Alice, connects from a coffee shop. Her ZTNA client authenticates via Azure AD (MFA enabled). The client checks device posture: OS updated, antivirus running. It then establishes a tunnel to the nearest Zscaler PoP. Alice requests access to the internal ERP system hosted in AWS. The PoP's ZTNA broker verifies her identity and grants access only to the ERP app (not the entire network). The traffic is proxied through the PoP, which also applies DLP and IPS. The SOC sees a log: User: alice@company.com, App: ERP, Action: Allow, Source IP: PoP IP, Destination: AWS. If Alice's device had malware, the PoP would block the connection. A common mistake: IT might have configured a VPN that gives full network access, increasing risk.
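The broker decision described in the step-by-step flow (identity, MFA, device posture, location, least-privilege per-app access) and walked through in Scenario 1 above, as an added example that is not from the original page or any vendor's product. It is a small default-deny policy evaluator; the roles, app names and policy fields are constructed assumptions, not a real SASE policy schema.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class DevicePosture:
    """Posture facts the ZTNA client reports before a tunnel is built (constructed fields)."""
    os_patched: bool
    antivirus_running: bool
    managed: bool = True

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str             # group claim from the IdP (employee, contractor); an assumption
    mfa_passed: bool      # true only after the IdP reports a completed MFA challenge
    posture: DevicePosture
    app: str              # the single application requested, never "the network"
    country: str          # geolocation of the source connection

# One entry per application (constructed, not a vendor's policy format).
# Any app not listed here is unreachable: that is the default-deny stance.
POLICIES = {
    "erp":        {"roles": {"employee"}, "mfa": True, "compliant_device": True, "countries": None},
    "salesforce": {"roles": {"employee", "contractor"}, "mfa": True, "compliant_device": False, "countries": None},
    "hr-portal":  {"roles": {"employee"}, "mfa": True, "compliant_device": True, "countries": {"US", "GB"}},
}

def is_compliant(p: DevicePosture) -> bool:
    return p.os_patched and p.antivirus_running and p.managed

def evaluate(req: AccessRequest) -> Tuple[str, str]:
    """Decide one request; returns ("allow" | "deny", reason). Every check fails closed."""
    policy: Optional[dict] = POLICIES.get(req.app)
    if policy is None:
        return "deny", "no policy for app (default deny)"
    if req.role not in policy["roles"]:
        return "deny", "role not entitled to app"
    if policy["mfa"] and not req.mfa_passed:
        return "deny", "MFA not satisfied"
    if policy["compliant_device"] and not is_compliant(req.posture):
        return "deny", "device posture non-compliant"
    if policy["countries"] and req.country not in policy["countries"]:
        return "deny", "source country not permitted"
    return "allow", "identity, MFA, posture and location checks passed"

def entitled_apps(req: AccessRequest) -> List[str]:
    """Everything this requester could reach right now: a per-app list, not a subnet."""
    return sorted(app for app in POLICIES if evaluate(replace(req, app=app))[0] == "allow")

if __name__ == "__main__":
    healthy = DevicePosture(os_patched=True, antivirus_running=True)
    alice = AccessRequest("alice@company.com", "employee", True, healthy, "erp", "US")
    carol = AccessRequest("carol@contractor.example", "contractor", True, healthy, "erp", "US")
    print(evaluate(alice))          # employee, MFA done, healthy device: allow
    print(evaluate(carol))          # contractor asking for ERP: deny, role not entitled
    print(entitled_apps(carol))     # only the SaaS app the contractor is scoped to
    print(evaluate(replace(alice, posture=DevicePosture(True, False))))  # posture deny
```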
Scenario 2: Branch Office with SD-WAN and SWG
A retail chain with 100 stores uses Cisco Umbrella SASE. Each store has an SD-WAN router that connects to two ISPs. The router steers Office 365 traffic directly to Microsoft (optimized path) and web browsing traffic to the nearest Umbrella PoP for security inspection. The PoP blocks access to a phishing site that targets retail employees. The SOC receives an alert: Threat: Phishing, URL: fake-retail-login.com, Action: Blocked, Source: Store 42. The analyst verifies the block and updates the policy to block similar domains. A common mistake: not enabling TLS inspection on the SWG, allowing encrypted phishing traffic to pass through.
Scenario 3: Cloud Migration and CASB
A financial services firm migrates to Salesforce and Office 365. They deploy Netskope SASE with CASB. The CASB discovers that employees are using an unsanctioned file-sharing app (shadow IT). The policy blocks access to the app and alerts the SOC. Additionally, DLP rules prevent credit card numbers from being uploaded to Salesforce. The SOC sees a log: User: bob@firm.com, App: Unsanctioned Cloud, Action: Blocked, Data: None. A common mistake: not configuring DLP for all cloud apps, leading to data leakage. The correct response is to configure policies for all sanctioned apps and block unsanctioned ones.
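The SOC monitoring and tuning work described above, and the console log lines quoted in the three scenarios and in the earlier Zscaler excerpt, as an added example that is not from the original page or any vendor's tooling: a parser for the "Key: value, Key: value" record shape those excerpts use, plus a triage pass that pulls out shadow IT users, phishing sources and users hitting repeated blocks. The log lines, domains and addresses are constructed placeholders.

```python
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample records in the "Key: value, Key: value" shape used on this page.
# Domains and addresses are placeholders, not real indicators.
SAMPLE_LOGS = [
    "Timestamp: 2024-05-01 12:00:00, User: jdoe@company.com, Action: Blocked, Category: Malware, URL: bad-site.example",
    "Timestamp: 2024-05-01 12:00:05, User: alice@company.com, App: ERP, Action: Allow, Source IP: 198.51.100.10, Destination: AWS",
    "Timestamp: 2024-05-01 12:01:10, User: bob@firm.example, App: Unsanctioned Cloud, Action: Blocked, Data: None",
    "Timestamp: 2024-05-01 12:02:00, Threat: Phishing, URL: fake-login.example, Action: Blocked, Source: Store 42",
    "Timestamp: 2024-05-01 12:03:00, User: jdoe@company.com, Action: Blocked, Category: Malware, URL: bad-site2.example",
    "Timestamp: 2024-05-01 12:04:00, User: jdoe@company.com, Action: Blocked, Category: Phishing, URL: login-trap.example",
    "this line is not a log record",
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split 'Key: value' pairs on ', '. The Timestamp value itself contains colons,
    so each field is split on its first ': ' only. Returns None for non-records."""
    fields: Dict[str, str] = {}
    for part in line.split(", "):
        if ": " not in part:
            return None
        key, value = part.split(": ", 1)
        fields[key.strip()] = value.strip()
    return fields if "Action" in fields else None

def parse_logs(lines: List[str]) -> List[Dict[str, str]]:
    return [ev for ev in map(parse_line, lines) if ev is not None]

def triage(events: List[Dict[str, str]], repeat_threshold: int = 3) -> dict:
    """Turn parsed events into what an analyst tuning a SASE deployment looks for."""
    blocked = [e for e in events if e.get("Action") == "Blocked"]
    # Why the block happened: SWG category, IPS threat name, or the CASB app name
    by_reason = Counter(e.get("Category") or e.get("Threat") or e.get("App") or "unknown"
                        for e in blocked)
    # CASB shadow IT: blocked use of an unsanctioned cloud app, reported per user
    shadow_it = sorted({e["User"] for e in blocked
                        if e.get("App") == "Unsanctioned Cloud" and "User" in e})
    # Where phishing blocks originated: a user for client traffic, a site for branch traffic
    phishing = sorted({e.get("User") or e.get("Source") for e in blocked
                       if "Phishing" in (e.get("Category"), e.get("Threat"))})
    # Users blocked repeatedly may be compromised or hit by an over-broad policy
    per_user = Counter(e["User"] for e in blocked if "User" in e)
    repeat = sorted(u for u, n in per_user.items() if n >= repeat_threshold)
    return {"blocked_by_reason": dict(by_reason), "shadow_it_users": shadow_it,
            "phishing_sources": phishing, "repeat_block_users": repeat}

if __name__ == "__main__":
    for name, value in triage(parse_logs(SAMPLE_LOGS)).items():
        print(f"{name}: {value}")
```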
Exactly What SY0-701 Tests on This Objective
Objective 3.6 (Security Architecture) expects you to explain the SASE framework and its components. Specifically:
Define SASE and its purpose (converge networking and security, cloud-delivered).
List and describe the five core components: SD-WAN, SWG, CASB, ZTNA, FWaaS.
Contrast SASE with traditional network security (e.g., VPN, MPLS, on-premises firewalls).
Identify benefits: reduced latency, improved user experience, scalability, centralized policy management.
Recognize that SASE is identity-centric and supports zero trust principles.
Common Wrong Answers and Why Candidates Choose Them
"SASE is a type of VPN" – Candidates confuse SASE with VPN because both provide remote access. But SASE is a comprehensive architecture in which remote access is only one function, and that function is delivered by ZTNA rather than a VPN. Wrong because SASE includes multiple security services and is cloud-delivered.
"SASE requires on-premises hardware" – Candidates think of traditional firewalls. SASE is cloud-native and its PoPs are cloud-based; SD-WAN edge devices at branches are the only on-premises piece, while the security services themselves run in the cloud.
"SASE only applies to remote workers" – SASE also covers branch offices and cloud access. It is universal.
"SASE and SD-WAN are the same" – SD-WAN is a component of SASE. SASE includes security services on top of SD-WAN.
Specific Terms, Values, and Acronyms
SASE (Secure Access Service Edge)
SD-WAN (Software-Defined Wide Area Network)
SWG (Secure Web Gateway)
CASB (Cloud Access Security Broker)
ZTNA (Zero Trust Network Access)
FWaaS (Firewall as a Service)
PoP (Point of Presence)
MPLS (Multiprotocol Label Switching) – traditional WAN technology that SASE replaces.
IPsec – common encryption for tunnels.
TLS inspection – used by SWG to decrypt HTTPS traffic.
Common Trick Questions
Questions that contrast SASE with "traditional VPN" – SASE uses ZTNA, not VPN. If a question mentions "VPN" as a SASE component, it's wrong.
Questions that list SD-WAN as the only component – SASE must include security services.
Questions that say SASE is only for cloud applications – SASE also works for on-premises apps via ZTNA.
Decision Rule for Eliminating Wrong Answers
On scenario questions, identify if the scenario involves:
- Remote users needing access to internal apps → ZTNA (not VPN).
- Branch offices connecting to cloud → SD-WAN with security at PoP.
- Need for DLP for cloud apps → CASB.
- Web filtering → SWG.
- Firewall capabilities in the cloud → FWaaS.
If the answer mentions "centralized data center" or "backhauling," it's likely wrong because SASE eliminates that.
SASE converges SD-WAN, SWG, CASB, ZTNA, and FWaaS into a single cloud-delivered service.
SASE uses global PoPs to enforce security close to the user, reducing latency.
ZTNA replaces VPN by providing application-specific, identity-based access.
CASB provides visibility and DLP for cloud applications like Office 365 and Salesforce.
SWG inspects web traffic, often using TLS interception to decrypt HTTPS.
FWaaS delivers NGFW capabilities (stateful inspection, IPS) from the cloud.
SASE supports zero trust principles: verify every request, least-privilege access.
These come up on the exam all the time. Here's how to tell them apart.
Traditional VPN vs. SASE ZTNA
- Access scope: full network access (layer 3/4) vs. application-specific access (layer 7)
- Traffic path: backhauled to the data center vs. sent to the nearest PoP
- Latency: high for remote users vs. low due to local breakout
- Device posture: no check vs. device health checked before access
- Scaling: scales poorly with many users vs. elastic cloud scaling
On-Premises Firewall vs. SASE FWaaS
- Form: hardware-based vs. cloud-based, software-defined
- Reach: limited to physical location vs. distributed globally via PoPs
- Updates: manual vs. automatic from the provider
- Resilience: single point of failure vs. redundant PoPs
- Cost model: high capital expenditure vs. operational expenditure (subscription)
Traditional WAN (MPLS) vs. SD-WAN (component of SASE)
- Transport: expensive private circuits vs. broadband/LTE/MPLS
- Routing: static vs. dynamic, policy-based
- Application awareness: none vs. application-aware traffic steering
- Cloud access: centralized traffic backhaul vs. direct cloud access
- Deployment: long deployment times vs. rapid deployment
Mistake: SASE is just another name for SD-WAN.
Correct: SD-WAN is a component of SASE, but SASE also includes security services (SWG, CASB, ZTNA, FWaaS). SD-WAN alone does not provide security; SASE converges both networking and security into a cloud-delivered service.
Mistake: SASE requires replacing all existing network hardware.
Correct: SASE can be phased in. SD-WAN edge devices may be needed at branches, but existing firewalls can be repurposed or gradually replaced. The security services are cloud-delivered, so no new hardware is required at the data center.
Mistake: SASE only works for organizations that are fully in the cloud.
Correct: SASE supports hybrid environments. ZTNA can provide access to on-premises applications via a connector (service-initiated ZTNA). The SASE PoP can also inspect traffic to on-premises resources.
Mistake: SASE eliminates the need for endpoint security.
Correct: SASE includes device posture checks (ZTNA client) but does not replace endpoint protection (antivirus, EDR). Endpoint security is still needed for offline threats and advanced attacks.
Mistake: SASE is only for large enterprises.
Correct: SASE is scalable and can benefit small and medium businesses. The cloud-delivered model reduces upfront costs, and many SASE providers offer tiered pricing suitable for SMBs.
SD-WAN is a networking technology that optimizes WAN connectivity using software-defined policies and multiple transport links. SASE is a broader architecture that includes SD-WAN plus integrated security services (SWG, CASB, ZTNA, FWaaS) delivered from the cloud. In short, SD-WAN is the network fabric; SASE adds security on top. For the exam, remember that SASE = SD-WAN + cloud security.
No, SASE replaces traditional VPN with ZTNA. ZTNA provides secure access to specific applications without granting full network access. However, some SASE implementations may still use IPsec tunnels for SD-WAN or for legacy compatibility, but the primary remote access method is ZTNA. On the exam, if a question suggests VPN is a core SASE component, it's likely wrong.
SASE can protect access to on-premises applications using ZTNA. In service-initiated ZTNA, a connector is deployed in the on-premises network that establishes outbound connections to the SASE cloud. Users connect to the SASE PoP, which then proxies traffic to the on-premises app via the connector. This avoids opening inbound firewall ports. Alternatively, if the app is already exposed via a reverse proxy, SASE can enforce policies before proxying.
A PoP (Point of Presence) is a geographically distributed data center that hosts the SASE security stack. When a user or branch connects, traffic is routed to the nearest PoP. The PoP performs security inspections (SWG, FWaaS, CASB) and applies policies. It also acts as a ZTNA broker for application access. PoPs are interconnected via a private backbone for optimal performance. The exam may test that PoPs reduce latency by localizing security enforcement.
Yes, but with caveats. IoT devices that cannot run a ZTNA client can be placed behind an SD-WAN edge device that enforces policies. The edge device can apply segmentation and direct IoT traffic to the SASE PoP for inspection. However, many IoT devices are headless and may not support modern authentication, so additional controls (e.g., network access control) may be needed. The exam may not cover IoT deeply, but understand that SASE can extend to any device that can be routed through a PoP.
SASE inherently supports zero trust by: (1) never trusting any user or device by default, (2) verifying identity and device posture before granting access, (3) providing least-privilege access to specific applications (not the network), and (4) continuously monitoring sessions for anomalies. The SASE cloud enforces policies consistently regardless of location. This aligns with the zero trust principle of 'never trust, always verify.'
Potential drawbacks include: reliance on internet connectivity (if the PoP is unreachable, access may fail; SD-WAN can failover to backup links), complexity of integration with legacy systems, data residency concerns (some countries require data to stay within borders, which may limit PoP choices), and vendor lock-in. Also, TLS inspection can impact performance and raise privacy concerns. For the exam, know that SASE is not a silver bullet and requires careful planning.