Strategic Roadmap for SASE Convergence

23 June 2025 - ID G00806648 - 30 min read
By John Watts, Andrew Lerner,  and 1 more
The shift to cloud computing and hybrid work is driving secure access service edge demand, enabling secure access from any device. This research guides cybersecurity and I&O leaders on how to converge networking and security into one or two explicitly partnered SASE vendor offerings, and retire legacy perimeter systems.

Overview


Key Findings

  • Secure access service edge (SASE) frameworks enable a unified approach to connectivity and security for a hybrid workforce, as well as decentralized deployment of resources such as devices, branches, and enterprise applications and services.
  • Legacy siloed networking and security products struggle to secure modern applications and networks. This creates complexity for network and security administrators and inconsistent experiences for users.
  • Organizations accelerate SASE adoption by aligning their SASE roadmaps with existing IT skills, vendor contracts and hardware refresh cycles.
  • Organizations seek to converge and adopt SASE in one of three ways: using a single SASE platform; combining solutions from two vendors (dual-vendor SASE); or engaging a managed SASE service. In the second half of 2024, Gartner client inquiry for SASE evaluations shifted toward SASE platforms and away from dual-vendor or managed SASE alternatives.

Recommendations

Cybersecurity and I&O leaders aiming to create an effective and robust SASE convergence roadmap should:
  • Adopt SASE to modernize branch office connectivity, pursue a zero-trust strategy, enable migration of end users to cloud services and applications, and secure and connect hybrid workers.
  • Select unified SASE offerings with single pass inspection of traffic, flexible inspection points, and routing and customized logging to meet performance, simplicity and compliance requirements.
  • Consolidate existing networking and security contracts. Engage networking and security engineers before any technology evaluations to minimize duplicate spend.
  • Create a shortlist and evaluation criteria aligned with the preferred deployment option, and conduct a pilot before any purchase to validate key functional requirements and use cases.

Strategic Planning Assumptions


By 2028, 30% of large organizations with expiring dual-vendor SASE contracts will not renew and instead consolidate to a single SASE platform.

Introduction


Historically, most organizations designed network and security architectures around physical locations rather than end users and their device access requirements. However, new digital capabilities — such as cloud and edge computing, and flexible work initiatives — have inverted access requirements. Now, instead of end users being forced to connect to a secure, managed network, they can secure access regardless of their location. Network security designs based on a collection of perimeter security appliances are no longer adequate to support a location-independent, flexible workforce and computing environment when requirements dictate a need to shift away from fixed locations.
The 2024 Gartner Cloud and Hybrid Infrastructure Survey shows that all types of applications are increasingly located outside of an on-premises network and data center.1 At the same time, enterprises are increasingly pursuing zero-trust strategies and frameworks demanding technologies to implement zero-trust principles. This makes the implementation of SASE all the more important for organizations, given that delivering a zero-trust security posture is an integral part of a SASE architecture and emerging SASE offerings (see Quick Answer: Explaining Zero Trust Security Approaches to Tech Executives).
Consequently, demand for SASE continues to grow, with an estimated $15 billion in spending in 2025 (see Forecast Analysis: Secure Access Service Edge, Worldwide), prompting networking and security vendors to rapidly evolve their offerings.
SASE architecture (as illustrated in Figure 1) converges network, most notably, SD-WAN, and network security service edge services, most notably secure web gateway (SWG), cloud access security broker (CASB) and zero-trust network access (ZTNA).
Figure 1: Detailed SASE View
The secure access service edge (SASE) architecture converges WAN edge service and security service edge, cloud access security broker and zero trust network access. On the left side, users, devices and location are shown and on the right side, public cloud, data center and edge is shown. Connecting both together is SASE.
According to the 2025 Gartner CIO and Technology Executive Survey, while 14% of respondents reported their enterprise had already deployed SASE, an additional 47% said their enterprise would do so by 2027.2 The reality is that transition to a complete SASE framework takes time, and enterprises have existing investments in hardware and software that still offer value. Hardware refresh cycles at branch offices average four to seven years. Another factor is the relationships and expertise that staff have with incumbent vendor offerings. Moreover, most larger enterprises have separate network security and network operations teams, further complicating SASE adoption. Finally, many vendors claim to offer a SASE product but don’t deliver all of the required and recommended SASE capabilities, as not all of a vendor’s SASE capabilities are at the same level of functionality and maturity.
Cybersecurity and I&O leaders can use this research to analyze the gaps between the future state of SASE and the current state of their environment. This will enable them to construct a strategic roadmap, a migration plan and an implementation design for SASE adoption over the next several years (see Figure 2).
Figure 2: Strategic Roadmap Overview for SASE Convergence
Some of the gaps facing SASE convergence include organizational silos, existing investments and skills gaps, limited offerings, and traffic routing inefficiencies. The migration plan for convergence comprises four aspects: strategy for adoption, people, technology and measurements to enforce SLAs.

Future State


Many organizations are deploying more edge devices located anywhere and connecting users who need to access corporate resources from any network. Even on an internal network, a zero-trust security posture treats the network as untrusted. Users, branch offices and edge devices need secure access to data and applications spread everywhere throughout the cloud and data centers. SASE offerings deliver and protect this future state (see Table 1).

SASE Offerings Future State

Future state
Description
Consistent policy
enforcement and coverage for all types of access
, regardless of location, with support for local decision making
  • A SASE architecture enables distributed policy enforcement to the closest enforcement “edge.” Security teams enforce consistent security policies, such as sensitive data and malware inspection, across all access methods across and devices.
  • Public cloud, internet edge, vendor points of presence (POPS), branch appliances or even the endpoint itself enable enforcement points. This requires a software-based, hardware-neutral architecture deployed across globally distributed POPs, with policy enforcement as close to the point of consumption (typically users) as the enterprise requires.
  • Customers select traffic to be inspected and directed to specific enforcement points based on business policy, performance and compliance requirements. A fully distributed cloud architecture allows some security decisions to be made locally — addressing latency-sensitive, compliance, data sovereignty and local network access use cases — and other decisions to be made in the cloud based on advanced analytics.
  • For branch office and edge locations, small hardware or virtual appliances are deployed, but managed as part of a distributed cloud control plane and implemented with a thin-branch, heavy-cloud architecture.
  • Users receive the same policies remotely, in a branch location, or in a campus or main office.
Ease of administration via a unified policy control plane
  • The SASE management control plane is decoupled from the enforcement nodes, allowing centralized administration of unified policies, data storage and advanced analytics to be performed.
  • The administrative interface allows security and network policy to be managed from a single straightforward console and centralized dashboard for troubleshooting, reporting, analytics and configuration.
  • SASE supports a robust set of APIs for programmatic integration with other security tooling. It is part of a cybersecurity mesh architecture (CSMA) to consume and produce relevant security event, policy and configuration data shared with other security tools outside the scope of SASE, such as endpoint detection and response (EDR) tools.
  • Machine learning (ML), generative AI (GenAI) and other AI techniques suggest and implement policies based on observed behaviors.
Sensitive data visibility and control, as well as threat detection
  • Sensitive data visibility and control is a core competency of SASE. This is enabled using a combination of local agents, browsers or browser extensions, in-line traffic inspection and API-based inspection of cloud services.
  • Advanced data security techniques and data loss prevention (DLP) engines will detect and protect sensitive data with minimal false positive and false negative rates.
  • DLP is applied to data in motion and at rest across a range of services — such as SaaS, private applications and GenAI — and is extended natively or through integrations to support other data loss vectors, including endpoints, email and API payloads.
  • SASE provides visibility and protection from malicious content and network attacks.
Consistent coverage for all types of entities, including users and devices at branch office, campus and edge locations
  • For managed devices, organizations deploy software agents. However, SASE also supports unmanaged devices when needed without the use of an agent (for example, for contractor or third-party access). This is achieved via a web portal, public DNS with authentication via an identity provider and redirection through a reverse proxy, or by using a secure enterprise browser or extension to a browser.
  • At branch offices, a local appliance typically SD-WAN hardware acts as a shared agent for the branch for devices without agents (for example, printers). This provides traffic prioritization, connectivity failover, and local security capabilities such as firewalling and segmentation.
  • SASE offers support for securing agentic AI that operates on applications and services on behalf of end users, rather than securing end-user access directly.
Integrated SD-WAN, SSE and POPs
  • SASE implementation is via a single vendor, two explicitly partnered vendors (one for SD-WAN and one for SSE), or through a managed SASE service.
  • Regardless of deployment model, SASE must be fully integrated in the POPs to maximize the solution’s flexibility and scalability. This integration ensures users and devices can connect to the nearest cloud instance to facilitate single-pass inspection, minimize latency and maximize uptime.
Single-pass inspection of encrypted traffic and content at line speed in the cloud
  • Encrypted network sessions and content are inspected at line speed in the cloud and support Transport Layer Security (TLS) 1.3 natively.
  • Rather than scan a given piece of content once for malware/attacks, and again using a separate engine for sensitive data, the session and its content is decrypted once and scanned for malware and sensitive data using a single-pass, parallelized architecture.
  • SASE offers full support for postquantum resistant algorithms to encrypt and decrypt traffic, as well as native support for decrypting modern web technologies such as QUIC and Encrypted Hello (ECH).
  • SASE supports and protects a customer’s private certificate to use in decryption and reencryption of traffic.
Highly available, low-latency services with customer-controlled resilience options and contractually enforced SLAs
  • SASE offerings use an elastically scalable, composable architecture to deliver high performance and resilient service that can adapt to customer demand dynamically and support automatic and transparent failover.
  • Multiple and geographically dispersed enforcement points (most SASE vendors have dozens of POPs worldwide) enable the SASE provider to commit to contractual SLAs for high availability and low latency, without exceptions for inspecting encrypted traffic or sensitive data.
  • Digital experience monitoring (DEM) offers improved transparency for measuring latency and end-user experience.
  • Vendors support both virtual and hardware edge caching options to improve the operational resiliency of an organization’s SASE provider.
Delivery of zero-trust networking security posture
  • SASE offerings replace the implicit trust of legacy networking models with explicit, continuously assessed levels of adaptive risk and trust, based on the identity and context of devices and user accounts, where applicable.
  • This zero-trust security posture extends to all devices when connecting to enterprise resources, such as SaaS apps and private applications, regardless of location — remote, on campus, in a branch or at headquarters — i.e., it enables universal ZTNA.
  • Once connected, SASE monitors the entity, device, session and associated behaviors for anomalous or risky behaviors. Ongoing access is adaptive and modified based on risk.
Seamless end-user experience
  • SASE offerings provide the same user and access experience regardless of location or device by extending standard security policies and controls to managed and unmanaged devices, adjusting access based on user and endpoint context.
  • SASE offerings use a unified endpoint agent on managed devices that hides the access complexities from the user (e.g., forward proxy, tunnel creation where needed, device security posture).
  • All common OSs and device types are supported — Windows, macOS, Linux, iOS and Android.
Unified IT responsibility for access engineering
  • In a SASE architecture, a single cross-functional IT team is responsible for access design, selection, engineering and operationsspanning network security and networking and enabling secure access for all entities everywhere.
  • Wide-area network engineering and network security engineering evolve into an emerging composite role of “access engineering” (a complement to the emerging IT role of platform engineering supporting application creation).
Advanced AI and ML networking and security operational efficiencies
  • SASE vendors leveraging advanced ML and AI techniques, such as GenAI, enable better resilience and uptime by proactively suggesting both networking and security policy changes to improve the end-user experience.
  • Integrated AIOps capabilities enable administrators to maintain resilience and avoid downtime in the event of infrastructure failure.
  • More advanced SASE offerings proactively alert and prevent downtime with less need for manual intervention.
Source: Gartner

Current State


Organizations have a complex mix of legacy perimeter-based security appliances often from different vendors for CASB, SWG, ZTNA, firewall and SD-WAN functions. Early adopters of SASE find that some products have suboptimal implementations lacking fully unified, mature and streamlined capabilities. Separate organizational structures for networking and network security naturally create a complex and unmanageable collection of vendors, agents and consoles, as well as issues with optimizing network traffic (see Table 2).

SASE Offerings Current State

Current state
Description
Inconsistent policy enforcement that is location-dependent
  • Legacy appliance-based vendors continue to slowly deliver cloud-native and cloud-hosted solutions. Organizations using these products must define separate policies for enforcement across web, SaaS and private applications.
  • Existing point solutions or the immature cloud architecture of the SASE offering limits an organization’s ability to use the service (see Note 3).
Complex administration using disparate management consoles and policies
  • Administrators find separate consoles hard to use, increasing the chance of error and complexity, reducing security while limiting efficiency.
  • Organizations use vendors with service chaining to partners or network function virtualization (NFV) for services they don’t yet offer, or vendors that stitch together their acquired technologies, complicating administration and policy management.
Rudimentary or nonexistent sensitive data visibility and control, and basic threat detection capabilities
  • Organizations have separate or limited sensitive data discovery capabilities, such as basic pattern matching.
  • Sensitive data scanning for on-premises systems or endpoints is fragmented and is often not extended to email or SaaS applications.
  • Threat intelligence and detection capabilities vary across products and may not include dedicated threat intelligence feeds or the capability to incorporate feeds via standard interfaces such as STIX and TAXII.
  • Remote browser isolation (RBI) is stand-alone or part of a proxy chain, rather than something included in security policy for outbound proxy and securing SaaS and access to private applications.
Siloed security strategy separate from SD-WAN and edge strategy
  • Most larger enterprises have separate teams for network security versus networking. Some very large enterprises may even have separate teams for SWG, CASB and remote access (VPN and ZTNA).
  • While many SD-WAN implementations solicit security input, the branch office access transformation decisions are rarely from a unified cross-functional team.
  • Organizations use point solutions for securing IoT, OT and other nonhuman identities, such as agentic AI. These are completely siloed from securing and connecting employees and contractors using an organization’s managed devices.
Disparate SSE and SD-WAN
  • Many organizations have implemented both security service edge (SSE) and SD-WAN offerings, but these are lightly integrated using standard protocols such as IPsec. However, this approach does not provide the true benefits of minimizing duplicate management planes and dynamic traffic steering for improved and automated provisioning, improved troubleshooting and visibility, and proactive/reactive traffic steering.
  • Implementations of more than three vendors to achieve SASE minimizes the benefits of a unified SASE platform.
Inefficient architectures with multiple inspection points that ignore encrypted traffic or incur a significant performance hit
  • Implementations of disparate capabilities of SASE using monolithic architectures in the form of virtual appliances have difficulty dynamically expanding to support higher-throughput connections.
  • Use of SASE vendors that partner to fill out capabilities often pingpong traffic across different services en route to their final destination. SASE vendors have used different approaches to inspecting encrypted traffic, and enterprises need to test this functionality to determine its impact on latency and throughput.
Basic SLAs, rarely with contractual penalties or supported with resilient architectures
  • Organizations manage multiple SLAs from multiple vendors, each varying in terms of uptime and latency guarantees, as well as carve-outs for planned downtime or functions such as sensitive data inspection.
  • Existing products have limited operational resilience capabilities from edge to cloud and rely on differentiated cloud architectures as support of their SLA commitments.
  • DEM is either unavailable for remote users or requires a separate third-party product, rather than being integrated within existing deployments.
Basic or no zero-trust capabilities, lacking inspection and limited integration into endpoint security and management tools
  • Some ZTNA solutions don’t have the option to remain inline for the entire session across all inspection engines, which eliminates the ability to conduct sensitive data and malware inspection on these connections.
  • Some agent-based ZTNA offerings have only basic device security posture assessment capabilities on first connection. A few integrate with local endpoint protection platform (EPP) or unified endpoint management (UEM) agents.
  • Agent and agentless ZTNA may be from different vendors, creating additional overhead for employee, third-party or bring-your-own-device (BYOD) access use cases.
Fragmented and frustrating end-user experience
  • With disparate implementations of SASE capabilities, multiple agents may be required.
  • Organizations support ZTNA for remote users, but not when those remote users are on-premises. Different products may be needed to support users on different operating systems, as not all SASE agents support all OSs.
  • Some organizations ban BYOD outright or limit applications to SaaS and email to mitigate risks, yet still find themselves forcing the installation of VPN agents on risky contractor and third-party devices.
Manual intervention for networking and security policies and operations
  • Teams use limited, siloed automation capabilities to manage uptime and performance of networking and security infrastructures for end users.
  • Static, manual audits of policy are performed, and the team is mostly event driven, responding when downtime occurs and users are impacted using “all hands on deck” incident response measures to investigate and restore service.
Source: Gartner

Gap Analysis and Interdependencies


The following are some of the most significant gaps that will inhibit SASE migration:

Organizational Silos, Existing Investments and Skills Gaps

A full SASE implementation requires a coordinated and cohesive approach across security and networking teams. For midsize enterprises (MSEs), this problem is relatively easy to address, because there may not be separate security and networking teams. In large organizations, however, the organizational structures, budgeting processes and responsibilities can be quite rigid. Some organizations lack control of edge networking or security controls due to outsourcing or distributed budgets and technology ownership choices, which can limit their options for deploying SASE. Some vendors will be replaced, and the associated product skill sets will need to be repurposed toward policy creation in collaboration with business process and application owners.

Architecture and POPs

SASE solutions are primarily cloud-delivered, but vendors vary in the degree of “cloud nativeness” of their architecture. Legacy appliance and virtual appliance architectures need to be broken down into smaller, scalable components (see Note 2). Use of public cloud IaaS for points of presence (POPs), as opposed to owning POPs, is a difference among SASE providers that may impact adoption and costs for some regions (see Note 3). Locations of cloud POPs should be within a reasonable distance (e.g., 100 km) of branches and user locations to minimize last-mile latency. Hairpinning of traffic and ping-ponging across multiple POPs is an issue for non-SASE deployments, multivendor SASE implementations and even some single-vendor SASE offerings. Every enterprise has different requirements for compliance, and has privacy requirements for the inspection of data, storage of logs and routing of traffic. A lack of geographic dispersion, unified services and number of enforcement points will also impact the ability of a SASE provider to commit to availability and latency SLAs.

Sensitive Data Visibility and Control

This is a high-priority capability, but one of the most difficult problems for SASE vendors to address. Even vendors with strong data security may have gaps in coverage or require significant investment in resources by customers to tune and manage DLP alerts. Sending data to a third party for sensitive data identification is not a sustainable or cost-effective option. DLP inspection must be delivered natively by the SASE offering and provide options where native capabilities do not exist. DLP must extend to multiple inspection points for multiple file formats and sizes to catch sensitive data leakage, as any gap in inspection is an opportunity to bypass DLP controls.

SASE Maturity

SASE capabilities continue to vary widely across vendors as markets mature. Enterprises must balance their need for converged capabilities with the need for continued best-of-breed capabilities until the gaps are closed. Vendors using partnerships to fill SASE gaps may resort to service chaining or network function virtualization, but these are not sustainable long term. The maturity of SASE capabilities across its four core markets also varies greatly depending on the priorities of buyers in each market. Additionally, the rise of single-vendor SASE offerings and mergers across SD-WAN and SSE providers puts technology partnerships at risk long term.

Limited Support for Extended Use Cases

Most SASE providers focus on the core use cases: connecting branches and extended workforces (e.g., employees and contractors) to web, SaaS and private applications using managed devices. However, support for extended use cases varies, such as securing third-party privileged user access from unmanaged devices or securing IoT devices in the field to industrial edge compute platforms. This variable support increases complexity and diminishes the value gained from converging networking and security, as it requires more vendors to address the in-scope SASE use cases.

Migration Plan


Based on the gap analysis, we propose using the following roadmap and action items over the next several years as a template for SASE adoption and migration planning. This migration plan is suitable for most enterprises.
While a single-vendor approach for providing everything detailed in Figure 3 may be possible, every enterprise must determine if a fully converged approach makes sense for its requirements and, if so, in what time frame. The vast majority of cases of enterprise SASE adoption take three to five years. This involves prioritizing areas of greatest opportunity in terms of simplifying network security policy management, eliminating complexity and redundant vendors, and reducing risk through adoption of a zero-trust security posture.
Figure 3: Strategic Roadmap Timeline for SASE Convergence
A timeline is presented from 2024 to 2028 which is broken into three major sections across the five year time frame. Specific recommendations are given for each of the three sections and business and technical drivers for SASE convergence are listed for each of these sections.
Accordingly, we have divided the recommendations into higher-, medium- and lower-priority sections, based on the expected timeline for typical enterprise SASE adoption.

Higher Priority

Complete the following steps in the next 18 months.
Digital workforce transformation:
  • Adopt an architecture based on a unified vision to enable a “branch office of one” for all remote/mobile workers, regardless of both their location and the location of applications.
  • Jointly establish a vision for the secure digital branch of the future — one that embraces a thin-branch, heavy-cloud architecture.
  • Capitalize on every refresh opportunity of security and branch office appliances/hardware to adopt SASE:
    • Where physical network security appliances are used to secure egress traffic or grant access to networks from remote locations (e.g., legacy VPN), we advise enterprises to move off these appliances at the soonest refresh possible and shift to SASE or SSE.
    • If a branch refresh occurs in the near term, accelerate deployment of SSE and extend ZTNA to managed devices in the branch and adoption of firewall as a service (FWaaS).
SASE roadmap and strategy development:
  • Form a joint network and security team/task force to develop a three- to five-year roadmap for SASE transformation, covering secure access strategies for users, branches, edge locations and distributed applications.
  • Map and consolidate zero trust networking initiatives within the SASE roadmap.
  • Align SASE with cloud transformation journeys and roadmaps to migrate to SaaS from on-premises applications.
  • Include the personnel responsible for branch office transformation and WAN redesign for direct internet access and Multiprotocol Label Switching (MPLS) offload projects.
ZTNA implementation:
  • Set a two- to four-year goal to replace 95% of primary legacy network-level VPN access with the ZTNA capabilities of SASE, as well as a few point solutions such as remote privileged access management (RPAM) and secure remote access technologies for cyberphysical systems (CPS).
  • Use clientless ZTNA integrated with RBI or a secure enterprise browser as part of SASE to address high-risk VPN use cases that require unified DLP and threat prevention capabilities such as:
    • Contractor and third-party access
    • Unmanaged device access
    • Cloud administrator and developer access
Vendor and technology evaluation:
  • Pilot SASE offerings before purchase, addressing key functional requirements and testing relevant use cases with a team that includes both networking and security engineers. Evaluate adjacent and emerging capabilities as “nice to have” if you are unable to use them immediately, even if they are perceived differentiators.
  • Sign contracts no longer than three years with net-new providers that address your SASE roadmap. Set a goal to reevaluate the SASE provider landscape halfway through the contract to verify that the chosen SASE provider is still aligned with your long-term business needs. However, plan for high labor costs required to switch vendors. Make changes based on business needs, not just to reduce subscription pricing.
  • Evaluate SASE providers’ use of cryptography to identify gaps in support for modern web protocol decryption and postquantum resistant algorithm support. Request roadmap and delivery promises to close gaps by no later than 2029.
Cost management and vendor consolidation:
  • Cut costs and reduce complexity by consolidating vendors when renewing SWG, CASB and ZTNA. All three solutions are now commonly offered by a single vendor in a competitive market for SSE (the right side of the cloud services in Figure 1; see also Magic Quadrant for Security Service Edge).
Evaluation of single-vendor vs. multivendor solutions:
  • MSEs benefit from single-vendor SASE platforms or managed SASE offerings, rather than explicitly partnered vendors, because they simplify procurement, installation, configuration and ongoing operations for SASE.
  • Larger organizations start with a decision upfront to either use single-vendor SASE or adopt an explicit partnership approach between SD-WAN and SSE vendors. In both cases, factor in the timeline for consolidation, the time required to amortize investments and staff skills, and the maturity of each provider’s SASE capabilities.
Performance and resilience requirements:
  • Expand SASE RFI/RFP requirements with specific questions on the number and location of POPs mapped to enterprise requirements, peering relationships, encrypted traffic inspection performance and the ability to scale.
  • Evaluate SASE providers’ native resilience capabilities to survive downtime, such as providing edge or endpoint caching of policies.
  • Demand contractual SLAs with penalties. SLAs should address end-to-end latency, throughput and service availability, without exceptions.
Strategic considerations:
  • Require explicit partnerships with console integration and technical support when two vendors are used.
  • Ignore vendor hype, as rampant “SASE washing” is still occurring, and focus on delivering against specific business and user outcomes.
  • Evaluate vendors independent from technical and nontechnical product requirements. SASE is a long-term commitment to critical services and requires a strong vendor partner (see Streamline Evaluations to Optimize Your Cybersecurity Technology Stack for additional guidance).

Medium Priority

Complete the following steps in the next 18 to 36 months.
SASE strategy and vendor evaluation:
  • Reevaluate the SASE architecture and roadmap if multiple vendors are still used. Single-vendor SASE is rapidly maturing and viable for an increasing number of enterprises, although some organizations with separate network and network security teams will still pursue best-of-breed strategies and target consolidation to two providers.
  • If multiple vendors are used, require explicit partnerships with engineering and technical support backing up the integration.
  • Evaluate existing SASE provider capabilities to secure access to and from cyber-physical systems or if dedicated CPS protection platforms are required to secure the organization’s devices (see Magic Quadrant for CPS Protection Platforms).
Transition to cloud-based security solutions:
  • Retire stand-alone SWG, CASB and VPN appliances as they reach end of life, and replace them with cloud-based SSE if best-of-breed security is required. Some organizations may need to retain backup methods for access and security, but this is expensive and requires business justification to retain legacy hot or cold standby infrastructure.
  • Eliminate physical firewalls where possible, and use FWaaS for branch office protection, ideally for inbound and outbound traffic:
    • Phase out the use of separate physical firewalls at branch offices.
Network infrastructure optimization:
  • Phase out the use of MPLS where possible, and adopt internet-only transport for the majority of branches:
    • As an alternative to MPLS, evaluate managed internet connectivity services from carriers, or use SASE-vendor-provided networking backbones with tighter SLAs on performances and resiliency.
    • Evaluate emerging hyperscale offerings for WAN connectivity for branches, as they become an alternative for WAN services.
Zero-trust and security posture enhancement:
  • Adopt a deny-all, zero-trust security posture for branch offices.
  • In the context of a SASE or SSE deployment plan, move beyond initial ZTNA deployments, and implement a systematic and risk-based approach for phasing out all network-level VPN and DMZ-based services.
  • Expand ZTNA to more use cases, such as universal ZTNA, to unify on-premises and remote policy enforcement, cloud application access and IoT/OT access.
Data visibility and access control:
  • Extend sensitive data visibility and control to data at rest in endpoints, GenAI usage, public clouds and for cloud-to-cloud services where the enterprise has no visibility.
  • Integrate adaptive access controls for SaaS applications using integrations with the IdP, and controlling the unmanaged device access to SaaS via remote browser isolation (RBI) or reverse proxy methods.
Unified networking and security operations:
  • Coordinate networking and security teams into a unified approach to access engineering. Depending on the organization, this may be housed in a single team or be composed of existing team members who agree and align on operational outcomes for SASE.
  • Implement a single agent for all access needs by leveraging an SSE solution that converges CASB, SWG and ZTNA capabilities.
Advanced SASE capabilities:
  • Extend SASE capabilities to include integrated DEM.
  • Extend the enterprise SASE strategy to include OT/ICS and CPS type systems access.
  • Extend the enterprise SASE strategy to include edge computing use cases.
Note: The recommendations listed may be accelerated to coincide with hardware refresh cycles and branch office transformation initiatives.

Lower Priority

At three to five years out, the SASE future strategic target state is achievable for most organizations. Specifically, this involves a unified strategic approach for branch, edge, campus, headquarters and remote access needs covering private applications, the internet and cloud application access.
Strategic SASE migration and vendor selection:
  • Revisit the SASE migration plan, as the market will have matured and the technology is expected to be mainstream. In this time frame, most vendors will offer a single-vendor SASE platform that satisfies the majority of organizational requirements, with vendors differentiating on emerging requirements such as support for modern web protocol decryption and postquantum resistant algorithms.
  • Extend the SASE migration strategy to address the needs of distributed composite applications, which have similar network and network security policy requirements. These needs may be met by incumbent SASE vendors or new startups that focus on service-to-service, rather than end-user, perspectives.
Expansion and maturity of SASE capabilities:
  • As SASE matures, vendors will increasingly extend their SASE frameworks to address gaps such as edge computing, agentic AI security and wirelessly connected IoT devices.
  • Expand SASE as new capabilities come online to further unify security policy and visibility for the enterprise.
  • Evaluate the incumbent vendor’s ability to deliver on roadmap promises. Migrate if gaps are significant enough to require more than two vendors to meet all SASE requirements.
Achievement of defined SASE goals:
  • Deliver against defined, measurable SASE goals that were committed to at the beginning. Specific examples include:
    • 95% of network-level VPN access eliminated
    • 95% of DMZ services eliminated for internal and third-party services
    • 80% reduction in the number of dedicated circuits, as much of these shift to the internet
    • The percentage of applications isolated and secured with zero-trust access controls
    • Improvements in end-user satisfaction
    • Improvements and stability (e.g., reduced latency) from DEM
Network optimization and cost efficiency:
  • Optimize access for branch locations to rightsize branch architectures by use case: lowest cost, best performance, highest redundancy or optimal bandwidth.
  • Phase out expensive, inflexible connectivity options where possible.
  • Optimize end-user access — whether on-premises, on campus or at headquarter locations — by using the most appropriate ZTNA-based approach. This can be via agent, agentless or secure enterprise browsers or extensions, using the most logical enforcement point closest to the user or workload.
Comprehensive zero-trust networking:
  • Extend the enterprise zero-trust networking strategy “end to end” from the edge to the back end of applications.
  • Segment service creation based on identities using identity-based, zero-trust segmentation (microsegmentation).
Data visibility and unified policy management:
  • Extend sensitive data visibility and control to on-premises legacy data stores and to endpoints.
  • Create a single, unified team and role responsible for access engineering that unifies network and network security policy across all access methods (much like the emerging role for platform engineering with IaaS and DevOps).

Evidence


1 2024 Gartner Cloud and Hybrid Infrastructure Survey. This survey was conducted to analyze the attributes of the I&O function’s infrastructure technology environments and practices that contribute to success. It aimed to provide insights into how infrastructure and operations (I&O) leaders and their teams can implement targeted actions to improve the effectiveness of their function’s infrastructure technology environments. The survey was conducted through an online panel survey from October through December 2024. The survey included 300 senior I&O leaders and IT executive leaders from North America, EMEA and APAC, across industries and companies with $1 billion or more in annual revenue. All respondents reported being very or extremely involved in at least one of the following activities: designing and managing the I&O strategy, developing and managing the enterprise cloud strategy, driving enterprise cloud migration efforts, or optimizing infrastructure or cloud performance. Disclaimer: The results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.
2 2025 Gartner CIO and Technology Executive Survey. This survey tracked how senior IT leaders worldwide prioritize strategic business, technical and management objectives. It was conducted online from 1 May through 28 June 2024. The survey includes respondents who lead an IT function, with a total of 3,186 CIOs and technology executives participating. The survey participants are representative of various geographies, revenue bands and industry sectors, including both public and private organizations. Disclaimer: The results of the survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.

Note 1: SASE Capabilities


Core SASE capabilities:
(Note: remote browser isolation was originally an optional SASE capability in 2019, but its use has become widespread for certain use cases and its inclusion must now be considered core.)
  • Secure web gateway (SWG)
  • Cloud access security broker (CASB)
  • Zero-trust network access (ZTNA)
  • Software-defined WAN (SD-WAN)
  • Remote browser isolation
  • Firewall as a service (FWaaS), including intrusion prevention system (IPS)/intrusion detection system (IDS)
  • Sensitive data and malware inspection capabilities
  • Line rate operation
Recommended SASE capabilities:
  • Network sandbox
  • Domain Name System (DNS) protection
  • API-based access to SaaS for data context
  • Support for managed and unmanaged devices
  • Enhanced internet and/or private backbone transport
  • Content delivery network (CDN)
  • External DNS
Optional SASE capabilities:
  • Wi-Fi hot spot protection
  • Network obfuscation or dispersion
  • Web application and API protection
  • Legacy VPN
  • Edge compute protection

Note 2: Monolithic Versus Microservices Architectures


For example, monolithic virtual appliance architectures may have restrictions on the maximum bandwidth that can be inspected on a single connection. The use of virtual appliances may also affect the price/performance of the SASE offering, which may result in higher pricing for customers. SASE providers using public cloud IaaS also incur egress costs for traffic, which may result in higher pricing for customers and lower margins for the SASE provider.

Note 3: More POPS, More Coverage


The increasing fragmentation of the internet and increased requirements to maintain access and data processing within a specific geography favors providers that can offer local access and local inspection within a country separate from other countries by user or branch location. Ideally, this is done within the same tenant through logical rather than physical separation.