2 April 2024  ·  articles

What is SASE? A complete guide to Secure Access Service Edge

SASE explained: Learn how Secure Access Service Edge transforms network security for UK public sector and healthcare. Discover sovereign SASE benefits.

Callum Sutton, Technical Director | Estimated Read Time: 13 minutes

What is SASE?

Secure Access Service Edge (SASE) is transforming how organisations approach network security and connectivity. For NHS trusts, local authorities, and public sector bodies navigating hybrid cloud environments and distributed workforces, understanding SASE isn't just helpful—it's essential for digital transformation.

This guide explains what SASE is, how it works, and why UK organisations are increasingly adopting this architecture to modernise their network infrastructure.

What does SASE mean?

SASE (pronounced "sassy") stands for Secure Access Service Edge. It's a cloud-native architecture that converges network connectivity with comprehensive security services into a single, unified platform.

Rather than managing separate point solutions for your WAN, firewall, web gateway, and access control, SASE delivers everything through one integrated service. This consolidation eliminates the complexity of juggling multiple vendors and reduces the security gaps that emerge when networking and security operate in silos.

Gartner first defined SASE in 2019, recognising that traditional hub-and-spoke network models no longer fit how organisations work today. With users accessing cloud applications from anywhere and data residing across multiple environments, the perimeter-based security model has become ineffective.

SASE addresses this by shifting security and connectivity to the edge, closer to users and applications, regardless of location.

How does SASE work?

SASE operates on a fundamentally different principle than legacy network architectures. Instead of forcing traffic through a central data centre for inspection, SASE delivers security services from distributed cloud-based points of presence (PoPs) positioned globally.

When a user attempts to access an application (whether at headquarters, working remotely, or at a branch site), their traffic routes to the nearest SASE PoP. At this edge location, the platform inspects the traffic, applies security policies, and validates the user's identity and device posture before granting access.

This approach eliminates unnecessary backhauling. A remote clinician accessing a cloud-based patient management system doesn't send traffic through a hospital data centre and back out again. Instead, SASE creates a direct, secure path from user to application.

The architecture combines SD-WAN for intelligent traffic routing with cloud-delivered security services (known collectively as SSE). Because SASE is cloud-delivered, it scales dynamically with your organisation's needs without deploying physical hardware.


The five core components of SASE

A complete SASE architecture integrates five essential technologies. It's helpful to understand that the security components (CASB, ZTNA, FWaaS, and SWG) collectively form what's known as the Secure Service Edge (SSE). In essence, SASE combines SD-WAN with SSE, unifying networking and security functions into a single, cloud-delivered framework.

Software-defined WAN (SD-WAN)

SD-WAN provides the connectivity layer, creating an overlay network that intelligently routes traffic across multiple connections of any WAN type, such as broadband, cellular, MPLS, and satellite, based on performance, cost, and security requirements. It enables organisations to move away from expensive, inflexible MPLS contracts whilst maintaining network performance.

Secure Web Gateway (SWG)

Secure Web Gateway (SWG) protects users from web-based threats by inspecting internet traffic, blocking malicious sites, enforcing acceptable use policies, and preventing data leakage.

Cloud access security broker (CASB)

CASB extends security controls to SaaS applications and cloud services. It provides visibility into cloud app usage, enforces data loss prevention policies, detects threats, and ensures compliance across platforms like Microsoft 365, Salesforce and Google Drive.

Firewall as a Service (FWaaS)

Firewall as a Service (FWaaS) delivers next-generation firewall capabilities from the cloud, including deep packet inspection, intrusion prevention, and advanced threat detection. Unlike physical appliances, FWaaS provides consistent protection that follows users wherever they work.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) enforces the principle of "never trust, always verify." Rather than placing users on the network after VPN authentication, ZTNA creates secure, direct connections between verified users and specific applications based on continuous validation of the user's identity and context.
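
The per-application, per-request decision described here (and the identity and device posture check made at the PoP) can be sketched as follows. This is an added example, not Cloud Gateway's code or any vendor's API; the application names, groups, and posture fields are hypothetical and the policy is constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class RequestContext:
    user: str
    groups: frozenset
    identity_verified: bool   # e.g. fresh sign-in with MFA at the identity provider
    device_managed: bool      # posture signals reported by the endpoint
    disk_encrypted: bool

# Constructed policy: one entry per application, never per network segment.
POLICY = {
    "patient-records": {"groups": {"clinicians"}, "managed": True, "encrypted": True},
    "staff-intranet": {"groups": {"clinicians", "admin"}, "managed": False, "encrypted": False},
}

def vpn_decision(ctx: RequestContext, app: str) -> bool:
    """Legacy model: authenticate once, then everything on the network is reachable."""
    return ctx.identity_verified

def ztna_decision(ctx: RequestContext, app: str) -> tuple[bool, str]:
    """Evaluate one request for one application; anything not allowed is denied."""
    rule = POLICY.get(app)
    if rule is None:
        return False, "no policy for application"
    if not ctx.identity_verified:
        return False, "identity not verified"
    if not ctx.groups & rule["groups"]:
        return False, "user not entitled to application"
    if rule["managed"] and not ctx.device_managed:
        return False, "unmanaged device"
    if rule["encrypted"] and not ctx.disk_encrypted:
        return False, "disk encryption off"
    return True, "allowed"

def replay(requests):
    """Re-run the decision for every request, so a posture change takes effect mid-session."""
    return [(app, *ztna_decision(ctx, app)) for ctx, app in requests]

clinician = RequestContext("a.clinician", frozenset({"clinicians"}), True, True, True)
degraded = replace(clinician, disk_encrypted=False)  # posture drifts during the session

if __name__ == "__main__":
    session = [(clinician, "patient-records"), (degraded, "patient-records"),
               (degraded, "staff-intranet"), (clinician, "finance-db")]
    for app, allowed, reason in replay(session):
        print(f"{app:16} ztna={allowed!s:5} ({reason})")
    print("vpn reach to finance-db:", vpn_decision(clinician, "finance-db"))
```

The same user loses access to the sensitive application as soon as posture degrades, yet keeps access to the lower-risk one, while the VPN-style check would have left an application with no policy at all reachable.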


Why UK organisations need SASE

The shift toward SASE is a response to genuine changes in how organisations operate:

Cloud adoption has fundamentally changed traffic patterns. NHS trusts now run electronic patient record systems in the cloud. Local authorities deliver citizen services through SaaS platforms. The majority of traffic flows to cloud destinations rather than internal data centres, making traditional architectures inefficient.

Hybrid working is permanent. Clinical staff access systems from hospitals, community sites, and home. Council employees work flexibly across locations. Security and performance must be consistent regardless of where people connect from.

Compliance requirements have intensified. NHS organisations must meet NHS Digital standards and HSCN requirements. Public sector bodies face PSN compliance obligations. Managing compliance across fragmented point solutions creates audit headaches and increases risk.

The threat landscape has evolved. Cyber attacks targeting healthcare and public sector organisations are increasing in sophistication. Ransomware, phishing, and data exfiltration attempts require defence-in-depth security that adapts in real-time.

IT teams are stretched thin. Managing multiple vendors, dealing with integration challenges, and coordinating upgrades consumes time better spent on strategic initiatives. SASE's unified management significantly reduces operational overhead.


What is sovereign SASE and why does it matter?

Sovereign SASE refers to a secure access service edge architecture built specifically to meet data sovereignty, regulatory compliance, and national security requirements. For UK public sector and healthcare organisations, sovereign SASE is essential.

Data residency requirements:

NHS patient data, citizen information, and government data must remain within UK borders. Standard SASE solutions that route traffic through international PoPs create compliance violations. Sovereign SASE ensures data never leaves the UK.

Regulatory compliance:

NHS Digital standards, PSN accreditation, and HSCN connectivity requirements demand UK-based infrastructure. A sovereign SASE platform is built from the ground up to meet these requirements.

Supply chain security:

UK government policy increasingly favours UK-based providers for critical infrastructure. Sovereign SASE reduces dependency on foreign technology providers and minimises supply chain vulnerabilities.

Transparent operations:

With sovereign SASE, organisations know exactly where their data is processed, stored, and transmitted - complete transparency for auditing purposes.


Key benefits of SASE for public sector and healthcare

Simplified network management: SASE provides a single pane of glass for connectivity, security, access control, and monitoring. Network changes deploy in hours rather than weeks. Policy updates apply consistently across all locations.

Enhanced security posture: Integrated security functions work together, sharing threat intelligence and eliminating gaps. Zero Trust principles ensure every access request is validated, significantly reducing breach risk.

Improved user experience: By processing traffic at the edge, SASE reduces latency and improves application performance. Users experience fast, reliable connectivity whether accessing on-premises systems or cloud applications.

Cost reduction: SASE eliminates expensive MPLS circuits at every location and reduces hardware refresh cycles. Operational costs decrease through simplified management and reduced vendor complexity.

Audit-ready compliance: Built-in reporting, comprehensive logging, and policy enforcement make compliance audits straightforward. Whether demonstrating HSCN compliance, PSN adherence, or ISO 27001 certification, SASE platforms provide the evidence auditors require.

SASE use cases: real-world applications

Connecting distributed NHS sites: A hospital trust with multiple sites uses SASE to create secure, high-performance connectivity across all locations. HSCN connectivity is built in, ensuring compliance whilst eliminating the complexity of managing individual connections per site.

Securing hybrid workers in local government: A county council supports staff working from home, hot-desking in council buildings, and visiting citizens on-site. SASE provides secure access without VPN performance bottlenecks.

Modernising branch networks for financial services: A wealth management firm uses SASE to replace expensive MPLS circuits with broadband and Direct Internet Access (DIA) connections whilst maintaining security. SD-WAN capabilities optimise traffic routing whilst CASB monitors cloud application usage for compliance violations.

Supporting digital transformation projects: An NHS integrated care system relies on SASE to securely connect GP practices, hospitals, social care providers, and community services whilst ensuring patient data remains protected and compliant.


SASE implementation: what to consider

Assess your current architecture: Document your existing network topology, security tools, and traffic patterns. Identify pain points - MPLS costs, VPN performance issues, or compliance gaps.

Define requirements clearly: What compliance standards must you meet? Which cloud services are business-critical? Clear requirements prevent choosing a SASE solution that doesn't fit your operational reality.

Evaluate provider capabilities carefully: Not all SASE platforms are equal. Some providers rebrand existing point solutions without true integration. Others lack UK-based infrastructure needed for sovereign requirements. Look for proven deployment experience in your sector and demonstrated compliance credentials.

Plan for phased adoption: Start with remote users or new sites where you're not replacing existing infrastructure. Prove the value before expanding deployment.

Consider the operating model: Do you want a fully managed service or self-service capabilities? The best SASE platforms offer flexibility - giving you control when you want it with expert support when you need it.

How Cloud Gateway delivers SASE differently

Whilst SASE principles apply universally, implementation matters enormously, especially for UK public sector and healthcare organisations.

The only UK provider with integrated HSCN and PSN access

Unlike international SASE vendors adapting generic solutions, Cloud Gateway built its platform specifically to serve NHS and public sector requirements. HSCN and PSN connectivity are native capabilities, not bolt-on additions.

True sovereign SASE with UK-based infrastructure

Data never leaves the UK. Processing happens in UK data centres. Support teams are UK-based. This ensures your network infrastructure aligns with data sovereignty requirements from day one.

Managed service with self-service flexibility

Access a live portal for complete visibility and self-service configuration when you want it, backed by expert support when you need it. Your network, your choice.

Rapid deployment without vendor lock-in

Traditional networking projects take months and lock you into multi-year contracts. Cloud Gateway deploys SASE capabilities in days or weeks with flexible commercial terms.

Compliance built in, not bolted on

ISO 27001, ISO 9001, Cyber Essentials Plus, PCI DSS—Cloud Gateway maintains the certifications public sector and healthcare organisations require.


Common SASE misconceptions

"SASE is just SD-WAN with security features"

SASE represents a fundamental architectural shift, not an incremental upgrade. It's the convergence of networking and security into a unified cloud service.

"Only large enterprises benefit from SASE"

SASE's cloud-delivery model makes enterprise-grade security accessible to organisations of all sizes. Small NHS trusts and district councils benefit from the same capabilities as large departments.

"SASE means abandoning on-premises infrastructure"

SASE integrates with existing on-premises systems. Hybrid architectures are common, with SASE securing cloud and remote access whilst on-premises security remains for local resources.

"Implementing SASE means multiple vendors"

Single-vendor SASE platforms deliver integrated networking and security from one provider, eliminating the complexity of coordinating multiple vendors.


The future of SASE

SASE continues evolving as organisations' needs change and threats advance. AI and machine learning are enhancing threat detection and automating policy adjustments. Integration with broader security ecosystems (SIEM platforms, endpoint detection tools, identity providers) creates unified security operations.

For UK public sector and healthcare organisations, sovereign SASE capabilities will become table stakes as data sovereignty requirements intensify and government policy prioritises UK-based infrastructure for critical services.

Is SASE right for your organisation?

SASE makes sense when you're supporting hybrid or remote workers, relying heavily on cloud applications, facing compliance requirements like NHS Digital standards or PSN accreditation, managing multiple security vendors, or planning digital transformation that requires modern, flexible infrastructure.

Taking the next step

Understanding SASE is the starting point. The real value emerges when you translate these concepts into practical outcomes - whether enabling secure remote access for NHS clinicians, connecting council sites cost-effectively, or supporting digital transformation projects with confidence.

Cloud Gateway specialises in delivering SASE for UK healthcare, government, and financial services organisations that can't compromise on security, sovereignty, or service quality.

Discover how our platform delivers secure, flexible connectivity across your organisation, or speak with our team about your specific requirements.

Last Updated: 6 November 2025
