SASE vs. SD-WAN comparison: How are they related?

Defining SASE and SD-WAN

What is SD-WAN?

SD-WAN combines software-defined networking concepts with traditional WAN technology to improve traffic routing and network operations. SD-WAN develops and acts as an overlay network -- a network that is built on top of another network, gets support from that network's infrastructure and separates network services from the underlying infrastructure. SD-WAN's overlay is built on top of an organization's existing WAN connections to improve how data travels across the network.

IT teams manage SD-WAN through a centralized controller that sends data and policy information to its connected devices. The controller also enables IT teams to remotely manage and program connected resources, as well as remotely configure routers. Some SD-WAN benefits include automatic failover and improved application performance.

What is SASE?

SASE is an emerging architecture that combines an organization's network and security functionalities into a cloud service that operates closer to endpoints and distributes traffic quicker than traditional network services. By uniting an organization's necessary network and security services -- firewall as a service, secure web gateways, etc. -- into one platform, SASE aims to simplify network and security management.

While SD-WAN concentrates mostly on connecting an organization's branch offices to the data center, SASE focuses on endpoints and end-user devices. SASE's traffic inspection occurs at various global points of presence (PoPs) rather than backhauling traffic to the data center, like SD-WAN. Some SASE benefits include ease of use, enhanced security and simplified IT management.

The key differences between SASE vs. SD-WAN include the following:

• deployment and architecture
• security
• traffic and connectivity
• remote access
• required expertise

Differences between SASE and SD-WAN

Deployment and architecture. A major difference between SASE vs. SD-WAN is how organizations deploy them. Organizations can deploy SD-WAN through physical, software or cloud connections, depending on their IT needs, but SASE is, by Gartner's definition, strictly cloud-based.

For SD-WAN, enterprises deploy the SD-WAN appliance or software client at each branch location, which enables connectivity to the organization's data center resources. Organizations can choose among managed, DIY or hybrid SD-WAN. With managed SD-WAN, the organization outsources control to a service provider. For DIY SD-WAN, IT teams deploy and manage SD-WAN services themselves. A hybrid model, where the organization and vendor share responsibility, also exists.

SASE platforms deliver combined network and security functionalities in a single as-a-service tool. This cloud functionality can make SASE more customizable for organizations. Enterprises can deploy SASE client software for mobile users, remote workers, applications, data centers and more.

Differences in deployment also mean differences in SASE and SD-WAN architectures. SASE is more distributed and cloud-based, whereas SD-WAN creates an overlay network through physical appliances, software or cloud-based vendor services. SD-WAN also follows the traditional networking concept that all network infrastructure centers around an organization's data center, while SASE considers the data center to be just another service edge -- the SE in SASE.

Security. In short, SD-WAN wasn't developed with security as a priority, while SASE has built-in security. When looking at SASE as an evolution of SD-WAN technology, one can see how SASE takes many of SD-WAN's benefits -- such as scalability and improved management -- and brings them into a more secure, fully cloud-based platform.

SD-WAN does have some security capabilities, but many SD-WAN vendors partner with security vendors to provide more comprehensive, integrated security services with their SD-WAN offerings. This can make SD-WAN more expensive for organizations, as it requires them to adopt -- and, therefore, spend more money on -- another service to get the security they require.

Traffic and connectivity. Because of their different architectures, SASE and SD-WAN handle traffic in different ways. SD-WAN primarily focuses on connecting branch offices to an organization's network and data center resources, following configured network policies to determine how to route traffic between endpoints and backhaul traffic through data centers.

SASE, on the other hand, focuses on cloud environments and connecting endpoints to the service edge. As SASE is cloud-based, it doesn't need to backhaul traffic through data centers. Instead, SASE sends traffic through globally distributed PoPs. The PoP inspects and then sends traffic over the internet or SASE architecture to its destination.

Remote access. Remote access has become a critical checkbox for business and enterprise technology services. Although Gartner coined the term SASE in late 2019, SASE is coming of age in a world affected by the COVID-19 pandemic and the resulting remote work boom. This makes SASE's built-in remote access capabilities a crucial component of the service.

SD-WAN doesn't have built-in remote access capabilities like SASE, so organizations must invest in third-party services to improve their SD-WAN's remote access. For this reason, SD-WAN is the more expensive route for remote access. If an organization uses SD-WAN to connect remote employees, it may only provide SD-WAN at home for select employees, rather than its whole workforce, due to cost.

Required expertise. SD-WAN is an evolution of traditional WAN technology, so primarily, networking skills are required to work with SD-WAN. Traditional, siloed network teams are well suited to handle SD-WAN deployment and management.

However, SASE touches networking, security and cloud technologies, so a broader level of expertise is required. SASE is less siloed than SD-WAN and may require network, security and cloud teams to overlap and work together.

Similarities between SASE and SD-WAN

Despite their differences, SASE and SD-WAN are often compared because the two share some similarities. In particular, both SASE and SD-WAN cover wide geographic areas and are virtualized technologies. SASE and SD-WAN also share the same goal: to connect geographically separate branch offices or end users to an organization's network resources in a way that's scalable and easy to manage.

In addition, many experts claim SASE is an evolution of SD-WAN because SASE combines SD-WAN capabilities with enhanced network security services, including cloud access security brokers and zero-trust network access. SASE brings SD-WAN's benefits and third-party security services together into a single platform.

Key takeaways

IT teams must understand the five key differences between SASE vs. SD-WAN before choosing which of the two better suits their business needs. Other key takeaways include the following:

• SASE and SD-WAN share similar goals but differ in terms of connectivity, architecture and security, among other factors.
• SD-WAN is an overlay network that backhauls traffic to data centers, while SASE is a cloud platform that inspects data at various PoPs at the edge.
• As remote work remains a part of everyday life, architectures like SASE are better suited for remote access than SD-WAN.