Not all SASE is created equal


Richard Landman, Marketing & Portfolio Director, Nomios Netherlands


Security Service Edge and SASE have become shorthand for “modern security”. The promise is attractive: a unified architecture that secures users, applications and data, regardless of where they are located. In many discussions, however, SASE is treated as a single, well-defined solution. In reality, it is not.

What is often overlooked is that today’s SASE platforms are built on very different architectural assumptions. Those assumptions matter. They determine which problems a platform solves elegantly — and which problems it was never designed to address in the first place.

Rather than asking which SASE solution is best, a more useful question is:
best for what?

Firewall DNA versus cloud-first design

Broadly speaking, current SASE offerings follow two architectural lineages.

The first originates from traditional network security. Vendors such as Fortinet and Palo Alto Networks have evolved SASE from their long-standing strength in firewalls, segmentation and traffic inspection. Their platforms extend familiar security controls into the cloud, while preserving a consistent policy and inspection model across physical locations, data centres and remote users.

This “firewall as DNA” approach is not a limitation; in many environments it is a deliberate advantage. It reflects the reality that networks, sites and local traffic flows still matter. Over time, both vendors have added mature Zero Trust capabilities, cloud-delivered security services and SSE components, but always anchored in a model where network control remains a first-class citizen.

A second group of vendors, including Zscaler and Netskope, took a different path. Their platforms were designed from the outset as global cloud security services, without a dependency on physical or virtual firewalls. Instead of extending network controls into the cloud, they abstract the network away and focus on users, identities, applications and data.

In these platforms, Zero Trust is not layered on top of existing controls, but embedded into the access model itself. Decisions are made per session and per application, with minimal emphasis on network topology.

Where firewall-centric SASE fits naturally

For organisations with a strong physical footprint, firewall-centric SASE architectures often align best with operational reality.

Industries such as hospitality, retail, healthcare and education typically operate large numbers of locations with local users, devices and services. In these environments, traffic does not flow exclusively to SaaS platforms. There is often significant east-west traffic, local breakout requirements, legacy systems and a need for tight integration between wired, wireless and security controls.

Here, platforms from Fortinet or Palo Alto Networks offer a coherent model. Firewalls at the edge, combined with SD-WAN, LAN/WLAN integration and cloud-delivered security services, allow organisations to extend Zero Trust principles without abandoning proven network architectures. Importantly, security teams do not have to choose between protecting sites and protecting users — both are part of the same design.

In short, when physical locations matter, bringing the firewall into SASE is not a compromise, but a necessity.

Where SSE-first platforms shine

Zscaler and Netskope tend to excel in a different set of scenarios.

Their architectures are particularly well suited for organisations that are cloud-first or SaaS-first, with a highly distributed workforce and relatively limited on-premises infrastructure. Technology companies, professional services firms and globally operating organisations with a high proportion of remote workers often fall into this category.

In such environments, network topology is less relevant than identity, device posture and data access. Users connect directly to cloud services, often from unmanaged or semi-managed devices, and traditional site-based security controls add little value. SSE-first platforms simplify this reality by placing enforcement in the cloud and applying consistent policy regardless of user location.

Another area where these platforms stand out is data security. Deep visibility into SaaS usage, inline and API-based controls, and a strong focus on data classification and protection make them particularly effective where data governance and compliance are primary concerns.

For organisations where users and data matter more than locations, abstracting the firewall away can reduce complexity rather than increase it.

A spectrum, not a binary choice

In practice, few organisations fit perfectly into one category. Many operate campuses and branches while simultaneously supporting a highly mobile workforce. As a result, hybrid SASE architectures are becoming common, combining firewall-centric solutions for sites with SSE-first platforms for remote access and SaaS security.

This trend underlines an important point: SASE is not a product category with interchangeable components. It is an architectural framework that forces trade-offs. Understanding the design assumptions behind each platform is therefore more important than comparing feature lists.

Conclusion

Not all SASE is created equal — not because some platforms are better than others, but because they were created for different realities. Firewall-centric SASE architectures bring network control, consistency and integration to environments where physical locations still play a central role. SSE-first platforms excel where identity, cloud access and data protection define the security challenge.

Choosing between them is less about technological maturity and more about organisational context. When architecture aligns with reality, SASE can simplify security. When it does not, it merely moves complexity elsewhere.
