TL;DR
SASE (Secure Access Service Edge) is a Gartner-coined architecture combining SD-WAN networking and four security components: ZTNA, SWG, CASB, and FWaaS. SSE (Security Service Edge) is the security-only subset of SASE, introduced by Gartner in 2021. ZTNA (Zero Trust Network Access) is one of the components of both. In practice, a 50-person team rarely needs full SASE — the cost and complexity are shaped for enterprises. A focused ZTNA product plus a handful of discrete security tools usually covers the real need. This post explains the three terms precisely, shows where they overlap, and recommends what a small team should buy and in what order.
Who this is for
CIOs, security leads, and engineering managers at mid-sized organisations (30–500 people) trying to figure out which acronym applies to them and whether they need a full SASE platform. Also analysts and buyers writing RFIs who need the taxonomy straight.
Table of contents
- Origins of each term
- SASE — the Gartner definition, unpacked
- SSE — the narrower subset
- ZTNA — the component both share
- How the three relate, visually
- What a full SASE platform includes
- What a 50-person team actually needs
- Buying decisions for each team size
- Common confusions to avoid
- Recommended sequence for 2026
1. Origins of each term
SASE, 2019
Gartner published “The Future of Network Security Is in the Cloud” in August 2019, coining SASE. The argument: as applications and users moved to the cloud, the WAN and security stack had to follow. The paper described a converged architecture combining SD-WAN and cloud-delivered security services.
ZTNA, 2019
Gartner’s “Market Guide for Zero Trust Network Access” defined ZTNA as a product category, turning the architectural principles popularised by Google BeyondCorp and Forrester’s Zero Trust framing into a market-research-level category.
SSE, 2021
Gartner introduced SSE in early 2021 to describe the pattern of buying SASE’s security components separately from the networking components. Many organisations already had SD-WAN or MPLS networking; they wanted to add the security half without replacing the networking half.
Timing matters: SSE is the more recent term and reflects how the buying decision evolved over the two years since SASE was introduced.
2. SASE — the Gartner definition, unpacked
SASE has five core components per Gartner’s original framework.
2.1 SD-WAN
Software-defined wide-area networking. Replaces traditional MPLS/router networks with software-defined overlays, enabling flexible routing policies, multi-path failover, and centralised management. Primarily a networking function.
2.2 ZTNA
Zero Trust Network Access. Per-request authorisation based on identity and device posture. See our What is ZTNA post.
2.3 SWG
Secure Web Gateway. Inspects web traffic for malicious content, enforces acceptable use policies, blocks prohibited categories. Modern SWGs are cloud-delivered and terminate TLS to inspect content.
2.4 CASB
Cloud Access Security Broker. Sits between users and SaaS applications, enforcing policy on data flowing to and from SaaS — DLP, activity monitoring, access control. Relevant when organisations use many SaaS applications that the traditional SWG does not cover.
2.5 FWaaS
Firewall-as-a-Service. Cloud-delivered firewall, typically next-generation firewall functionality. Replaces branch-office firewalls by terminating traffic at cloud PoPs.
A full SASE platform integrates all five. The claimed benefit is a single-pane management experience, shared policy across networking and security functions, and consistent identity-based enforcement.
3. SSE — the narrower subset
SSE strips SD-WAN from SASE. What remains is:
- ZTNA
- SWG
- CASB
- FWaaS
The SSE proposition: buy these four from one vendor; keep your existing SD-WAN or MPLS separately. This fits organisations that either already have mature WAN infrastructure or that use simple internet connectivity rather than SD-WAN.
4. ZTNA — the component both share
ZTNA is a component of both SASE and SSE. It is also a standalone product category — many vendors sell ZTNA without the rest of the SASE stack.
For teams that do not need full SASE (or full SSE), buying only ZTNA is a valid strategy. You get the identity-aware, per-request access control that matters most for remote work and cloud applications, without paying for CASB and SWG that may not fit your use case.
5. How the three relate, visually
┌──────────────────────────────────────────┐
│                   SASE                   │
│  ┌────────────────────────────────────┐  │
│  │                SSE                 │  │
│  │  ┌─────────┐  ┌─────┐  ┌─────┐     │  │
│  │  │  ZTNA   │  │ SWG │  │CASB │     │  │
│  │  └─────────┘  └─────┘  └─────┘     │  │
│  │  ┌─────────┐                       │  │
│  │  │  FWaaS  │                       │  │
│  │  └─────────┘                       │  │
│  └────────────────────────────────────┘  │
│  ┌────────────────────────────────────┐  │
│  │               SD-WAN               │  │
│  └────────────────────────────────────┘  │
└──────────────────────────────────────────┘
ZTNA sits inside SSE, which sits inside SASE. You can buy just the inner box (ZTNA), the middle box (SSE), or the full outer box (SASE). Most vendors sell one or two, not all three cleanly.
6. What a full SASE platform includes
A SASE vendor typically bundles:
- Global cloud fabric: PoPs in many geographies, carrying user traffic.
- SD-WAN connectors: branch-office appliances or virtual appliances that connect to the cloud fabric.
- Identity integration: SSO, SCIM, and identity-tied policy.
- ZTNA component: per-request authorisation for internal applications.
- SWG component: web filtering, TLS inspection, malware scanning.
- CASB component: SaaS application control.
- FWaaS component: network-level firewall in the cloud.
- Analytics platform: unified telemetry across components.
- Policy management: single policy language across all components.
The appeal is operational unification. The cost is significant — full SASE for a mid-market organisation is typically a six- to seven-figure annual commitment.
7. What a 50-person team actually needs
Most 50-person teams do not benefit from a full SASE deployment. Cost, integration overhead, and feature surface area all exceed the benefit at this size. What they typically need:
- Identity and MFA. Modern IdP (Okta, Azure AD, Google Workspace). FIDO2/WebAuthn for administrators. Phishing-resistant where possible.
- ZTNA for internal applications. Replace VPN with modern mesh or proxy ZTNA. See our alternatives posts.
- DNS-based filtering. Basic web category filtering via a DNS-layer service. Cloudflare, Quad9, NextDNS — cheap, easy, effective.
- CASB if SaaS usage is heavy. Only if the organisation is heavily dependent on many SaaS apps where data loss is a concern. Otherwise skip.
- Endpoint EDR. Baseline endpoint protection. Integrates with ZTNA device posture.
- SIEM or log aggregation. Cloud-native options are adequate at this scale; no need for a full SOC platform.
That stack is meaningfully cheaper than SASE and covers the real risks at 50-person scale.
8. Buying decisions for each team size
A rough guide.
Under 20 people
- Focus: basic identity + MFA, a simple mesh VPN or ZTNA free tier.
- Avoid: SASE or SSE. Overkill.
20–100 people
- Focus: ZTNA product with good SSO integration, DNS filtering, EDR, simple SIEM.
- Avoid: full SASE.
- Maybe: SSE if the organisation is in a regulated sector and needs CASB and SWG.
100–500 people
- Focus: ZTNA, consider SSE if the security vendor story consolidates well; SASE if also replacing WAN infrastructure.
- Avoid: piecemeal tools across too many vendors at this size — operational overhead starts to hurt.
500+ people
- Focus: SASE or SSE becomes a reasonable consolidation play. Full Gartner-scale buying process.
9. Common confusions to avoid
“ZTNA is SASE-lite”
Not quite. ZTNA is a component of SASE, not a lightweight alternative. A full ZTNA product can be more sophisticated than the ZTNA component of some SASE platforms; the difference is whether you also want the other three components in the same vendor’s cloud.
“SSE replaces SASE”
No. SSE is a subset of SASE. They address different scopes. An organisation with mature SD-WAN can buy SSE rather than SASE and be well-served.
“We need SASE because we are going to the cloud”
The cloud migration case does not require SASE. It requires modern identity, modern remote access (ZTNA), and cloud-aware security tooling. Those can be assembled from components or bought as a platform. SASE is one packaging, not a requirement.
“SASE is Gartner marketing”
Gartner coined the term and popularised it, but the underlying trends — cloud consolidation of security, identity-aware policy, network-as-a-service — are real. The term is useful even if the vendor marketing around it is sometimes florid.
10. Recommended sequence for 2026
For a team building out from scratch in 2026, a sensible sequence:
- Month 0–1: Identity provider with MFA and SSO. Probably Okta or Azure AD.
- Month 1–3: ZTNA product. Mesh or proxy based on access pattern. See our comparisons. Replace legacy VPN.
- Month 2–3: EDR and device posture integrated with ZTNA.
- Month 3–4: DNS filtering. Cheap, fast, covers a wide threat surface.
- Month 4–6: SIEM or log aggregation with alerting.
- Month 6–12: CASB if SaaS footprint justifies it.
- Year 2+: SASE or SSE consolidation only if organisation size and vendor landscape warrant it.
This sequence delivers measurable security improvements early and defers the platform-level consolidation decision to when it actually matters.
Further reading
Primary sources. All links verified on the publish date.
- Gartner, “The Future of Network Security Is in the Cloud” (2019) — search Gartner for the current version. Note: Gartner content is often behind a paywall.
- NIST SP 800-207 — Zero Trust Architecture (2020).
- CISA Zero Trust Maturity Model v2.0 (2023).
Related reading on this blog
- What Is ZTNA? A Plain-English Guide
- ZTNA vs VPN: 8 Real Differences
- The Best Tailscale Alternatives in 2026
- Open-Source vs Managed ZTNA