SASE: The difference between a transit cloud and a destination cloud

Modern businesses are under pressure to deliver when it comes to the experience they offer their employees and customers when accessing applications in the cloud. Digital-savvy users expect seamless and consistent access to applications and services, regardless of where they are connecting or which device they use. While the emergence of the internet as the new corporate network has myriad benefits for all concerned, it requires a fundamental overhaul of traditional network security. By Nathan Howe, director of transformation strategy at Zscaler.

Monday, 25th May 2020, posted by Phil Alsop

Coined by Gartner, secure access service edge (SASE) is a new security framework that has been designed with the requirements of the digital workplace in mind. Put simply, SASE is about making sure traffic is secured throughout its entire journey from a device to the requested destination application, regardless of where the user is or what network they are on. And this is the crucial point: the ‘edge’ – where services are provided – is where the user is going, rather than where they are. Formerly, security was provided at the corporate network or the data centre, or via the extension of an MPLS connection. In contrast, with the SASE model, digital businesses must provide security at all times regardless of the location of the user.


With growing staff mobility and the adoption of the cloud, boundaries for users have steadily broken down in recent years, and there will be fewer and fewer borders going forward as the traditional data centre and corporate network structure becomes obsolete. The SASE concept can be seen as a reaction to cloudification as it becomes critical in modern times to provide a secure path on the way from the user to the service they wish to consume, no matter where the applications are located.

The application landscape continues to grow and become ever more complex with multicloud scenarios being adopted. As such, the ability to deliver a simplified, streamlined service will become a key competitive differentiator for businesses. This service must be consumable by anyone from anywhere, regardless of the device used to connect, without compromising on security in the process. Indeed, at the heart of the SASE concept is the idea that it’s the security of the journey - not just the destination - that’s most important. And that’s where the notion of a transit security cloud comes in. As opposed to a destination cloud, which is being consumed to access the desired application, a transit cloud provides a security service along the journey and security policies are applied to the traffic between the user and the application. Rather than security being located in a physical location, a cloud service is always on and can be anywhere to secure the mobile user.

As Gartner stated: “In a modern cloud-centric digital business, users, devices and the networked capabilities they require secure access to, are everywhere. As a result, secure access services need to be everywhere as well.”

These days, it's often the apps themselves that dictate the type of cloud service used based on specific requirements, which is why multicloud scenarios are increasingly common in enterprises. A top priority for companies is to offer simplicity for users as a reaction to the growing complexity of the application landscape. With applications moving to the cloud, the network-less network can only become a reality when the access path becomes seamless for the user. Ideally, users won’t even realize where an application they are trying to access is being hosted.

Once the transition to the cloud is made, the network set-up should become easier to manage rather than more complex. A transit cloud for security control provides the solution for greater simplicity. The physical infrastructure requirements are reduced when security controls are merely based on the identity of the user and implemented in a transit layer. A transit cloud validates the user based on his or her identity, confirms the access is secure and lets the user through to the application regardless of the location of the cloud or data centre. Such a transit cloud service provides the security controls in path, and so supports the cloud-based future for enterprises in which the user can follow the path of least resistance on the way to their destination.