uCPE MythBusters: Do uCPE and SASE fit together?

True or false? Your uCPE strategy has no relevance to SASE … Not true! Let’s find out how a sound uCPE strategy is going to put your organization ahead of the game as the transition to SASE happens over the next few years.
Rajesh Velliyatt
Jigsaw pieces

The uCPE transition in a nutshell

Universal customer premises equipment (uCPE) is currently powering a major transition for enterprise services. It’s changing the delivery of networking and network security functions from appliances and bare metal applications to virtualized and containerized functions running on distributed cloud infrastructure. Sales of uCPE hardware units are expected to grow to $1.8bn by 2024 (source: Omdia1). uCPE devices typically come with embedded micro-clouds and can run virtualized/containerized network functions on general purpose, commercial-off-the-shelf (COTS) hardware at branch offices, as shown in the image below.

uCPE edge cloud device with network services and customer workloads

We predict that uCPE will continue to replace custom bare-metal network appliances at branch offices. Here are some of the reasons:

  • uCPE reduces the total number of physical devices to be managed at the edge. Network services, networking applications and other custom workloads (like billing applications, print servers, etc.) can run in a dedicated “tenant space” inside the uCPE.
  • uCPE supports centralized management of remote network services. Addition of new network services, changing the wiring of network services (service chaining) and troubleshooting, all can be done from the central management platform. This reduces the need for on-site technician visits and can optimize operations logistics in the post-Covid world.

Now comes the SASE transition

Secure access service edge (SASE) is another major transition that’s called out by Gartner in their recent research report2. The emergence of cloud-based services and widespread adoption of remote working have turned the enterprise network inside-out. As a result, traditional network and network security architectures are becoming obsolete. The definition of the enterprise perimeter has changed – and moved.

Secure access service edge (SASE) is defined as: “The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.”

According to Gartner:

  • SASE will be primarily delivered as a cloud-based service. And the future of network security is in the cloud.
  • SASE offerings will provide policy-based “software-defined” secure access from an infinitely tailorable network fabric in which enterprise security professionals can precisely specify the level of performance, reliability, security, and cost of every network session based on identity and context.

SASE allows cloud-based centralized management of policy with distributed enforcement points logically close to the entity and including local decision-making where needed; for example, local to a branch office using a CPE appliance.


A sound uCPE strategy lets you start today with best-of-breed networking and security solutions.


How do uCPE and SASE fit together?

Now, let’s look at how a sound uCPE strategy is going to help SASE transition. You might ask: If SASE is delivering everything from the cloud, then does enterprise even need a uCPE at the edge running network services?

Can’t the enterprises jump straight to a SASE model, bypassing the need for network services at the edge deployed in a uCPE?

The SASE concept is new, and the capabilities required for a full-featured SASE offering are extensive. It’s going to be a sizeable transition for customers, vendors and service providers alike.

  • Customers: Need to plan for a merge and transition of networking and network security to a single vendor. To avoid vendor lock-in with all the networking and network security aspects, it’s reasonable to assume that a standardized intent-based configuration option is a must. This is to ensure that the policies are interoperable between different SASE vendors.
  • Product vendors: Since the goal is to provide an architecture that can inspect potentially encrypted traffic with a single pass using multiple policy engines in parallel, service chaining of different products is not an option. A lot of development to create new optimized architecture/solutions may be required.
  • Service providers: Need to think through offerings of multiple managed SASE offerings for the customers to choose from.

Gartner’s prediction is that it will take another five years before leading IaaS providers are offering comprehensive SASE capabilities. Even in the SASE model, there are requirements for thin networking and security services at the edge (see diagram below).

How does it all fit together?

  • uCPE provides the future-proofing and flexibility at the edge.
  • uCPE enables enterprises to be SASE-ready.
  • The corresponding thin-networking and security services can be run on uCPE. This can be done by swapping out existing network services as required.
  • Depending on how thin the SASE edge services end up, it may even help enterprises to free up some real estate in uCPE to run customer workloads.
SASE-enabled uCPE edge cloud device with SASE services and customer workloads
A sound uCPE strategy lets you start today with best-of-breed networking and security solutions. You then have the flexibility to switch to SASE thin clients in the future. It’s important to keep in mind that uCPE is not just for security or networking, even though they are the catalyst for the majority of uCPE deployments today. Many latency-sensitive or bandwidth-hungry applications such as VR, AR, IoT need local processing of data using gateways hosted in the uCPE edge cloud. And data privacy requirements mean that sensitive data must be kept local and not pushed to the cloud.
SASE deployment topology diagram with uCPEs running SASE end points at the edge

Related articles