Why Last-Mile and Backbone Design Determine Whether Your SASE Strategy Works

Part 2 of our Connectivity Series

In Part 1 of this series, we made the case that connectivity is no longer just a commodity. In Part 2, we get specific: How does SASE change what connectivity needs to deliver?

SASE brings networking and security together into a single architecture. That’s the right direction. But the conversation around SASE has understandably focused on the security side: Zero Trust, SSE, CASB, cloud-delivered enforcement. Connectivity design, in many cases, has become secondary.

The challenge is that SASE fundamentally changes traffic patterns. Every security component, from SWG to ZTNA to CASB, influences where traffic flows, how far it travels, and how much backbone capacity is required. When connectivity isn’t designed alongside security, performance suffers.

Here in Part 2, we look at each major SASE component, its impact on connectivity design, and the practical trade-offs that arise when security and network architecture are not aligned.

How SASE Fundamentally Changes Connectivity Design

SASE is not just networking plus security. It reshapes traffic flows and inspection logic in ways that directly affect connectivity architecture.

Each major SASE component influences where traffic flows, how often it is inspected, how far it travels, and how much backbone capacity is required. Let’s take this component by component:

SD-WAN: The Overlay Depends on the Underlay

SD-WAN introduced flexibility and intelligence into WAN design. It allows enterprises to:

  • Combine MPLS, DIA, broadband and cellular links
  • Dynamically steer traffic based on application performance
  • Encrypt site-to-site communication
  • Prioritize critical workloads

But SD-WAN does not eliminate physical limitations.

If the underlying circuit suffers from packet loss, jitter, unstable latency, or insufficient bandwidth, application performance will degrade, regardless of how intelligent the overlay is.

Connectivity design must therefore reflect business criticality.

For example:

  • A production plant running connected machinery may require dual diverse circuits and strict SLAs.
  • A regional sales office may tolerate brief performance dips.
  • A cloud-connected data center may require predictable backbone routing to major SaaS providers.

SD-WAN enables optimization. It does not replace physical resilience.

ZTNA: Zero Trust Reshapes Traffic Paths

Zero Trust Network Access enforces identity-based verification for every connection.

In practice, that means:

  • All traffic must pass through at least one ZTNA connector.
  • Policy enforcement occurs before access is granted.
  • Authentication services are frequently centralized.

Where these enforcement points sit directly influences traffic patterns. Consider two scenarios:

  1. Centralized ZTNA enforcement in one global region.
  2. Distributed enforcement near major user and application clusters.

In the first case, traffic may travel thousands of kilometers for inspection before returning to a nearby destination. Latency increases and backbone utilization rises.

In the second case, inspection remains geographically aligned with users and workloads.

Granularity also matters. If Zero Trust is enforced down to machine-level segmentation inside production environments, internal traffic volumes increase and connectivity must be dimensioned accordingly.

This is why ZTNA architecture and connectivity planning need to happen together.

SWG: Web Filtering Impacts Breakout Strategy

Secure Web Gateways protect and filter internet-bound traffic. Their placement determines breakout design.

Organizations typically choose between:

  • Centralized inspection in core data centers
  • Regional breakout with distributed enforcement
  • Cloud-only SWG with all traffic routed through cloud nodes

Each approach has performance implications: Centralized inspection increases backbone demand and latency. Local breakout improves performance but requires consistent global policy management. Cloud-only enforcement depends heavily on optimized backbone routing to avoid hairpinning. SWG placement is therefore not purely a security decision – it is a connectivity decision.

CASB: Cloud Control Requires Geographic Awareness

Cloud Access Security Broker solutions provide visibility and control over SaaS usage.

To design CASB effectively, organizations must understand:

  • Which cloud applications are used
  • From which geographies
  • With what performance sensitivity

If enforcement points are located far from cloud regions, traffic paths become inefficient.

For example, routing Asian SaaS traffic through European enforcement nodes increases latency and backbone load unnecessarily.

Connectivity and CASB placement must be aligned.
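The placement effect described in the ZTNA and CASB sections above can be estimated before any circuit is ordered. The following Python sketch is an added example, not Open Systems code: it computes the propagation-only round-trip floor for a flow that must pass through an enforcement point, comparing one central node with the nearest of several. All site, SaaS and PoP names and coordinates are constructed, and the figure ignores queuing, inspection time and real fiber routes, so measured latency will be higher.

```python
import math

FIBER_KM_PER_MS = 200.0  # light in optical fiber covers roughly 200 km per millisecond
EARTH_RADIUS_KM = 6371.0

# Constructed sample locations as (latitude, longitude); not from the article.
SITES = {"office-singapore": (1.35, 103.82), "office-frankfurt": (50.11, 8.68)}
SAAS = {"saas-singapore": (1.35, 103.82), "saas-frankfurt": (50.11, 8.68)}
POPS = {"pop-frankfurt": (50.11, 8.68), "pop-singapore": (1.29, 103.85)}


def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def rtt_floor_ms(site, pop, dest):
    """Lower bound on round-trip time for site -> enforcement point -> destination."""
    one_way_km = great_circle_km(site, pop) + great_circle_km(pop, dest)
    return 2 * one_way_km / FIBER_KM_PER_MS


def nearest_path_pop(site, dest, pops):
    """Pick the enforcement point that adds the least distance to this flow."""
    return min(pops, key=lambda name: rtt_floor_ms(site, pops[name], dest))


def compare(site_name, saas_name, central_pop):
    """Return (central_ms, distributed_ms, chosen_pop) for one site/SaaS pair."""
    site, dest = SITES[site_name], SAAS[saas_name]
    chosen = nearest_path_pop(site, dest, POPS)
    return (rtt_floor_ms(site, POPS[central_pop], dest),
            rtt_floor_ms(site, POPS[chosen], dest), chosen)


if __name__ == "__main__":
    for site_name, saas_name in [("office-singapore", "saas-singapore"),
                                 ("office-frankfurt", "saas-frankfurt"),
                                 ("office-singapore", "saas-frankfurt")]:
        central, distributed, pop = compare(site_name, saas_name, "pop-frankfurt")
        print(f"{site_name} -> {saas_name}: central {central:.1f} ms, "
              f"distributed {distributed:.1f} ms via {pop}")
```

The third pair shows the limit of the argument: when the destination itself is in another region, the distance has to be covered regardless of where inspection happens, so distributed enforcement pays off for traffic whose source and destination are close to each other.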

What Many Security-Centric SASE Architectures Get Wrong

When organizations design SASE with a security-centric lens, some common trade-offs emerge that affect connectivity performance.

Here are some common pitfalls:

1. Saving on Physical Circuits: Paying in Operations

When organizations choose lower-cost access lines and rely on SD-WAN to compensate, the operational reality often looks different. SD-WAN improves traffic steering, but it cannot create performance out of unreliable circuits.

The result? Organizations spend more on:

  • Continuous troubleshooting
  • Network operations effort
  • Monitoring and performance tuning

All of this happens instead of solving connectivity issues at the source.

2. Centralizing Enforcement Points to Save Licensing

To reduce licensing or management overhead, some IT teams choose minimal enforcement infrastructure – routing most traffic through a small number of centralized inspection nodes.

That seems efficient until network traffic must:

  • Travel longer distances
  • Consume backbone capacity inefficiently
  • Increase latency for users and applications

The money saved on enforcement nodes is often offset by increased backbone traffic costs and degraded user experience.

3. Thinking It’s Either Last-Mile or Backbone

A common assumption is that organizations must choose between:

  • Traditional last-mile circuits (as in legacy WAN)
    or
  • A backbone-only approach (cloud-first, backbone-centric)

In practice, enterprise environments combine:

  • On-site production systems
  • Cloud and SaaS workloads
  • Regional offices
  • Remote users

They require both:

  • Reliable and diverse last-mile connectivity
  • A high-performance backbone that ties everything together

Backbone connectivity minimizes unpredictable internet middle-mile behavior. Last-mile circuits ensure local performance and redundancy.

Together they ensure consistent global performance.

4. Forgetting Operational Complexity

Connectivity is only “designed once” until it fails.

Real-world experience shows that:

  • Local IT teams each managing ISP relationships leads to inconsistency
  • Cloud-only SASE products without operational support for connectivity degrade experience
  • Connectivity outages are inevitable unless there is proactive monitoring and incident handling

This is why managed connectivity with dedicated 24×7 support is essential: handling ISP escalations, monitoring circuit health, and ensuring continuity without burdening internal teams.

Designing Connectivity for SASE Performance

A high-performance SASE architecture integrates connectivity at every layer – network and security.

1. Optimized End-to-End Paths: From Site to Cloud

Traffic routing and security inspection must be designed together, not separately.

That means:

  • Strategic placement of enforcement points aligned with connectivity paths
  • Backbone design optimized for predictable latency, packet loss and throughput
  • Intelligent SD-WAN path selection tied into security inspection points

This ensures security does not come at the expense of performance.

2. Managed Last-Mile Connectivity With Operational Support

What good is SD-WAN if there is no reliable last-mile backup when a circuit fails?

Effective last-mile design includes:

  • Strategic ISP sourcing and contract consolidation
  • Redundancy based on business criticality
  • 24×7 monitoring and incident support
  • Performance verification from the physical link up

For example, Open Systems’ Last-Mile Connectivity Service simplifies sourcing and management of ISP lines, bringing them under a single contract and operational oversight.

3. High-Performance Backbone Connectivity

A managed backbone avoids unpredictable internet middle-mile behavior.

With more than several hundred global Points of Presence (PoPs), backbone connectivity ensures:

  • Low jitter and packet loss
  • Intelligent routing near major cloud and SaaS endpoints
  • Geographically optimized paths
  • End-to-end SLAs across backbone and last-mile links

For example, the Open Systems Global Backbone Connectivity illustrates how backbone design can improve WAN performance and cloud access worldwide.

4. Hybrid Enforcement Deployment

A flexible SASE deployment blends:

  • Cloud-native inspection for remote users and SaaS
  • On-prem enforcement for datacenters and production systems

This hybrid model ensures that neither performance nor security is compromised.

Open Systems Global Connectivity Services

At Open Systems, we’ve built our connectivity services around the principles described above: integrated design, operational accountability and end-to-end performance.

Open Systems Global Connectivity Services include:

Learn more:

  • SD-WAN as a Service
  • Security Service Edge (SSE)
  • Cloud Access Security Broker (CASB)

Connectivity, security and operations are designed together – not layered separately.

Conclusion: Connectivity Is a Strategic Part of SASE

SASE promises convergence. But convergence only works when network and security are co-designed.

Last-mile stability ensures local resilience. Backbone performance ensures global consistency. Security enforcement shapes traffic patterns.

For SASE to truly deliver predictable performance and robust security, connectivity needs to be part of the architecture from the start.

In Part 3 of this series, we’ll explore connectivity as a managed service, and why technology alone is not enough without operations excellence.