Martin May, Business Development: Networking at Duxbury Networking
Look at most enterprise networks and you’ll see the same pattern. There’ll be a good firewall at the core, a VPN that’s outlived its design, some endpoint tools, and a significant amount of manual configuration. It works, until it doesn’t. The moment you add a new branch, roll out another SaaS app, or on-board a contractor at short notice, the seams show.
That’s the gap a unified SASE model closes. It’s not a new badge on the same kit, but rather a single policy fabric for how people and devices access applications, whether those apps reside in the data centre or the cloud.
Seeing the difference
Here’s what changes in real terms. A new branch in Gqeberha comes online, and its users access Microsoft 365 directly without going through headquarters. A contractor in Polokwane gets timed access to your ERP. A warehouse scanner only communicates with the WMS and update servers, and nothing else.
Most of the pain I see comes from piecemeal growth: a tool here, a license there, another console to watch. Each decision made sense at the time. Together they create blind spots and admin you can’t afford. Unifying networking and security reduces the sprawl, leaving one source of policy and one place to see what’s really happening.
HPE Aruba Networking’s approach is a practical example. EdgeConnect handles traffic engineering, while the security stack enforces policy close to users and applications. You don’t rebuild the network in a weekend. You address the most painful use cases first: remote users who live in SaaS, a branch that overwhelms the VPN, and an app that should never be exposed to broad network access. Each move takes pressure off the old perimeter thinking.
Local thinking
South Africa’s constraints make this more urgent because links vary, teams are small, and sites are spread out. When access is enforced at nearby points of presence, you cut the delay that users feel in Teams or Zoom. When policies travel with the user instead of the site, you stop carrying the risk of “temporary” exceptions that never get removed. And when traffic is steered intelligently over fibre, fixed wireless, or LTE, uptime isn’t held hostage by a single link.
Start somewhere
If you need a place to start, pick one measurable outcome. For example, reduce standing remote access by half in three months. Put your riskiest two apps behind ZTNA, retire one VPN group, and track the real-world impact, such as fewer after-hours calls, faster logins, and a cleaner audit trail tied to identity and device posture. That data will carry more weight in a board discussion than any slide on “digital transformation.”
Of course, there are pitfalls. If you lift-and-shift the VPN mindset into a new platform, you’ll get the same problems with a shinier UI. If you create policy exceptions without owners and an expiry date, you’ll reopen the holes you set out to close. And if legacy or OT systems are in the mix, segment them and proxy them, but don’t exempt them from the process.
Making sense of it
What tells you the move is working? You revoke access for someone who leaves the company in minutes, not days. Remote sessions are per-app, not full-tunnel. East-west tests inside a branch fail more often than they succeed. Policy exceptions have owners and time limits. Your MDR/XDR sees the same identity-tied events across sites and remote users. These are small proof points and precisely what auditors and insurers ask about.
After five weeks of exploring this topic, my view is that unified SASE isn’t a silver bullet, but rather a cleaner way to run a network that already resides in the cloud era. If your current setup feels like a collection of workarounds, start small, measure the outcome, and keep going.




