The shift to cloud, SaaS, and hybrid work is no longer breaking news. What is surprising? How many IT and network teams are still trying to stitch together architectures that weren’t designed for today’s distributed world.

Data is everywhere. Users are everywhere. Applications live across SaaS, public cloud, and private data centers. Yet too often, traditional network and security architectures can’t keep up, creating bottlenecks, security gaps, and user frustration.

Modern SASE and SD-WAN architectures promise agility, resilience, and better performance, but only when they’re built on strong, intentional design.

In a recent ONUG webinar, Netskope’s Chief Platform Officer Joe DePalo and strategic advisor (and former Gartner Distinguished Analyst) Joe Skorupa shared real-world insights into what it takes to make SASE and SD-WAN work, without compromise.

Here are a few key takeaways from their discussion and why architecture still wins.

Architect for performance and security or risk losing both

The hub-and-spoke architectures of the past, designed for centralized users and apps, no longer fit today’s distributed environments.

As Joe Skorupa put it, “Your data, your apps, and your users are everywhere. The old model of dragging everything back to the data center just doesn’t make sense anymore.”

Modern architectures must prioritize direct-to-cloud access, resilient edge delivery, and distributed security without adding complexity.

But in a crowded market, it’s easy to be misled. Some vendors inflate their capabilities by advertising high numbers of Points of Presence (PoPs), even if those sites can’t actually inspect or process traffic. And while a service may be cloud-delivered, implementation still matters.

Joe DePalo made the distinction clear: “We focus on real regions, not inflated PoP counts. Our users know where their traffic is inspected, processed, and secured without hidden backhauling or unpredictable latency.”

At the end of the day, SASE isn’t just a service you buy; it’s an implementation of the architecture. And not all implementations are created equal. Where your traffic is actually processed, and whether your provider truly controls the infrastructure, has a direct impact on latency, resiliency, compliance, and user experience.

And as DePalo warned, “If the secure path is slow, the business will find a faster one.”

Performance problems quickly become security problems—as users bypass controls to stay productive—unless you architect for both, from the start.

Single vs. dual vendor: What really matters

One of the most common questions enterprises face when implementing SASE and SD-WAN is whether to consolidate under a single provider or mix-and-match best-of-breed components.

The truth is, there’s no universal answer. It depends on where you’re starting. As Joe Skorupa explained, “Whether you go single or dual vendor, networking and security teams must collaborate and build a phased, realistic deployment plan. For example, handling the creation and management of tens of thousands of tunnels.” Because in the real world, operational practicality beats perfect theory every time.

If your SD-WAN environment is relatively new, integrating it with a strong SSE solution might make sense. But if you’re approaching a major refresh or decommissioning legacy infrastructure, moving to a fully integrated SASE platform could simplify operations.

Flexibility matters, as Joe DePalo pointed out: “You need a partner that gives you as many options as possible because ripping and replacing everything at once just isn’t realistic.”

Regardless of path, tight integration, automation, and shared policy enforcement are what make strategies scale, not how many vendors you have.

Visibility, resiliency, and control are now non-negotiable

Delivering secure, high-performance connectivity on a global scale takes more than simply handing traffic over to a SASE vendor relying on a hyperscaler’s network. Enterprises today can’t afford blind spots. They need real-time traffic visibility, a provider with direct control over routing, the ability to reroute instantly when conditions change, and guarantees for data sovereignty, both for data in flight and at rest.

As DePalo explained, “We built the NewEdge network to control the entire network path, not trust carriers blindly. We make dozens of real-time routing changes monthly to avoid outages and optimize user experience.”

But true visibility requires more than dashboards and logs. Modern network teams need deep, session-level telemetry across the entire user traffic path, inside and outside the SASE cloud.

That’s where Netskope One Digital Experience Management (DEM) comes in, giving teams the insights they need to troubleshoot faster, reduce ticket noise, and maintain a great user experience.

Because if you can’t see what’s happening, you can’t fix it, or secure it.

AI-driven automation: From buzzword to business critical

In a world where seconds matter and complexity is rising, AI-driven automation isn’t optional anymore; it’s the foundation of modern network operations. Real-time adaptability is essential and manual intervention simply can’t scale.

At Netskope, AI is deeply embedded across the platform, powering proactive infrastructure monitoring, intelligent traffic steering, real-time optimization, and full API-driven visibility.

As Joe DePalo explained, “The overwhelming majority of our routing decisions, infrastructure adjustments, and policy enforcements are driven by AI, and haven been for years because in a cloud-first world, manual troubleshooting just can’t keep up.”

The real value of AI truly lies in what it enables for network teams on the ground. From predictive performance management to automated root cause analysis, AI helps network teams adapt in real time, improving application performance, enhancing resilience, and increasing user satisfaction, without sacrificing security.

The bottom line: Architecture is a competitive advantage

The organizations succeeding today are those who design intentionally, choosing partners who understand architecture, implementation, operations, and the realities enterprises face.

As Skorupa put it, “Pick a partner that understands architecture, implementation, and operational reality. And don’t pick a vendor for a single function, like ZTNA, only to realize in six months that you bought a dead end offering.”

And DePalo closed with a reminder to every enterprise IT leader: “Understand the architecture. Try before you buy. And make sure your vendor’s roadmap aligns with your future needs.”

The future belongs to those who architect for it today.

If you’re rethinking your SASE & SD-WAN strategy, or building one from the ground up, watch the full conversation: SASE & SD-WAN Architecture That Works: Maximizing Performance & Security