Legacy Infrastructure and SASE: Navigating the Transition
Secure Access Service Edge (SASE) promises a streamlined, cloud-native approach to networking and security — one that aligns with how modern organisations work and where their applications now live. But for many businesses, the journey to SASE runs straight into a familiar obstacle: legacy infrastructure and past investments.
Whether it’s on-premises firewalls, MPLS networks, or remote access VPNs, most organisations have spent years — even decades — building robust architectures based on technologies that pre-date cloud-first and hybrid work models. These systems still “work” — but they weren’t designed for today’s digital reality.
As a result, CIOs, CISOs, and Heads of Infrastructure or Security face difficult questions: How do you modernise without wasting prior investments? How do you balance agility with stability? And how do you phase out legacy systems without disrupting critical services?
This post explores the challenge of legacy infrastructure in the context of SASE, and how leaders can take a pragmatic, phased approach to unlock its full potential.
The Legacy Dilemma
Legacy infrastructure includes more than just outdated technology. It also includes the contracts, processes, team skillsets, and interdependencies that have grown up around it. Common examples include:
- On-premises firewalls and secure web gateways at branch sites or central data centres
- Remote access VPNs that support hybrid or mobile workforces
- MPLS circuits that provide predictable connectivity, often at high cost
- Traditional data centres still hosting key applications
- Separate network and security tools with minimal integration
In many organisations, these systems are reliable and deeply embedded — but they’re also becoming barriers to agility, harder to manage, and less effective at reducing risk in a cloud-first world.
Why Legacy Systems Clash with SASE
SASE represents a shift to cloud-delivered, identity-aware, policy-based access — applied consistently across users, devices, locations, and applications. This model directly challenges the assumptions behind many legacy architectures:
| Legacy Approach | SASE Model |
|---|---|
| Perimeter-based security | Zero Trust / context-based access |
| Centralised backhaul | Local breakout / edge enforcement |
| Hardware appliances | Cloud-native services |
| Static routes and policies | Dynamic, identity-driven policies |
| Tool sprawl and silos | Unified platform with shared policies |
In short, legacy infrastructure creates friction — both technical and organisational — when trying to implement SASE at scale.
The Risks of “Rip and Replace”
It’s tempting to think of SASE as a clean-slate opportunity. But for most large organisations, a full “rip and replace” approach is unrealistic and risky.
Common barriers to a clean cut include:
- Existing long-term contracts or lease agreements
- Business-critical apps running in legacy data centres
- Change management constraints in regulated industries
- Staff with skills tied to legacy technologies
- High-risk services that can’t tolerate disruption
For leadership, the challenge is not just technical migration — it’s strategic transition. The goal is to evolve without destabilising what already works.
A Phased, Risk-Aware Approach
Rather than forcing a single, sweeping transformation, successful organisations take a phased approach to modernisation. Here’s how that might look in practice.
1. Audit Your Existing Estate
Begin with a detailed inventory of:
- Current network and security tools
- Locations and endpoints served
- Contracts and renewal timelines
- Infrastructure dependencies (e.g. apps tied to specific data centres)
- Operational pain points (e.g. tool sprawl, policy inconsistency)
This baseline helps prioritise which systems to modernise first — and which to leave in place for now.
2. Identify “Low-Regret” Areas to Start
Look for parts of the organisation where legacy infrastructure is weakest or most costly — and where disruption is minimal. For example:
- Remote access VPNs with poor user experience
- Branch offices with outdated firewall appliances
- MPLS circuits nearing contract expiry
- Isolated business units with cloud-first operations
These can serve as pilot zones for introducing SASE components such as Zero Trust Network Access (ZTNA) or software-defined WAN (SD-WAN).
3. Layer SASE Over Legacy — For Now
SASE doesn’t require you to rip out existing systems overnight. Many cloud-delivered SASE services can coexist with legacy firewalls or VPNs, which allows a gradual transition while preserving business continuity.
Examples include:
- Deploying a secure web gateway (SWG) and cloud access security broker (CASB) in parallel with existing proxies
- Using ZTNA to replace VPNs for specific user groups
- Routing select traffic via SD-WAN while maintaining MPLS for critical paths
4. Align With Natural Refresh Cycles
Plan your transition around contract renewals, hardware refreshes, or major IT initiatives such as cloud migrations. This avoids sunk cost dilemmas and reduces resistance.
For instance:
- Replace on-prem firewalls with Firewall-as-a-Service when appliances reach end-of-life
- Swap legacy VPNs for ZTNA during identity platform upgrades
- Introduce SD-WAN when WAN contracts expire
5. Retire Legacy Systems in Phases
Once cloud-native SASE components are in place and stable, legacy systems can be phased out — ideally with clear exit criteria:
- Traffic volume drops below a threshold
- All key apps and users are migrated
- Support or patching becomes unviable
- Policy duplication creates unacceptable overhead
Be mindful that retirement plans need stakeholder buy-in, particularly from operational teams who’ve built confidence in existing tools.
Managing Leadership Concerns
For executive leaders, legacy modernisation raises important questions about risk, ROI, and business continuity. Here’s how to address them:
Concern: “Won’t we waste prior investments?”
Response: A phased approach lets you extract value from legacy systems while transitioning on your terms. Many SASE capabilities deliver benefits long before full replacement.
Concern: “What if the new model doesn’t perform?”
Response: Pilots in targeted environments reduce risk. Cloud-native SASE services can often outperform legacy systems, particularly for remote and cloud-based users, whose traffic no longer has to be backhauled through a central data centre before reaching the internet or SaaS applications.
Concern: “How do we control costs?”
Response: Modernising legacy infrastructure can reduce total cost of ownership by consolidating tools, cutting MPLS spend, and simplifying operations.
A Strategic Role for Leaders
Legacy infrastructure is a reality — not a problem to be eliminated, but a factor to be managed. Leadership plays a crucial role in:
- Framing the modernisation effort as a business enabler, not just a tech refresh
- Creating a clear roadmap that aligns with budget, risk appetite, and operational maturity
- Bringing together teams across networking, security, procurement, and operations to collaborate effectively
- Measuring progress through user experience, policy consistency, and operational simplicity — not just cutovers
SASE is a journey. Organisations that treat it as a strategic transition — not just a technical swap — are far more likely to succeed.
Conclusion: Respect the Past, Plan for the Future
Legacy infrastructure is not the enemy. It reflects real investments, delivers critical services, and underpins trust in IT. But clinging to it indefinitely can limit your ability to adapt, protect, and grow.
SASE offers a forward-looking model that matches the demands of modern work — but getting there requires thoughtful navigation of what you already have. By taking a phased, risk-aware approach that respects legacy while enabling progress, leaders can ensure a smoother and more successful SASE transformation.
If your SASE strategy is on hold due to legacy constraints, start by mapping where legacy hurts the most — and where modernisation can deliver quick wins. Every successful transformation begins with clarity and confidence in the path forward.