FCA-regulated firms running hybrid workforces on legacy MPLS and VPN concentrators are hitting a wall. The Operational Resilience rules under PS21/3, fully in force since 31 March 2025, demand firms can identify, remediate, and evidence recovery within impact tolerances for Important Business Services. Yet most network architectures still hairpin remote traffic through congested data centre firewalls, creating exactly the brittle dependencies the FCA wants eliminated.
Secure Access Service Edge — SASE — promises to fix this by converging networking and security into a cloud-delivered fabric. The architecture is sound. The adoption record in UK financial services is patchy. Our team has seen well-funded SASE programmes stall for eighteen months, leak budget into shelfware, and leave CISOs explaining to boards why the "transformation" hasn't transformed anything.
This post sets out what SASE actually is, why FCA-regulated firms cannot keep deferring the decision, and the five pitfalls that most consistently derail SASE adoption in UK financial services. We will close with a practical sequencing checklist and how Pyralink supports firms through the programme.
What SASE actually is — beyond the vendor marketing
Secure Access Service Edge, a term Gartner coined in 2019, describes the convergence of SD-WAN with a stack of cloud-delivered security services: Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and Firewall-as-a-Service (FWaaS). The point is not the acronyms. The point is that identity becomes the new perimeter, policy follows the user and workload, and inspection happens at a Point of Presence close to the user rather than backhauled to a corporate data centre.
For a UK asset manager with traders in London, operations in Edinburgh, and a third-party administrator in Mumbai, this matters operationally. A user in Edinburgh accessing a SaaS order management system should not traverse a London firewall to reach an Azure tenant in West Europe. That hairpin adds latency, creates a single point of failure, and produces the exact "concentration risk" the FCA flags in its Operational Resilience guidance.
SASE done properly replaces three things: the VPN concentrator, the MPLS-anchored hub-and-spoke topology, and the assumption that "inside the network" equals "trusted". It does not replace your identity provider, your endpoint detection, or your data classification programme. Firms that conflate SASE with "Zero Trust" as a whole end up disappointed.
Why the timing pressure is real
Three forces are squeezing UK financial services on network security transformation right now.
First, FCA PS21/3 Operational Resilience. Firms must map Important Business Services, set impact tolerances, and demonstrate they can remain within those tolerances during severe-but-plausible scenarios. Legacy VPN architectures consistently fail this test — when the concentrator fails, every remote worker loses access with it. The March 2025 deadline has passed; supervisory attention is now shifting to evidence.
Second, the Cyber Security and Resilience Bill, currently progressing through Parliament, will tighten obligations on managed service providers and expand the regulator's powers. Firms whose security depends on MSPs accessing flat internal networks will be exposed. ZTNA-led architectures address this directly.
Third, supply chain reality. Bring-your-own-device contractors, offshore administrators, and SaaS-first applications have already broken the perimeter model. SASE is the architecture that reflects how work actually happens. Firms running CloudAuditX scans regularly find dozens of SaaS tenants with no policy enforcement between user and data — a CASB-shaped hole.
The five adoption pitfalls that derail SASE programmes
1. Treating SASE as a procurement exercise, not an architecture decision
The most common failure mode: a CIO signs a three-year deal with a single-vendor SASE platform after a two-week bake-off, then hands implementation to a network team that has never operated identity-based policy. Eighteen months later, the platform is deployed in monitor mode, no policies are enforcing, and the VPN is still carrying production traffic.
SASE is an operating model change. Network engineers must learn identity. Security engineers must learn SD-WAN. Procurement-led adoption skips the operating model conversation entirely. Run the architecture workshop before the RFP, not after.
2. Skipping the identity prerequisites
SASE policy is only as good as the identity signal feeding it. If your Entra ID tenant has stale guest accounts, no Conditional Access baselines, weak MFA, and no privileged identity management, your SASE platform will faithfully enforce policy on a broken identity graph. Garbage in, segmented garbage out.
Before SASE rollout, fix Conditional Access, enforce phishing-resistant MFA for privileged roles, implement Privileged Identity Management, and clean up service principals. This work is unglamorous and non-negotiable.
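An added example of what the identity-hygiene baseline looks like as a check rather than a checklist. This is not Pyralink's tooling and does not call the Microsoft Graph API; the account records, role names and method names are constructed to resemble Entra ID objects, and the stale-guest threshold and the set of phishing-resistant methods are assumptions.

```python
# Added example (not Pyralink's tooling, not the Microsoft Graph API): an
# identity-hygiene baseline check over constructed Entra ID-style records.
from datetime import datetime, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are stable
STALE_GUEST_DAYS = 90                              # assumed threshold
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "x509Certificate"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator"}

# Constructed sample accounts; field names loosely mirror Graph user objects.
USERS = [
    {"upn": "alice@example.test", "userType": "Member",
     "lastSignIn": "2025-05-30T08:00:00Z", "methods": ["fido2", "password"],
     "roles": [{"role": "Global Administrator", "assignment": "eligible"}]},
    {"upn": "bob@example.test", "userType": "Member",
     "lastSignIn": "2025-05-29T08:00:00Z", "methods": ["sms", "password"],
     "roles": [{"role": "Security Administrator", "assignment": "permanent"}]},
    {"upn": "consultant_partner.test#EXT#@example.test", "userType": "Guest",
     "lastSignIn": "2024-11-01T08:00:00Z", "methods": ["password"], "roles": []},
]

def _days_since(iso):
    """Days between NOW and an ISO-8601 timestamp; None when never signed in."""
    if iso is None:
        return None
    return (NOW - datetime.fromisoformat(iso.replace("Z", "+00:00"))).days

def evaluate_user(user):
    """Return the baseline findings for one account (empty list == clean)."""
    findings = []
    age = _days_since(user["lastSignIn"])
    if user["userType"] == "Guest" and (age is None or age > STALE_GUEST_DAYS):
        findings.append("stale-guest")
    held = {r["role"] for r in user["roles"]} & PRIVILEGED_ROLES
    if held and not set(user["methods"]) & PHISHING_RESISTANT:
        findings.append("privileged-without-phishing-resistant-mfa")
    if any(r["assignment"] == "permanent" for r in user["roles"]
           if r["role"] in PRIVILEGED_ROLES):
        findings.append("permanent-privileged-assignment")  # should be PIM-eligible
    return findings

def baseline_report(users):
    """Map UPN -> findings, keeping only accounts that fail the baseline."""
    return {u["upn"]: f for u in users if (f := evaluate_user(u))}

if __name__ == "__main__":
    for upn, issues in baseline_report(USERS).items():
        print(f"{upn}: {', '.join(issues)}")
```

The same three rules map directly onto the items in the paragraph above: stale guests, phishing-resistant MFA for privileged roles, and standing privilege that should be PIM-eligible.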
3. Underestimating the application discovery problem
You cannot write ZTNA policies for applications you have not catalogued. UK financial services firms routinely discover, mid-rollout, that they have 40% more internal applications than the CMDB suggests — legacy thick clients, finance department Access databases, a Bloomberg terminal nobody documented. Each requires a policy decision: publish via ZTNA, retire, or refactor.
Run a four-to-six-week application discovery sprint before policy design. Tag each application by Important Business Service mapping (this dovetails directly with PS21/3 work), data classification, and user population. Without this, your SASE rollout will stall at the first finance month-end.
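An added example of the discovery sprint's core step: reconciling what the CMDB says exists against what traffic shows is actually in use, then tagging each application with the three attributes named above. This is not Pyralink's method or tooling; the CMDB extract, the flow-log format and every host, group and IBS name are constructed.

```python
# Added example (not Pyralink's method or tooling): reconcile a constructed
# CMDB extract against apps observed in constructed flow-log lines, then tag
# each app by Important Business Service, classification and user population.
import csv
import io
from collections import defaultdict

# Constructed CMDB extract: what the firm believes it runs.
CMDB_CSV = """app,ibs,classification
oms.internal.test,Order Execution,Confidential
hr-portal.internal.test,,Internal"""
# Constructed flow-log lines: user,group,destination host,port,bytes.
FLOW_LOG = """alice,traders,oms.internal.test,443,120000
carol,finance,ledger-db.internal.test,1433,540000
erin,hr,hr-portal.internal.test,443,3000
frank,contractors,bloomberg-gw.internal.test,8194,77000"""

def load_cmdb(text):
    return {row["app"]: row for row in csv.DictReader(io.StringIO(text))}

def observed_apps(text):
    """destination host -> set of user groups seen reaching it."""
    seen = defaultdict(set)
    for line in text.strip().splitlines():
        _user, group, host, _port, _bytes = line.split(",")
        seen[host].add(group)
    return seen

def reconcile(cmdb, seen):
    """One row per observed app carrying the three tags the sprint needs."""
    rows = []
    for host, groups in sorted(seen.items()):
        rec = cmdb.get(host, {})
        rows.append({
            "app": host,
            "in_cmdb": host in cmdb,
            "ibs": rec.get("ibs") or "UNMAPPED",            # needs PS21/3 mapping
            "classification": rec.get("classification") or "UNCLASSIFIED",
            "users": sorted(groups),
            "decision": "pending",  # publish via ZTNA / retire / refactor: a human call
        })
    return rows

def gap_summary(rows):
    """What discovery surfaces: apps missing from the CMDB or without an IBS."""
    missing = [r["app"] for r in rows if not r["in_cmdb"]]
    unmapped = [r["app"] for r in rows if r["ibs"] == "UNMAPPED"]
    return {"missing_from_cmdb": missing, "unmapped_ibs": unmapped,
            "cmdb_gap_pct": round(100 * len(missing) / len(rows))}
```

Every row that comes back with an UNMAPPED IBS or UNCLASSIFIED data is a policy decision nobody can make yet, which is the stall the paragraph above warns about.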
4. Ignoring the third-party access redesign
Most firms have a graveyard of site-to-site VPNs, jump hosts, and "temporary" firewall rules for third parties. SASE is the moment to rebuild this on ZTNA — but only if you sequence it correctly. Migrating internal users first and leaving third parties on legacy access leaves the largest risk population on the oldest architecture.
Our consultants recommend a parallel workstream: internal user migration and third-party access redesign run together, with third parties prioritised by data sensitivity. This is also where firms should re-examine contracts — our published guidance on third-party risk covers the contractual mechanics.
5. No measurement framework, no board narrative
SASE programmes that cannot articulate progress in operational resilience terms lose funding at the eighteen-month mark. "We migrated 3,000 users" means nothing to a board. "We reduced mean time to revoke access from 4 hours to 90 seconds, eliminated the VPN single point of failure for our Important Business Services, and reduced our attack surface by retiring 47 inbound firewall rules" — that lands.
Define five to seven outcome metrics before kickoff. Tie each to either a PS21/3 impact tolerance or a board-level risk appetite statement.
A practical sequencing checklist
- Weeks 1–4: Identity hygiene baseline. Conditional Access, MFA uplift, PIM, service principal review.
- Weeks 3–8: Application discovery and IBS mapping. Tag every application against PS21/3 Important Business Services.
- Weeks 6–10: Architecture workshop and vendor selection. Single-vendor versus best-of-breed decision, with operating model implications.
- Weeks 10–20: Pilot with one IBS end-to-end. Internal users plus third parties. Prove the model before scaling.
- Months 6–18: Phased rollout by business unit, with VPN decommissioning as the explicit success criterion for each phase.
How Pyralink helps
Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science) as Founder & Managing Director. Our team supports FCA-regulated firms through SASE architecture adoption from board case through to operating model handover.
Where firms need ongoing security leadership without a full-time hire, our fractional vCISO service (from £497/month) provides the architectural authority to make the trade-offs SASE programmes demand. For firms building the underlying control environment, our ISO 27001 certification support aligns SASE controls with Annex A directly, avoiding duplicate work. Our CloudAuditX platform — available with a free trial — gives continuous visibility into the multi-cloud posture that SASE policy enforces against. Pyralink holds £5M professional indemnity insurance.
If your SASE programme is stalled, has not started, or is heading toward a board conversation you would rather not have, two next steps: