Sovereign SASE: A Comprehensive Analysis of Customer-Controlled Security and Data Routing Solutions
The emergence of Sovereign Secure Access Service Edge (SASE) represents a significant evolution in cybersecurity architecture, allowing organizations unprecedented control over how their data is routed and where security inspections occur. This comprehensive report examines the development, implementation, and strategic advantages of Sovereign SASE solutions, with particular focus on offerings from industry leaders like Fortinet and Versa Networks.
The Evolution and Definition of Sovereign SASE
Sovereign SASE has emerged as a critical innovation in response to increasing regulatory requirements and organizational needs for greater control over data and security processing. Traditional SASE solutions have typically been deployed through a software-as-a-service (SaaS) model, with security services delivered from vendor-controlled cloud environments. However, this approach presents challenges for organizations operating in highly regulated industries or those with strict security and compliance requirements.
Sovereign SASE fundamentally transforms this paradigm by enabling organizations to deploy SASE platforms within their own on-premises or private cloud environments, rather than depending on shared cloud-based services. This approach provides organizations with complete control over where their data is inspected, how it is routed, and where logs are stored—critical factors for ensuring compliance with increasingly stringent data sovereignty regulations worldwide.
The concept of Sovereign SASE has gained significant momentum as organizations seek greater autonomy over their security architectures. According to Gartner, "Buyers are increasingly demanding more options for data and cloud sovereignty, including where traffic is routed, where it is inspected, and where logs are stored." This growing demand reflects broader concerns about data privacy, regulatory compliance, and the need for customized security implementations that align with specific organizational requirements.
SASE, in its traditional form, consolidates networking and security functions into a cloud-delivered service. Sovereign SASE maintains this consolidation while transferring operational control to the customer, creating a paradigm shift in how organizations approach security architecture deployment and management.
Fortinet's Sovereign SASE Implementation
Fortinet introduced its Sovereign SASE solution in August 2024, positioning it as an extension of its unified SASE approach [2]. Fortinet's implementation provides organizations with a comprehensive SASE delivery option that enables local control over inspection and logs, ensuring robust data privacy and compliance while offering enhanced security and flexibility.
Fortinet's Sovereign SASE architecture is distinguished by its integration with the company's broader security ecosystem. The solution provides complete integration between Fortinet's Secure SD-WAN solution and cloud-delivered security service edge (SSE) under a single console for seamless management, visibility, and security. This integrated approach addresses a common challenge in the SASE landscape—the fragmentation of solutions that require multiple management consoles and agents, creating complexity and potential security gaps.
With Fortinet Sovereign SASE, customers gain granular control over data routing and security inspection locations. Organizations can determine how their data is routed and where security inspections occur, with options including data centers owned by Fortinet, partners, or the customer themselves [2]. This flexibility ensures that organizations can maintain compliance with regional regulations while still benefiting from Fortinet's full security stack.
The solution is delivered as a turnkey private SASE offering designed for service providers, large organizations, and governments. It enables these entities to create their own private cloud to offer customized, comprehensive SASE services while maintaining full control over features, architecture, and deployment [4]. Fortinet Sovereign SASE includes all core SASE features, such as Secure Web Gateway (SWG), Firewall-as-a-Service (FWaaS), Zero Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), and Digital Experience Monitoring (DEM).
In February 2025, Fortinet enhanced its Sovereign SASE offering with GenAI capabilities through FortiAI for SD-WAN. This integration accelerates and enhances operations, including visual and configuration assistance, consultation, and troubleshooting, enabling customers to deploy and manage their SD-WAN solutions more efficiently.
Versa Networks Sovereign SASE Approach
Versa Networks announced the general availability of its Sovereign SASE solution in February 2025, challenging the traditional cloud-only security model [3][5]. Versa's approach allows enterprises, governments, and service providers to deploy customized networking and security services directly from their own infrastructure in a "do-it-yourself" model [5].
Versa's implementation is distinctive in that it runs entirely on customer-controlled infrastructure. The solution is built on the Versa Operating System (VOS), which integrates networking and security functions through a single-stack architecture [3]. This design provides organizations with complete operational control over deployment locations, SASE features, and security infrastructure.
Unlike some private SaaS offerings that simply provide organizations the ability to deploy and run from inside a virtual private cloud (VPC), Versa's sovereign SASE is more comprehensive. The solution is highly customizable, allowing customers to choose their own compute resources, whether on-premises or in a private cloud. Versa provides the software and recommends the hardware, but the customer maintains full control over the deployment.
Versa's system supports both containerized and virtual machine deployments, giving organizations flexibility in their preferred infrastructure model. Importantly, all components—including advanced security features like sandboxing and malware detonation that traditionally required cloud services—can run within the customer's environment.
Over the past two years leading up to its general availability, Versa Sovereign SASE has been deployed by organizations in the defense, financial services, maritime, energy, and retail industries [5]. The solution is particularly targeted at organizations operating in highly regulated industries or those operating critical infrastructure that require the highest levels of protection, with the ability to deploy a cutting-edge "air-gapped" infrastructure model ensuring unmatched security.
Comparing Deployment Models and Control Mechanisms
Both Fortinet and Versa Networks offer Sovereign SASE solutions with distinct deployment options that provide organizations with varying levels of control over their data and security infrastructure. Understanding these deployment models is essential for organizations evaluating Sovereign SASE implementations.
Fortinet's Sovereign SASE consists of four key components that offer a combination of customer-hosted security inspection and data sovereignty with Fortinet-hosted orchestration [6]. These components include:
This architecture enables organizations to maintain control over security inspection and data while leveraging Fortinet's expertise for orchestration and management.
Versa Networks' deployment model offers three distinct options for deploying their VersaONE Universal SASE Platform:
The Sovereign option provides the highest level of control and security isolation, making it particularly suitable for organizations with strict security and compliance requirements.
Both vendors emphasize the importance of control over data routing and security inspection locations. Fortinet allows customers to determine how their data is routed and where security inspections occur, with options including data centers owned by Fortinet, partners, or the customer themselves [2]. Similarly, Versa's Sovereign SASE gives organizations complete control over deployment locations and security infrastructure, ensuring they can manage their environments according to their specific requirements [5].
Regulatory Compliance and Data Sovereignty Considerations
The growing emphasis on data sovereignty and regulatory compliance is a primary driver behind the development and adoption of Sovereign SASE solutions. As regulatory requirements tighten worldwide, organizations must ensure secure data processing within designated jurisdictions.
Fortinet's Sovereign SASE ensures compliance with regional data residency and sovereignty laws by keeping sensitive data within designated jurisdictions. It provides organizations with full control over their data and logs, ensuring they remain private within their own environment [4]. This approach is particularly valuable for organizations operating in highly regulated verticals with sensitive data, such as finance, government, and healthcare [2].
The solution enables customizable security and network policies to align with local regulations and unique business needs, enhancing compliance and efficiency. Service providers can create tailored offerings for different market segments, delivering maximum flexibility to meet diverse customer requirements while maintaining security and control [4].
Versa's Sovereign SASE similarly addresses regulatory concerns by allowing organizations to deploy a cutting-edge "air-gapped" infrastructure model, ensuring unmatched security [5]. This approach is particularly valuable for organizations operating in highly regulated industries or those operating critical infrastructure that require the highest levels of protection.
Both solutions recognize that data sovereignty is not merely about where data is stored but encompasses the entire security processing pipeline, including routing, inspection, and logging. By providing organizations with control over these aspects, Sovereign SASE solutions enable compliance with increasingly complex regulatory landscapes.
Implementation Considerations and Market Impact
Implementing Sovereign SASE requires careful consideration of infrastructure requirements, management capabilities, and integration with existing security architectures. Organizations must evaluate their specific needs and resources to determine the most appropriate Sovereign SASE solution.
Fortinet provides a turnkey solution with all necessary components for a comprehensive SASE service, offering flexible purchasing options and bundled packages designed to meet diverse security performance needs and user counts [4]. The innovative architecture ensures customers control the core capabilities and data, while orchestration and management are handled in Fortinet's network, enabling cost-effective, secure, and fast deployment.
Versa's solution is highly customizable, allowing customers to choose their own compute resources. The company provides the software and recommends the hardware, but the customer maintains full control over the deployment [3]. This flexibility enables organizations to align their Sovereign SASE implementation with their existing infrastructure and security requirements.
The market impact of Sovereign SASE is significant, challenging the traditional cloud-only security model that has dominated the SASE landscape. Both Fortinet and Versa Networks are positioning their Sovereign SASE solutions as alternatives to public SASE offerings, targeting organizations with specific security, compliance, and control requirements.
Versa's CEO, Kelly Ahuja, noted the growing trend of customers asking to deploy SASE in their own air-gapped infrastructure, citing increased privacy and control as primary motivations [3]. This trend reflects a broader shift in the market toward solutions that provide organizations with greater autonomy over their security architectures.
Service providers are also recognizing the value of Sovereign SASE for delivering differentiated managed services. Andrew Winney, General Manager and Head of Products, SASE, at Tata Communications Limited, highlighted that "By integrating Versa's Sovereign SASE solution into our network backbone, Tata Communications ensures superior user experiences and enhanced manageability, which is a key factor in delivering differentiated managed services."
Future Developments and Challenges
As Sovereign SASE continues to evolve, several key developments and challenges are likely to shape its future trajectory. The integration of advanced technologies, such as artificial intelligence and machine learning, is already beginning to enhance Sovereign SASE capabilities.
Fortinet has integrated GenAI capabilities through FortiAI for SD-WAN, enabling more efficient deployment and management of SD-WAN solutions. This integration represents a broader trend toward using AI to enhance security operations and decision-making.
Both vendors are committed to continuous innovation in their SASE offerings. Fortinet releases monthly updates to its Unified SASE solution, enabling organizations to address changing needs and stay ahead of attackers. Recent updates include remote browser isolation (RBI), improved network performance for on-demand full mesh networks, native SCIM support, and Universal ZTNA updates.
However, implementing Sovereign SASE also presents challenges. Organizations must balance the benefits of increased control with the potential complexity of managing their own SASE infrastructure. They must also ensure they have the necessary expertise and resources to effectively deploy and maintain their Sovereign SASE solutions.
Furthermore, as regulatory landscapes continue to evolve, Sovereign SASE solutions must adapt to meet new compliance requirements. This ongoing adaptation will require continued innovation and collaboration between vendors and their customers.
Conclusion
Sovereign SASE represents a significant evolution in the SASE landscape, providing organizations with unprecedented control over how their data is routed and where security inspections occur. Both Fortinet and Versa Networks have developed comprehensive Sovereign SASE solutions that enable organizations to maintain control over their security infrastructure while benefiting from the integrated networking and security capabilities that define the SASE approach.
The growing demand for data sovereignty and regulatory compliance has driven the development of these solutions, reflecting a broader trend toward greater organizational control over security architectures. As traditional cloud-only SASE models face challenges in highly regulated environments, Sovereign SASE offers a compelling alternative that balances the benefits of SASE with the control and compliance requirements of modern organizations.
As the SASE market continues to evolve, Sovereign SASE is likely to play an increasingly important role, particularly for organizations in regulated industries, government agencies, and service providers. The flexibility, control, and compliance benefits of Sovereign SASE position it as a key component in the future of secure network architecture, enabling organizations to navigate the complex landscape of global regulations while maintaining robust security postures.