Andrew Winney, Global Head, Product Management – SDWAN, SASE, SSE, Tata Communications
As enterprises accelerate towards hybrid work, cloud-native applications and artificial intelligence-driven workflows, the traditional idea of a secure perimeter has quietly collapsed. Applications no longer live in a single data centre, users work from anywhere, and access now spans partners, contractors and ecosystems. Security architectures designed for a different era are struggling to keep pace.
Few leaders sit at the intersection of connectivity, cloud and security as closely as Andrew Winney, Global Head of Product Management for Software-Defined Wide Area Network (SD-WAN), Secure Access Service Edge (SASE) and Security Service Edge (SSE) at Tata Communications. He oversees the company’s global SASE portfolio and leads its strategy around hosted and hybrid SASE platforms. With a background spanning corporate strategy, product management, business development and mergers and acquisitions across the Tata Group, including Tata Consultancy Services and Tata Advanced Systems, Winney brings both architectural depth and enterprise perspective. An alumnus of IIM Ahmedabad and part of the Tata Administrative Services leadership programme, he now plays a central role in shaping Tata Communications’ secure access roadmap globally.
In this conversation with Dataquest, Winney explains why perimeter-based security is fundamentally broken, how Zero Trust must be implemented without degrading user experience, and why Tata Communications’ global network, which routes over 35 percent of global internet traffic on-net, offers a distinct advantage in building secure access architectures for the artificial intelligence era.
Enterprise security was historically designed around clearly defined perimeters. As cloud-native applications, distributed workforces and partner ecosystems dissolve those boundaries, how do you see the very notion of enterprise security architecture being redefined today?
If we look back, enterprise environments were built around a simple assumption. Applications sat within a data centre, everything inside that boundary was managed by IT, and users largely operated from offices. Remote access existed, but it was the exception, handled through VPNs. Security was about protecting the perimeter.
That model has completely changed over the last few years. Applications are now everywhere, across hyperscalers, software-as-a-service platforms and edge environments. Users are distributed globally and may work from multiple locations. Enterprises also need to connect securely with partners and ecosystem providers, which further extends access beyond internal boundaries.
What this means is that the perimeter-based security model is effectively broken. In response, enterprises tried to patch the gaps by deploying siloed tools. Proxies for web access, VPNs for private applications, firewalls for branches. Each of these technologies operates with its own policy set and control plane. The result is fragmentation, inconsistent access enforcement and a lack of unified visibility. Security teams struggle to answer basic questions such as who is accessing what, from where, and under what context.
Virtual Private Networks and appliance-led security models were conceived for a very different threat landscape. As enterprises stretch these constructs into cloud-first environments, what fundamental security assumptions begin to fail?
VPNs assume implicit trust. Once a user logs in successfully, they are granted access to a broad set of applications for the duration of the session. That assumption no longer holds in today’s threat environment.
Zero Trust security starts from the principle of assume breach. Even trusted users and devices can be compromised. Malicious code can exist inside endpoints, and threats can move laterally within the environment. That means every access request must be verified, not just the first one.
Each transaction needs to be authenticated and authorised based on identity and context. Access should be limited strictly to the specific resource required. Traditional VPNs are not designed to enforce this level of granular, continuous verification. They cannot dynamically evaluate identity, device posture and access context for every request. In a cloud-native, distributed enterprise, this limitation becomes a critical security gap.
Zero Trust has rapidly become a board-level mandate, yet implementation remains uneven. From your vantage point, what distinguishes symbolic adoption from a genuinely enforceable Zero Trust architecture at enterprise scale?
Zero Trust is often discussed as a product decision, but in reality it is a journey. Many enterprises start with a few use cases, such as securing internet access or enabling remote access to private applications. But they do not always extend those principles across contractors, third-party users, software-as-a-service applications and hybrid environments.
Practical Zero Trust requires enterprises to rethink access fundamentally. Every request must be evaluated based on who the user is, the context from which they are accessing, the device they are using and the resource they are requesting. Access must then be granted only to that specific resource.
Consistency is key. A user working from an office today and from another country tomorrow should experience the same security posture. That level of consistency is difficult to achieve with fragmented, legacy architectures, and that is where many implementations fall short.
One persistent concern among CISOs is that stronger security controls inevitably degrade user experience. How can organisations reconcile Zero Trust principles with the need for seamless, high-performance access for legitimate users?
This concern typically stems from experiences with older architectures. In traditional environments, user traffic is often backhauled to a central firewall or branch where policies are enforced. That introduces latency, particularly when applications are hosted elsewhere.
Modern Secure Access Service Edge architectures operate differently. Policy enforcement points are distributed closer to users and workloads. Identity and context are validated at these locations, and access decisions are made locally rather than forcing traffic through a central choke point.
By bringing enforcement closer to the user, performance often improves. Authentication still happens, but users no longer need to route traffic across long distances to reach applications that may be physically closer to them. This allows enterprises to strengthen security without compromising user experience.
Secure Access Service Edge represents a structural convergence of networking and security rather than a simple technology swap. What are the most critical architectural and change-management considerations enterprises must address during this transition?
SASE is not a one-time technology change. It represents the convergence of networking and security under unified orchestration and policy management. That transition takes time and must be managed carefully.
We typically work with enterprises through phased transition plans. If an organisation’s immediate priority is securing internet access or private application access for remote users, we begin there and expand to additional use cases over time.
Integration is critical. Enterprises have existing investments in cloud platforms, local area networks and security tools. New architectures must integrate seamlessly with those environments. During the design phase, we use digital twin capabilities to simulate customer architectures and validate how new technologies will fit.
We also automate significant parts of the migration and post-deployment process, including policy checks, health monitoring and migration workflows. Over time, artificial intelligence-driven capabilities help with change management, proactive fault detection and continuous policy optimisation.
Tata Communications operates at the intersection of global connectivity, cloud and security. As these layers converge, how are you shaping your SASE strategy, and what differentiates your approach in a crowded market?
Security has been part of Tata Communications’ portfolio for many years. We have delivered network security capabilities such as proxy services and distributed denial of service protection for over a decade.
What changed around 2020 was the emergence of SASE as a cloud-native architecture designed for hybrid work and distributed enterprises. We recognised this shift early and began aligning our capabilities and customer engagements accordingly.
Our differentiation comes from the depth of our network. We route over 35 percent of global internet traffic on-net through our backbone. That scale gives us early visibility into emerging threats and allows us to generate our own threat intelligence, which we embed directly into our Zero Trust and SASE solutions. Combined with globally distributed enforcement points, this enables earlier detection and faster mitigation of threats.
As artificial intelligence introduces both unprecedented automation and entirely new attack surfaces, how should secure access architectures evolve to remain effective?
Artificial intelligence impacts security in two ways. On one side, we use AI and agentic capabilities to improve security operations. For example, in change management, tasks that previously required multiple engineers and manual validation can now be largely automated, with AI providing recommendations that experts review and approve.
On the other side, AI itself becomes an attack surface. As enterprises deploy generative and agentic AI in production environments, they face risks such as prompt injection and jailbreak attacks. Protecting these interactions requires new guardrails, governance models and policy enforcement mechanisms.
Our approach is to address both sides holistically, embedding AI into security operations while also securing AI-driven business workflows.
From a CISO’s perspective, looking ahead to the next 12 to 18 months, which strategic security priorities will matter most?
First, completing the Zero Trust journey. Many organisations have started, but few have extended it comprehensively across all users, contractors, software-as-a-service applications and third-party access.
Second, data protection. Artificial intelligence initiatives depend on strong data pipelines, and protecting data across environments is becoming increasingly critical.
Third, measuring security posture. CISOs need unified ways to quantify improvements and demonstrate impact to boards and leadership teams.
Finally, artificial intelligence governance. As AI moves into production, organisations must identify shadow AI usage, understand what is happening in their environments and design policies that balance innovation with control.