The growth of cloud computing, software-as-a-service (SaaS), and remote working is changing network architecture. Companies must ensure that diverse device communities are secure. They must protect cloud-hosted data located outside traditional network perimeters.

SASE and Zero Trust Network Access (ZTNA) have emerged to solve these problems. But which security approach should companies choose? Is there even a choice to make, or are we talking about two interrelated concepts?

SASE and ZTNA are often seen as competing ideas. However, they are natural allies and should form complementary aspects of a modern cloud security system.

Let’s now explore the scope and focus of both SASE and ZTNA.

How does SASE differ from Zero Trust?

Secure Access Service Edge (SASE) is a network security approach designed to lock down remote devices, IoT sensors, and cloud-based data. It rose to prominence during the Covid pandemic when home-working rapidly multiplied network endpoints. SaaS and the IoT have sustained this growth, making SASE a popular option for modern network security.

SASE employs a series of technologies to protect critical resources and enable efficient user access:

  • Software Defined Wide Area Networking (SD-WAN): provides dynamic, policy-based application path selection across multiple WAN connections and supports service chaining for additional services such as WAN optimization and firewalls.
  • Firewall-as-a-Service (FWaaS): cloud-optimized firewalls screen traffic to block malicious agents and enable network micro-segmentation.
  • Cloud Access Security Broker (CASB): CASB solutions recognize and safeguard sensitive data, identify and neutralize threats, and establish robust cloud governance and compliance measures.
  • Secure Web Gateway (SWG): SWG solutions filter unwanted software or malware from user-initiated internet traffic and enforce company and regulatory policy compliance.
  • Zero Trust Network Access (ZTNA): a component of SASE that creates a secure access boundary around applications, verifying user identity and context before granting access to the network.

It’s also worth remembering that SASE is more than a security solution; it is a holistic approach to network protection. At its core are several elements, each serving a distinct purpose in safeguarding your organization's digital assets. One of these components is ZTNA, a critical layer focused on multi-layered authentication. With ZTNA in place, network security is strengthened, ensuring only authorized access and mitigating risk effectively.

The principal goal of SASE in the network

SASE aims to secure networks while simplifying network architecture and boosting efficiency. It combines hardware-based network systems (SD-WAN) with cloud-based security services (Security Service Edge, SSE).

With SSE, traffic is no longer backhauled through central data centers; it flows instead to security tools located close to the cloud applications. Cloud-optimized traffic flows eliminate network bottlenecks and make remote access smoother.

Security policies apply throughout the network, not just at the perimeter. Users must authenticate for every cloud resource they access. Firewalls enable precise network segmentation to limit east-west movement. Secure web gateway solutions ensure secure internet browsing. The result is security that protects cloud architecture without compromising user experience.

What is Zero Trust?

ZTNA solutions are security frameworks built on multi-layered authentication. They emerged in response to the rise of cloud-based SaaS tools and remote or hybrid working. ZTNA’s rule, "Trust no one, verify all," demands rigorous identity verification from multiple angles before access is granted, which strengthens network security.

Networks engineered on ZTNA lines do not confer trust until systems authenticate users. Once access systems grant authorization, users can reach the resources they need; until then, their ability to roam across network infrastructure is limited.

ZTNA has become a popular security paradigm since the publication of NIST SP 800-207, Zero Trust Architecture, in 2018. This document outlines the governance and compliance requirements for a ZTNA configuration and informs many network security transformations worldwide.

The key role of Zero Trust in the network

Why do we need ZTNA network and security solutions? The older castle-and-moat security model is now irrelevant. Network perimeters reach into multiple cloud-based SaaS applications across dispersed geographic environments, and they extend to every device used by a remote workforce.

ZTNA assumes that threats exist both inside and outside the network perimeter, so it authenticates users as they navigate complex network architectures.

Because a Zero Trust architecture grants access to resources only after strict identity verification, security teams can secure sensitive data on cloud storage services, detect unauthorized agents on the network before they cause harm, and accommodate rapidly changing network endpoints.

In today's remote work landscape, the risk of devices being left unattended is high, increasing the potential for data leaks if a device is lost or stolen. Periodic authentication helps mitigate this risk by requiring users to re-authenticate regularly, enhancing security and protecting sensitive information.

How does SASE differ from Zero Trust?

SASE is a suite of security technologies that locate security close to users and applications. Cloud-based security tools operate wherever users, devices, and apps come together. This contrasts with older approaches, which focus on basic perimeter security.

SASE requires network transformation, including retooling security stacks to accommodate cloud-based tools. It is best conceptualized as a long-term security goal, not an off-the-shelf solution.

Zero Trust is an approach to network security focused on controlling user access. Zero Trust Network Access is often a requirement for a robust SASE implementation. It is a component of wider security solutions and typically plays a complementary role alongside other SASE tools.

SASE and Zero Trust: two pieces of the same puzzle

Seeing SASE and Zero Trust as competitors is not helpful. Instead, the two security concepts must be blended together when seeking network security solutions.

Think of SASE and ZTNA as ideas contributing to a security vision. They are part of a mindset based on dynamic perimeters, user authentication, segmentation, and the protection of cloud-based assets.

SASE seeks to minimize complexity and re-engineer networks to reflect cloud transformation. ZTNA focuses on multi-layered authentication. It responds to a more complex threat environment with straightforward access controls that go beyond traditional perimeter security measures.

There is no need to see friction between the two approaches. They are two pieces of the same puzzle, and network security teams need to harness both.

How SASE and Zero Trust support each other

Zero Trust security is the foundation of SASE architecture. It focuses on user identification, authentication, and monitoring. Security managers can add other aspects of SASE when ZTNA measures are in place. However, moving ahead with SASE makes no sense without a plan to create trust zones.

The Zero Trust model is a basis for visualizing security during transformation processes. Robust Zero Trust authentication systems facilitate the addition of cloud brokers and bring branches online without adding security risks. Planners can manage transitions to SASE, knowing users are properly tracked and limited to role-based resources.

| Aspect | SASE | Zero Trust | Similarities |
|---|---|---|---|
| Focus | A suite of security technologies close to users and applications | Control over user access that focuses on identification, authentication, and monitoring | Both enhance network security and are essential in modern, dynamic environments |
| Implementation | Requires stacks for cloud-based tools | A foundational requirement for robust SASE implementation | Both contribute to a security strategy based on dynamic perimeters and cloud-based asset protection |
| Concept | Considered a long-term security goal, not a quick-fix solution | As a part of SASE, it is a component of comprehensive security solutions | They are integral parts of a larger network security solution, which are not completely |

Benefits of implementing SASE and Zero Trust together

Combining Zero Trust Network Access with SASE brings many benefits:

  • Secure cloud access: when deploying ZTNA, organizations can control access to their cloud environments and applications based on operational needs. Within ZTNA, each user and application can be assigned specific roles with appropriate privileges to connect to the company's cloud infrastructure.
  • Network segmentation: segmentation aligns seamlessly with the Zero Trust approach, which requires access verification for every network segment and so tightens security around individual resources. Zero Trust enables segmentation up to layer 7, extending protection to the application level at the top of the OSI model to thwart hacking attempts.
  • Mitigating insider threats: traditional security solutions are ineffective against the threat of rogue employees. The Zero Trust model limits the impact of these threats by enforcing the principle of least privilege for each user and providing the visibility needed to identify malicious insiders.
  • Protecting internal applications: ZTNA restricts access to internal applications over the public Internet, mitigating risks such as data leaks and ransomware attacks.
  • Reducing account breach risks: the Zero Trust framework confines each user within their micro-perimeter, minimizing the risk of account breaches. Access is granted strictly on a need-to-know basis, reducing the unauthorized movement of users and safeguarding organizational data.
  • Ensuring compliance: following the principle of least privilege facilitates compliance with organizational and industry standards. Organizations can ensure authorized usage by controlling how employees access applications and data.
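As an added illustration of the per-request verification described above (identity and context checked before access, periodic re-authentication, and need-to-know scoping of each grant), here is a minimal Zero Trust policy decision point in Python. It is not code from the original article or from any product; the entitlement table, the re-authentication interval, and the sample requests are constructed assumptions.

```python
# Added example: a minimal Zero Trust policy decision point that evaluates every
# request on identity, role, device posture, session age and resource scope.
# All policy data and requests below are constructed for illustration.
from dataclasses import dataclass

REAUTH_INTERVAL = 8 * 3600  # seconds before a user must re-authenticate (assumed value)

# Constructed entitlement table: resource -> roles allowed to reach it.
# Anything not listed is implicitly denied: no broad network access is ever granted.
RESOURCE_ROLES = {
    "crm-app": {"sales", "admin"},
    "hr-db": {"hr", "admin"},
}

@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool       # identity verified with a second factor
    device_compliant: bool   # endpoint posture check passed
    last_auth: int           # epoch seconds of the last successful authentication
    resource: str
    now: int                 # evaluation time, passed in so the check is deterministic

def evaluate(req: AccessRequest) -> dict:
    """Return a decision; a grant is scoped to one resource and expires when the
    re-authentication window closes, so it cannot be reused to roam the network."""
    allowed_roles = RESOURCE_ROLES.get(req.resource)
    if allowed_roles is None:
        return {"decision": "deny", "reason": "unknown resource (default deny)"}
    if not req.mfa_verified:
        return {"decision": "deny", "reason": "identity not verified"}
    if req.now - req.last_auth > REAUTH_INTERVAL:
        return {"decision": "deny", "reason": "re-authentication required"}
    if not req.device_compliant:
        return {"decision": "deny", "reason": "device posture check failed"}
    if req.role not in allowed_roles:
        return {"decision": "deny", "reason": f"role '{req.role}' not entitled to {req.resource}"}
    return {
        "decision": "allow",
        "scope": req.resource,                       # this application only
        "expires": req.last_auth + REAUTH_INTERVAL,  # forces periodic re-authentication
    }

if __name__ == "__main__":
    fresh = AccessRequest("alice", "sales", True, True, 1_700_000_000, "crm-app", 1_700_000_600)
    print(evaluate(fresh))   # allow, scoped to crm-app
    stale = AccessRequest("alice", "sales", True, True, 1_700_000_000, "crm-app", 1_700_040_000)
    print(evaluate(stale))   # deny: re-authentication required
```

Every check is repeated on each request, so a user entitled to one application gets no standing access to anything else, and a lost device stops being useful once the re-authentication window closes.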

Combine SASE and ZTNA to build a secure future

Find the right blend of security tools for your network. SaaS, IoT, and remote devices pose major headaches to network security. Zero Trust and SASE approaches offer solutions that accommodate dynamic perimeters and provide secure access to cloud applications. But they are even more effective in combination.