How To Use SASE To Establish & Enable Zero-Trust Network Access

As working environments evolve, we must rethink our network security approach. The traditional “castle-and-moat” network security model, where everyone inside the network is trusted by default, but no one outside can access the data inside, is no longer fit for purpose. Faced with cloud computing, virtualization, and remote working, having a clear perimeter protecting a trusted inside zone no longer works. Today, users work within and outside the trusted zone, and our networks are becoming increasingly complex.  

To combat this issue, a growing number of organizations are adopting zero trust network access (ZTNA) and secure access service edge (SASE). Crucially, this isn’t about an either/or approach, pitting the two against each other and deploying the winner. Instead, tight integration between ZTNA and SASE can deliver a whole host of benefits and safeguard organizations against attack.  

What Is Zero-Trust Network Access (ZTNA)?

Coined by Forrester Research in 2010, zero-trust network access is a set of technologies and functionalities that provides secure remote access to an organization’s applications, services, and data, based on clearly defined access control policies. In simple words, ZTNA eliminates the concept of implicit trust for network access control (NAC). In practice, this means that no user or device will ever be granted access to network resources based solely on their location on the network. So, for example, using IP addresses as a basis for granting access wouldn’t be allowed in ZTNA.  

ZTNA emerged out of a need for a more robust approach to network security in a world where users and sensitive data may be located anywhere – at home, in the cloud, in the corporate office, and so on. It replaces traditional approaches to NAC with solid authentication and authorization tools. As a result, network administrators can apply granular access controls, fine-tuning access control lists based on the concept of least privilege. For example, they can limit or grant users access to an application based on their role or leverage contextual information to authorize access.  

What is Secure Access Service Edge? 

Coined by Gartner in 2019, SASE is an emerging network security approach combining several cloud-native security technologies to connect users, endpoints, and systems securely. It combines ZTNA, SD-WAN, cloud access security brokers (CASB), secure web gateway (SWG), firewall-as-a-service (FWaaS), SaaS, and more, into a single, integrated cloud-based platform.  

The SASE model allows companies to do away with siloed infrastructure that may leave gaps in security. It also enables complete visibility across hybrid environments, provides consistent monitoring and reporting, is less complex, and often cheaper.  

Why SASE and ZTNA Are Better Together 

Both SASE and ZTNA are crucial components of modern security architecture, but they’re not the same thing. You can think of SASE as a higher-level design philosophy that encompasses ZTNA in addition to other technologies. So, while SASE is a comprehensive and multi-faceted security framework, ZTNA is much more narrowly focused. For example, ZTNA is primarily concerned with limiting network resource access, which is one component of SASE, but not all of it.  

When used together, SASE and ZTNA can provide a more robust and comprehensive solution that protects applications and data no matter where the end user is located. But how? Let’s look at some specific benefits of using both SASE and ZTNA.  

Supporting Remote Access 

The dramatic shift toward remote access over the last several years is one of the primary drivers of both ZTNA and SASE. In the past, companies would rely on multiple solutions like firewalls, SWGs, and remote access VPNs. However, with more and more applications moving to the cloud, this approach was no longer working. Cloud traffic no longer needs to go through a VPN, and companies were struggling to get complete visibility over their applications and data due to the sheer number of cloud-based apps in use. In addition, VPNs are often prohibitively expensive at scale.  

SASE offers a better approach to remote access because it connects users to points of presence (PoPs) close to their location instead of routing them to a central data center. At the same time, ZTNA enables more granular and extensive network access control policies, improved scalability, and greater simplicity.  

Boosted Agility and Resilience 

With a SASE-based solution, companies only have one configuration repository to update – there’s no switching between solutions to ensure everything is patched and working correctly. This supports greater agility and allows network teams to focus on other tasks. Similarly, ZTNA provides boosted resiliency against attacks because it ensures total session protection, regardless of whether a user is on or off the corporate network. 

Easier to Scale 

As we mentioned earlier, application and device sprawl makes VPNs challenging to manage as the network grows. SASE and ZTNA combat this issue by bringing the scalability of a multitenant cloud-native platform.  

Reducing the Attack Surface 

SASE and ZTNA can help reduce the attack surface and mitigate the risk of data breaches. These solutions allow organizations to establish a hardened perimeter that cyber criminals can’t easily penetrate. At the same time, ZTNA ensures that only authorized devices and users can access sensitive data and systems and that users only have access to the resources they need to do their jobs.  

Policy Enforcement Across the Network 

Together, these solutions help companies with policy enforcement across their entire network. This means stronger network security, lower costs, a single view of the whole network, and streamlined network management.  

Significant Cost Savings 

Deploying security at scale can be expensive, particularly when buying and managing multiple products. Instead, using a single SASE solution with robust ZTNA dramatically reduces costs while ensuring robust and comprehensive security.  

Final Thoughts on SASES & ZTNA

Faced with an increasingly severe cyber threat landscape and constantly evolving workplace environments, the castle-and-moat approach to security is becoming increasingly risky. Instead, organizations are moving toward more modern and robust approaches, like ZTNA and SASE. When used in unison, these approaches protect organizations today and prepare them for the future.