Zero Trust Network Access Capabilities of SASE

June 7, 2020

Last year, Gartner’s Market Guide for Zero Trust Network Access (ZTNA) projected that by 2023, 60% of enterprises will phase out VPN and use ZTNA instead. The main driver of ZTNA adoption is the changing shape of enterprise network perimeters. Cloud workloads, work from home, mobile, and on-premises network assets must be accounted for, and point solutions, such as VPN appliances, aren’t the right tool for the job.

At a high level, we can summarize the advantage of ZTNA over VPN with a single word: granularity. Zero Trust Network Access enables enterprises to restrict access at a level that VPN and other “castle-and-moat” approaches to network security simply cannot.

This granular control is also why Zero Trust Network Access complements the identity-driven approach to network access that SASE (Secure Access Service Edge) demands. With Zero Trust Network Access built into a cloud-native network platform, SASE is capable of connecting the resources of the modern enterprise — mobile users, sites, cloud applications, and cloud datacenters — with just the right degree of access. But how exactly do ZTNA and SASE come together to deliver on this promise? Let’s take a look…

What is Zero Trust Network Access?

Zero Trust Network Access, also known as software-defined perimeter (SDP), is a modern approach to securing access to applications and services both in the cloud and on-premises. How ZTNA works is simple: deny everyone and everything access to the resource unless it is explicitly allowed. This approach enables tighter overall network security and micro-segmentation that can limit lateral movement in the event a breach occurs.

Today, with legacy network security point solutions, once a user gets past a security appliance, they implicitly gain network access to everything on the same subnet. This inherently increases risk and attack surface. ZTNA flips that paradigm on its head. With ZTNA, IT must explicitly allow access to network resources and can apply restrictions down to the application level.
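To make the contrast concrete, here is an added example (not code from the original post or from any vendor) that evaluates the same connection under a subnet-based “castle-and-moat” check and under a default-deny ZTNA policy keyed on identity and application. The subnet, user names, application names and device-posture flag are constructed sample values.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample data: one corporate subnet, three internal apps, two users.
TRUSTED_SUBNET = ip_network("10.0.0.0/24")
APPS = ("hr-portal", "crm", "build-server")


@dataclass(frozen=True)
class Request:
    user: str        # authenticated identity ("" if the connection carries none)
    device_ok: bool  # device posture check passed
    src_ip: str      # source address of the connection
    app: str         # application being requested


def moat_allows(req: Request) -> bool:
    """Castle-and-moat: anything inside the trusted subnet reaches every app."""
    return ip_address(req.src_ip) in TRUSTED_SUBNET


# Explicit allow list keyed by (identity, application); anything not listed is denied.
ZTNA_RULES = frozenset({("alice", "hr-portal"), ("bob", "crm")})


def ztna_allows(req: Request) -> bool:
    """ZTNA: default deny, then require identity, device posture and an explicit rule."""
    if not req.user or not req.device_ok:
        return False
    return (req.user, req.app) in ZTNA_RULES


def reachable_apps(req: Request, policy) -> set:
    """Apps one connection could reach under a policy: the lateral-movement blast radius."""
    return {app for app in APPS if policy(replace(req, app=app))}


if __name__ == "__main__":
    # A compromised host on the trusted subnet that presents no valid user identity.
    attacker = Request(user="", device_ok=False, src_ip="10.0.0.42", app="crm")
    print("moat:", sorted(reachable_apps(attacker, moat_allows)))  # all three apps
    print("ztna:", sorted(reachable_apps(attacker, ztna_allows)))  # none

    # Alice working from home on a healthy device: only the app she is entitled to.
    alice = Request(user="alice", device_ok=True, src_ip="203.0.113.5", app="hr-portal")
    print("moat:", sorted(reachable_apps(alice, moat_allows)))  # none (outside the moat)
    print("ztna:", sorted(reachable_apps(alice, ztna_allows)))  # ['hr-portal']
```

The same request that the subnet check waves through to every application is denied outright by the default-deny policy, which is the micro-segmentation effect the text describes; the policy also refuses a valid identity on a device that fails posture.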

How Zero Trust Network Access & SASE work together

ZTNA is one component of SASE. SASE restricts access for all edges — sites, mobile users, and cloud resources — in accordance with ZTNA principles. In other words, SASE’s NGFW and SWG capabilities are the means by which SASE restricts access; ZTNA defines the degree to which SASE edges have their access restricted.

SASE bundles Zero Trust Network Access, NGFW, and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. This means that enterprises that adopt a SASE architecture receive the benefits of Zero Trust Network Access plus a full suite of network and security services that is both simple to manage and highly scalable.

The benefits of SASE and Zero Trust Network Access

The first benefit of SASE and Zero Trust Network Access is that an identity-driven default-deny approach to security greatly improves security posture. Even if a malicious user compromises a network asset, ZTNA can limit the damage done. Further, SASE security services can establish a baseline of normal network behavior, which enables a more proactive approach to network security in general and threat detection in particular. With a solid baseline, malicious behavior is easier to detect, contain, and prevent.

Beyond the security benefits, the coupling of SASE and ZTNA solves another set of problems that point solutions create for modern enterprises: appliance sprawl and network complexity. With VPN point solutions, enterprises are forced to deploy additional appliances for functionality like SD-WAN and NGFW. This means opex and capex grow with each additional site that needs an appliance. It also means that integrations between appliances, mobile users, and cloud services greatly increase network complexity.
SASE & ZTNA abstract these problems away by providing a cloud-native solution that works for all network edges. This means cloud services, mobile users, IoT, branch offices, and corporate networks all receive the same level of security without drastically increasing deployment complexity or cost.

To summarize, compared to traditional point solutions, Zero Trust Network Access with SASE is:

  • Easier to scale. Appliance sprawl makes VPN point solutions difficult to manage as a network grows. SASE brings the scalability of a multitenant cloud-native platform to network security.
  • More granular. With traditional point solutions, enterprises can implement policies that restrict access based upon IP addresses. SASE and Zero Trust Network Access enable access control and network visibility down to the level of specific applications and identities.
  • More secure. Point solutions were good enough in the era where a “castle-and-moat” paradigm provided sufficient network security. However, modern networks have topologies that simply don’t fit into this paradigm. By ensuring all network edges are accounted for (e.g. by enabling clientless mobile access) and using security solutions purpose-built for modern network topologies, SASE and ZTNA can drastically increase security posture.
  • Faster and more reliable. Often, VPN appliances become bottlenecks that slow down a WAN and negatively impact performance, because individual appliances have CPU and resource limitations. With a cloud-native approach, SASE abstracts these resource limitations away and further improves WAN performance by delivering WAN optimization as part of the underlying network fabric.

The first true SASE platform with Zero Trust Network Access

The SASE market is still maturing, and many vendors fall short of delivering on the true promise of SASE. In addition to being labeled as a sample vendor for SASE in Gartner’s 2019 Hype Cycle for Enterprise Networking, Cato Networks is also the world’s first true SASE platform.

Cato’s SASE platform was built from the ground up with modern enterprise networks in mind. The platform combines security features such as Zero Trust Network Access, SWG, NGFW, and IPS with networking services such as SD-WAN and WAN Optimization as well as a global private backbone with a 99.999% uptime SLA. As a result, Cato is the only vendor currently capable of delivering the true promise of SASE from a performance, security, and scalability perspective.

If you’d like to see the Cato SASE platform in action, sign up for a demo or contact us today. For a deeper dive on SASE, check out the eBook “The Network for the Digital Business Starts with the Secure Access Service Edge (SASE)”.