SASE and ZTNA: Zero Trust Network Access Capabilities of SASE

SASE and ZTNA: How SASE Strengthens ZTNA

Gartner’s Market Guide for Zero Trust Network Access (ZTNA) projected that by 2023, 60% of enterprises will phase out VPN and use ZTNA instead. The main driver of ZTNA adoption is the changing shape of enterprise network perimeters. Cloud workloads, work from home, mobile, and on-premises network assets must be accounted for, and point solutions, such as VPN appliances, aren’t the right tool for the job.

At a high-level, we can summarize the advantage of ZTNA over VPN with a single word: granularity. Zero Trust Network Access enables enterprises to restrict access at a level VPN and other “castle-and-moat” approaches to network security simply cannot.

This granular control is also why Zero Trust Network Access complements the identity-driven approach to network access that SASE (Secure Access Service Edge) demands. With Zero Trust Network Access built into a cloud-native network platform, SASE is capable of connecting the resources of the modern enterprise — mobile users, sites, cloud applications, and cloud datacenters — with just the right degree of access. But how exactly do ZTNA and SASE come together to deliver on this promise? Let’s take a look…

What is SASE?

Secure Access Service Edge (SASE) is a cloud-native security solution that converges Security Service Edge (SSE), SD-WAN, and a Cloud network into a unified service. SASE’s integration of SSE security capabilities — including Firewall as a Service (FWaaS), Zero Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), Cloud Secure Web Gateway (SWG), and Data Loss Prevention (DLP) — provides granular network visibility and control within a single solution, enhancing security visibility and reducing the risk of data breaches and other security incidents.

What is Zero Trust Network Access?

Zero Trust Network Access, also known as software-defined perimeter (SDP), is a modern approach to securing access to applications and services both in the cloud and on-premises. How the zero trust model works is simple: deny everyone and everything access to the resource unless it is explicitly allowed. This approach enables tighter overall network security and micro-segmentation that can limit lateral movement in the event a breach occurs.

Today, with legacy network security point solutions, once a user gets past a security appliance, they implicitly gain network access to everything on the same subnet. This inherently increases risk and attack surface. ZTNA flips that paradigm on its head. With ZTNA, IT must explicitly allow access to network resources and can apply restrictions down to the application level.

How Does Zero Trust Network Access Implement the Zero Trust Model?

The zero trust model implements the principle of least privilege. Access to corporate resources should only be granted to a user or device if it is needed for their role. A zero-trust architecture implements least privilege access by inspecting each access request and explicitly verifying that it is authorized.

Zero Trust Network Access is a modern approach to securing access to applications and services both in the cloud and on-premises. ZTNA implements the explicit verification and least privilege access required by the zero trust model. This approach enforces tighter overall network security and adds micro-segmentation to limit lateral movement in the event a breach occurs. ZTNA is a dramatic paradigm shift away from the traditional perimeter-centric security model, which is no longer adequate for today’s dynamic Work-From-Anywhere (WFA) environment, toward models built around the specific access requirements of each resource. With ZTNA, IT must explicitly allow access to network resources and can apply restrictions down to the application level.
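The default-deny, per-application decision described above can be made concrete with a small policy evaluator. The following is an added illustration written for this page, not Cato’s code or any product’s API: the `AccessRequest` and `Rule` types, the application names, user names, roles and the `ZTNA_POLICY` allowlist are all constructed. It contrasts a castle-and-moat decision (one successful login implicitly reaches every application on the subnet) with a ZTNA decision (each request is matched against an explicit rule on identity, role, MFA state and device posture, and anything unmatched is denied), and shows how much smaller the reachable set is for a compromised account.

```python
"""Toy ZTNA policy evaluator: default deny, explicit per-application allow rules.

Added example for this page; identifiers, roles and applications are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One access request as seen at the edge: who, in what role, to which app,
    with what authentication and device state."""
    user: str
    role: str
    application: str
    mfa_verified: bool
    device_compliant: bool


@dataclass(frozen=True)
class Rule:
    """An explicit allow rule for one application. Every clause must hold."""
    application: str
    roles: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True


# Constructed inventory of internal applications reachable behind the edge.
APPLICATIONS = ("payroll", "git", "wiki", "hr-db")

# Constructed allowlist. "hr-db" deliberately has no rule: with default deny,
# nobody reaches it through this edge until a rule is written.
ZTNA_POLICY = (
    Rule("payroll", frozenset({"finance"})),
    Rule("git", frozenset({"engineering"})),
    Rule("wiki", frozenset({"finance", "engineering", "sales"}),
         require_compliant_device=False),
)

Decision = Tuple[bool, str]


def ztna_decide(req: AccessRequest, policy: Iterable[Rule] = ZTNA_POLICY) -> Decision:
    """Explicit verification: allow only if a rule for this application matches
    the role and the request satisfies every clause; otherwise deny."""
    for rule in policy:
        if rule.application != req.application:
            continue
        if req.role not in rule.roles:
            return False, f"role {req.role!r} not allowed for {req.application!r}"
        if rule.require_mfa and not req.mfa_verified:
            return False, "MFA not verified"
        if rule.require_compliant_device and not req.device_compliant:
            return False, "device posture non-compliant"
        return True, f"matched rule for {req.application!r}"
    return False, f"no rule for {req.application!r}: default deny"


def vpn_decide(req: AccessRequest,
               authenticated_users: frozenset = frozenset({"alice", "bob"})) -> Decision:
    """Castle-and-moat contrast: one successful VPN login places the user on the
    internal subnet, and every application on it is implicitly reachable."""
    if req.user in authenticated_users:
        return True, "inside the VPN subnet: implicit allow"
    return False, "not authenticated to the VPN"


def reachable_applications(user: str, role: str,
                           decide: Callable[[AccessRequest], Decision],
                           mfa_verified: bool = True,
                           device_compliant: bool = True,
                           apps: Iterable[str] = APPLICATIONS) -> frozenset:
    """Blast radius of one account under a given access model: the set of
    applications its requests would be allowed to reach."""
    return frozenset(
        app for app in apps
        if decide(AccessRequest(user, role, app, mfa_verified, device_compliant))[0]
    )


if __name__ == "__main__":
    # A compromised finance account: what can it reach under each model?
    print("VPN :", sorted(reachable_applications("alice", "finance", vpn_decide)))
    print("ZTNA:", sorted(reachable_applications("alice", "finance", ztna_decide)))
    # Same account from a non-compliant device: only apps that waive posture.
    print("ZTNA, bad device:",
          sorted(reachable_applications("alice", "finance", ztna_decide,
                                        device_compliant=False)))
    print(ztna_decide(AccessRequest("alice", "finance", "hr-db", True, True)))
```

The interesting line is the fall-through at the end of `ztna_decide`: the absence of a rule is itself a denial, so a newly deployed application is unreachable until someone writes a rule for it, whereas under the VPN model it becomes reachable the moment it is placed on the subnet. A real ZTNA broker additionally verifies the identity claim itself (the example takes `role` and `mfa_verified` as already-verified inputs) and re-evaluates on every request rather than once per session.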

What is the difference between SASE and ZTNA?

ZTNA is a small part of SASE. SASE restricts the access of all edges — sites, mobile users, and cloud resources — in accordance with ZTNA principles. In other words, SASE’s NGFW and Secure Web Gateway (SWG) capabilities are how SASE restricts access; ZTNA is the degree to which SASE edges have their access restricted.

SASE converges networking and network security, including Zero Trust Network Access and NGFW, into a cloud-native platform. This means that enterprises that leverage a SASE architecture receive the benefits of Zero Trust Network Access, plus a full suite of network and security solutions that is both simple to manage and highly scalable. Deploying ZTNA within SASE enables companies to use a converged platform to consistently apply and enforce security policies throughout their entire network, effectively achieving Zero Trust principles.

The benefits of SASE and Zero Trust Network Access

The first benefit of SASE and Zero Trust Network Access is that an identity-driven default-deny approach to security greatly improves an organization’s security posture. Even if a malicious user compromises a network asset, ZTNA can limit the damage. Furthermore, SASE establishes a baseline of normal network behavior, which enables a more proactive approach to network security in general and threat prevention in particular. With a solid baseline, malicious behavior is easier to prevent.

Beyond the security benefits, the coupling of SASE and ZTNA solves another set of problems created by point solutions: appliance sprawl and network complexity. With VPN point solutions, enterprises are forced to deploy additional appliances for functionality like SD-WAN and NGFW. This means opex and capex grow as each additional site is added. It also means integrations between appliances, mobile users, and cloud services greatly increase network complexity.

SASE & ZTNA eliminate these problems by providing a cloud-native solution that works for all network edges. This means cloud services, mobile users, IoT, branch offices, and corporate networks all receive the same level of security without drastically increasing deployment complexity or cost.

To summarize, compared to traditional point solutions, Zero Trust Network Access with SASE is:

  • Easier to scale. SASE brings the scalability of a multitenant cloud-native platform to network security.
  • More granular. SASE and Zero Trust Network Access enable access control and network visibility down to the level of specific applications and identities.
  • More secure. By ensuring protection for all network edges and deploying security solutions purpose-built for modern enterprises, SASE and ZTNA can dramatically improve an enterprise’s security posture.
  • Faster and more reliable. SASE’s cloud-native approach improves WAN performance with WAN optimization as part of the underlying network fabric.

The first true SASE platform with Zero Trust Network Access

It is important to understand what a true SASE platform delivers. Cato’s SASE platform was built from the ground up with the modern digital enterprise in mind. These enterprises require a platform that provides 360-degree threat prevention and enables them to easily scale their security service as their business grows. This is what SASE was meant to be, and Cato is the only vendor capable of delivering the true promise of SASE. If you’d like to see the Cato SASE platform in action, sign up for a demo or contact us today. For a deeper dive on SASE, check out the “The Network for the Digital Business Starts with the Secure Access Service Edge (SASE)” eBook.

  • How is ZTNA better than VPNs?

    Both ZTNA and VPNs offer secure access for remote users. However, ZTNA implements zero trust network access, while VPNs have no built-in access controls. ZTNA offers the ability to prevent unauthorized access, minimize the impact of breached accounts, and achieve regulatory compliance, while VPNs do not.

  • What is the difference between zero trust and Security Service Edge (SSE)?

    Zero trust is a security model that limits implicit trust by implementing least privilege access controls. SSE is a cloud-native solution that converges several security functions, such as FWaaS, CASB, and Cloud SWG. SSE can be used to help implement a zero trust security model by inspecting network traffic containing access requests and applying least privilege access controls to those requests.

  • What is the difference between zero trust and least privilege access?

    Least privilege access is one of the core principles of the zero trust security model, stating that users and devices should only have the permissions and access needed for their role. The zero trust model implements least privilege access via micro-segmentation and explicit validation of requests for corporate resources.

  • Is ZTNA part of SASE?

    Yes, ZTNA is one of several security and network optimization functions integrated within a SASE solution. Along with ZTNA, SASE also incorporates solutions such as Software-Defined WAN (SD-WAN), Firewall as a Service (FWaaS), Web Application and API Protection (WAAP), Cloud Access Security Broker (CASB), Cloud Secure Web Gateway (SWG), and Data Loss Prevention (DLP).

  • How does the SASE model help enable Zero Trust in a customer environment?

    SASE combines SD-WAN with a full network security stack to ensure that all WAN traffic is inspected by a SASE solution. During this inspection, SASE can identify access requests and apply least privilege access controls to enforce zero trust security in a customer environment.

  • What role does a CASB play in a SASE environment?

    CASB offers unified visibility, security, and control over cloud applications as part of SASE’s converged security stack. SASE gives the CASB the visibility into traffic flows that it needs to inspect and filter requests to cloud resources. CASB applies access controls and corporate policies to requests for those resources.