Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) have been around long enough to prove they’re more than a passing trend. Both have proven their value over the past five years, staying just as relevant and popular as they were during their initial hype.
While these frameworks are generally well understood, the recurring debate over how they compare and which is superior suggests a deeper misunderstanding of their respective roles and their relationship to each other. The comparison itself is flawed. It is time to shift perspective and view ZTNA and SASE as complementary rather than competing models, which in turn leads to a broader form of ZTNA: Universal ZTNA (UZTNA).
The Differences Between ZTNA and SASE
ZTNA is a security framework that challenges the traditional perimeter-based approach to network security. Instead of trusting everything inside the secure network perimeter, ZTNA assumes that all users and devices are a potential threat. It grants access to specific resources only after rigorous verification of identity and device health. It focuses on granular access control and continuous authentication.
SASE, on the other hand, is a converged networking and security architecture. It combines network functions, like SD-WAN, with security services such as ZTNA, next generation firewall (NGFW), cloud access security broker (CASB) and data loss prevention (DLP), within a single cloud-based platform. Like ZTNA, SASE also dispenses with the traditional network and security perimeter. It provides secure, consistent access to applications and data, regardless of the user’s location.
SASE’s consolidated approach to network and security brings two enormous benefits to IT leaders. Since all SASE engines enrich the same data lake, admins and security solutions can develop a clearer understanding of what’s happening on the network and the ability to correlate all the networking data with security incidents. It allows SASE to bring high-quality, contextualized data for more comprehensive threat prevention and detection. In addition, SASE in its purest form should be managed from a single-pane-of-glass with the same look and feel for all capabilities, simplifying the network and security operations.
In essence, ZTNA centers on access control, whereas SASE encompasses a wider range of network and security functions. While ZTNA can be deployed independently, it is an integral component of the SASE architecture as well.
How SASE Fills the Gaps for ZTNA
Put simply, ZTNA focuses entirely on providing remote users with access to the right resources at minimal risk. However, it doesn’t inherently address the hybrid work paradigm, where employees may be accessing corporate resources from within the organization’s premises. Universal Zero Trust Network Access (UZTNA) extends the principles of ZTNA to enable a single set of ZTNA policies for users in and out of the office. While it guarantees a unified approach to access management, this latest evolution of ZTNA falls short in preventing threats presented by an authorized entity, such as a malicious insider, negligent employee, malware-laden device, or compromised SaaS application. It can prevent lateral movement and limit the damage in the event of a breach, but it cannot protect the compromised assets themselves.
SASE includes UZTNA but also addresses the issue of protecting the network and resources once an entity has been given access. For instance, UZTNA will fail if an authorized employee or application with access to sensitive personally identifiable information (PII) and protected health information (PHI) exfiltrates it to a malicious server. However, tools such as NGFW, CASB and DLP within SASE can identify sensitive and confidential information in outgoing traffic and apply the necessary policies to stop the breach attempt in its tracks.
For ZTNA to enforce dynamic access controls, access permissions must be continuously evaluated based on changing context and situations. With its holistic overview of network and security functions, SASE provides ZTNA with real-time contextual awareness, rich networking insights, and the latest threat intelligence needed to enforce continuous authentication. This allows ZTNA to revoke access as soon as authorized entities demonstrate anomalous behaviors.
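The two-stage model described in the paragraphs above (a ZTNA gate at session start, then continuous re-evaluation fed by SASE-side signals such as DLP hits, threat intelligence and device posture) can be sketched as a small policy engine. The following Python is an added illustration, not code from this article or from any SASE or ZTNA product; the policy table, the risk weights, the revocation threshold, the regular expressions standing in for DLP content inspection and the IP addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed policy table (hypothetical; not from any product).
# Each resource lists the roles that are allowed to reach it.
POLICY = {
    "crm": {"sales", "support"},
    "ehr": {"clinician"},
}

# Constructed SASE-side context feeds (hypothetical values).
THREAT_INTEL_BAD_IPS = {"203.0.113.9"}          # documentation-range address labelled hostile
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # crude PII pattern standing in for DLP inspection
MRN_RE = re.compile(r"\bMRN-\d{6}\b")           # crude PHI pattern (constructed record-number format)
REVOKE_THRESHOLD = 50                           # assumed risk score at which access is revoked


@dataclass
class Session:
    user: str
    roles: set
    resource: str
    mfa_verified: bool
    device_healthy: bool
    risk_score: int = 0
    revoked: bool = False
    reasons: list = field(default_factory=list)


def ztna_admit(s: Session) -> bool:
    """Initial ZTNA gate: verified identity, healthy device, role allowed on the resource."""
    allowed = POLICY.get(s.resource, set())
    return s.mfa_verified and s.device_healthy and bool(s.roles & allowed)


def dlp_findings(payload: str) -> list:
    """Return labels for sensitive content found in an outbound payload."""
    findings = []
    if SSN_RE.search(payload):
        findings.append("pii:ssn")
    if MRN_RE.search(payload):
        findings.append("phi:mrn")
    return findings


def score_event(event: dict) -> list:
    """Turn one traffic event into (reason, weight) pairs from SASE-side signals."""
    hits = []
    for finding in dlp_findings(event.get("payload", "")):
        hits.append((f"dlp:{finding}", 60))
    if event.get("dest_ip") in THREAT_INTEL_BAD_IPS:
        hits.append(("threat_intel:bad_destination", 50))
    if event.get("device_healthy") is False:
        hits.append(("posture:device_unhealthy", 100))
    return hits


def reevaluate(s: Session, event: dict) -> Session:
    """Continuous evaluation: accumulate risk per event and revoke once the threshold is crossed."""
    if s.revoked:
        return s
    for reason, weight in score_event(event):
        s.risk_score += weight
        s.reasons.append(reason)
    if s.risk_score >= REVOKE_THRESHOLD:
        s.revoked = True
    return s


def run_scenario() -> Session:
    """Constructed walk-through: an authorized clinician is admitted, then revoked mid-session."""
    s = Session(user="alice", roles={"clinician"}, resource="ehr",
                mfa_verified=True, device_healthy=True)
    if not ztna_admit(s):
        raise RuntimeError("session should have passed the initial ZTNA gate")
    # Benign traffic: no sensitive content, destination not in threat intel.
    reevaluate(s, {"dest_ip": "198.51.100.4", "payload": "GET /patients/list"})
    # A PHI record leaving toward a flagged destination: DLP and threat intel both fire.
    reevaluate(s, {"dest_ip": "203.0.113.9", "payload": "POST MRN-123456 discharge summary"})
    return s


if __name__ == "__main__":
    result = run_scenario()
    print(result.revoked, result.risk_score, result.reasons)
```

The point of the design is that the ZTNA gate alone (identity, device health, role) would never have caught the second event: the user was legitimately authorized for the resource. Only the SASE-side context, inspecting the outbound payload and destination, raises the session's risk enough for the access decision to be reversed.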
Beyond security, SASE goes the extra mile to optimize traffic routing, enhance application performance, implement failover, and ensure high availability through its global networking backbone. With SASE, ZTNA’s stringent controls do not come at the cost of network and application performance.
Exploring ZTNA/UZTNA and SASE Synergies
It’s important to understand how SASE and ZTNA overlap and how they complement each other. This can help organizations make informed decisions about their network and security strategies. Universal ZTNA and SASE are both critical to a strong security posture, but together they’re better. For example, UZTNA can restrict access to sensitive customer data to only the right individuals, while SASE can protect those individuals from malware and other types of attacks. Standalone ZTNA and UZTNA can fit seamlessly into existing IT infrastructures for organizations looking to tackle the secure access challenge. On the other hand, SASE offers a path to address secure access while reducing appliance sprawl, minimizing feature bloat, and cutting down on operational costs and complexity. In any case, ZTNA frameworks and SASE are best viewed as complementary allies rather than competing assets.