FYI: SASE and ZTNA are not the same thing


FYI: SASE and ZTNA are not the same thing

Steve Brown Thumbnail



Following a 2021 Forrester report which referred to Secure Access Service Edge (SASE) as “the zero-trust edge (ZTE) model for security and network services”, many in the industry incorrectly began conflating ZTE with Zero Trust Network Access (ZTNA).  

SASE and ZTNA are two emerging cybersecurity paradigms that aim to improve security in today’s cloud and mobile world. And as an increasing number of businesses choose to adopt these new models, it’s important to understand how the two differ and, in some cases, complement each other. 

What is SASE?

As outlined in our recent blog, SASE converges wide area networking and network security into a single, cloud-based service model. It brings together SD-WAN capabilities with cloud-delivered security functions such as secure web gateways, firewalls, cloud access security brokers, and more. 

Netskope research indicates that by 2024, at least 40% of enterprises will have explicit strategies for adopting SASE. Keen to join them? Leading vendors in the market include Cato Networks, Juniper and Cisco. 

Benefits of SASE include: 

  • Simplified architecture which reduces the complexities of managing separate networks and security appliances. 
  • Consistent policies and unified security/access controls for users across all edges. 
  • Scalable, cloud-delivered security that can adapt easily as needs change. 
  • Agile IT that can set up new offices quickly with simplified provisioning. 
  • Cost savings thanks to the redundancy of on-premises security stacks – you only pay for what you use. 

What is ZTNA?

In comparison, ZTNA takes a software-defined approach to securely connecting users to applications, whether on-premises or in the cloud. It’s based on the Zero Trust model, which states that no user or device should automatically be trusted on the network.  

According to Gartner, by 2025, at least 70% of new remote access deployments will be served predominantly by ZTNA. This figure is up from less than 10% at the end of 2021. For those wanting to do their reading prominent ZTNA vendors include Palo Alto, Akamai, Zscaler, and Cloudflare.  

Key principles of ZTNA include: 

  • Granular access controls, verified and granted on a per-session basis based on identity and context such as device health. 
  • Least privilege access: Users only get access to specific applications and resources required for their role. 
  • Cloud-delivery for simplicity and scalability. 
  • Agent-based validation of device posture and control access, which removes the need for VPNs. 
  • Microsegmentation controls which isolate access across apps, users, and environments. 

What's best for my business?

SASE and ZTNA share some similar goals around improving security and access. But SASE is a broader approach that combines networking and security, while ZTNA focuses specifically on access control and segmentation.  

Organisations may adopt them together as complementary parts of an overall security strategy, with SASE providing the broader network security architecture and ZTNA delivering much finer levels of access control.  

As security architectures evolve, understanding how SASE and ZTNA align will only serve to improve security and meet modern IT demands. To learn how you could benefit, contact the Highlander team.