
Cyber Edu
What are SASE and ZTNA?

An Overview: SASE and ZTNA
Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA) are two different approaches to protecting modern IT environments from threats. Together, SASE and ZTNA help organizations simplify and secure network architecture, protecting it from a rapidly evolving threat landscape.
ZTNA is a technology that secures remote access to applications and services, both on-premises and in the cloud. ZTNA adopts a “trust nothing, verify everything” approach to security: access is denied to every user and device unless it has been authenticated and that specific access has been explicitly allowed. ZTNA applies the principle of least privilege, which means that users, applications and devices are granted only the minimum permissions required to perform a task at that moment.
SASE is a cloud-based model for security architecture that converges networking and security functions into a single, integrated, comprehensive platform. The SASE framework enables organizations to deliver security functions via the cloud to wherever end users and devices need them, providing greater protection in highly distributed, cloud-based IT environments. While there are a few interpretations of SASE architecture, most deployments combine Software-defined Wide Area Networking (SD-WAN) with ZTNA, Secure Web Gateway (SWG) and Cloud Access Security Broker (CASB) technologies.
Organizations that adopt SASE and Zero Trust Network Access solutions can enhance security posture, streamline network management, reduce network and security costs and provide IT teams with greater visibility into network activity and security.
Modernize connectivity, simplify security and achieve Zero Trust with Forcepoint ONE
Why Organizations Need SASE and ZTNA
Deployments of SASE and ZTNA technologies have risen sharply in recent years as organizations respond to transformational changes in IT environments. The rise of cloud computing, the shift to hybrid workforces, reliance on SaaS applications and increased use of personal and mobile devices have presented IT teams with significant new challenges when managing and securing networks.
Traditional approaches to managing networks and providing security were built on a castle-and-moat approach: everything inside the network perimeter was considered safe and everything outside the perimeter needed to be authenticated and validated before access was granted to the network.
In today’s highly distributed, cloud-based IT environments where both IT assets and workers may reside almost anywhere in the world, the network perimeter has disappeared. That makes traditional security solutions – like securing remote access with VPNs or performing security inspections in data centers – both too costly and ineffective at defending organizations, their data and users.
SASE and ZTNA offer more effective and cost-efficient ways to secure the network. Rather than centralizing security functions and backhauling traffic to the data center, SASE moves security to the network’s edge, closer to users, applications and devices.
In addition to inspecting traffic, SASE improves security by focusing on authenticating identities. Zero Trust Network Access supports these efforts by strictly controlling access to the network and IT resources. By granting very narrow, per-application access rather than blanket access to the network, ZTNA limits lateral movement: an attacker who has compromised one user or device cannot use that foothold to reach every other resource on the network.
Elements of a SASE Solution
Along with ZTNA, SASE architecture includes several other technologies that help to simplify network management and provide a multilayered approach to protecting modern IT networks against a broad array of threats.
- Software-defined Wide Area Networking (SD-WAN) uses software-defined networking principles to distribute network traffic across a wide area network more efficiently and cost-effectively. To simplify network management, SD-WAN creates a virtual overlay for WAN infrastructure that automates and centralizes WAN management functions. By enabling organizations to combine standard MPLS connections with multiple, low-cost commodity connections like fiber, LTE and DSL, SD-WAN helps organizations reduce networking costs, enhance performance and increase resiliency.
- Secure Web Gateway (SWG) solutions inspect and filter web activity to block unwanted internet traffic from entering a network and to prevent users from accessing malicious websites or downloading malicious files. Secure web gateways provide technology for filtering URLs, controlling applications, detecting malware, preventing data loss, stopping viruses and more.
- Cloud Access Security Broker (CASB) technology serves as a security checkpoint between an organization’s users and the cloud services they access. CASBs enforce access and data-handling policies for users, devices and applications (typically by integrating with the organization’s identity provider) and can encrypt or tokenize sensitive data flowing to the cloud. CASBs also provide tools for threat prevention, monitoring and mitigation to block malware and other threats.
Principles of ZTNA
ZTNA solutions apply Zero Trust principles to the task of allowing or denying remote connections to an organization’s applications and IT resources, brokering access to each resource individually rather than admitting the user to the network as a whole.
- Trust nothing by default. With ZTNA and other Zero Trust solutions, trust is never automatically granted to any user, device or application inside or outside the network. Rather, everything and everyone must be authenticated and continually revalidated when seeking access to the network and IT resources.
- Grant least-privilege access. ZTNA solutions grant users and devices the minimum amount of access required to complete a task at a specific moment. This limits the potential for security breaches by preventing unauthorized users or attackers from gaining access to broad areas of the network.
- Minimize the attack surface. As the traditional network perimeter disappears, ZTNA technology relies on microsegmentation to create individual perimeters around small areas of the network or individual assets and workloads. This type of segmentation tightly controls access with granular security policies to further reduce the attack surface and limit the damage of cyberattacks.
- Monitor devices. ZTNA technologies check the identity and security posture of each device (for example, whether it is managed, patched and running healthy endpoint protection) when access is requested and throughout the session, so that a device that is unauthorized or appears to have been compromised loses access.
- Continuously search for threats. A Zero Trust approach to network access assumes that threats are already present, encouraging security teams to take a more aggressive approach to detecting threats and limiting the damage they can cause.
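The principles above, and the contrast drawn earlier between blanket network access and narrow per-application access, are easier to see in a concrete policy decision. The following is an added, illustrative example (not Forcepoint code and not part of the original page) of a deny-by-default ZTNA policy decision point: each application has its own policy (a micro-perimeter), a request is allowed only when identity, action and device posture all pass, and an established session is re-evaluated when device posture changes. All application names, groups, device attributes and policy fields are hypothetical.

```python
"""Deny-by-default ZTNA policy decision point (illustrative example, not vendor code)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in corporate device management
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last OS patch was applied
    edr_healthy: bool        # endpoint protection agent present and reporting


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset
    mfa: bool                # the current authentication satisfied MFA


@dataclass
class AccessRequest:
    principal: Principal
    device: Device
    app: str
    action: str              # e.g. "read" or "write"


# Hypothetical per-application policies. Each app is its own micro-perimeter;
# an app with no entry here is simply unreachable (deny by default).
POLICIES = {
    "hr-portal": {"groups": {"hr"}, "actions": {"read", "write"}, "require_managed": True},
    "wiki": {"groups": {"staff", "contractor"}, "actions": {"read"}, "require_managed": False},
    "prod-db-admin": {"groups": {"dba"}, "actions": {"read", "write"},
                      "require_managed": True, "max_patch_age_days": 14},
}


def posture_failures(dev: Device, policy: dict) -> list:
    """Return the list of device-posture rules the device fails for this policy."""
    failures = []
    if policy.get("require_managed") and not dev.managed:
        failures.append("unmanaged device")
    if dev.managed:
        # Managed endpoints must meet the corporate baseline.
        if not dev.disk_encrypted:
            failures.append("disk not encrypted")
        if not dev.edr_healthy:
            failures.append("EDR agent unhealthy")
    max_age = policy.get("max_patch_age_days")
    if max_age is not None and dev.os_patch_age_days > max_age:
        failures.append(f"OS patches older than {max_age} days")
    return failures


def decide(req: AccessRequest) -> tuple:
    """Evaluate one request. Returns (allowed, reasons); allowed only if reasons is empty."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, [f"no policy for app '{req.app}'"]
    reasons = []
    if not req.principal.mfa:
        reasons.append("MFA required")
    if not (req.principal.groups & policy["groups"]):
        reasons.append("principal not in allowed group")
    if req.action not in policy["actions"]:
        reasons.append(f"action '{req.action}' not permitted")
    reasons += posture_failures(req.device, policy)
    return (not reasons), reasons


class Session:
    """An established app session that is re-evaluated, not trusted once and forgotten."""

    def __init__(self, req: AccessRequest):
        self.req = req
        self.active, self.reasons = decide(req)

    def revalidate(self, device: Device = None) -> tuple:
        """Re-run the decision, optionally with a fresh posture report for the device."""
        if device is not None:
            self.req = replace(self.req, device=device)
        self.active, self.reasons = decide(self.req)
        return self.active, self.reasons


# Constructed sample principals and devices (hypothetical).
ALICE = Principal("alice", frozenset({"staff", "hr"}), mfa=True)
BOB = Principal("bob", frozenset({"contractor"}), mfa=True)
CORP_LAPTOP = Device("lap-0042", managed=True, disk_encrypted=True, os_patch_age_days=3, edr_healthy=True)
BYOD_PHONE = Device("byod-7", managed=False, disk_encrypted=True, os_patch_age_days=40, edr_healthy=False)


def run_demo() -> dict:
    """Exercise the decision point on the constructed samples and return every outcome."""
    results = {
        "alice_hr_read": decide(AccessRequest(ALICE, CORP_LAPTOP, "hr-portal", "read")),
        "bob_hr_read": decide(AccessRequest(BOB, BYOD_PHONE, "hr-portal", "read")),
        "bob_wiki_read": decide(AccessRequest(BOB, BYOD_PHONE, "wiki", "read")),
        "bob_wiki_write": decide(AccessRequest(BOB, BYOD_PHONE, "wiki", "write")),
        "alice_unknown_app": decide(AccessRequest(ALICE, CORP_LAPTOP, "legacy-erp", "read")),
    }
    # Continuous verification: the session is revoked when the device's EDR agent stops reporting.
    session = Session(AccessRequest(ALICE, CORP_LAPTOP, "hr-portal", "read"))
    results["session_initial"] = session.active
    results["session_after_posture_change"] = session.revalidate(device=replace(CORP_LAPTOP, edr_healthy=False))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Two design points matter here. Every denial carries the full list of failed rules rather than stopping at the first, which is what an operator needs when tuning policy; and the decision function is the single path for both the initial request and each revalidation, so there is no separate, weaker check for sessions that are already open.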
Forcepoint ONE: a Unified Platform for SASE and ZTNA
As a leading provider of solutions built to protect the enterprise, Forcepoint offers solutions that combine SASE and ZTNA to modernize connectivity and simplify security.
Forcepoint ONE is a cloud-native, all-in-one security platform that offers a single-vendor solution for Zero Trust and SASE. When combined with Forcepoint FlexEdge Secure SD-WAN, Forcepoint ONE provides a complete SASE solution with simple, safe and scalable ZTNA solutions.
As a leader among SASE and ZTNA providers, Forcepoint enables organizations and IT teams to:
- Empower faster and safer work from anywhere. Forcepoint SASE and ZTNA solutions enable users to work where and how they want. ZTNA, CASB and SWG provide security in the cloud and on the web, safeguarding access to private apps through both agent-based and agentless deployment.
- Support Zero Trust security. Forcepoint ONE employs identity-based access control that allows employees, contractors and guests to access the apps they need for any device.
- Improve compliance visibility. With over 190 pre-defined policies available out-of-the-box, Forcepoint helps organizations implement strong controls for global data and privacy regulations. Forcepoint provides continuous visibility of how users interact with data, enabling a clear view of compliance across the organization.
- Reduce networking costs. Forcepoint Secure SD-WAN slashes networking costs and improves reliability with real-time mixing and matching of local ISP broadband and private MPLS connections.