Is ZTNA Your First Stop to SASE?

By Mor Ahuvia, Product Marketing Manager

More than just another security buzzword, secure access service edge (SASE) is rapidly taking over the network security industry. According to Gartner, “By 2024, the majority of midsize and large enterprises will prefer a subscription-based, primarily cloud delivery model for networking and security.”[1] In addition to networking-as-a-service, SASE incorporates the best of current network security technology under a single umbrella: it protects access to cloud-based apps (CASB), enforces zero trust access to enterprise apps (ZTNA), secures branch office connections (FWaaS for SD-WAN security), and secures internet access (SWG).


On paper, SASE sounds great. It promises to radically simplify security, creating unified policies in a cloud-native solution that adapts and scales easily — perfect for the era of remote and hybrid work. But in practice, it can be hard to find a roadmap and understand which steps to take first.

Let’s make things very simple. If your most sensitive applications or servers…

  • reside in on-premises datacenters and are frequently accessed remotely; or
  • are hosted in the public cloud (AWS, GCP, Azure); or
  • require access by third parties like contractors and partners,

then zero trust network access should be at the top of your priorities.

For certain organizations, securing Internet and cloud access is a higher priority. Direct branch-to-internet connections can be secured using FWaaS. Remote users can be secured using a cloud-delivered Secure Web Gateway (SWG).

A complete and successful implementation of SASE also revolves around one essential step, securing access to applications. This can be achieved with Zero Trust Network Access (ZTNA). Once ZTNA is in place, you can rest assured that your most sensitive internal assets and resources are safeguarded, when being accessed remotely by internal or external personnel and also from BYOD and non-managed devices.

Let’s take a look at what exactly SASE involves, and then see why ZTNA is such a central part of the journey.

What Is SASE?

The term secure access service edge (SASE) was coined by Gartner in 2019, in light of the challenges of modern security in a diverse, distributed environment. It unifies a number of critical network security services with networking capabilities to create a model for secure access that is highly secure, yet flexible and scalable.

SASE extends the benefits of software-defined wide area networks (SD-WAN) networks, like fast, reliable network performance and lower infrastructure costs. Many organizations are already using SD-WAN to improve their users’ network experience by virtualizing network paths across MPLS, traditional VPN, broadband and wireless connections. On top of the networking advantages of SD-WAN, SASE adds several important network security functions within its umbrella:

  • Access to enterprise apps: Zero Trust Network Access (ZTNA)
  • Access to cloud-based apps: Cloud Access Security Broker (CASB)
  • Secure Internet access: Secure Web Gateway (SWG)
  • Network security as a service, replacing a traditional perimeter firewall with a FWaaS

While all of these elements are important, ZTNA isn’t just another piece of the SASE puzzle. For many organizations, it’s the starting point for evolving and scaling their network security to address the new perimeter, which is defined by the need for agility, cloud, remote work and BYOD.

Where Does Zero Trust Fit In?

Zero Trust Network Access (ZTNA), as the name suggests, removes implicit trust from your network, so no connection or access attempt is trusted by default. Instead ZTNA builds explicit trust in people, devices, assets, and data wherever they are located. With zero trust access, only the right user, in the right context, is given least privilege access to the right resources, in the right role.

With traditional perimeter-based security, once users are authenticated, they are often able to roam freely within the network, and there’s little granular control over their actions. This type of setup has become increasingly unwieldy to maintain as employees, third parties, and others log in remotely and access a range of data and applications across on-premises, cloud, hybrid, and multi-cloud environments.

Simply put: In today’s IT security environment, a VPN-based infrastructure that offers broad access permissions is not sufficient. Nor is a security strategy that solely relies on access controls such as username and password.

With a ZTNA model, on the other hand, every stage of a user’s session is verified, both pre-login and post-login. First, the user is authenticated, for example using an existing identity provider (IdP) such as Okta, OneLogin or Ping. After successfully authenticating to the service, the user session is monitored by the trusted security broker, e.g. a cloud-based ZTNA service through which all traffic is routed and inspected, allowing policy enforcement during the application session with granular in-app controls at the command and query level. This also allows for things like session recording, and real-time termination following unauthorized actions within admin SSH access to terminals and DevOps access to production environments.

Removing Implicit Trust

The central assumption of ZTNA is that every interaction must be checked prior to granting access. ZTNA also incorporates the principle of least privilege, meaning that users gain access only to resources they need for business purposes. This creates a higher level of security around the entire organization and its digital assets.

With the identity plane authenticating users, and the data plane securing the stream of traffic from the individual to the datacenter or cloud, true zero trust is maintained and network-layer risks are eliminated, including the risk of lateral movement.

The principle of least privilege access implemented by a zero trust architecture is why enterprises considering a SASE model often find ZTNA a logical starting point.

Endpoint vs. Service-Initiated Zero Trust

In the realm of Zero Trust Network Access, zero trust can be endpoint-initiated or service-initiated. Endpoint-initiated connections rely on a client installed on the user’s device to provide authentication and authorization information to the cloud-based trust broker. With a service-initiated Zero Trust architecture, by contrast, no agent is required. As explained by TechTarget, “A service-initiated architecture uses a connector appliance to initiate an outbound connection to the ZTNA provider’s cloud where identity credentials and context requirements are assessed, eliminating the need for an endpoint software agent.”

By deploying a single connector for each datacenter, network segment or virtual private cloud (VPC), all access attempts to the resources behind the connector are vetted and controlled by the cloud trust broker.

Another fun fact is that service-initiated Zero Trust makes use of what’s called port-knocking or single packet authorization. As explained by Network World, “an alternative method called single packet authorization or port knocking uses the client browser or application to send a set of packets to the Software-defined Perimeter (SDP) controller that identifies the user and their device,” with the SDP controller referring to the identity plane.
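
To make the single packet authorization step quoted above concrete, here is an added example (written for this article, not Check Point’s or any vendor’s implementation) of a client signing one packet that identifies the user and device, and an SDP controller that verifies it and rejects tampered, stale or replayed packets before opening anything. The packet format, the shared key and the 30-second freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = b"constructed-demo-key"   # per-device secret in practice; constructed here
REPLAY_WINDOW_SECS = 30                # assumed freshness window

def build_spa_packet(user, device_id, now=None):
    """Client side: one signed payload that identifies the user and their device."""
    body = {"user": user, "device": device_id,
            "ts": int(now if now is not None else time.time()),
            "nonce": os.urandom(8).hex()}
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, raw, hashlib.sha256).hexdigest()
    return raw + b"." + tag.encode()

class SdpController:
    """Identity plane: stays silent to anything that does not verify."""
    def __init__(self, enrolled):
        self.enrolled = enrolled     # constructed enrolment table: device_id -> user
        self.seen_nonces = set()     # replay detection within the freshness window

    def verify(self, packet, now=None):
        now = int(now if now is not None else time.time())
        try:
            raw, _, tag = packet.rpartition(b".")
            body = json.loads(raw)
            user, dev, ts, nonce = body["user"], body["device"], int(body["ts"]), body["nonce"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        expected = hmac.new(SHARED_KEY, raw, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"      # in deployment: drop, no response at all
        if abs(now - ts) > REPLAY_WINDOW_SECS:
            return False, "stale"
        if nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(nonce)
        if self.enrolled.get(dev) != user:
            return False, "unknown user/device pair"
        return True, "open data-plane port for this client"
```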

Service-initiated zero trust means that the overheads of installing and maintaining agents are eliminated for administrators, while users are spared the fuss of client synchronization and authentication issues.

No less important, service-initiated zero trust is the best choice for a frictionless user experience. This is because any browser, on any device, can be used, so that third party contractors and partners can securely access sensitive portals and applications from their own devices, and employees can choose to work from BYOD or company-issued devices.

How ZTNA Works

ZTNA works as follows:

  1. First, the user authenticates to the control plane. The control plane (aka the service controller) then verifies the user’s identity based on a number of attributes, e.g. multi-factor authentication, IP address, device and location.
  2. Authentication can also be delegated to an integrated identity provider (IdP).
  3. After authentication, the control plane opens a single sign-on user portal showing the apps the user is authorized to access.
  4. When the user clicks on an authorized app, the request goes through the gateway (which controls the data plane).
  5. The gateway returns the authorized application. If the request is not authorized, it will be blocked at the gateway level.

The controller and the gateway are in constant communication so that any change in permissions propagates in real time. Permissions at the app and in-app level are dynamically enforced as policies change from one minute to the next.
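
The five steps and the real-time propagation described above, as an added example (written for this article, not Check Point’s code): a toy control plane authenticates a user with context, returns the portal’s app list, and a gateway re-checks every request, including in-app SSH commands, against the control plane’s live policy, so a mid-session revocation takes effect immediately. The users, apps, allowed commands and accepted countries are constructed.

```python
class ControlPlane:
    """Identity plane: verifies user and context and owns the live policy table."""
    def __init__(self, idp_users, policies):
        self.idp_users = idp_users   # constructed IdP directory: user -> role
        self.policies = policies     # role -> {"apps": set, "commands": {app: [prefix...]}}
        self.sessions = {}           # user -> role, only for verified sessions

    def authenticate(self, user, mfa_ok, country):
        role = self.idp_users.get(user)
        # Identity plus context: unknown user, failed MFA or unexpected location -> no session.
        if role is None or not mfa_ok or country not in {"US", "IL"}:
            return None
        self.sessions[user] = role
        return sorted(self.policies[role]["apps"])   # what the SSO portal would list

    def revoke_app(self, role, app):
        """Policy change while sessions are live; the gateway enforces it on the next request."""
        self.policies[role]["apps"].discard(app)
        self.policies[role]["commands"].pop(app, None)

def gateway_request(control, user, app, command=None):
    """Data plane: the gateway re-checks every request against the control plane's live policy."""
    role = control.sessions.get(user)
    if role is None:
        return "blocked: no verified session"
    pol = control.policies[role]
    if app not in pol["apps"]:
        return "blocked: app not authorized"
    if command is not None and not any(
            command.startswith(p) for p in pol["commands"].get(app, [])):
        control.sessions.pop(user, None)   # real-time session termination
        return "blocked: command not allowed, session terminated"
    return "allowed"

def walkthrough():
    """Constructed session for one DevOps user; returns the decisions in order."""
    cp = ControlPlane({"alice@example.com": "devops"},
                      {"devops": {"apps": {"jenkins", "prod-ssh"},
                                  "commands": {"prod-ssh": ["ls", "cat /var/log/"]}}})
    u = "alice@example.com"
    steps = [cp.authenticate(u, mfa_ok=True, country="US"),
             gateway_request(cp, u, "jenkins"),
             gateway_request(cp, u, "prod-ssh", "cat /var/log/app.log")]
    cp.revoke_app("devops", "jenkins")            # admin tightens policy mid-session
    steps += [gateway_request(cp, u, "jenkins"),
              gateway_request(cp, u, "prod-ssh", "rm /var/log/app.log"),
              gateway_request(cp, u, "prod-ssh", "ls")]    # session already terminated
    return steps
```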


(Figure: ZTNA Architecture)

Benefits of Zero Trust Network Access

Whether implementing ZTNA is part of your move towards SASE or simply the next step in your organization’s strategic security evolution, ZTNA brings a fleet of benefits of its own.

Immediate benefits of implementing ZTNA include:

  • Reduced attack surface for your corporate resources on-prem and in the public cloud with least privilege application-layer access, removing network-level risks
  • Improved user experience thanks to clientless access (that does not require an agent to be installed), single sign-on (SSO), and BYOD support for both employees and third parties
  • Quick rollout as the service deploys with your current infrastructure (no hardware is required, and no agent is installed)
  • Instant scalability thanks to cloud-native architecture
  • Full visibility into user activity, including auditing and session recordings
  • Granular in-app policy controls with real time enforcement

While ZTNA is certainly appealing, there is also the perception that with IT department budgets and personnel stretched to the limit, it’s too complicated and time consuming to implement right away. But when properly deployed, ZTNA will start lightening the load almost right away, allowing for a very good ROI. To see how this works, watch how to deploy ZTNA in 15 minutes.

ZTNA can almost immediately reduce both capital and operating expenditures (CAPEX and OPEX); make regulatory compliance far simpler for industries handling sensitive data; and encourage the creation of universal access policies to better secure the entire organization.

Taking the First Step

With the right tools, ZTNA does not have to be difficult to implement. Harmony Connect gives you a ZTNA solution that rolls out easily across your entire organization:

  • Swift deployment: Five-minute setup, lightning-fast rollout providing immediate scalability and high cloud availability
  • Breezy access: Headache-free support for users and third parties such as contractors, with an easy-to-implement clientless architecture
  • Simple management: Clear visibility into network traffic and granular control at the app, command, and query level, full audit trail, and customizable up-to-the-minute segmentation

When you’re ready for a modern security solution that simplifies your organization’s journey to SASE, Harmony Connect is a logical first step.


[1] Gartner, Forecast Analysis: Secure Access Service Edge, Worldwide, Joe Skorupa, Nat Smith, 27 July 2021, forecast-analysis-secure-access-service-edge-worldwide