Holistically, Zero Trust is often described as a strategy or a framework, not a product sold by specific vendors. This is true; Zero Trust is a new way of security thinking that permeates several areas, not just architecture or technology. However, there are practical implementations from vendors, like Zscaler, that have built their solutions around Zero Trust. Once deployed, this technology provides secure access for users, things, and workloads to public or private destinations based on Zero Trust principles.

When considering solutions based on a Zero Trust architecture, it is essential to understand how this market is described and categorized. The most common taxonomy is called Security Service Edge or SSE (defined by Gartner), an umbrella description for solutions offering Zero Trust architecture, among other functions.

Gartner’s SSE provides a framework that combines the main elements of network security–including the Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), a Cloud Access Security Broker (CASB), and firewall as a service (FWaaS), among other components–as provided from the cloud at a location near the end user. ZTNA, in this context, relates merely to user-to-private application access. The main point is that once hosted on-premises, the security stack moves to the cloud or the “security edge.” This affords security operations all the benefits of cloud-hosted solutions, including simplified complexity, scalability, easier maintenance, architecture, etc.

How do Zero Trust architecture concepts relate to the broader concepts of SSE? They are closely intertwined. Think of SSE as a practical implementation of zero trust architecture and other ecosystem components like identity, EDR, or SIEM/SOAR.

Is Zero Trust a passing fad, or is it here to stay?

Zero Trust, as delivered by an SSE vendor, has already enormously impacted several organizations. It proved especially valuable as the pandemic moved workers home, expanded the network, taxed VPN resources, and opened new doors to attackers. Organizations that transitioned to ZTA were able to send workers home seamlessly while avoiding the common bottlenecks and security concerns that generally accompany such a massive workforce shift. That being said, many organizations are still in various stages of their transformation journey.

A Zscaler survey results show that today, more than 90% of organizations migrating to the cloud have a Zero Trust security strategy in place or plan to in the next 12 months. Respondents indicated that zero trust network access (ZTNA) is their No. 1 priority, based on providing a secure hybrid work environment. They cite their employees’ inconsistent access experiences for on-premises and cloud-based applications and data as a top reason to implement a zero trust-based hybrid work infrastructure. In addition, 68% of IT leaders also admit that cloud migration requires a rethinking of traditional security models.

In our survey, the reasons to move to zero trust security were ranked by respondents in this order:

Improve detection of advanced threats Improve detection of web application attacks Broaden security to protect sensitive data

Gartner publishes the Magic Quadrant and Critical Capabilities research on the Security Service Edge, and as of this writing, is working on the 2023 version. They made the following prediction about ZTA and SSE, highlighting movement toward a consolidated SSE approach over point solutions:

“By 2025, 80% of organizations seeking to procure SSE-related security services will purchase a consolidated SSE solution, rather than stand-alone cloud access security broker, secure web gateway, and ZTNA offerings, up from 15% in 2021.”

The data shows that traditional network and security architectures must be equipped to provide adequate security and connectivity for the rapidly evolving hybrid workplace. Globally, IT and security leaders have or are actively planning to replace their legacy architectures with a Zero Trust solution based on an SSE platform.

So, to answer the question, ZTNA is one component of a comprehensive SSE framework. Zero Trust and SSE are not synonymous, but without ZTNA any SSE is incomplete.

