Four steps to building SASE with universal ZTNA principles
When the term Secure Access Service Edge (SASE) was introduced by Gartner in 2019, it quickly gained traction, particularly as the COVID-19 pandemic forced a rapid shift to remote work. Organizations needed secure, reliable access to cloud applications, and SASE emerged as the primary framework for delivering security and networking capabilities in a cloud-first world.
Initially, SASE adoption focused on enabling secure access for remote users to cloud applications. However, as the pandemic subsided and employees returned to physical offices, organizations discovered gaps between the security architecture designed for remote users and the security requirements of on-premises locations. These challenges included the difficulty in securing the growing number of IoT devices, which traditional Zero Trust Network Access (ZTNA) policies were not designed to protect. The expanding attack surface introduced new security vulnerabilities, making IoT devices potential entry points for cyberattacks. Hybrid employees using ZTNA while in the office often experienced inefficiencies due to unnecessary hairpinning of traffic through the cloud. Additionally, many organizations continued to rely on legacy network architectures that backhauled all branch traffic to data centers rather than routing it directly to the cloud, impacting both performance and security.
As businesses continue their transition to a cloud-first model, they face increasing threats from malicious web traffic, phishing attacks, and data breaches. Many IT teams lack visibility into employee usage of SaaS applications and associated data flows, which exacerbates security risks.
To address these challenges, organizations must take an integrated approach that secures both remote and on-premises access. This requires adopting SASE with a universal ZTNA approach, ensuring comprehensive security across all environments. When combined with SASE, universal ZTNA enables seamless connectivity, optimized performance, and enterprise-wide security. Below are four critical steps for effectively implementing SASE with universal zero trust principles.
The steps to build SASE with universal ZTNA principles
Step 1: Modernize branch networks with secure SD-WAN
The first step toward implementing SASE with zero trust is replacing legacy networking equipment with a secure SD-WAN solution. Traditional networks, reliant on MPLS circuits, lack agility and are ill-suited for cloud-first operations. Secure SD-WAN solves these challenges by leveraging internet links with advanced optimization techniques. Dynamic path selection enables intelligent traffic routing across multiple links, including MPLS, broadband, LTE, and 5G, ensuring optimal performance. Tunnel bonding aggregates multiple connections to improve network reliability, while integrated security consolidates routing, firewalling, and WAN optimization into a unified solution. By modernizing branch networks with secure SD-WAN, organizations eliminate inefficient data center backhauling by intelligently steering traffic to the cloud based on first packet identification, improving application performance. Also, deploying SD-WAN virtual instances in cloud providers like AWS, Azure, and Google Cloud “ruggedizes” the first mile and optimizes the connection to these cloud service providers.
Step 2: Simplify zero trust with secure SD-WAN and ZTNA
The next step is integrating ZTNA with secure SD-WAN to simplify zero trust implementation. For remote users, traditional VPNs pose security risks due to broad network access, increasing the likelihood of unauthorized lateral movement. Additionally, branch offices often suffer from a sprawl of security appliances that are difficult to manage.
ZTNA enhances security by enforcing least-privilege access, ensuring users can only reach authorized applications without gaining full network access. On-premises, advanced ZTNA solutions offer local edge capabilities, eliminating inefficient hairpinning of traffic through the cloud. Meanwhile, secure SD-WAN consolidates security functions by integrating next-generation firewall capabilities, including intrusion detection and prevention (IDS/IPS) and DDoS protection. By combining ZTNA and secure SD-WAN, organizations reduce the attack surface while enabling secure, seamless access for both remote and on-premises users.
Step 3: Achieve universal zero trust across your infrastructure
To fully realize the benefits of zero trust, organizations must extend its principles across all environments, including branch offices, data centers, campuses, and IoT deployments. Achieving universal zero trust requires continuous monitoring and identity verification, ensuring that every device and user in the network is identified and continuously verified before accessing resources.
AI-driven tools help profile devices, analyze behavior, and automatically adjust security policies to prevent unauthorized access. Network segmentation is also essential, as it enforces fine-grained access control based on role and identity, limiting lateral movement and reducing attack vectors. End-to-end security integration ensures that security policies apply consistently across switches, access points, and SD-WAN, providing comprehensive protection across the entire network. Real-time threat detection, enabled by intrusion detection systems, helps prevent unauthorized access and detect malicious activity.
Step 4: Transform and unify secure connectivity with SASE
With universal ZTNA and secure SD-WAN as the foundation, the final step is securing cloud access and preventing data breaches. This is achieved by integrating security technologies such as Secure Web Gateway (SWG), which blocks malicious websites and enforces content filtering policies. Cloud Access Security Broker (CASB) solutions secure SaaS applications and prevent unauthorized data access, while Data Loss Prevention (DLP) solutions monitor and control data transfers to prevent sensitive data leakage.
By following these four steps, organizations establish a scalable, efficient, and secure network architecture that meets the demands of modern hybrid work environments. The evolution of SASE's scope, from an initial focus on remote access to a comprehensive security framework, highlights the need for universal ZTNA integration. Organizations must ensure that security policies seamlessly extend across remote users, on-premises locations, and IoT devices. By modernizing branch networks with secure SD-WAN, simplifying zero trust implementation with ZTNA, extending security across all infrastructures, and unifying cloud security with SASE, businesses can achieve a resilient, high-performance network that meets today’s security and connectivity demands.
HPE Aruba Networking provides a comprehensive platform that goes far beyond the narrow focus of traditional solutions, which often address only specific areas of zero trust protection. Our edge-to-cloud zero trust solution delivers a seamless integration of a single-vendor SASE solution and advanced machine learning-based NAC capabilities. This approach empowers organizations to adopt a universal ZTNA approach, applying zero trust principles consistently across all devices, whether they are remote or on-premises.
Build SASE and zero trust from edge to cloud with the HPE Aruba Networking holistic platform
To learn more please visit our website on SASE.
Other resources:
- Solution overview: Delivering SASE and universal zero trust
- Glossary: Universal ZTNA glossary page
Microsoft Azure is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. Google Cloud is a trademark of Google LLC. All third-party marks are property of their respective owners.
Gabriel_Gomane
Gabriel Gomane has more than 15 years of experience in product marketing and product management, focusing primarily on networking, security and digital transformation. He has broad international experience, having held marketing positions based in Europe and in the US. Before joining HPE Aruba Networking, Gabriel worked for various high tech companies including Meru Networks and MEGA International. Gabriel holds a BS in engineering from Grenoble INP and an MBA from HEC Paris.