sase.cloud
February 6, 2026 by Kevin Malmgren

Zero Trust is not a product — it's an architecture

Vendors sell Zero Trust as a SKU. It's actually a design philosophy. Here's what Zero Trust really means and how ZTNA fits into your SASE architecture.

"We bought Zero Trust last quarter." I hear this from IT leaders more often than I'd like. You can't buy Zero Trust. You can buy products that help you implement a Zero Trust architecture — but the architecture itself is a set of design principles, not a license key.

What Zero Trust actually means

Zero Trust is a security philosophy built on one principle: never trust, always verify. Every access request — whether it comes from inside the network or outside — must be authenticated, authorized, and continuously validated. There is no trusted zone. The perimeter is identity, not the network edge.

This was formalized by NIST in SP 800-207 and has three core tenets: all resources are accessed securely regardless of location, access is granted on a per-session basis using least privilege, and trust is continuously evaluated (not just at login time).

Where ZTNA fits

Zero Trust Network Access is the specific SASE component that implements Zero Trust for application access. It replaces VPN by providing per-app connections (not network-level access), enforcing identity verification plus device posture checks before every session, and continuously re-evaluating trust during the session.

But ZTNA alone isn't Zero Trust. You also need SWG to inspect web traffic (because Zero Trust means you don't trust the internet either), CASB to control SaaS access, DLP to prevent data exfiltration, and identity infrastructure (IdP + MFA) as the foundation for everything.

The maturity spectrum

Most organizations are somewhere on this spectrum:

Level 1 — Identity-based access: MFA everywhere, SSO, basic conditional access. Most organizations are here.

Level 2 — Per-app segmentation: ZTNA replacing VPN, no more network-level access, lateral movement blocked. This is where the real security gains start.

Level 3 — Continuous verification: device posture checked continuously (not just at login), session risk scored in real time, automatic step-up authentication. This is ZTNA 2.0.

Level 4 — Data-centric: DLP policies tied to identity and context, encryption enforced at the data layer, access decisions based on data sensitivity classification. Very few organizations are here.
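As an added illustration (not code from this post or from any vendor's product), here is a toy policy decision point in Python that models the tenets described above and the Level 2 and Level 3 behaviour: default deny, policy attached to the app rather than to a network segment, device posture and MFA checked before a session is granted, and the decision re-run on every mid-session signal change so that trust can be withdrawn or stepped up after login. The app names, posture fields and the 0 to 100 risk scale are constructed assumptions, not part of the post.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SessionContext:
    user: str
    mfa_verified: bool      # strong authentication completed for this session
    device_managed: bool    # device enrolled in management
    disk_encrypted: bool
    edr_healthy: bool       # endpoint agent running and reporting clean
    session_risk: int       # 0..100; assumed to come from a risk engine (constructed scale)

# Constructed per-app policies: the application, not the network, is the unit of access.
APP_POLICY = {
    "payroll": {"require_mfa": True, "require_managed": True, "max_risk": 20},
    "wiki":    {"require_mfa": True, "require_managed": False, "max_risk": 60},
}

def posture_ok(ctx: SessionContext) -> bool:
    return ctx.device_managed and ctx.disk_encrypted and ctx.edr_healthy

def decide(app: str, ctx: SessionContext) -> str:
    """Policy decision for one app and one session: 'allow', 'step_up' or 'deny'."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return "deny"                          # default deny: an unknown app has no path
    if policy["require_managed"] and not posture_ok(ctx):
        return "deny"                          # posture failure cannot be fixed by MFA
    if ctx.session_risk > policy["max_risk"]:
        return "deny"                          # risk above the app's ceiling
    if policy["require_mfa"] and not ctx.mfa_verified:
        return "step_up"                       # identity not yet strong enough
    if ctx.session_risk > policy["max_risk"] // 2:
        return "step_up"                       # elevated risk: re-verify even after MFA
    return "allow"

def reevaluate(app: str, ctx: SessionContext, signal_updates) -> list[str]:
    """Continuous verification: re-run the decision after each mid-session signal change."""
    decisions = [decide(app, ctx)]
    for field, value in signal_updates:
        ctx = replace(ctx, **{field: value})   # new context, same session
        decisions.append(decide(app, ctx))
    return decisions

if __name__ == "__main__":
    ctx = SessionContext("alice", True, True, True, True, 5)  # constructed healthy session
    print(reevaluate("payroll", ctx, [("session_risk", 15), ("edr_healthy", False)]))
    # ['allow', 'step_up', 'deny']
```

The point of reevaluate is the Level 3 behaviour: the same session that was allowed at login is stepped up when its risk score rises and cut off when its endpoint agent stops reporting healthy.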

What to tell your CISO

Zero Trust is a journey, not a purchase. SASE gives you the platform to implement it — ZTNA for access, SWG for inspection, CASB for SaaS, DLP for data. But the architecture decisions (what gets segmented, what posture checks to enforce, how to handle exceptions) are yours. No vendor can sell you that.
