
WHITE PAPER

SASE or SSE
The Different Pathways to Zero Trust

By John Grady, Principal Analyst


Enterprise Strategy Group
March 2024

This Enterprise Strategy Group White Paper was commissioned by Zscaler and is distributed under license from
TechTarget, Inc.

© 2024 TechTarget, Inc. All Rights Reserved.


White Paper: SASE or SSE: The Different Pathways to Zero Trust

Contents
Executive Summary
Exploring the SASE Contradiction
The Reality of SASE
Why the Disconnect?
What’s Needed to Realize the Potential SASE Can Offer?
Flexibility
A Truly Unified Architecture
A Platform Predicated on Zero Trust
The Ability to Deliver Business Outcomes Along With Security Outcomes
Zscaler Supports Customers on Their Zero-trust Journey With Flexible SSE and SASE
Conclusion


Executive Summary
Secure access service edge (SASE) has emerged as the leading technology to combat the new security
challenges enterprises face as their workforce and workloads become more distributed. Organizations have turned
to SASE architecture to help strengthen security, improve operational efficiency, and support network
transformation. However, challenges abound in implementing a comprehensive SASE architecture, leading many
organizations to use multiple vendors—increasing complexity and risk—or start with security service edge (SSE) to
overcome organizational roadblocks.
Regardless of the strategy organizations choose to arrive at SASE, there are four requirements necessary to
realize SASE’s full potential. Flexibility, a unified architecture, a zero-trust foundation, and a focus on business
outcomes are factors organizations should consider when evaluating vendors. Zscaler Zero Trust SASE is flexible
enough to meet customers where they are on their journey, from SSE through to consolidated single-vendor SASE.

Exploring the SASE Contradiction


As organizations have become more distributed, traditional, siloed security and networking approaches have
become less effective and operationally inefficient. SASE was specifically introduced to modernize and converge
the network and security stacks into a unified, cloud-centric architecture from a single vendor, which provides
consistent connectivity and protection for users and resources, wherever they reside. Organizations cite a variety of
drivers pushing them toward a SASE architecture, even as challenges persist (see Figure 1).¹

Figure 1. SASE Drivers

What are the drivers of your organization’s interest in SASE? What is the
primary driver of its interest? (Percent of respondents, N=390)
Supporting network edge transformation 30%
Improving security effectiveness 29%
Reducing security risk to organization 28%
Better supporting hybrid work models 27%
Becoming more operationally agile 26%
Simplification of infrastructure and processes 26%
Becoming more operationally efficient 26%
Accelerating adoption of zero trust 24%
Delivering better user experiences 23%
Reducing network costs 23%
Reducing solution costs 20%
Vendor consolidation 17%

Source: Enterprise Strategy Group, a division of TechTarget, Inc.

1 Source: Enterprise Strategy Group Research Report, Security Services Edge (SSE) Leads the Way to SASE, November 2023. All
research references and charts in this white paper are from this research report.

These drivers can loosely be grouped into three buckets:


• Strengthening security. While defense-in-depth has been an accepted practice for years, the increasing
sprawl and costs—especially of physical devices—associated with point tools has led to diminishing returns.
Inconsistent policies and enforcement have made it easier for attackers to find gaps in defenses and
propagate an attack.
• Improving operational efficiency. The procurement, deployment, and ongoing management of so many
disparate tools puts strain on already over-taxed teams. The skills shortage in IT is universal but particularly
acute in cybersecurity, making it important to enable teams to do more with less. While vendor consolidation
specifically may not always be a primary driver for SASE, it can directly support many of the goals
organizations have for the initiative.
• Supporting network transformation. Both the traditional network and security stack were designed for when
employees and resources were primarily located in corporate offices, linked via dedicated connectivity such as
MPLS and remote access tools such as VPN. This model breaks down when applications move to the cloud
and users access resources from non-office locations, affecting user experience and, ultimately, productivity.
Additionally, VPNs lack security capabilities and are often subject to vulnerabilities attackers can exploit, issues
that have been highlighted as more and more employees now have to access resources remotely.

The Reality of SASE


Yet, while many organizations are moving forward with SASE, most are not adopting a fully converged,
single-vendor architecture from the start. Specifically, the vast majority are choosing a specific path from which to begin;
most start with security. According to research by TechTarget’s Enterprise Strategy Group, 72% of respondents
have focused on or will focus on the SSE side of SASE first, 25% on the SD-WAN side of SASE, and only 4% on a
fully converged SASE approach from the beginning. Additionally, most organizations believe they will need to add
vendors over time (see Figure 2).

Figure 2. SASE Vendors Used Initially and When Complete

How many technology vendors do you believe your organization will work with to support its SASE architecture?
(Percent of respondents, N=390)
[Bar chart: share of respondents expecting to work with 1, 2, 3, 4, or 5 or more technology vendors, or answering
“Don’t know,” shown for two series, “Initially” and “When complete.”]

Source: Enterprise Strategy Group, a division of TechTarget, Inc.

Since its introduction, SASE has revolved around vendor consolidation, and the specific idea of “single-vendor
SASE” has been increasingly promoted by some vendors and industry pundits. Yet, according to Enterprise
Strategy Group research, 10% of organizations anticipate beginning with a single SASE vendor, and only 2%
believe they’ll use one vendor when the project is complete.


Even the idea of two-vendor SASE seems to be unrealistic to most, with just 13% indicating their organization will
use two SASE vendors when the project is complete, leaving 83% leaning toward a SASE architecture using three
or more vendors. Unfortunately, this strategy leads to a situation similar to that which gave rise to SASE—bolting on
vendors and trying to integrate a sprawl of siloed tools. This increases the risk of security gaps that may lead to
breaches, and round and round the cycle goes.

Why the Disconnect?


Why do organizations feel this way, and what is leading to the disconnect between what SASE is supposed to be
and how practitioners believe they’ll implement it? There are a variety of reasons, but three stand out.
First, IT teams remain siloed with different priorities (see Figure 3). Technology convergence is only one piece of the
equation, and the IT organization must be rethought to support this new technology stack relative to strategy,
budgets, and management. Networking teams focus on making connections and ensuring that every employee can
connect to needed applications and remain productive, while security teams focus on restricting access to only
those who require it. While these goals don’t have to conflict, the reality of team dynamics in large organizations
shows that friction does occur between these teams since they often have differing leadership structures with
differing KPIs for success. Additionally, organizations frequently cite issues related to the chain of command within
networking and security teams as a challenge. Agreeing on a strategy and the vendors to support it can be
challenging when teams remain siloed. As a result, the security team may move forward with an SSE strategy in
isolation from the network team and a broader SASE roadmap.

Figure 3. Top 10 Organizational Challenges Between Networking and Security

Which of the following challenges between your organization’s network and security groups in relation to the
convergence of network and security have you experienced or would you expect to experience? (Percent of
respondents, N=390, three responses accepted)
The groups are measured and compensated on conflicting goals 28%
Issues related to the chain of command that is ultimately responsible for network security and collaboration… 28%
Balancing security functions and network performance to ensure positive and safe experiences 24%
Workflow issues related to the timeliness of collaborative tasks 24%
Communications issues related to collaborative tasks 23%
Determining how budget allocations are split between security and networking 21%
Teams not keeping one another apprised of new developments/projects 20%
Getting cross-functional agreement on strategy 19%
Inconsistent visibility because the groups maintain separate tools and reports 19%
Getting cross-functional agreement on vendors 17%

Source: Enterprise Strategy Group, a division of TechTarget, Inc.



Second, different priorities and transformational initiatives result in a variety of starting points and drawn-out
timelines. Network transformation and security modernization are significant undertakings in their own right, and
can be supported by SASE, but have other considerations as well. As a result, organizations may initially
incorporate a piece of SASE to support that broader transformation initiative. Zero trust, in particular, is a key focus
for many organizations, with SSE serving as a key component of operationalizing the strategy. Additionally, there
may be a need to move quickly in one area without considering the broader architecture. A common example of this
is rolling out zero-trust network access (ZTNA) to support expanding remote access needs. Ultimately, the criticality
of security leads many to start with SSE.
Finally, vendor solutions haven’t always delivered. Arguably, a significant part of the prevalence of multi-vendor
views is based on perception. Organizations simply find it hard to believe that they can get a broad set of leading
security capabilities from a single vendor. This is evident in the cycle of adding new tools to address new threat
vectors and protect additional parts of the environment. Additionally, vendors often simply bolt on an SD-WAN
solution to an SSE platform and call it SASE (and vice-versa), which doesn’t deliver the expected benefits.

What’s Needed to Realize the Potential SASE Can Offer?


To address these realities and ensure both short- and long-term success, organizations exploring SASE solutions
should prioritize a few critical attributes when assessing vendors to work with. These attributes can directly address
some of the top challenges organizations cite with regard to SASE implementation (see Figure 4).

Figure 4. SASE Challenges

What challenges has your organization faced, or would it expect to face, when implementing SSE? (Percent of
respondents, N=390, multiple responses accepted)
Supporting multiple architectures for different types of traffic 36%
Ensuring user experience is not impacted 34%
Aligning SSE with our zero-trust initiative 33%
Transitioning existing on-premises controls to the cloud 29%
Getting actionable, usable technical advice 27%
Becoming locked in with a vendor 26%
Ensuring interoperability between vendors 26%
Migrating existing security policies 25%
Determining a starting point 24%
Assessing and comparing vendor capabilities 24%

Source: Enterprise Strategy Group, a division of TechTarget, Inc.


Flexibility
Vendors need to have the flexibility to meet an organization where it is to address a variety of use cases and
expand over time. This requires support for both single and multi-vendor SASE approaches. For example, a vendor
could provide a purpose-built SSE platform and SD-WAN capabilities to support customers looking for
comprehensive SASE. However, customers should be able to use each separately while transitioning to a full
SASE architecture.
Over the short and medium term, many organizations will rely on multiple vendors for a SASE implementation.
More than one quarter (26%) of survey respondents say ensuring interoperability between vendors is a challenge.
Strong technology partnerships to ease integration burdens and simplify deployment can help organizations using
different SSE and SD-WAN providers continue to successfully advance their SASE implementation until they’re
ready to embrace a single vendor for SASE.
In the long run, however, a single-vendor approach will make sense for many organizations. Standardizing with one
vendor simplifies procurement and training, as staff can focus skill development on a single platform. Components
are pre-integrated, easing the burden of deployment and ensuring interoperability. Additionally, networking and
security policies can be tightly interwoven to ensure both strong security and effective connectivity.

A Truly Unified Architecture


The most common challenge reported by organizations was supporting multiple architectures for different types of
traffic, cited by 36% of research respondents. While some vendors have bolted on additional capabilities to round
out their SASE offering, other vendors have been building cloud-native SSE and SASE solutions for years (some
even before the category was introduced).
Even when provided by a single vendor, SASE solutions that are not truly unified—both from a management and
architectural perspective—lead to the same risks associated with multiple vendors: inconsistent management,
performance impacts from multiple cloud hops, and so on. Solutions that have been pieced together via acquisition
may not be fully unified on the back end relative to management or supporting a single-pass scanning architecture.
This can negatively impact performance, user experience, and administrator efficiency.

Spotlight: How Centers of Excellence Can Bridge Organizational Divides
Rearchitecting the IT organization is not an undertaking many companies can take. To bridge the gap, some are
pulling a page from the cloud playbook and forming a center of excellence (CoE) to better formalize and foster
collaboration across different IT teams without fully rebuilding the organization. This remains a work in progress
for most but is on the radar of many organizations.
Enterprise Strategy Group research has found that while 44% identify creating a CoE as an action to improve the
collaboration across the different groups responsible for networking and security, only 11% have implemented or
are actively implementing the CoE model. While not a capability a vendor can provide, this is important for
organizations to consider when planning a SASE initiative.

A Platform Predicated on Zero Trust

The critical relationship between SASE/SSE and zero trust cannot be overstated. In fact, 33% of survey
respondents cite aligning SSE with a zero-trust initiative as a top challenge. Zero trust is often overly simplified to
zero trust network access (ZTNA) and providing access to remote users. However, a true zero-trust architecture
must account for users along with workloads, locations, devices (IoT/OT), and third parties. Further, by default,
implicit access must be denied and should be decoupled from the network to ensure entities have access to
resources only when explicitly allowed by policy.


Enforcing this model on legacy network architecture is incredibly difficult because zero-trust enforcement is typically
bolted on as an afterthought, increasing complexity and creating the potential for policy gaps. SASE and SSE
solutions that support zero-trust strategies by default are better positioned to help security teams effectively
implement the initiative.

The Ability to Deliver Business Outcomes Along With Security Outcomes


The second most common challenge cited by organizations was ensuring user experience is not impacted, cited by
34% of respondents. Overcoming this requires a performant network with globally distributed points of presence
(PoPs) to process security functions closer to the user. Routing intelligence to determine the fastest path and avoid
introducing latency is also a critical aspect, especially for geographically distributed organizations. Ensuring all
employees can access the required resources to perform their functions is a core tenet of a successful SASE
implementation.

Zscaler Supports Customers on Their Zero-trust Journey With Flexible SSE and SASE
Zscaler Zero Trust SASE provides a flexible SSE and SASE architecture built on a zero-trust framework.
Customers can unify security—delivered in the cloud and with zero trust at the core via SSE—and can then unify
security and networking with single-vendor SASE when ready. The solution is powered by the Zscaler Zero Trust
Exchange, a cloud-native platform that securely connects the workforce, workloads, devices, and third parties,
helping organizations support holistic zero-trust initiatives.
The Zero Trust Exchange runs across more than 150 data centers worldwide, putting the service close to users and
applications and using the shortest path between users and their destination to provide consistent security and
performance for a strong user experience.
Zscaler’s Zero Trust SASE solution supports zero-trust-based network transformation across three key areas:
• Secure the workforce. To address the user-to-application use case, Zscaler for Users provides secure and
performant internet and SaaS access while protecting against advanced threats and data loss via Zscaler
Internet Access (ZIA). It connects users seamlessly and securely to private applications, services, and OT
devices through Zscaler Private Access (ZPA). Further, it ensures a strong user experience, optimizing
performance and quickly identifying and remediating application, network, and device issues via Zscaler Digital
Experience (ZDX).
• Secure workloads. For non-user connectivity, Zscaler for Workloads helps organizations securely enable
application-to-application communication across clouds, the internet, and on-premises environments. Policies
for cloud workloads are managed centrally in the same ZIA and ZPA consoles administrators use to protect
users, helping to improve operational efficiency and reduce the likelihood of human error when writing policies.
• Secure devices. Finally, Zscaler for IoT and OT provides device visibility across all connected devices,
servers, and unmanaged devices across the business. Based on this visibility, organizations can create zero-
trust policies to secure connectivity to OT equipment from any location, secure access for IoT devices to the
internet, secure device-to-device communications, and protect device-to-application connections.
Zscaler’s newest capability, Zero Trust SD-WAN, provides branches and data centers with fast, reliable access to
the internet and private applications without the implicit trust present in traditional SD-WAN, offering strong security
and simplified operations. Branch communications are securely forwarded to the Zero Trust Exchange, where
policies can be applied. This includes full security inspection and identity-based access controls for all branch and
data center communications.


Through this approach, Zscaler meets customers where they are, enabling them to progress as quickly or slowly as
they need to, to achieve success.

Conclusion
SASE promises a unified, integrated approach to providing security and network connectivity across a distributed
architecture, enabling workforces, devices, and workloads to communicate securely. However, the reality is that a
single-vendor option isn’t always feasible or even desired. And when a single-vendor option presents itself,
organizations may need time to prepare their architecture to support such a vendor.
Navigating this challenging environment requires vendors to become flexible to meet organizations where they are
in their unique journey. Zscaler Zero Trust SASE provides a unified, integrated approach with zero trust at the core,
without sacrificing flexibility. Customers still working on building a strong foundation for SASE can use SSE until
they’re ready to implement Zscaler Zero Trust SD-WAN, a secure and simplified SD-WAN experience. Zscaler Zero
Trust SASE provides secure connectivity for the workforce, devices, workloads, and third parties using centralized
management and ample PoPs, ensuring consistency in security and performance. With Zscaler, customers can
secure their networks while building a clear path forward on the journey to a complete, single-vendor SASE
implementation.

©TechTarget, Inc. or its subsidiaries. All rights reserved. TechTarget, and the TechTarget logo, are trademarks or registered trademarks of TechTarget, Inc. and are registered in
jurisdictions worldwide. Other product and service names and logos, including for BrightTALK, Xtelligent, and the Enterprise Strategy Group might be trademarks of TechTarget or its
subsidiaries. All other trademarks, logos and brand names are the property of their respective owners.

Information contained in this publication has been obtained by sources TechTarget considers to be reliable but is not warranted by TechTarget. This publication may contain opinions of
TechTarget, which are subject to change. This publication may include forecasts, projections, and other predictive statements that represent TechTarget’s assumptions and expectations
in light of currently available information. These forecasts are based on industry trends and involve variables and uncertainties. Consequently, TechTarget makes no warranty as to the
accuracy of specific forecasts, projections or predictive statements contained herein.

Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the
express consent of TechTarget, is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any
questions, please contact Client Relations at cr@esg-global.com.

About Enterprise Strategy Group
TechTarget’s Enterprise Strategy Group provides focused and actionable market intelligence, demand-side research, analyst advisory services,
GTM strategy guidance, solution validations, and custom content supporting enterprise technology buying and selling.
contact@esg-global.com
www.esg-global.com
