
Zero Trust Architecture and SASE

Replacing VPNs, securing remote work, and enforcing least-privilege access to applications and data.

Zero Trust is the model that assumes the network is hostile. Every request—whether it comes from a contractor in another country or an engineer in headquarters—gets evaluated based on user identity, device posture, and the sensitivity of the target. SASE (Secure Access Service Edge), coined by Gartner in 2019, bundles the network and security functions that Zero Trust depends on: ZTNA, secure web gateway, CASB, firewall-as-a-service, often delivered from points of presence close to the user. Zscaler, Netskope, Palo Alto Prisma, Cloudflare, and Cisco are among the names that show up in most RFPs.
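The per-request evaluation described above, as an added sketch that is not taken from any vendor's product. The application names, groups and posture signals are constructed for illustration; the source network is recorded but never consulted, so the engineer in headquarters and the contractor abroad are judged by the same rules.

```python
from dataclasses import dataclass
from enum import IntEnum

class Sensitivity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset      # group claims from the identity provider
    mfa_verified: bool     # identity signal
    device_managed: bool   # device posture signals
    disk_encrypted: bool
    source_network: str    # kept for logging only, never used to decide
    app: str

# Constructed sample policy: app -> (sensitivity, groups that may reach it)
APPS = {
    "wiki": (Sensitivity.LOW, frozenset({"engineering", "contractors"})),
    "source-control": (Sensitivity.MEDIUM, frozenset({"engineering", "contractors"})),
    "payroll": (Sensitivity.HIGH, frozenset({"finance"})),
}

def device_ceiling(req):
    """Highest sensitivity this device's posture is allowed to reach."""
    if req.device_managed and req.disk_encrypted:
        return Sensitivity.HIGH
    if req.device_managed:
        return Sensitivity.MEDIUM
    return Sensitivity.LOW  # unmanaged device: low-sensitivity apps only

def decide(req):
    """Return (allowed, reason). Anything unknown or unverified is denied."""
    entry = APPS.get(req.app)
    if entry is None:
        return False, "unknown application"
    sensitivity, allowed_groups = entry
    if not req.mfa_verified:
        return False, "identity not verified"
    if not (req.groups & allowed_groups):
        return False, "no group grants access"
    if device_ceiling(req) < sensitivity:
        return False, "device posture too weak for target sensitivity"
    return True, "allowed"
```
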

The migration from “VPN plus perimeter firewall” to “Zero Trust plus SASE” rarely happens cleanly. Legacy applications that expect a flat network, contractors with unmanaged devices, and acquisitions that arrive with their own security stack all complicate the rollout. Teams that succeed phase the change application by application: start with the highest-risk SaaS, move internal applications behind an identity-aware proxy, then retire the VPN once the long tail is small enough to negotiate one application at a time.

The marketing temperature on Zero Trust ran hot for years, which made it easy to dismiss. The architectural ideas—verify explicitly, assume breach, segment everything—are durable even when the buzzword fades. Practical adoption looks less like a product purchase and more like a multi-year program that touches identity, endpoints, networks, applications, and the security operations team, with measurable reductions in lateral movement risk as the goal rather than a vendor logo on a slide.
