WHITE PAPER

How to Deliver Successful AI Projects by Reducing Risk and Boosting Performance

Pathways To A Zero Trust Branch

Delivering Accelerated and Secure Connectivity With the Power of SD-WAN and SASE


By Jim Frey, Principal Analyst
Enterprise Strategy Group

January 2025

Introduction

Branch connectivity might seem straightforward when considering only the basic needs of extending WAN connectivity and providing secure access, but doing so at scale, and in the face of mixed, dynamic application and threat environments, is anything but simple. The pace of change in applications and the ever-growing threat landscape demand careful consideration and accommodation.

From a security perspective, Zero Trust strategies are becoming a focal point for helping to align and tune efforts to protect branches and the enterprises of which they are part. Zero Trust is not the only dimension of a branch security strategy, but it has become an essential pillar.

From an operational performance perspective, branch security must be balanced with network optimizations that can improve and ensure user experience and, by doing so, improve productivity and customer satisfaction. This requires network acceleration and traffic management that can adapt to a mix of cloud, SaaS, and business applications and that can intelligently accommodate specific work activities and behaviors with those applications.

Done successfully, organizations can realize the benefits of a Zero Trust Branch, addressing the combined networking and security needs within a single, integrated branch connectivity solution. Palo Alto Networks has this exact Zero Trust Branch end goal in mind when bringing the best of networking and security technologies together, binding advanced software-defined WAN (SD-WAN) functionality with cloud-based secure access service edge (SASE) that includes Zero Trust capabilities, delivered as Prisma SASE®.

Applying Zero Trust to the Branch

Key Objectives for Branch Connectivity

Design and deployment of branch network connectivity provides both a platform and an opportunity to employ Zero Trust strategies, but it must be done in a way that accommodates the broader context of essential operational goals and constraints. The overall business purpose of branch connectivity is to deliver reliable and efficient access to remotely hosted resources, such as cloud and SaaS-based data and applications. This can be decomposed further into a few key objectives:

1. Maximizing user experience. The key focus here is ensuring that employees can reach and use the applications and resources they need to execute work processes and that customers (as applicable) can easily reach and engage the services they need to have a good experience. This requires not only access but also optimized performance—particularly for remotely hosted applications that will be accessed from the branch.
2. Maintaining operational efficiency. On this front, it is important to realize that there are lots of great technologies out there to address branch security and performance, along with many individual functions to be covered. Best-of-breed approaches can be alluring, but deploying a fragmented best-of-breed blueprint across dozens or hundreds of branches does not scale gracefully from either a logistical or cost perspective. In addition, the lack of management cohesion can significantly lengthen the time required to troubleshoot and diagnose issues and incidents. This can be further aggravated by a lack of skilled personnel at branch sites.
3. Accommodating growth and change. Finally, any approach taken must make it possible to readily enable both the addition of new branch sites as well as the constantly growing and changing application mix that is common in today’s digital enterprises. All of this must be handled as much as possible, without requiring infrastructure upgrades or manually intensive reconfigurations.

Achieving a Zero Trust Branch requires considering solutions that can provide direct value in addressing these three priority areas while balancing cost and effectiveness for both networking and security. Emphasis should be placed on broad capability coverage but also tight integration across technologies as well as operational simplicity and efficiency.

Understanding Zero Trust

The ongoing challenges of ensuring network security, including at the branch level, have led to the evolution of Zero Trust, a security model operating on the principle of “never trust, always verify.” On the network side, zero trust network access, or ZTNA, continuously verifies user, application, and device identity and continuously inspects application traffic before granting network access to any application. This creates a “logical boundary” around each application via strict policies that define which users are authorized to access it.
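The paragraph above describes ZTNA in terms of three properties: a per-application policy boundary, default denial of anything not explicitly allowed, and verification that continues after the initial connection rather than happening once. The following Python model is an added illustration of those properties and is not code from Palo Alto Networks, Prisma SASE, or Enterprise Strategy Group; the policy fields (group membership, MFA state, managed device, disk encryption, EDR agent status) and the sample users, applications, and postures are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class DevicePosture:
    managed: bool          # enrolled in endpoint management (constructed attribute)
    disk_encrypted: bool   # full-disk encryption reported on
    edr_running: bool      # endpoint protection agent alive


@dataclass
class Subject:
    user: str
    groups: Set[str]
    mfa_verified: bool
    device: DevicePosture


@dataclass
class AppPolicy:
    app: str
    allowed_groups: Set[str]
    require_mfa: bool = True
    require_managed_device: bool = True


class ZtnaPolicyEngine:
    """Evaluate a subject against the policy of one application.

    Each application carries its own rule set (the "logical boundary" around
    it). An application with no policy is denied by default: nothing is
    reachable simply because the subject is on the network.
    """

    def __init__(self, policies: List[AppPolicy]) -> None:
        self.policies: Dict[str, AppPolicy] = {p.app: p for p in policies}

    def evaluate(self, subject: Subject, app: str) -> Tuple[bool, str]:
        policy = self.policies.get(app)
        if policy is None:
            return False, "default deny: no policy for application"
        if not (subject.groups & policy.allowed_groups):
            return False, "user not in an allowed group"
        if policy.require_mfa and not subject.mfa_verified:
            return False, "MFA not verified"
        dev = subject.device
        if policy.require_managed_device and not dev.managed:
            return False, "unmanaged device"
        if not (dev.disk_encrypted and dev.edr_running):
            return False, "device posture check failed"
        return True, "allowed"


class AppSession:
    """One user-to-application session whose access is re-verified on every
    posture or identity change, not only at connect time."""

    def __init__(self, engine: ZtnaPolicyEngine, subject: Subject, app: str) -> None:
        self.engine = engine
        self.subject = subject
        self.app = app
        self.active = False

    def connect(self) -> Tuple[bool, str]:
        ok, reason = self.engine.evaluate(self.subject, self.app)
        self.active = ok
        return ok, reason

    def on_posture_update(self, posture: DevicePosture) -> Tuple[bool, str]:
        # Continuous verification: a posture failure after connect revokes
        # the already-open session instead of letting it ride to expiry.
        self.subject.device = posture
        ok, reason = self.engine.evaluate(self.subject, self.app)
        if not ok:
            self.active = False
        return ok, reason


def demo() -> Dict[str, object]:
    """Run the constructed scenario and return every decision taken."""
    engine = ZtnaPolicyEngine([
        AppPolicy("payroll", allowed_groups={"finance"}),
        AppPolicy("hr-admin", allowed_groups={"hr"}),
    ])
    healthy = DevicePosture(managed=True, disk_encrypted=True, edr_running=True)
    alice = Subject("alice", groups={"finance"}, mfa_verified=True, device=healthy)

    results: Dict[str, object] = {}
    payroll = AppSession(engine, alice, "payroll")
    results["payroll_connect"] = payroll.connect()              # allowed
    results["hr_admin"] = engine.evaluate(alice, "hr-admin")    # wrong group
    results["unknown_app"] = engine.evaluate(alice, "legacy-erp")  # no policy
    degraded = DevicePosture(managed=True, disk_encrypted=True, edr_running=False)
    results["payroll_after_edr_stop"] = payroll.on_posture_update(degraded)
    results["payroll_still_active"] = payroll.active            # revoked
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the `AppSession` class is the last two results: the payroll session was legitimately allowed at connect time, yet the moment the device's protection agent stops the same policy is re-run and the session is closed. A perimeter or one-time-at-login model would leave that session open until it timed out.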
While Informa TechTarget’s Enterprise Strategy Group has found that organizations consider the broader topic of Zero Trust to be as much a strategy as a specific set of tools and technologies, the bottom line is that Zero Trust is emerging as an essential approach to be leveraged across the enterprise, including at the branch level, for a variety of reasons (see Figure 1). Top among those reasons are program modernization and incident reduction, and overall there is a healthy mix of security, operational, and business drivers in play. Many organizations will start with the objective of securing user access to applications, particularly from remote locations, and then find and embrace the other benefits along the way.
Figure 1. Top Reasons for Considering or Adopting a Zero Trust Strategy
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
Zero Trust strategies can span a wide range of tools and technologies, according to Enterprise Strategy Group research (see Figure 2). Not all relevant tools are built solely for Zero Trust, and many have been around for some time, but a few are recent arrivals that are purpose-fit for the strategy. For instance, ZTNA as a specific set of capabilities has only been around a few years, whereas unified endpoint management and cloud access security brokers (CASBs) have been around many years longer. Others, such as data loss prevention, next-generation firewall, network access control, and multifactor authentication, have been around for decades. All of these tools and technologies have influence or control, in some form, over network usage, what will be accessed over the network, and the ways in which access will be managed or granted. As such, they are relevant components of a Zero Trust strategy.
Figure 2. Most Effective Tools and Technologies for Achieving Zero Trust Objectives
Source: Enterprise Strategy Group, a division of TechTarget, Inc.

SD-WAN Role in a Zero Trust Branch

Branch connectivity is a classic example of wide area networking, and the current state of the art in WAN dictates the use of a software-defined approach, known as SD-WAN. While the primary role of SD-WAN is to provide flexible, reliable, and highly available connections across traditional or hybrid infrastructures, it also commonly includes the ability to accelerate and segment network traffic by application to improve throughput and user experience. But the total scope of current expectations around SD-WAN is broader still, as evidenced by the range of deployment drivers shown in Figure 3.
Figure 3. Drivers for Deploying SD-WAN
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
It’s clear from the many cited drivers that organizations are looking to SD-WAN not only for traditional networking objectives but also for integrated security. In fact, modern SD-WAN solutions typically offer some embedded security features. For instance, it is not unusual to find traffic encryption, firewalling, and microsegmentation capabilities included within an SD-WAN solution. However, SD-WAN by itself has never been considered a complete security solution for the branch, and no standalone SD-WAN offerings include ZTNA.
Overall, the expectations around SD-WAN align well with the three primary objectives of branch network connectivity. There is a specific focus on maximizing user experience via traffic acceleration and optimization and on operational efficiency via consolidating multiple functions into a single solution as a means of reducing cost and complexity. In addition, SD-WAN solutions bring a level of configurable flexibility that is a significant step up from traditional fixed WAN service architectures, so change and growth become naturally more manageable.

SASE for a Zero Trust Branch

SASE solutions incorporate multiple network security technologies and apply them to remote, WAN, and branch connectivity in a manner that is meant to reduce complexity and improve consistency of security controls. This is accomplished by placing security functions in a cloud delivery model and combining them with cloud-based management that can centralize configuration and monitoring functions across all connected sites, locations, and endpoints.
Figure 4. Benefits Experienced by Deploying SASE
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
The benefits of deploying SASE are many and are not solely restricted to improved security. As can be seen in Figure 4, organizations utilizing SASE have seen improved collaboration, reduced costs, improved agility for growth, reduced complexity, faster incident resolution, and even improved user experience.
Typical SASE solutions will bring together functions such as ZTNA, firewalling, CASB, and secure web gateway (SWG)—all capabilities considered important to Zero Trust strategies, as we saw in Figure 2. This makes SASE a powerful approach to achieving a Zero Trust Branch from a security perspective. The benefits listed in Figure 4 highlight other advantages that are beneficial to the operational objectives of branch network connectivity, including maximizing user experience, maintaining operational efficiency, and accommodating change and growth.

An Ideal Approach: Tightly Integrated SD-WAN Plus SASE

Given the primary objectives for branch networking and the goal of applying Zero Trust strategies, it should be clear by now that both SD-WAN and SASE bring important and highly relevant capabilities to the table. The question then becomes how to acquire and deploy these technologies in the best way to achieve a Zero Trust Branch. While it is possible to select and deploy best-of-breed SD-WAN and SASE products separately, integrated solutions offer the opportunity to reduce complexity and improve manageability. Many SASE solutions available in the industry today already include some SD-WAN capabilities in attempts to address such convergence, but there are wide variations in terms of feature completeness and effectiveness due to factors such as solution maturity, scope of functionality, or solution architecture.
The ideal answer for a Zero Trust Branch is to find a tightly integrated solution that offers best-in-breed capabilities on both the SASE and SD-WAN sides. This means coverage of leading-edge Zero Trust feature sets, including ZTNA, while also delivering advanced, best-in-class network performance optimization. In this context, tight integration means interlocking networking and security features as well as a single management platform for deploying, configuring, and maintaining technology and policy elements. Such integration enables rapid assessment and resolution of incidents and issues on both the operational and security sides of the equation.

The Palo Alto Networks Approach for a Zero Trust Branch

Based on a long and proven history of success in advanced network security and network connectivity technologies, Palo Alto Networks has developed the Prisma SASE solution, a fully integrated SASE-plus-SD-WAN answer for secure branch network connectivity. Prisma SASE represents a comprehensive approach to the challenge and features the following capabilities:
• Fast and flexible deployment at branch sites via physical or virtual appliance footprints with built-in capabilities like 5G and switching.
• Advanced SD-WAN application traffic acceleration for cost-efficient optimization of available bandwidth.
• Innovative autonomous digital experience management (ADEM) technology for enhancing individual users’ experiences via intelligent, automated, behavior-based session controls and optimizations.
• Native integration with Prisma Access that delivers best-in-class network security, including end-to-end encryption, SWG, next-generation firewall, and CASB functions from the cloud.
• Leading-edge ZTNA 2.0 features for continuous trust verification and continuous security inspection.
• Tightly integrated management and monitoring for easy deployment and effective minimization of operational disruptions.
The full-scope nature of Palo Alto Networks Prisma SASE, bringing together best-in-class SASE and SD-WAN with best-in-class ZTNA, represents a clear path for achieving a Zero Trust Branch, readily covering all three primary requirements for secure branch network connectivity, including maximizing user experience, maintaining operational efficiency, and accommodating growth and change.

Conclusion

With enterprises striving to balance the need to deliver high-performing, reliable network connectivity to branch sites against making sure that no corners are cut on the security front, integrated networking and security approaches are becoming the mandate. Zero Trust strategies have also emerged as an essential guiding set of principles and objectives, introducing continuous trust verification as a means of significantly reducing both network and application security risks.
Applying Zero Trust to the branch brings some unique challenges when it comes to selecting appropriate tools and technologies. However, it also represents an opportunity. Finding options that can fully integrate Zero Trust into existing branch network and security infrastructure can reduce both cost and complexity, resulting in better flexibility for growth, better operational efficiency, and better user experience. Palo Alto Networks offers exactly such an integrated branch connectivity solution via Prisma SASE, which brings together SASE, SD-WAN, and ZTNA features, paving the path to a Zero Trust Branch.

This Enterprise Strategy Group White Paper was commissioned by Palo Alto Networks and is distributed under license from TechTarget, Inc.

©TechTarget, Inc. or its subsidiaries. All rights reserved. TechTarget, and the TechTarget logo, are trademarks or registered trademarks of TechTarget, Inc. and are registered in jurisdictions worldwide. Other product and service names and logos, including for BrightTALK, Xtelligent, and the Enterprise Strategy Group might be trademarks of TechTarget or its subsidiaries. All other trademarks, logos and brand names are the property of their respective owners.

Information contained in this publication has been obtained by sources TechTarget considers to be reliable but is not warranted by TechTarget. This publication may contain opinions of TechTarget, which are subject to change. This publication may include forecasts, projections, and other predictive statements that represent TechTarget’s assumptions and expectations in light of currently available information. These forecasts are based on industry trends and involve variables and uncertainties. Consequently, TechTarget makes no warranty as to the accuracy of specific forecasts, projections or predictive statements contained herein.

Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of TechTarget, is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact Client Relations at cr@esg-global.com.

About Enterprise Strategy Group

TechTarget’s Enterprise Strategy Group provides focused and actionable market intelligence, demand-side research, analyst advisory services, GTM strategy guidance, solution validations, and custom content supporting enterprise technology buying and selling.

www.esg-global.com | contact@esg-global.com