SASE, SSE, Zero Trust, ZTNA: getting the terminology right

Four terms routinely conflated in RFPs, design docs, and vendor marketing. Their scope, when Gartner/Forrester defined them, how to use each correctly, and a decision tree.

Figure: untangling SASE, SSE, Zero Trust and ZTNA. Nested scope diagram, the year each term was coined by Gartner/Forrester, and a decision tree for picking the right term in RFPs, design docs and vendor marketing.

TL;DR

SASE, SSE, Zero Trust, and ZTNA are not four ways of saying the same thing. They differ in scope, in when Gartner (or Forrester) defined them, and — most importantly — in which team owns them inside an organisation.

When a vendor calls itself a “SASE platform”, they are talking about network + security. When they say “SSE”, they are talking about the security layer without WAN. When they say “Zero Trust”, they are talking about a design principle — not a product. When they say “ZTNA”, they are talking about one way to implement Zero Trust for access control.

The thesis of this post:

Picking the right term determines the right budget scope, the right vendor shortlist, and the right team on the hook. Using the wrong term in a design doc or RFP drags in scope creep and internal arguments.

This is Part 2 of the Cloudflare One Handbook, establishing the vocabulary used across the rest of the series.


Who this is for

This post is written for:

  • Security engineers or architects drafting a design doc or RFP touching Zero Trust, SASE, or SSE.
  • IT leads who need to align scope between network and security teams before selecting a vendor.
  • Platform engineers reading Cloudflare, Zscaler, or Netskope documentation and getting lost in the buzzwords.
  • Consultants and sales engineers who need to explain these distinctions to non-technical stakeholders.

Reading Part 1 — What is Cloudflare One first is recommended but not required.

After this post, you will have:

  • A compact definition of each term and when it originated.
  • A scope comparison table across all four.
  • A decision tree for choosing the right word in a specific context.
  • Five common misuses to watch for.
  • A checklist to run before committing a term to an official document.

What this post does not cover

This is not a product overview of Cloudflare One, Zscaler ZIA/ZPA, or Netskope. It is not a vendor selection guide. It is not a full history of Zero Trust — that would fill a textbook.

This post is about working vocabulary. The goal is that when you sit in a meeting, read a vendor deck, or write a proposal, you pick the right word and do not have to stop to explain it.


Why the distinction matters

The concern sounds pedantic. In real enterprise projects, mixing these terms produces concrete consequences:

  • Wrong scope. An RFP that asks for a “SASE solution” attracts vendors pitching SD-WAN, network transformation, and a long list of capabilities the network team never asked for. If the actual need is a VPN and SWG replacement, the right term is “SSE” or “ZTNA + SWG” — smaller scope, clearer budget, shorter timeline.
  • Wrong shortlist. “Zero Trust vendor” is a meaningless category. Okta, Cloudflare, Zscaler, and CrowdStrike all call themselves Zero Trust vendors while solving entirely different layers. “ZTNA vendor” produces a shortlist that makes sense.
  • Unclear ownership. A “SASE project” leaves open the question of whether it belongs to the network team or the security team. There is no correct answer, which is why these projects stall. An “SSE project” is security-owned by default, with network in a supporting role.
  • Misread design docs. A junior engineer reading “we are implementing Zero Trust” expects to find a product in the dashboard. When they can’t, they open a ticket. Zero Trust is a concept, not a SKU.

Each of these happens regularly enough in practice to cost security and platform teams a measurable amount of time.


Concepts — compact definitions

The four terms, ordered by when Gartner or Forrester first defined them:

Timeline: Zero Trust 2010 (Forrester), ZTNA 2016, SASE 2019, SSE 2021 (Gartner)

Zero Trust (2010, popularised 2014)

A security model built on the principle “never trust, always verify”. No user, device, or network is trusted by default. Every request is evaluated against signals: identity, device posture, context, resource sensitivity.

Zero Trust originated at Forrester (2010, John Kindervag), not Gartner. Gartner later adopted and extended the concept.

Zero Trust is not a product. It is a design philosophy. You do not “buy Zero Trust” — you design a stack around Zero Trust principles and use several products to realise it.

SASE (Gartner, 2019)

Secure Access Service Edge. An architecture that combines network (SD-WAN, WAN optimisation) and security (SWG, CASB, ZTNA, FWaaS) on a cloud-native platform delivered from an edge network instead of backhauling through a datacentre.

SASE is the architectural answer to work-from-anywhere: rather than route traffic to a fixed perimeter, enforce policy at an edge close to the user.

Gartner’s original SASE definition includes five core capabilities:

  1. SD-WAN
  2. SWG (Secure Web Gateway)
  3. CASB (Cloud Access Security Broker)
  4. ZTNA (Zero Trust Network Access)
  5. FWaaS (Firewall as a Service)

SSE (Gartner, 2021)

Security Service Edge. The security slice of SASE, carved out because many organisations want the security layer without touching WAN.

Gartner defines SSE with four capabilities:

  1. SWG
  2. CASB
  3. ZTNA
  4. FWaaS (vendor-dependent)

Put simply: SSE = SASE − SD-WAN.

Why the split? Replacing SD-WAN is an expensive project that requires sign-off from multiple parties, touches the network team, and involves finance. Replacing the security stack is something the security team can drive on its own. Gartner carved out SSE so enterprises could buy the security layer without being forced into a network refresh.

ZTNA

Zero Trust Network Access. A way to apply Zero Trust principles to access control for private applications. Instead of granting users an open tunnel into the corporate network through a VPN, ZTNA grants access on a per-application basis, scoped by user group, device posture, and context.

ZTNA is one of the four capabilities inside SSE, and the primary replacement for traditional VPN.

Concrete example:

  • VPN: the user authenticates, gets routed into the full corporate network, can ping internal DNS, jump via SSH, reach file shares.
  • ZTNA: the user authenticates, gets proxied only to application X through Cloudflare Access, and never sees any other internal IP.
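To make the VPN-versus-ZTNA contrast concrete, here is an added example in Python. It is not code from the original post and not Cloudflare Access or any vendor's implementation; it is a toy policy evaluator whose resource names (app-x, internal-dns, ssh-jump, file-share), user groups and device-posture signals are all constructed. It shows the one point that matters for scope: under the VPN model a single authentication event makes every private resource routable, whereas under the ZTNA model each request is decided per application against identity, device posture and whether the app is published at all.

```python
"""Toy model of VPN (network-wide grant) vs ZTNA (per-application decision).

Added example: the resources, users, groups and policies below are
constructed for illustration and represent no real network or product.
"""
from dataclasses import dataclass, replace
from typing import Dict, Set, Tuple

# Constructed inventory of private resources behind the corporate perimeter.
PRIVATE_RESOURCES: Set[str] = {"app-x", "internal-dns", "ssh-jump", "file-share"}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group membership asserted by the identity provider
    device_managed: bool     # device posture signal
    disk_encrypted: bool     # device posture signal
    authenticated: bool      # did the identity check succeed?
    target: str              # resource the user is trying to reach


@dataclass(frozen=True)
class ZtnaPolicy:
    """Per-application rule. Apps without a policy are not published at all."""
    allowed_groups: frozenset
    require_managed_device: bool = True
    require_disk_encryption: bool = False


# Hypothetical ZTNA configuration: only app-x is published to the "eng" group.
# internal-dns, ssh-jump and file-share are deliberately left unpublished.
ZTNA_POLICIES: Dict[str, ZtnaPolicy] = {
    "app-x": ZtnaPolicy(allowed_groups=frozenset({"eng"})),
}


def vpn_reachable(req: Request) -> Set[str]:
    """VPN model: one successful login grants a tunnel into the whole network.

    The target of the request is irrelevant; every resource becomes routable.
    """
    if not req.authenticated:
        return set()
    return set(PRIVATE_RESOURCES)


def ztna_decide(req: Request, policies: Dict[str, ZtnaPolicy] = ZTNA_POLICIES) -> Tuple[str, str]:
    """ZTNA model: evaluate one request to one app against all signals.

    Returns (decision, reason). Unpublished apps are denied before identity is
    even considered, which is why the user 'never sees any other internal IP'.
    """
    policy = policies.get(req.target)
    if policy is None:
        return "deny", "not published"
    if not req.authenticated:
        return "deny", "unauthenticated"
    if not (req.groups & policy.allowed_groups):
        return "deny", "group not allowed"
    if policy.require_managed_device and not req.device_managed:
        return "deny", "unmanaged device"
    if policy.require_disk_encryption and not req.disk_encrypted:
        return "deny", "disk not encrypted"
    return "allow", "policy matched"


def ztna_reachable(req: Request, policies: Dict[str, ZtnaPolicy] = ZTNA_POLICIES) -> Set[str]:
    """What the same user can reach under ZTNA: one decision per resource."""
    return {
        resource
        for resource in PRIVATE_RESOURCES
        if ztna_decide(replace(req, target=resource), policies)[0] == "allow"
    }


def audit_record(req: Request, decision: Tuple[str, str]) -> Dict[str, object]:
    """Flatten a decision into the fields a SIEM would want for every request."""
    return {
        "user": req.user,
        "target": req.target,
        "decision": decision[0],
        "reason": decision[1],
        "device_managed": req.device_managed,
        "authenticated": req.authenticated,
    }


if __name__ == "__main__":
    alice = Request("alice", frozenset({"eng"}), True, True, True, "app-x")
    print("VPN reach :", sorted(vpn_reachable(alice)))
    print("ZTNA reach:", sorted(ztna_reachable(alice)))
    for target in sorted(PRIVATE_RESOURCES):
        req = replace(alice, target=target)
        print(audit_record(req, ztna_decide(req)))
```

Run stand-alone, the script shows the same engineer reaching all four resources through the VPN model but only app-x through the ZTNA model, with ssh-jump and file-share denied as "not published" rather than by a group check. Swapping the device to unmanaged changes the ZTNA decision for app-x but leaves the VPN grant untouched, which is the posture-signal gap the post attributes to traditional VPN.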

Scope matrix

This is the reference table to consult before committing to a term:

Dimension         | Zero Trust                        | ZTNA                           | SSE                                        | SASE
Type              | Principle                         | Product category               | Product category                           | Product category
Scope             | Every request in the organisation | Access to private apps         | Security layer (SWG + CASB + ZTNA + FWaaS) | SSE + SD-WAN
Replaces          | Old thinking                      | VPN                            | Point security products                    | Point security + network products
Includes network? | N/A                               | No                             | No                                         | Yes (SD-WAN)
Includes SWG?     | N/A                               | No                             | Yes                                        | Yes
Includes SD-WAN?  | N/A                               | No                             | No                                         | Yes
Owning team       | Cross-functional                  | Security + Identity            | Security                                   | Security + Network
Example vendors   | (no vendor)                       | Cloudflare Access, Zscaler ZPA | Cloudflare One (subset), Netskope, Zscaler | Cloudflare One (full), Cato Networks, Versa
Year defined      | Forrester 2010                    | 2016                           | 2021                                       | 2019

The columns are not ordered by scope: Zero Trust is broadest (a concept), ZTNA is narrowest (a single product category), and SSE and SASE sit between them.


Mental model — how the four terms nest

Zero Trust > SASE > SSE > ZTNA — scope narrows inward, Forrester 2010 → Gartner 2019/2021/2016

Reading inside-out:

  • ZTNA is a specific product, replacing VPN.
  • SSE aggregates ZTNA + SWG + CASB + FWaaS into a security category.
  • SASE = SSE + network (SD-WAN).
  • Zero Trust encompasses all of the above plus identity, endpoint, micro-segmentation, and data security. Zero Trust is broader than SASE.

A common mistake is assuming that buying a SASE platform equals achieving Zero Trust. It does not. SASE is a partial Zero Trust implementation at the network and access layers. Identity governance, endpoint hardening, data classification, and micro-segmentation still have to be addressed elsewhere.


Where Cloudflare One fits

Against this framework, Cloudflare One positions itself as a SASE platform:

Capability     | Cloudflare One | Product
ZTNA           | Yes            | Cloudflare Access
SWG            | Yes            | Cloudflare Gateway
CASB           | Yes            | Cloudflare CASB
DLP            | Yes            | Cloudflare DLP
FWaaS          | Yes            | Gateway + Magic Firewall
SD-WAN         | Partial        | Magic WAN
RBI            | Yes            | Browser Isolation
Email Security | Yes            | Email Security (formerly Area 1)
DEX            | Yes            | Digital Experience Monitoring

In practice, most teams adopting Cloudflare One start with an SSE subset (Access + Gateway, sometimes CASB + DLP) and only add Magic WAN when there is a real network transformation requirement. That is the pragmatic approach — buy the capability you need, not the entire umbrella.

Zscaler’s positioning is similar: ZIA + ZPA form the SSE, with Zscaler Digital Experience and adjacent features extending into SASE. Netskope’s strength is CASB and DLP, so it leads with SSE and reaches SASE through partnerships.


Decision tree — picking the right word in context

When drafting a document and unsure which term to use, walk this sequence:

Decision tree: principle → Zero Trust, product → split into ZTNA / SSE / SASE by scope

Applied examples:

  • “We are implementing Zero Trust” → correct when referring to an organisational principle. Wrong when referring to a concrete project with deliverables.
  • “We need a ZTNA solution” → correct when the goal is a VPN replacement.
  • “We need an SSE platform” → correct when the goal is consolidating security point products.
  • “We need a SASE solution” → correct when the goal includes network transformation.

Five common misuses

These are phrases that turn up in real documentation and reliably cause confusion:

1. “Zero Trust is a product”

False. Zero Trust is a concept. No SKU is named “Zero Trust”. There is ZTNA, there is Access, there is Zero Trust Network Access as a Service — but there is no “Zero Trust”.

Correct phrasing: “We are following Zero Trust principles, implemented via Cloudflare Access (ZTNA) and Gateway (SWG).”

2. “SASE is next-generation VPN”

False. Next-generation VPN is ZTNA. SASE is a much broader category covering both network and security.

Correct phrasing: “We are replacing VPN with ZTNA (Cloudflare Access). Expanding to the full security and network stack would bring us to SASE.”

3. “Buying SASE equals achieving Zero Trust”

False, as covered in the mental model section. SASE covers the network and access layer of Zero Trust; it does not cover identity governance, endpoint, data, or micro-segmentation.

Correct phrasing: “A SASE platform implements Zero Trust at the access layer. IdP, SIEM, and endpoint tooling are still required to complete the picture.”

4. “ZTNA fully replaces the firewall”

False. ZTNA replaces VPN for ingress access. Firewalls are still required for internal, east-west, and inter-segment traffic. ZTNA is an additional layer, not a replacement layer.

Correct phrasing: “ZTNA reduces dependence on VPN. Firewalls and micro-segmentation remain necessary for east-west traffic.”

5. “Vendor X is a Zero Trust vendor”

Meaningless without a qualifier. Zero Trust is a set of principles that many vendors each implement a slice of. Okta is Zero Trust identity. Cloudflare is Zero Trust access/network. CrowdStrike is Zero Trust endpoint. Every vendor owns only one layer.

Correct phrasing: “Cloudflare is a Zero Trust access vendor” — add the qualifier that names the layer.


Trade-offs — which term to use in your own documents

There are practical trade-offs when picking a term:

Context                | “Zero Trust”                   | “SASE”                   | “SSE”                                | “ZTNA”                    | Recommendation
Executive-facing title | Broad, easy buy-in             | More concrete            | Less familiar to non-security execs  | Too narrow                | Zero Trust for senior audiences, SASE/SSE for security-focused ones
RFP                    | Too broad, attracts everything | Pulls in network vendors | Focuses security vendors             | Focuses ZTNA vendors only | SSE when scope = security layer, ZTNA when scope = VPN replacement
Technical design doc   | Too abstract, needs a qualifier | Fits multi-layer projects | Fits security-only projects         | Fits a specific component | Use the narrowest accurate term
Marketing / blog       | Popular, good SEO              | Popular, good SEO        | Newer, lower search volume           | Niche, narrower audience  | Zero Trust or SASE for reach, SSE/ZTNA for precision

Rule of thumb: use the narrowest term that remains accurate. Narrow means clear scope, clear ownership, clear budget.


Beyond the four core terms, a few adjacent phrases show up in real documents:

  • Zero Trust Architecture (ZTA) — the reference architecture in NIST SP 800-207. Same concept as Zero Trust, standardised by NIST; common in compliance documentation. In practice, ZTA ≈ Zero Trust for most purposes.
  • ZTNA 2.0 — Palo Alto Networks branding for ZTNA with continuous inspection. Not a Gartner-defined term, just marketing.
  • SSE vs SASE vs SSPM vs CNAPP — SSPM (SaaS Security Posture Management) and CNAPP (Cloud Native Application Protection Platform) cover cloud workload posture, not user access. They are in a different category and not covered here.
  • Gartner Magic Quadrant for SASE / SSE — Gartner maintains separate MQs for SASE (unified from 2024) and SSE. The MQ used for shortlisting should match the project scope.

Explaining this to non-technical stakeholders

When presenting to a non-technical CFO, CIO, or legal/compliance audience, the following analogy holds up:

  • Zero Trust is the philosophy “don’t trust anyone by default, verify every time”. Like a bank’s internal security policy.
  • SASE bundles “the road” (network) and “the guards” (security) under one provider. Like switching from a separate highway operator + security firm to a single provider for both.
  • SSE is just “the guards”. The highway is still someone else’s.
  • ZTNA is a new type of guard, replacing the old gatehouse (VPN) with per-application checkpoints.

The analogy is imperfect, but it is enough to convey scope and budget to an executive audience.


Checklist — before committing a term to a document

Before writing “Zero Trust”, “SASE”, “SSE”, or “ZTNA” into a title, abstract, or any other load-bearing section:

  • Is the term defined on first use?
  • Does the term match the project scope — neither too broad nor too narrow?
  • If a vendor reads this document, will they pitch the thing you actually need?
  • If a junior engineer reads this, will they know whether this is a concept or a product?
  • Is ownership clear? (Zero Trust is cross-functional, SSE is security-led, SASE is security + network.)
  • Does the term implicitly include a capability you do not actually want? (Using “SASE” when you don’t want SD-WAN, for example.)
  • Has the term shifted in the last 12–24 months? (Gartner regularly splits and merges categories — check the latest MQ.)

If the answer to three or more questions is “no” or “not sure”, choose a narrower term or define it more carefully before publishing.


Practical lessons

A few observations after running several design docs and RFPs through these terms:

  • A “Zero Trust project” never scopes cleanly. If you are naming a project “Zero Trust Project”, rename it to “VPN Replacement Project” or “SWG Rollout Project” so it has measurable deliverables.
  • Executives prefer “Zero Trust”; engineers prefer “ZTNA”. A single document can use “Zero Trust” in the executive summary and “ZTNA” in the technical section. That is fine, as long as it is consistent.
  • A “SASE RFP” pulls in vendors you don’t need. If the requirement is SSE, write an SSE RFP. Otherwise SD-WAN vendors (Cisco, VMware, Aruba) will pitch and the qualifying process wastes cycles.
  • Terminology drift across teams. Security uses one word, network uses another, the consulting partner uses a third. Spending 15 minutes every quarter aligning vocabulary is far cheaper than the cost of the misalignment that follows.

Summary

The four terms have distinct origins and scopes — they are not synonyms:

  • Zero Trust: design principle, broadest, cross-functional.
  • SASE: platform category, bundles security and network.
  • SSE: the security subset of SASE, without network.
  • ZTNA: a product category inside SSE, replacing VPN for private application access.

The principle for writing documents: use the narrowest term that remains accurate. Narrow means clear scope, clear ownership, clear budget. Go broader only when reach matters (marketing, executive summaries) or when the scope is genuinely broad.

If a single line has to be remembered:

Zero Trust is the principle. SASE is the architecture. SSE is SASE without SD-WAN. ZTNA is the VPN replacement.

Part 3 will go deeper into the mental model Client → Identity → Policy → Resource — the framework used throughout the rest of the series to place every Cloudflare One feature into its architectural slot.


References

In this series: