
SASE + Microsegmentation = Zero Trust

Published May 29, 2025


In early 2025 Gartner identified two technologies that, when combined, deliver a complete zero trust architecture: microsegmentation and Secure Access Service Edge (SASE) (see Gartner, Strategic Roadmap for Zero Trust Implementation, 2025).

In this short post we explain why SASE alone is not enough, and why a truly comprehensive Zero Trust architecture requires combining SASE with microsegmentation.

SASE: An Incomplete Zero Trust Strategy

SASE controls access at the edge: it verifies that users and devices are authenticated and authorised before they reach network resources. Once a session has been admitted, however, the authenticated user is treated as trusted. That is a big assumption. If a legitimate device or account has been compromised, SASE has no mechanism of its own to stop the threat actor from escalating the attack from that foothold.

SASE was never designed to stop lateral movement. A compromised account with valid credentials can traverse the network, take control of more devices and accounts, access sensitive data and disrupt operations, all while staying under the radar of traditional SASE enforcement.

Some SASE implementations route all traffic between clients and servers through a reverse proxy. It is a mistake to treat such a proxy as equivalent to microsegmentation. Reverse proxies do improve security (at the cost of added latency), but they cannot detect every attack, mainly because SASE proxies have limited visibility into administrative protocols such as RDP, RPC and SMB, which are commonly abused in ransomware attacks.

In addition, if an attacker exploits a vulnerability at the network or transport layer, a SASE proxy—which operates primarily at higher layers—may miss the malicious payload entirely.

Better Together: SASE and Microsegmentation

To implement Zero Trust fully, SASE must be paired with microsegmentation at the network level, covering every protocol in use on the network, and especially administrative protocols such as RDP and SSH. A true microsegmentation solution enforces least-privilege permissions for all network devices and identities, so that any connection not explicitly permitted is denied. This stops lateral movement and keeps a threat actor who has compromised one device or account from moving further inside the network or escalating the attack. Zero Trust is not just about who gets in; it is about what they can do once they are inside. Trust nothing. Verify everything. Always.
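The following is an added example, not code from this post or from any SASE or microsegmentation product, that makes the two checks discussed above concrete. It models the edge question ("is this identity authenticated?") separately from the segmentation question ("may this device and identity reach that device on that port?"), then computes the lateral-movement surface a compromised but validly authenticated account has with and without segmentation. Every host name, role, identity, port set and rule in it is constructed for the illustration.

```python
# Added example (not from the post or any vendor): a toy policy engine that
# contrasts the edge (SASE/ZTNA) check with a default-deny microsegmentation
# check. Hosts, roles, identities and rules below are all constructed.
from dataclasses import dataclass

RDP, SSH, SMB = 3389, 22, 445


@dataclass(frozen=True)
class Flow:
    src_host: str       # device initiating the connection
    src_identity: str   # identity the edge already authenticated on that device
    dst_host: str
    dst_port: int


# Constructed inventory: device -> role label that the rules refer to.
ROLES = {
    "ws-alice": "workstation",
    "ws-bob": "workstation",
    "jump-01": "admin-jump",
    "fs-01": "file-server",
    "db-01": "database",
}

# Constructed least-privilege rules: (source role, identities allowed or None
# for any identity, destination role, permitted destination ports).
# Anything not matched by a rule is denied.
RULES = [
    ("workstation", None,          "file-server", {SMB}),       # users reach file shares
    ("workstation", {"svc-admin"}, "admin-jump",  {RDP, SSH}),  # admins hop via the jump host
    ("admin-jump",  {"svc-admin"}, "file-server", {RDP, SSH}),
    ("admin-jump",  {"svc-admin"}, "database",    {SSH}),
]


def edge_admits(identity: str, authenticated: set) -> bool:
    """Edge check only: a valid, authenticated identity passes. It says nothing
    about where that identity may go afterwards."""
    return identity in authenticated


def segmentation_allows(flow: Flow) -> bool:
    """Default-deny evaluation of one flow against the role/identity/port rules."""
    src_role, dst_role = ROLES.get(flow.src_host), ROLES.get(flow.dst_host)
    for s_role, identities, d_role, ports in RULES:
        if (s_role, d_role) == (src_role, dst_role) and flow.dst_port in ports:
            if identities is None or flow.src_identity in identities:
                return True
    return False


def evaluate(flow: Flow, authenticated: set) -> str:
    """Combined decision: the edge decides who gets in, segmentation decides
    what the admitted identity can reach."""
    if not edge_admits(flow.src_identity, authenticated):
        return "denied-at-edge"
    if not segmentation_allows(flow):
        return "denied-by-segmentation"
    return "allowed"


ADMIN_PORTS = (RDP, SSH, SMB)


def reachable(src_host: str, identity: str, segmented: bool) -> set:
    """Lateral-movement surface for an attacker holding `identity` on `src_host`:
    every (destination, admin port) pair a connection could be opened to.
    segmented=False models an edge that admitted the identity with nothing
    further restricting it; segmented=True also applies the rules per flow."""
    surface = set()
    for dst in ROLES:
        if dst == src_host:
            continue
        for port in ADMIN_PORTS:
            if not segmented or segmentation_allows(Flow(src_host, identity, dst, port)):
                surface.add((dst, port))
    return surface


if __name__ == "__main__":
    authenticated = {"alice", "svc-admin"}  # both passed the edge check
    # A compromised, fully authenticated user on a workstation tries to RDP to a
    # neighbour: the edge sees a valid login, segmentation blocks the hop.
    hop = Flow("ws-alice", "alice", "ws-bob", RDP)
    print(hop, "->", evaluate(hop, authenticated))
    print("surface, edge only:", sorted(reachable("ws-alice", "alice", segmented=False)))
    print("surface, segmented:", sorted(reachable("ws-alice", "alice", segmented=True)))
```

Run stand-alone, the script shows the compromised workstation account being admitted at the edge yet denied by segmentation, and its admin-protocol reach shrinking from every other host on every admin port to a single file-share flow. The same `reachable` function is the check a practitioner would run against a real policy set before trusting it: if a plain user identity on a workstation can reach anything on RDP, SSH or SMB beyond what its job requires, the policy is not least privilege yet.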

See for yourself how modern microsegmentation can accelerate your Zero Trust journey – take a self-guided product tour.