
Enterprise Network Security 2026: SASE, ZTNA & NDR Guide

Enterprise network security guide 2026. Microsegmentation, NGFW, SASE/SSE, ZTNA and NDR with NIST, ENISA and INCIBE data.

Alfons Marques
[Figure: Enterprise network security architecture diagram showing protection layers: microsegmentation, SASE and ZTNA]


The global SASE (Secure Access Service Edge) market will reach $15.54 billion in 2026, with a compound annual growth rate of 29% according to Gartner. In parallel, 65% of large enterprises plan to replace their corporate VPNs with ZTNA solutions before the end of the year, according to the same source. These figures reflect a structural shift in enterprise network security: the traditional perimeter no longer exists, and the tools designed to protect it are no longer sufficient.

Today's corporate networks are hybrid, distributed, and multicloud. Employees work from any location, applications are hosted across multiple cloud providers, and IoT devices connect directly to the operational network. In this context, relying on a perimeter firewall as the primary line of defense is the equivalent of defending a city that has no walls by guarding a single gate.

This guide provides a practical network security architecture organized across six layers: microsegmentation, next-generation firewalls (NGFW), SASE/SSE, ZTNA, NDR, and specific controls for hybrid environments. Each section includes selection criteria, implementation steps, and references to recognized standards. For broader context on your overall cybersecurity strategy, see our comprehensive enterprise cybersecurity guide.

The Network Perimeter No Longer Exists

For decades, network security was built on the castle-and-moat model: a clearly defined boundary between the trusted internal network and the hostile outside world. Perimeter firewalls, DMZs, and VPNs were the primary defenses. This model worked reasonably well when all employees worked from corporate offices and all applications resided in company-owned data centers.

Three forces have dismantled that perimeter. First, the mass adoption of cloud: workloads no longer reside in a single data center but are distributed across AWS, Azure, GCP, and on-premise environments. Second, remote and hybrid work, which has turned every home and coffee shop into an extension of the corporate network. Third, the proliferation of IoT and OT devices connecting to the network with limited operating systems and minimal security capabilities.

The Verizon DBIR 2025 report documents that 30% of security breaches originate from third parties with access to the corporate network. A vendor, contractor, or partner with legitimate VPN credentials accessing from a compromised device represents a direct attack vector that the perimeter firewall cannot detect.

The fundamental problem with flat networks is lateral movement. Once an attacker gains initial access — whether through phishing, stolen credentials, or exploiting a vulnerability — a network without segmentation allows them to move freely between servers, databases, and critical systems. According to ENISA Threat Landscape 2025, the average time from initial access to data exfiltration has shrunk to hours in sophisticated attacks, while detection still takes days or weeks. The only way to stop that lateral movement is to design the network so that each segment is isolated and every communication requires explicit authorization.

Network Microsegmentation: The Foundation of Defense in Depth

Microsegmentation divides the network into granular security zones where each workload, application, or service operates in an isolated segment with specific access policies. Unlike traditional segmentation based on VLANs and subnets, microsegmentation applies controls at the level of individual workloads, regardless of their location in the network.

Macrosegmentation vs. microsegmentation. Macrosegmentation divides the network into broad zones: production, development, DMZ, users. Microsegmentation goes further: within the production zone, each application or group of services has its own virtual perimeter. A web server can only communicate with its corresponding application server, which in turn only accesses the database it needs. If an attacker compromises the web server, they cannot reach other databases or other services in the same zone.

CIS Controls v8, Control 12 (Network Infrastructure Management), establishes segmentation as a fundamental measure for limiting the scope of an incident. NIST SP 800-207 considers it an essential component of Zero Trust architecture.

Implementation in five steps.

  1. Map east-west traffic. Before segmenting, it is essential to understand how workloads communicate with each other. Traffic analysis tools generate a dependency map that reveals legitimate communications and, frequently, unexpected flows that represent risk.
  2. Define policies by data classification. Segmentation zones must align with the sensitivity of the data they process. Systems handling financial data, personal data, or intellectual property require segments with more restrictive controls.
  3. Deploy via SDN or host agents. Microsegmentation can be deployed at the network level via SDN (Software-Defined Networking) or at the host level via agents installed on each workload. The agent-based approach offers greater granularity and works across multicloud environments.
  4. Test with lateral movement simulation. Before enabling policies in blocking mode, verify that the rules do not interrupt legitimate communications and that they effectively prevent unauthorized lateral movement.
  5. Monitor continuously. Microsegmentation policies must evolve with the infrastructure. New services, dependency changes, and updates require periodic review of the rules.
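The mapping and testing steps above, as an added example that is not part of the original guide: observed east-west flows are checked against a segment-level allow-list (what blocking mode would drop), and the policy is then walked hop by hop to see how far an attacker on a compromised web server could move. The hostnames, segments, ports and flows are constructed for illustration.

```python
"""Added example (not from the original guide): checking a microsegmentation
allow-list against observed east-west flows before switching to blocking mode,
and estimating how far lateral movement could reach under that policy.

Assumptions (all constructed): a three-tier application with web, app and db
segments plus a separate HR zone; flows recorded as (src, dst, dst_port, proto);
a policy that allows only web->app:8443/tcp and app->db:5432/tcp, everything
else implicitly denied.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port proto")

# Workload-to-segment mapping (in practice from agent tags or a CMDB).
SEGMENT_OF = {
    "web-01": "web", "web-02": "web",
    "app-01": "app", "app-02": "app",
    "db-01": "db",
    "hr-db-01": "hr",
}

# Allow rules as (src_segment, dst_segment, dst_port, proto); implicit deny otherwise.
POLICY = {
    ("web", "app", 8443, "tcp"),
    ("app", "db", 5432, "tcp"),
}

# East-west flows captured during the mapping phase (step 1).
OBSERVED_FLOWS = [
    Flow("web-01", "app-01", 8443, "tcp"),    # legitimate
    Flow("web-02", "app-02", 8443, "tcp"),    # legitimate
    Flow("app-01", "db-01", 5432, "tcp"),     # legitimate
    Flow("web-01", "db-01", 5432, "tcp"),     # web tier reaching the DB directly
    Flow("app-02", "hr-db-01", 1433, "tcp"),  # app tier reaching into the HR zone
    Flow("web-02", "web-01", 22, "tcp"),      # intra-segment SSH
]

def is_allowed(flow, policy=POLICY, segment_of=SEGMENT_OF):
    """True only if the flow matches an explicit allow rule."""
    src_seg, dst_seg = segment_of.get(flow.src), segment_of.get(flow.dst)
    if src_seg is None or dst_seg is None:
        return False   # unknown workload: deny, and fix the inventory first
    return (src_seg, dst_seg, flow.port, flow.proto) in policy

def evaluate(flows, policy=POLICY, segment_of=SEGMENT_OF):
    """Split flows into those the policy allows and those blocking mode would drop (step 4)."""
    allowed, violations = [], []
    for flow in flows:
        (allowed if is_allowed(flow, policy, segment_of) else violations).append(flow)
    return allowed, violations

def reachable_from(start, policy=POLICY, segment_of=SEGMENT_OF):
    """Workloads an attacker on `start` could reach, hop by hop, using only allowed flows."""
    reachable, frontier = set(), [start]
    while frontier:
        host = frontier.pop()
        for other in segment_of:
            if other in reachable or other == start:
                continue
            if any(is_allowed(Flow(host, other, port, proto), policy, segment_of)
                   for (_, _, port, proto) in policy):
                reachable.add(other)
                frontier.append(other)
    return reachable

if __name__ == "__main__":
    allowed, violations = evaluate(OBSERVED_FLOWS)
    print(f"{len(allowed)} allowed, {len(violations)} would be blocked:")
    for v in violations:
        print("  ", v)
    print("reachable from web-01:", sorted(reachable_from("web-01")))
```

Running the check in this order, observe first and enforce afterwards, is what keeps the switch to blocking mode from breaking the three legitimate flows while still dropping the three that cross tiers or zones.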

In the financial sector, microsegmentation is particularly relevant for PCI DSS 4.0 compliance, which requires isolating the cardholder data environment (CDE) from the rest of the corporate network. Proper microsegmentation significantly reduces the PCI DSS compliance scope and, by extension, the cost of audits.

Next-Generation Firewalls (NGFW)

Next-generation firewalls (NGFW) go beyond the capabilities of a traditional firewall by integrating functions that previously required separate devices. An NGFW combines stateful packet filtering, deep packet inspection (DPI), an intrusion prevention system (IPS), encrypted TLS traffic inspection, user and application identification, and integration with threat intelligence feeds.

| Dimension | Traditional Firewall | NGFW |
| --- | --- | --- |
| Inspection | Packet headers (L3/L4) | Full content (L7) |
| Identification | IP and port | User, application, context |
| Intrusion prevention | Requires separate device | Integrated IPS/IDS |
| Encrypted traffic | Not inspected | TLS decryption and inspection |
| Threat intelligence | Manual, signature-based | Automatic, real-time |

IDS vs. IPS: a necessary clarification. An IDS (Intrusion Detection System) detects and alerts on suspicious activity but does not block it. An IPS (Intrusion Prevention System) detects and automatically blocks it. Modern NGFWs integrate IPS with the ability to operate in IDS mode when visibility without blocking is required during testing phases.

However, an NGFW alone does not constitute a complete network security strategy. The NGFW protects the network's entry and exit points (north-south traffic), but does not control internal communications (east-west traffic) where microsegmentation is essential. Furthermore, in an environment where users access cloud applications directly without going through the corporate network, the perimeter NGFW does not even see that traffic. This is where ZTNA and SASE complete the architecture.

NGFW selection criteria. When evaluating solutions, the three most relevant metrics are: real-world performance with all inspection functions enabled (not just raw throughput), the IPS false positive rate (which determines the operational load on the security team), and the ability to natively integrate with the corporate SIEM for event correlation.

SASE and SSE: The Convergence of Networking and Security

SASE (Secure Access Service Edge), a concept defined by Gartner in 2019, represents the convergence of networking functions (SD-WAN) and security functions (SWG, CASB, ZTNA, FWaaS) into a unified service delivered from the cloud. According to Gartner, 60% of enterprises with an SD-WAN strategy will have migrated to a full SASE architecture by the end of 2026.

The five components of SASE.

  • SD-WAN (Software-Defined Wide Area Network). Intelligent WAN traffic management that optimizes performance and reduces costs compared to MPLS. Incorporates traffic encryption, segmentation, and dynamic path selection based on application policies.
  • SWG (Secure Web Gateway). Inspection of outbound web traffic to block access to malicious sites, filter content, and enforce acceptable use policies. Replaces traditional web proxies.
  • CASB (Cloud Access Security Broker). Visibility and control over cloud application (SaaS) usage. Detects shadow IT, applies DLP policies in cloud applications, and monitors anomalous user activity.
  • ZTNA (Zero Trust Network Access). Secure remote access based on identity and context, without exposing the underlying network. Detailed in the next section.
  • FWaaS (Firewall as a Service). Firewall functionality delivered from the cloud, applying security policies to traffic regardless of user location.

SASE vs. SSE. SSE (Security Service Edge) is the security subset of SASE, without the SD-WAN component. Organizations that already have a significant investment in WAN infrastructure can adopt SSE to gain cloud security capabilities (SWG, CASB, ZTNA, FWaaS) without replacing their existing connectivity solution.

SD-WAN security. At remote sites, SD-WAN integrates IPsec/TLS encryption across all tunnels, per-application traffic segmentation, and — in more advanced deployments — integrated NGFW functionality in the branch device. This eliminates the need to backhaul all remote office traffic to the central data center for inspection, reducing latency and improving the user experience.

| Criterion | On-Premise Architecture | SASE Architecture |
| --- | --- | --- |
| Latency for remote users | High (backhauling to datacenter) | Low (PoP close to user) |
| Operational complexity | High (multiple devices) | Medium (unified console) |
| Scalability | Requires additional hardware | Elastic, on demand |
| Cost model | High CAPEX + maintenance | Predictable OPEX |
| Security for direct cloud access | Limited | Native |

SASE migration should be approached incrementally. A common approach starts with ZTNA to replace the VPN, adds SWG and CASB for cloud traffic control, and finally integrates SD-WAN to optimize WAN connectivity. Our cybersecurity consulting team supports organizations through each phase of this transition.

ZTNA: The Definitive Replacement for the Corporate VPN

65% of large enterprises plan to replace their VPNs with ZTNA solutions during 2026, according to Gartner. The reasons are both security-related and operational: traditional VPNs have structural vulnerabilities that ZTNA resolves by design.

Risks of the traditional VPN. A corporate VPN grants users full access to the internal network once authenticated. If the user's credentials are compromised, or if their device is infected, the attacker gains the same access as a legitimate employee: visibility into all network resources. Furthermore, VPN platforms themselves are frequent targets of attack. CVEs published against major VPN vendors in 2024 and 2025 demonstrate that VPN concentrators exposed to the internet represent a significant attack surface.

How ZTNA works. ZTNA (Zero Trust Network Access) inverts the access model. Instead of connecting the user to the network and allowing them to browse it, ZTNA establishes an encrypted tunnel between the user and only the specific application or resource they need. The underlying network remains invisible. Each session requires identity verification, device health assessment, and access context validation. There is no implicit access: every resource requires explicit authorization.

NIST SP 800-207 (Zero Trust Architecture) defines the fundamental principles of this model: continuous verification, least privilege, assumed breach, and access decisions based on multiple signals (identity, device, location, behavior).

Two deployment models. ZTNA as a Service (ZTNAaaS) is deployed from the provider's cloud, with no additional on-premise infrastructure. It is the most common option and offers the shortest implementation time. On-premise ZTNA deploys control components on the organization's own infrastructure, offering greater control but requiring more management resources. Many organizations opt for a hybrid approach.

| Dimension | Traditional VPN | ZTNA |
| --- | --- | --- |
| Access model | Full network after authentication | Specific resource per session |
| Network visibility | Full for the user | Hidden |
| Verification | Once, at connection | Continuous throughout the session |
| Attack surface | Exposed VPN concentrator | No exposed infrastructure |
| Lateral movement | Possible | Prevented by design |
| Scalability | Limited by hardware | Elastic in the cloud |

Implementation prerequisites. ZTNA requires two prior capabilities that many organizations underestimate. First, robust multi-factor authentication (MFA): without MFA, ZTNA loses its strong verification capability. Second, a complete and up-to-date device inventory: ZTNA assesses device health on every access, which requires knowing which devices are authorized and what their minimum acceptable security configuration is.
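The per-resource, per-session decision described in this section, as an added example that is not part of the original guide: each request is evaluated against identity, MFA, device inventory, device posture and location, and re-evaluating the same request after the device's posture changes shows why continuous verification differs from a one-time VPN login. The resources, groups, device IDs and compliance criteria are constructed.

```python
"""Added example (not from the original guide): a per-resource ZTNA access
decision that evaluates identity, MFA, device posture and context on every
request, so that a change in device health mid-session revokes access.

Assumptions (all constructed): three resources with group, country and
device-compliance requirements; an authorized-device inventory; a device is
compliant when patched, running EDR and disk-encrypted. Anything not matched
by a rule is denied.
"""
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    os_patched: bool
    edr_running: bool
    disk_encrypted: bool

@dataclass
class Request:
    user: str
    groups: set
    mfa_verified: bool
    device: Device
    country: str
    resource: str

# Per-resource policy; None means no country restriction.
RESOURCE_POLICY = {
    "hr-payroll": {"groups": {"hr"}, "countries": {"ES", "PT"}, "require_compliant": True},
    "git-server": {"groups": {"dev", "ops"}, "countries": None, "require_compliant": True},
    "wiki": {"groups": {"employees"}, "countries": None, "require_compliant": False},
}

# Device inventory (the second prerequisite in the text): only these IDs may connect.
AUTHORIZED_DEVICES = {"LT-0042", "LT-0077"}

def device_compliant(device):
    return device.os_patched and device.edr_running and device.disk_encrypted

def ztna_decide(req):
    """Return (allowed, reasons). Every signal must pass; nothing is implicit."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, ["unknown resource: implicit deny"]
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa required")
    if req.device.device_id not in AUTHORIZED_DEVICES:
        reasons.append("device not in inventory")
    elif policy["require_compliant"] and not device_compliant(req.device):
        reasons.append("device posture not compliant")
    if not (req.groups & policy["groups"]):
        reasons.append("user lacks required group")
    if policy["countries"] and req.country not in policy["countries"]:
        reasons.append("access from disallowed country")
    return (not reasons), (reasons or ["all signals satisfied"])

def vpn_decide(req):
    """Legacy contrast: one authentication, then the whole network is reachable."""
    return req.mfa_verified, ["whole network reachable after authentication"]

if __name__ == "__main__":
    laptop = Device("LT-0042", os_patched=True, edr_running=True, disk_encrypted=True)
    req = Request("ana", {"hr", "employees"}, True, laptop, "ES", "hr-payroll")
    print("initial:", ztna_decide(req))
    laptop.edr_running = False       # posture changes during the session
    print("re-evaluated:", ztna_decide(req))
    print("vpn model:", vpn_decide(req))
```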

NDR: Detection and Response at the Network Layer

The NDR (Network Detection and Response) market will reach $3.68 billion in 2026, with 9.6% annual growth according to market estimates. This growth reflects an operational reality: organizations need visibility into what is happening inside their network, not just at entry and exit points.

The detection gap. SIEMs aggregate and correlate logs from multiple sources, but depend on devices generating the right events and correlation rules being well defined. NDR operates differently: it analyzes network traffic in real time, without relying on logs, and uses machine learning models to establish baselines of normal behavior and detect deviations that indicate malicious activity.

How NDR works. NDR sensors are deployed at strategic points in the network to capture and analyze traffic. Machine learning algorithms build a normal behavior profile for each network segment, each server, and each communication pattern. When a server that normally communicates only with three internal services initiates connections to an external IP or begins scanning ports in other segments, the system generates a high-priority alert.

Sensor placement. Effective coverage requires sensors at three points. North-south traffic (between the internal network and the internet) to detect communications with command-and-control servers, data exfiltration, and connections to malicious domains. East-west traffic (internal communications) to identify lateral movement, internal network scanning, and malware propagation. Cloud environment network flows (VPC Flow Logs in AWS, NSG Flow Logs in Azure) to extend visibility to cloud workloads.
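The baseline-and-deviation logic described above, as an added example that is not part of the original guide: a per-host profile is learned from flow records taken during a window believed clean, and new flows are checked for the two behaviours the text names, a server contacting an external peer it has never used and a server sweeping hosts and ports in another segment. Flow records, addresses, segment convention and thresholds are constructed.

```python
"""Added example (not from the original guide): a minimal behavioural
baseline of the kind an NDR sensor builds, run over constructed flow records.

Assumptions: flows are (ts_seconds, src_ip, dst_ip, dst_port); the internal
range is 10.0.0.0/8 and the second octet identifies the segment; the baseline
is learned from a window believed clean. Two behaviours from the text are
modelled: a server contacting an external peer it never used before, and a
server touching many distinct host/port pairs in another segment within one
minute (scan-like behaviour). Thresholds are illustrative.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")
SCAN_THRESHOLD = 10      # distinct (host, port) targets in a foreign segment per window
WINDOW_SECONDS = 60

def segment(ip):
    """Segment id (second octet) for an internal address, None for external."""
    return int(ip.split(".")[1]) if ip_address(ip) in INTERNAL else None

def learn_baseline(training_flows):
    """Per source host, the set of external peers seen during the clean window."""
    baseline = defaultdict(set)
    for _, src, dst, _ in training_flows:
        if segment(dst) is None:
            baseline[src].add(dst)
    return baseline

def detect(baseline, flows):
    """Return a list of (alert_type, src, detail) tuples, one per distinct finding."""
    alerts = []
    seen_new_peers = set()
    scan_buckets = defaultdict(set)   # (src, window, dst_segment) -> {(dst, port)}
    for ts, src, dst, port in flows:
        dst_seg = segment(dst)
        if dst_seg is None:
            if dst not in baseline.get(src, set()) and (src, dst) not in seen_new_peers:
                seen_new_peers.add((src, dst))
                alerts.append(("new-external-peer", src, dst))
        elif dst_seg != segment(src):
            scan_buckets[(src, ts // WINDOW_SECONDS, dst_seg)].add((dst, port))
    for (src, _, dst_seg), targets in scan_buckets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(("cross-segment-scan", src, f"segment {dst_seg}"))
    return alerts

# Constructed clean window: app server 10.1.0.5 talks to its DB, DNS and one update mirror.
TRAINING_FLOWS = [
    (100, "10.1.0.5", "10.2.0.20", 5432),
    (110, "10.1.0.5", "10.1.0.11", 53),
    (120, "10.1.0.5", "203.0.113.7", 443),
]

# Constructed detection window: the same server reaches a never-seen external host
# and touches port 445 on twelve hosts in segment 3 within a few seconds.
DETECTION_FLOWS = [
    (1000, "10.1.0.5", "203.0.113.7", 443),     # known peer, no alert
    (1001, "10.1.0.5", "198.51.100.4", 443),    # never-seen external peer
    (1002, "10.1.0.5", "198.51.100.4", 443),    # repeat, deduplicated
    (1005, "10.1.0.5", "10.2.0.20", 5432),      # normal cross-segment DB traffic
] + [(1100 + i, "10.1.0.5", f"10.3.0.{i + 1}", 445) for i in range(12)]

if __name__ == "__main__":
    for alert in detect(learn_baseline(TRAINING_FLOWS), DETECTION_FLOWS):
        print(alert)
```

A production sensor adds many more features (byte volumes, timing, TLS metadata) and tunes thresholds per segment, but the shape is the same: learn what normal looks like for each host, then alert on deviations rather than on signatures.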

NDR and SIEM: complementary, not substitutes. NDR provides visibility into network traffic that the SIEM does not capture: encrypted communications analyzed by metadata, non-standard protocols, and behavioral patterns that do not generate logs. The SIEM, in turn, correlates events from endpoints, applications, identities, and the network in a unified view. Integrating both offers the most comprehensive detection coverage.

NDR's analytical capability benefits directly from advances in artificial intelligence. Anomaly detection models improve with data volume, and organizations that integrate NDR with their artificial intelligence solutions achieve detection capabilities significantly superior to those based on static rules.

Network Security in Hybrid and Multicloud Environments

Most organizations operate in hybrid environments where workloads are distributed across on-premise infrastructure, one or more public cloud providers, and in many cases edge computing. This reality introduces three specific network security challenges that did not exist in centralized architectures.

Challenge 1: east-west traffic in the cloud. Communications between services within the same cloud provider or between cloud regions are invisible to on-premise network security controls. A perimeter firewall does not see traffic between two EC2 instances in AWS or between two Kubernetes pods in GKE. Without specific controls for this traffic, an attacker who compromises a cloud workload can move laterally without restriction.

Challenge 2: cloud interconnections. Connections between cloud providers (peering), between cloud and on-premise (site-to-site VPN, ExpressRoute, Direct Connect), and between cloud and partners (APIs) create interconnection points that require specific security policies. Each interconnection is a potential point of failure and a vector for incident propagation.

Challenge 3: encrypted traffic. More than 90% of web traffic is currently encrypted with TLS. While encryption protects confidentiality, it also hides traffic content from inspection tools. Attackers use encrypted channels for command-and-control communication and data exfiltration, knowing that many organizations do not inspect this traffic.

Controls for hybrid environments. Cloud-native microsegmentation (Security Groups in AWS, Network Security Groups in Azure, firewall rules in GCP) must be complemented with third-party solutions that provide unified visibility and policies in multicloud environments. Each provider's native tools are effective within their own ecosystem but do not offer a consolidated view or consistent policies across providers.

Interconnection policies must follow the principle of least privilege: each connection between environments only allows strictly necessary traffic, with mandatory encryption and anomaly monitoring. TLS inspection must be applied selectively, prioritizing higher-risk connections while respecting privacy implications and performance impact.

The NIS2 Directive establishes explicit requirements on the security of interconnections with third parties and cloud providers, requiring organizations to assess and manage the risk of these connection points. Organizations operating in multicloud environments need a specialist cloud and DevOps partner that integrates network security into cloud architecture design from the outset, not as an afterthought.

Roadmap: How to Strengthen Network Security

Before investing in technology, every IT leader should answer five diagnostic questions about the current state of their network security.

  1. Can a user with VPN access reach systems they do not need for their work? If yes, the network lacks adequate segmentation.
  2. Do you have visibility into communications between internal workloads (east-west traffic)? If not, lateral movement will go undetected.
  3. Do you know how many SaaS applications your employees use without authorization (shadow IT)? If not, you urgently need a CASB.
  4. Does your firewall inspect encrypted TLS traffic? If not, more than 90% of web traffic passes through your controls uninspected.
  5. Do you have an up-to-date inventory of all devices accessing the corporate network? Without an inventory, ZTNA and any device-based control will be ineffective.

Priority matrix by organization size.

Small organization (fewer than 250 employees). Priority: NGFW with IPS enabled, ZTNA to replace the VPN, and basic NDR for network visibility. These three measures provide significant protection with manageable investment and operational complexity.

Mid-size organization (250–2,000 employees). Priority: microsegmentation by sensitivity zone, full ZTNA, progressive migration to SASE, and NDR with SIEM integration. Network segmentation and traffic visibility are critical at this scale due to the larger attack surface.

Large organization (more than 2,000 employees). Priority: full SASE architecture, advanced workload-level microsegmentation, NDR with north-south and east-west coverage, and specific controls for multicloud environments and third-party interconnections. The complexity of the environment requires an integrated architecture with centralized policy management.

Regardless of size, organizations subject to NIS2 should keep in mind that the first audit deadline is 30 June 2026. Implementing network security controls is a process that takes months of planning, deployment, and fine-tuning. Organizations that have not yet begun planning face very tight timelines.

Conclusion

Enterprise network security in 2026 demands a layered architecture where each control complements the others: microsegmentation to limit lateral movement, NGFW for deep traffic inspection, SASE/SSE to protect access from any location, ZTNA to eliminate the inherent vulnerabilities of VPN, NDR to detect threats that evade preventive controls, and specific policies for hybrid and multicloud environments.

None of these technologies solves the problem in isolation. Their value lies in coherent integration within a security strategy that adapts to each organization's reality: its size, sector, maturity level, and regulatory requirements.

At Technova Partners, we help organizations design and implement network security architectures tailored to their specific context. From initial assessment to operational deployment, our team brings technical expertise and regulatory knowledge so that network security becomes a business enabler, not a barrier.

Ready to assess your corporate network security? Request a network security assessment and receive a clear diagnosis with prioritized recommendations for your organization.


Digital transformation consultant and founder of Technova Partners. Specializes in helping businesses implement digital strategies that generate measurable and sustainable business value.
