Zero Trust has become a foundational concept in enterprise security, but many implementations focus on only one part of the problem: application access. Zero Trust must be enforced at multiple layers of the network.
Versa’s architecture delivers Zero Trust across three coordinated layers:
Each layer enforces trust decisions at a different stage of the connection lifecycle.
The simplest way to understand the model is to divide Zero Trust into two categories:
Network Trust
Controls whether a device or user should be allowed onto the network and what part of the network they can access.
Application Trust
Controls whether a user or device can access a specific application under current conditions.
Versa maps these directly to its architecture:
Together they form a layered Zero Trust system.
A useful way to visualize Versa’s layered security model is the two-sieve analogy.
Network trust with SD-LAN acts as the broad sieve.
It quickly filters obvious threats by:
Devices that pass through the first layer can still be restricted further.
SSE or NGFW acts as the small sieve.
This layer performs deeper inspection to determine whether a specific application should be accessible.
The combination ensures threats are filtered both broadly and precisely.
The first Zero Trust checkpoint occurs when a device connects to the network. Versa SD-LAN enforces Zero Trust at the LAN edge, determining how devices are admitted and segmented.
Key capabilities include:
Because Versa can perform full security inspection, including IPS, malware detection, AV, CASB, DLP, and other UTM functions, directly at the access switch, threats can be detected at the first switch port where traffic enters the network. This is particularly important for ransomware and other attacks that depend on lateral movement. By identifying malicious activity immediately at the network edge, Versa can isolate the compromised host through dynamic micro-segmentation before the attack spreads. In effect, the potential blast radius of a ransomware infection can be reduced from an entire subnet or branch network to a single host.
In effect, SD-LAN implements granular Zero Trust Network Access. Based on identity, device posture, and real-time risk signals (from Versa UEBA), the system places the user/device into an appropriate network micro-segment. Versa UEBA continuously calculates dynamic risk scores from multiple behavioral attributes, including application usage patterns and web browsing activity. These real-time risk signals allow SD-LAN to automatically tighten micro-segmentation or restrict access when suspicious behavior is detected.
If any of these parameters change, the device is moved dynamically to an appropriate micro-segment, which gives it access to the matching set of network resources. If required, full security inspection (UTM, URL filtering, IP reputation, malware detection, and so on) can be performed for certain high-risk micro-segments.
A user with low risk might receive normal access.
A higher-risk device may be placed into a restricted segment with limited connectivity.
This approach prevents lateral movement and protects sensitive resources inside branch, campus, and data center networks.
Once traffic leaves the branch network, Versa SSE enforces application-level Zero Trust.
This layer evaluates whether a user or device should access a particular application at that moment.
Capabilities include:
This layer answers a more precise question: Should this specific user or device access this specific application right now?
SSE delivers this capability globally, ensuring consistent policy enforcement regardless of user location.
While SSE provides centralized security, Versa’s Secure SD-WAN and integrated NGFW capabilities also play an important role.
Many Zero Trust enforcement functions can be performed locally at the branch when necessary. This includes:
Branch-level enforcement offers two important advantages:
Performance
Security decisions can be made locally without sending traffic to a cloud security point first.
Resilience
If the SSE cloud becomes temporarily unreachable, the branch still maintains strong security enforcement.
This distributed model allows organizations to apply the right inspection layer depending on traffic type, performance needs, and architecture.
Handling Special or Legacy Devices
There are scenarios where full SSE inspection is not possible or desirable, particularly for legacy or sensitive systems.
Examples include:
These devices often cannot tolerate TLS inspection or deep packet inspection.
In these cases, SD-LAN segmentation and SD-WAN security controls can enforce protection on selected traffic flows, isolating these devices while still allowing necessary communication.
This flexibility ensures Zero Trust principles can still be applied even in environments with legacy infrastructure.
| Security Function | Versa SSE | Secure SD-WAN / NGFW | Versa SD-LAN |
|---|---|---|---|
| ZTNA (User → Application) | ✔ | ✔ (branch enforcement) | ✘ |
| Identity-based application access | ✔ | ✔ | ✘ |
| TLS inspection | ✔ | ✔ | Selected traffic |
| IPS / IDS | ✔ | ✔ | Selected traffic |
| Malware protection | ✔ | ✔ | Selected traffic |
| URL filtering | ✔ | ✔ | Selected traffic |
| DLP / CASB | ✔ | ✘ | ✘ |
| Zero Trust Network Access | ✘ | ✘ | ✔ |
| 802.1X / NAC | ✘ | ✘ | ✔ |
| Dynamic segmentation | ✘ | ✘ | ✔ |
| IoT profiling and isolation | ✘ | ✔ | ✔ |
| East-west microsegmentation | ✘ | ✘ | ✔ |
| WAN path steering | ✘ | ✔ | ✘ |
| High availability / redundancy | ✘ | ✔ | ✔ |
When the full architecture is deployed, security enforcement happens in stages.
Step 1 — Device joins the network
SD-LAN enforces network trust:
Step 2 — Traffic leaves the branch
Secure SD-WAN determines the optimal path.
Step 3 — Application access is evaluated
SSE or NGFW/Secure SD-WAN enforces application trust.
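As an added illustration of the staged enforcement above (and of the dynamic micro-segmentation and branch-level fallback described earlier), the following Python models the two sieves as a policy evaluator: network trust decides the segment first, application trust decides the app second, and a change in the UEBA score re-evaluates the segment. This is not Versa's code; the segment names, the APP_POLICY rules and the risk thresholds (70 for the restricted segment, per-application risk ceilings) are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Endpoint:
    """Constructed stand-in for the identity, posture and UEBA risk signals the layers consume."""
    user: str
    role: str
    posture_ok: bool      # managed device passed NAC/posture checks
    risk_score: int       # 0 (benign) .. 100 (critical), a UEBA-style dynamic score
    legacy: bool = False  # device that cannot tolerate TLS or deep packet inspection

APP_POLICY = {  # hypothetical application-trust rules: entitled roles and the risk ceiling
    "finance-erp": {"roles": {"finance"}, "max_risk": 40},
    "wiki": {"roles": {"finance", "eng", "contractor"}, "max_risk": 70},
}

def network_segment(ep: Endpoint) -> str:
    """Stage 1 (network trust, SD-LAN): pick the micro-segment at the access port."""
    if not ep.posture_ok:
        return "quarantine"        # remediation segment only, nothing else reachable
    if ep.legacy:
        return "isolated-legacy"   # only the flows it needs; no TLS inspection applied
    if ep.risk_score >= 70:
        return "restricted"        # high UEBA risk: limited connectivity
    return f"{ep.role}-segment"    # low risk: normal role-based segment

def application_access(ep: Endpoint, app: str, sse_reachable: bool = True) -> tuple[bool, str, str]:
    """Stage 3 (application trust): may THIS user/device reach THIS app right now?
    Returns (allowed, enforcement point, reason); SSE enforces, or the branch NGFW if SSE is unreachable."""
    enforcer = "SSE" if sse_reachable else "branch-NGFW"
    rule = APP_POLICY.get(app)
    if rule is None:
        return False, enforcer, "unknown application"
    if ep.role not in rule["roles"]:
        return False, enforcer, "role not entitled"
    if ep.risk_score > rule["max_risk"]:
        return False, enforcer, f"risk {ep.risk_score} above ceiling {rule['max_risk']}"
    return True, enforcer, "allowed"

def enforce(ep: Endpoint, app: str, sse_reachable: bool = True) -> dict:
    """Layered decision: the broad sieve (network trust) runs before the fine sieve (application trust)."""
    segment = network_segment(ep)
    if segment == "quarantine":    # stopped at the first sieve; the app check never runs
        return {"segment": segment, "app_allowed": False, "enforcer": "SD-LAN", "reason": "not admitted"}
    allowed, enforcer, reason = application_access(ep, app, sse_reachable)
    return {"segment": segment, "app_allowed": allowed, "enforcer": enforcer, "reason": reason}

def on_risk_change(ep: Endpoint, new_risk: int) -> tuple[str, str]:
    """Dynamic micro-segmentation: re-evaluate the segment when the UEBA score moves."""
    return network_segment(ep), network_segment(replace(ep, risk_score=new_risk))
```

Note that a device can pass the broad sieve (risk below 70 keeps its normal segment) and still be denied a specific application whose ceiling is lower, which is the distinction between network trust and application trust the text draws.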
Versa’s layered approach delivers several advantages.
1. Branch networks enforce Zero Trust locally
Even if the cloud security layer is temporarily unavailable, segmentation and identity controls remain active.
2. IoT and unmanaged devices are protected
SD-LAN can identify and isolate devices that cannot run endpoint agents.
3. Security inspection can occur at multiple points
Traffic can be inspected:
This allows organizations to balance security, performance, and resilience.
Versa extends Zero Trust across the entire enterprise network stack:
The result is a complete Versa Zero Trust architecture where network trust and application trust work together to enforce security everywhere traffic flows.