Why it’s SASE and zero trust, not SASE vs. zero trust
Network security architectural best practices are undergoing a dramatic shift. The long-forecasted move away from perimeter protection as a primary focus of network architectures seems to finally be underway as zero trust and secure access service edge shift into the consciousness of cybersecurity professionals.
Simply put, the old network security method of using a drawbridge and moat to protect the castle doesn’t cut it nowadays. Virtualization, cloud computing and remote workers have shifted the placement of the moat, which doesn’t necessarily protect against risks from inside the castle itself.
Zero-trust network access (ZTNA) and secure access service edge (SASE) are two approaches gaining steam as organizations seek to better secure their increasingly dispersed remote workforces. Let’s look at each of these architectural approaches and how they might work together to enhance your organization’s cybersecurity posture.
What is zero-trust network access?
Zero trust, coined in 2010 by Forrester Research, applies the longstanding security principle of least privilege (POLP) to network access. It does so in a manner that doesn’t make the same assumptions about trust used in past architectures.
Specifically, the core operating principle of ZTNA is that no user or device should ever be granted access to resources based solely on location on the network. Gone are the days of granting application access based on IP addresses or other network-based criteria.
Instead, ZTNA recognizes that, in today’s operating environment, both users and sensitive data can be located anywhere: in a corporate office, at home, in the cloud or on the road. The zero-trust model replaces the network-focused access control approach with strong authentication and authorization technology that enables administrators to apply granular access controls.
Such access controls permit users to reach specific applications based on their role(s) in the organization. The controls are also instrumental in protecting the network from external risks, as well as from malicious and negligent internal threats.
A zero-trust network security approach not only simplifies network requirements, but also adapts to the flexible nature of today’s technology environment. ZTNA enables users to access services regardless of where either the user or the service sits on the network, while strictly enforcing POLP.
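The contrast the article draws between location-based and identity-based access is easiest to see in code. The following is an added illustration, not part of the original article: a toy policy evaluator with a legacy "inside the corporate subnet" rule beside a zero-trust rule that ignores source location and instead requires an authenticated user, a role entitled to that specific application, and a compliant device. The subnet, role map and sample requests are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Constructed sample data (assumptions for this example): one corporate subnet
# and a least-privilege map of which roles may reach which applications.
CORP_NET = ip_network("10.0.0.0/8")
ROLE_APPS = {
    "finance": {"ledger", "payroll"},
    "engineer": {"git", "ci"},
}


@dataclass
class Request:
    src_ip: str
    app: str
    user: Optional[str] = None          # None means the request is unauthenticated
    roles: Set[str] = field(default_factory=set)
    device_compliant: bool = False      # posture result from a device agent (assumed)


def perimeter_allows(req: Request) -> bool:
    """Legacy castle-and-moat rule: anything originating inside the corporate network is trusted."""
    return ip_address(req.src_ip) in CORP_NET


def ztna_allows(req: Request) -> bool:
    """Zero-trust rule: network location is never consulted. Access requires an
    authenticated identity, a compliant device, and a role that is entitled to
    this particular application (principle of least privilege)."""
    if req.user is None or not req.device_compliant:
        return False
    return any(req.app in ROLE_APPS.get(role, set()) for role in req.roles)


def compare(req: Request) -> Tuple[bool, bool]:
    """Return (perimeter decision, ZTNA decision) for the same request."""
    return perimeter_allows(req), ztna_allows(req)


if __name__ == "__main__":
    cases = {
        "unauthenticated host on the LAN": Request("10.1.2.3", "payroll"),
        "remote finance user, managed laptop": Request("203.0.113.7", "payroll", "alice", {"finance"}, True),
        "engineer on the LAN reaching payroll": Request("10.4.5.6", "payroll", "bob", {"engineer"}, True),
    }
    for name, req in cases.items():
        perim, ztna = compare(req)
        print(f"{name:40} perimeter={perim!s:5} ztna={ztna}")
```

The first and third cases are allowed by the perimeter rule purely because of their source address, yet denied under zero trust; the remote worker is the reverse, which is exactly the "location is not trust" point made above.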
What is secure access service edge?
SASE is an approach to networking and network security that builds on the ZTNA model to deliver a fully integrated network. This cloud architecture model, introduced by Gartner in 2019, integrates multiple cloud network and cloud security functions, delivering them as a single cloud service.
SASE combines software-defined WAN (SD-WAN) and the following networking services and functions:
SASE’s aim is to blend these services and technologies to build a cloud-aware and cloud-based secure network.
The SASE model is especially appealing to organizations that abundantly use the cloud and cloud services or are migrating to the cloud. This includes distributed organizations — for example, those with branch locations and dispersed end users — as well as businesses with IoT and edge deployments.
SASE is built on the core identity principles of zero trust. Another common service model is security service edge (SSE), which is similar to SASE but does not include SD-WAN.
Not ZTNA vs. SASE, but ZTNA and SASE
Think of SASE as a higher-level design philosophy than ZTNA. They are not separate or competing network security models; rather, ZTNA is part of an overall SASE architecture.
Note, however, that, while zero-trust implementation might be a short- to medium-term objective for network architects, SASE is a long-term goal. Organizations might decide today that they buy into the SASE approach and then slowly evolve their network and network security stacks toward the SASE model. This takes time as designers replace outdated security technologies and better integrate those that remain. Moving to a SASE model both requires and enables a zero-trust approach to network security.
The bottom line for today’s cybersecurity professionals is that both zero trust and SASE are important to integrate into forward-looking architectural decisions. Organizations should plan to adopt zero-trust principles in the short term to better secure remote workforces accessing both cloud-based and on-premises services. At the same time, they should view all new networking projects through the lens of creating an environment to support SASE down the road.
Benefits of using zero trust and SASE together
Consider the following key reasons to implement ZTNA and SASE together:
- Implementation of common policies can centralize control of end-user and branch office connectivity.
- They enable content filtering and malware protection for all types of internet access.
- They improve monitoring capabilities through more granular behavioral access control for any geographic locations.
- They shift on-premises availability and redundancy controls to a cloud-based hub-and-spoke model. Access to cloud services and on-premises applications is managed through a cloud service provider instead of a traditional data center, potentially reducing Opex and Capex.
Organizations that haven’t yet done so should consider a centralized, consolidated model of cloud-brokered security controls. As zero trust continues to gain traction, SSE and SASE tools will become more prevalent, facilitating the move away from traditional data centers as the central point where security controls are implemented.
Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.
Mike Chapple is academic director of the Master of Science in Business Analytics program and teaching professor of IT, analytics and operations at the University of Notre Dame.