As discussed in the last edition of KC Navigator, public sector organizations are increasingly early adopters in digital identity, digital transformation, and cybersecurity, providing the opportunity for private sector organizations to learn from public sector implementations and follow their lead.
Within cybersecurity, government adoption of a Zero Trust approach to security, particularly in the US, is a prime example of where the public sector is providing a lead for the private sector to follow because both sectors are potential targets of the same cyber threats.
Zero Trust is not a new concept, but developments in technological capabilities, changes in the way people are working, accelerated adoption of cloud and Edge computing, and the continued evolution of cyberthreats have resulted in Zero Trust rising to prominence.
As organizations seek to improve their security capabilities, many are considering Zero Trust, but they are also looking at the concept of Secure Access Edge (SASE) which has risen to prominence for the same reasons as Zero Trust.
As a result, organizations are evaluating both Zero Trust and SASE to determine whether to adopt either, one, or both. It is therefore important to understand what each can potentially deliver and the exact nature of the relationship between them.
SASE refers to a concept that combines cloud-based software-defined wide area networking (SD-WAN) with a range of security services and unified management functionality for delivering security and SD-WAN capabilities to any edge computing location, such as branch offices, home offices, cloud services and storage, OT, and IoT.
SASE is designed to address the performance bottleneck issues of traditional networks that rely on traffic backhauling. Additionally, by integrating identity, business context and real-time risk assessment into every connection, SASE architectures promise to prevent a variety of cyber-attacks.
As per the definition, SASE solutions typically include a networking component such as a software-defined wide area network (SD-WAN) plus a wide range of security components.
These security components are added to secure the communication on the network from end to end, provide consistent policy management and enforcement, add security analytics, and enable an integrated administration capability to manage every connection from everything to every resource.
These components typically include Zero Trust Network Access (ZTNA), which means a Zero Trust approach to security is one of the security components that enables SASE. In a sense, then, SASE is dependent on Zero Trust.
Zero Trust is widely regarded as critical to protecting IT systems, data, and infrastructure because it is imperative that all organizations shift away from the traditional perimeter-based approach to security, which is no longer fit for purpose in an era of cloud computing and remote working.
The most important point to be understood about Zero Trust, is that it is not a product or solution that can be purchased and retrofitted over existing systems. Zero Trust is an approach to security based on the assumption that networks can and will be breached, and the principle of “never trust, always verify”. Zero Trust, therefore, is essentially a concept and an architecture model.
Unlike the traditional approach of verifying once at the perimeter and then implicitly trusting everything and everyone within the perimeter, Zero Trust is about continual verification of each user, device, application, and transaction.
Implementing a Zero Trust approach, therefore, is about shifting to a trusted identity-based model of security that secures data, while ensuring it is accessible to those who need it. This increases security, boosts productivity, blocks lateral movement by attackers, and therefore often involves restructuring how resources are secured and accessed.
While this shift can involve the deployment of new tools, it often simply requires a focus on reusing existing tools, and redesigning security processes and policies. Therefore, Zero Trust is not something that can be implemented overnight. It is a journey that begins with a long-term business strategy and focuses on a step-by-step implementation, using existing or readily available tools and technologies, while avoiding adding even more complexity to the existing architecture.
Because Zero Trust is one of the security components that enables SASE, they appear to be complementary, but their relationship is a little more complicated. SASE solutions often include ZTNA as one of the capabilities, but it may be debated whether the reliance on SD-WAN as the underlying infrastructure does not stand in contrast to the basic principles of Zero Trust.
The risk is to assume that SD-WAN is always secure and can be trusted, but trusting a single element in the multi-layered security stack is the exact opposite of what zero trust is about. Therefore, is it important to consider this risk in any SASE implementation.
That said, the relationship between SASE and Zero Trust is largely complementary, so much so, that a well implemented Zero Trust strategy may address the security needs that some organizations might seek to address with SASE.
Another risk associated with SASE is the risk of supplier lock-in. If SASE is a one-stop shop, then the risk of being locked into the approach of a single supplier – sometimes with few selected partners – is great. SASE needs to evolve to become an open, flexible, standards-based architecture, where different services from different providers can be easily combined.
Considering these risks, it is recommended that organizations adopt a use case-based approach to any potential SASE implementation. Once the use cases are identified and understood, they may well be met by Zero Trust alone, which may be a better overall fit for your organization’s needs.
Generally speaking, SASE solutions may be a better fit for a traditional heterogeneous organization, however, even organizations with a lot of traditional IT are well advised to think about the use cases where they really will benefit from SASE, which is essentially an “old school” approach. For cloud-native startups, there really need to be very good reasons to opt for a SASE solution, which is likely to foster a tendency to conserve traditional approaches rather than moving to a more modern approach.
If, however, after the use cases have been carefully considered, SASE still seems like the best way to go, it is important to understand the risks of SD-WAN and supplier lock-in, and then ascertain exactly what is included in any prospective SASE solution to ensure that it contains everything necessary to meet current and future requirements.
Before going ahead with a SASE implementation, verify that it is a viable solution in your context and be clear whether SASE is a tactic to solve an immediate problem in the short term, or whether it is a strategic solution with benefits in the longer term.
In the final analysis then, where SASE implementations make sense and Zero Trust alone is not enough to meet specific security requirements, SASE and Zero Trust are perfect twins with Zero Trust enabling and complementing SASE, but the risk of SD-WAN should not be overlooked.
Zero Trust is not a single architecture but a set of guiding principles for workflow, system design, and operations that can be used to improve the security posture of any classification or sensitivity level.
— US National Institute of Standards and Technology
Because we understand the importance of having the correct security architecture, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content available in a variety of formats.
This includes live events such last week’s European Identity and Cloud (EIC) conference, which included several sessions focusing on Zero Trust and SASE.
Of greatest relevance to today’s topic is the following session entitled: SASE vs. Zero Trust: Perfect twins or antagonists?
Discover important consideration for implementing a Zero Trust approach to security by having a look at these sessions entitled:
- Strategic Approaches for deploying Zero Trust
- Lessons Learned from Implementing Zero Trust at Siemens
Understand more about the security benefits and practical considerations of adopting a Zero Trust approach to security in these sessions:
- You Can’t Trust Me - What kind of madness is zero trust’s “it’s not a destination, but a journey”?
- By embedding zero-trust networking into apps we can make them multi-cloud native while stopping external network attacks
- Navigating Enterprise Enablement and Zero Trust
- Zero Trust Best Practices from CISOs
And find out more about technologies that support Zero Trust by having a look at these sessions:
- OpenID SSE, CAEP and RISC - Critical standards that enable Zero-Trust security
- The Path to Zero Trust by Securing Privileged Identities
Advisories
A key recommendation for organizations considering SASE is to adopt a use case-based approach to ascertain its viability. For detailed information on how to go about doing that, have a look at this Advisory Note entitled: Implementing SASE. Alternatively, have a look at this presentation: Implementing SASE: A Quickstart-Recommendation.
Audio/video
Hear what our analysts have to say about various aspects of Zero Trust by listening to the following Analyst Chats:
- Zero Trust Means Zero Blind Spots
- The Project Road Towards Zero Trust - What to Do and Where to Start
- What Keeps Organizations From Adopting Zero Trust
- NIST’s Zero Trust Architecture
- Zero Trust as a Concept for … Trust and Security
Discover the views of our analysts and industry practitioners from a recent KC Live event in presentations entitled:
- Practical Zero Trust: From Concepts to Quick Wins to a Strategy
- Identity as the Key to Zero Trust Maturity
- Best Practices to Get Started on Your Zero Trust Journey
- Pitfalls in the Road to Zero Trust
- Standards and Zero Trust
- Enterprise Readiness for Zero Trust
Choose from the following list of presentations from past events the topics that are of most interest or relevance to your organization:
- The Power of Convergence With Palo Alto Networks Prisma SASE
- Applying Zero Trust to Humans and Things
- Zero Trust Use Cases
And this panel discussion on: Zero Trust Paradigm for the Future of Security.
Blogs
For a short, incisive perspective on Zero Trust with reference to SASE, have a look at this blog post entitled: Zero Trust: We’re Nowhere Near the End of the Story Yet and for a broader perspective on Zero Trust, have a look at this blog post entitled: A Look at NIST’s Zero Trust Architecture.
Webinars
Zero Trust will continue to play a crucial role in cybersecurity and identity management. For a discussion on In this session on how to apply Zero Trust thinking to converge IAM, UEM, MDM, XDR, SIEM, SOAR to a seamless and holistic cybersecurity infrastructure, have a look at this Webinar entitled: Zero Trust: The Next Level.
Topic Overview
For quick refreshers on the basics, have a look at these Insights:
Tech Investment
Organizations interested in adopting a Zero Trust approach to security can find out more about supporting technologies by looking at the following Market Compass reports on:
For a perspective on technologies that relate to SASE, have a look at this Market Compass report on: Cloud-delivered Security.
Organizations investing in technologies to support Zero Trust, can have a look at some of the related technology solutions that we have evaluated:
- PortSys Total Access Control July 2021
- Nucleon Smart Endpoint June 2021
- Cisco Zero Trust Security Nov 2020
- ARCON PAM SaaS Nov 2020
- Akamai Zero Trust Security Sept 2019 AB
For SASE, have a look at this Executive View report on: Oracle Data Safe.