Customers often ask me: What is the difference between Zero Trust and SASE? My answer is almost always the same: Nothing... and everything. Both have taken the industry by storm over the last couple of years, even more so with the security and access demands placed on the business by the remote workforce, but they have different implementation approaches. It is important to understand, however, that one does not fully provide the other; in fact, they reinforce each other. As you read through Gartner’s research that introduced SASE to the network and cybersecurity world, you’ll note a number of similarities that can lead you to believe that implementing SASE also implements Zero Trust. While that may be true in part, it is not a complete approach. And just as there is no single product that will get you to Zero Trust, there is also no single product that fully meets Gartner’s vision for SASE.
Zero Trust Network Access (ZTNA)
One key area of similarity is in ZTNA. ZTNA focuses on providing an allow-list (whitelisting) capability for access to services, which is undoubtedly why it is considered one of the core components of SASE. Zero Trust is based on a set of principles, or tenets. One of these tenets is that all network flows are authenticated before being processed, and that access is determined by dynamic policy. Another tenet requires authentication and encryption applied to all communications independent of location, and that security be performed at the application layer, closest to the asset. These alone are foundational to ZTNA. ZTNA secures access to services at the application layer (layer 7), rather than to a complete network as traditional remote access VPN implementations do. Therefore, it provides the means to grant only authenticated and authorized users access to approved applications.
Monitoring for risk and trust levels
Gartner lists the core components of SASE as SD-WAN, secure web gateway (SWG), ZTNA, firewall-as-a-service and cloud access security broker (CASB). One thing that often gets overlooked in their whitepaper is that a SASE solution needs the ability to identify sensitive data, and the ability to encrypt and decrypt content with continuous monitoring for risk and trust levels. Zero Trust eliminates trust from all network communications and seeks to gain confidence that the communications are legitimate. This level of confidence is applied using trust levels (ironically) and scoring techniques. Therefore, the implementation of a trust/risk engine that applies contextual scoring capabilities is crucial in a Zero Trust Authorization Core, and SASE provides a means to accomplish this through its core component technology.
Dynamic secure access
As stated earlier, a tenet of Zero Trust is that access is determined by dynamic policy. Another tenet of Zero Trust is that technology is utilized for automation in support of user/asset access and other policy decisions. This monitoring of user and device behaviors along with automation that drives policy changes is an important part of SASE. Gartner writes that emerging leaders in SASE will embrace a strategic approach to ensure their solution monitors sessions continuously, analyzing for risk levels referencing user entity behavior analytics (UEBA) capabilities, and are “capable of adaptive responses as a user’s behavior is analyzed and subsequent risk increases, or as a device’s trust decreases.” Gartner stops short of detailing what should be done to establish trust and how trust levels should be scored, but they do document that the trust level should be context-aware, which is a recommended approach of Zero Trust.
Identity at the heart
The word “identity” appears 21 times within Gartner’s SASE research, which even depicts “The SASE Identity-Centric Architecture”. Since Zero Trust eliminates trust from all access attempts, one may think that identity doesn’t play a role in any Zero Trust strategy. In reality, to gain confidence in the communications and provide access to the appropriate data set, trust algorithms must have access to historical data stores and identity engines. SASE requires identity in order to drive policy changes based on access requirements. For example, an IoT device accessing a cloud resource versus a business user accessing a private banking application require different levels of identity assurance. In all access cases, knowing who is accessing what requires that the ‘who’ and the ‘what’ be identified. As Gartner states: “The identity of a user/device/service is one of the most significant pieces of context that can be factored into the policy that is applied.” They then mention other sources of context that should be evaluated, such as the location of the identity, time of day, risk/trust level, and the sensitivity of the data or application being accessed, all of which align perfectly with a Zero Trust strategy.
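The preceding sections describe the same machinery from four angles: a per-application allow-list (ZTNA), a contextual trust/risk scoring engine, dynamic policy with adaptive responses as risk rises, and identity plus context (location, time of day, risk level, data sensitivity) as policy inputs. The following is an added illustration, not code from this post or from any vendor's SASE product, of how a small policy decision point can combine those pieces. The scoring weights, application catalogue, sample identities and the UEBA risk feed values are all constructed for the example; a real engine would draw them from identity, posture and analytics systems.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # adaptive response: require MFA before continuing
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    """Context attached to one access request (or one live session)."""
    subject: str          # authenticated identity: user, device or service
    device_trust: float   # 0.0-1.0 from a posture/attestation feed (constructed)
    location: str         # "office", "home" or "unknown"
    hour: int             # local hour of day, 0-23
    risk_score: float     # 0.0-1.0 from a UEBA feed, higher = riskier (constructed)
    mfa_verified: bool


@dataclass(frozen=True)
class AppPolicy:
    """Layer-7 policy: access is granted per application, never per network."""
    name: str
    sensitivity: str               # "low", "medium" or "high"
    allowed_subjects: frozenset    # explicit allow-list; anyone else is denied
    min_trust: float               # minimum contextual trust score to allow
    require_mfa: bool = False


# Illustrative weights only; a production engine tunes these from data.
SENSITIVITY_PENALTY = {"low": 0.0, "medium": 0.1, "high": 0.2}
LOCATION_WEIGHT = {"office": 1.0, "home": 0.85, "unknown": 0.6}
STEP_UP_MARGIN = 0.15   # how far below min_trust MFA can still rescue a request


def trust_score(ctx: AccessContext, app: AppPolicy) -> float:
    """Context-aware trust score in [0, 1]. Trust is earned from device
    posture, location and a low behavioural risk score, then discounted
    for off-hours access and for the sensitivity of the target data."""
    score = (0.5 * ctx.device_trust
             + 0.3 * LOCATION_WEIGHT.get(ctx.location, 0.0)
             + 0.2 * (1.0 - ctx.risk_score))
    if ctx.hour < 6 or ctx.hour > 22:
        score -= 0.1                      # off-hours access weighs against it
    score -= SENSITIVITY_PENALTY[app.sensitivity]
    if ctx.mfa_verified:
        score += 0.1                      # a verified second factor raises confidence
    return max(0.0, min(1.0, score))


def authorize(ctx: AccessContext, app: AppPolicy) -> Decision:
    """Single policy decision. Default deny: the subject must be on the
    application's allow-list AND meet its trust threshold."""
    if ctx.subject not in app.allowed_subjects:
        return Decision.DENY
    if app.require_mfa and not ctx.mfa_verified:
        return Decision.STEP_UP
    score = trust_score(ctx, app)
    if score >= app.min_trust:
        return Decision.ALLOW
    if score >= app.min_trust - STEP_UP_MARGIN and not ctx.mfa_verified:
        return Decision.STEP_UP           # borderline: ask for more assurance
    return Decision.DENY


def reevaluate_session(ctx: AccessContext, app: AppPolicy, updates):
    """Continuous session evaluation: apply a sequence of context changes
    (e.g. UEBA risk updates or a drop in device trust) and return the
    decision after each one, so an ALLOW can become a DENY mid-session."""
    decisions = [authorize(ctx, app)]
    for change in updates:
        ctx = replace(ctx, **change)      # constructed feed update
        decisions.append(authorize(ctx, app))
    return decisions


# Constructed application catalogue and identities for the demonstration.
BANKING = AppPolicy("banking", "high", frozenset({"alice"}), 0.7, require_mfa=True)
HR_PORTAL = AppPolicy("hr", "medium", frozenset({"alice"}), 0.6)
WIKI = AppPolicy("wiki", "low", frozenset({"alice", "bob"}), 0.5)

ALICE_OFFICE = AccessContext("alice", 0.9, "office", 10, 0.1, mfa_verified=True)
ALICE_HOME = AccessContext("alice", 0.5, "home", 10, 0.3, mfa_verified=False)
BOB_LATE = AccessContext("bob", 0.6, "home", 23, 0.3, mfa_verified=False)


if __name__ == "__main__":
    for ctx, app in [(ALICE_OFFICE, BANKING), (BOB_LATE, BANKING),
                     (BOB_LATE, WIKI), (ALICE_HOME, HR_PORTAL)]:
        print(f"{ctx.subject:>6} -> {app.name:<8} {authorize(ctx, app).value}")
    # Risk climbs during a live session; the response adapts without a new login.
    timeline = reevaluate_session(ALICE_OFFICE, BANKING,
                                  [{"risk_score": 0.5}, {"risk_score": 0.8}])
    print("session:", [d.value for d in timeline])
```

Two points worth noticing in the output: Bob is denied the banking application before any score is computed, because the allow-list is evaluated first (the ZTNA half), while Alice's banking session starts as ALLOW and ends as DENY purely because the constructed risk feed rose, with no change to her identity or credentials (the continuous-monitoring half). Alice's borderline request to the HR portal from an untrusted home device yields STEP_UP rather than an outright deny, which is the kind of adaptive response Gartner describes.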
These are just a few of the similarities between SASE and Zero Trust, but there are differences as well. Zero Trust is an enterprise-wide strategy to eliminate risk to the business, whereas SASE provides guidance for vendors to design effective security solutions for the future. While SASE outlines what a solution should have in order to provide secure access at the edge, other Zero Trust requirements around effective monitoring of threats to the business, continuous maintenance of the environment, and aligning solutions to governance and compliance requirements go beyond any single technical solution.
SASE is essentially built upon the principles of Zero Trust, making Zero Trust a key cornerstone of SASE. An implementation strategy for Zero Trust will also lead to many SASE elements falling into place, and a SASE implementation plan will require Zero Trust principles in developing the security policies that drive access. And since SASE policies go beyond security to also govern quality of service (QoS), path selection, dynamic routing, traffic shaping, and cost and latency optimization, among other network-centric policies, SASE cannot be seen solely as the fast-lane approach to implementing Zero Trust.