First introduced in 2009 by John Kindervag during his time with Forrester, the zero-trust model sets forth the concept that nothing is to be trusted—either inside or outside of the network—and that verification must always occur before access is granted.
The cybersecurity industry embraces this model, and it is a rallying cry for leaders who want to move their organizations toward the most secure posture possible.
As the understanding of zero trust and the importance of verifying all device and user access gained traction, so did the “marketability” of the term. An increasing array of solutions has entered the market with zero-trust messaging. While there is no doubt that technology solutions are instrumental in moving toward a zero-trust architecture, overuse of the term may be causing confusion on the core concept of zero trust and the steps that an organization can take to achieve it.
Understanding the core of zero trust
Forrester, Gartner, and others have made efforts to provide guidelines for a zero-trust framework. The most recent was produced in 2020 by the National Institute of Standards (NIST) and is a good resource for building your understanding of zero trust and zero-trust architecture. NIST Special Publication (SP) 800-207 centers the zero-trust discussion on the “core logical components” that can advance zero-trust architecture.
At the heart of zero trust is the understanding that networks are no longer static and users are no longer guaranteed to be inside the network perimeter when accessing corporate assets. Zero trust focuses on protecting resources such as data and users. Without ties to a physical footprint, security needs to move to where access is occurring—cloud and mobile are advancing this understanding, and the remote workforce demands it.
The NIST basics of zero trust include:
- Identity for users and devices
- Access management
- Hosting environments
- Interconnecting infrastructure
They align around a strategy of using zero-trust architecture to protect critical assets and resources in a digitally-transformed enterprise that has adopted cloud or hybrid delivery of access, applications and data. There are NO trust zones with properly applied zero-trust methodology.
Securing your user edge with SASE solutions
New and emerging technologies continue to advance and align with zero-trust methodology and architecture. One such development is what Gartner termed as secure access service edge or SASE (pronounced sassy).
With more user requests destined for cloud networks, SaaS applications, and the Internet, SASE solutions take security to the user—at the service edge. SASE combines Network as a Service and Network Security as a Service capabilities to improve access and security for remote users across endpoints, SaaS applications, and cloud environments—and reduce complexity for the IT teams.
Many factors can contribute to an organization’s decision to adopt a SASE solution. With workloads migrating to the cloud, there is less need for traditional multiprotocol label switching (MPLS) backhaul.
Today’s branch offices use direct internet access (DIA), which is now the standard for branch connectivity. Cloud migration creates a global redundancy framework—something that traditional, on-premises data centers can’t match. The global pandemic accelerated the adoption of remote workforce capabilities. With any of these factors comes security challenges that require a different approach. SASE enters the breach to push security to the edge and create a centralized security framework in the cloud. Security teams benefit from greater visibility and control.
You can see zero trust from here
Discussions and strategies around the zero-trust framework have naturally evolved to include SASE. The market is moving toward less complexity and more comprehensive security for cloud access. Like The O’Jay’s song says, “you’ve got to give the people what they want,” and what they want is fewer appliances, less strain on resources, and less staff to do what’s needed.
SASE solutions on the market continue to evolve, and new solutions are entering the field—all designed to give the people what they want. It’s predicted that by 2024, 30% of enterprises will have adopted the combined capabilities of SASE from a single vendor. By 2025, it’s thought that over 60% will have developed timelines and strategies for adopting SASE.
If those predictions are true, it’s likely there will be a large swell of adoption in the coming months since only 12% of enterprises worldwide currently have SASE solutions in place. Slow adoption isn’t uncommon for emerging technologies, and rather than ringing alarm bells that the solutions aren’t accepted, it should be seen as notice of an advancing wave.
Now is the right time to learn more about SASE and what you should look for as your organization considers a SASE architecture as part of a zero-trust strategy.
The truth about SASE and zero trust
With any of the SASE adoption factors mentioned earlier, the most notable gain is the security provided anywhere users and devices access the Internet. In the not-too-distant past, VPN was the primary method for securing user remote access. While VPN was a giant leap forward at the time, its effectiveness is now being challenged. Access connections are more varied than ever and where VPN falls short, SASE rises to the task. As workloads and apps move out of the corporate data center, SASE provides users with a secure connection to those assets.
The leading SASE solutions offer similar functionality and features. Cloud access security broker (CASB), secure web gateway (SWG), cloud firewall, and data loss prevention (DLP) are generally provided, in addition to other features. Many SASE vendors also list zero trust alongside these capabilities. A limited view of zero trust has the potential to hinder efforts to reach a more advanced security posture.
Here it is, the crucial truth: zero trust is not a feature that can be included in a solution, and it cannot be achieved with a single solution.
The market continues to debate what constitutes zero-trust architecture, but most experts agree that securing the network edge also requires validating user identity and establishing device trust. Both are core to the zero-trust framework and not included in any SASE solution currently available.
SASE benefits align with zero trust
The deployment of a SASE solution helps organizations bring together SWGs, DLP, DNS layer protection, SD-Wan, and other capabilities into a single platform and increases their security posture. All are reasonable and warranted steps to secure the edge.
And while SASE doesn’t equal zero trust, achieving zero trust is at the core of SASE.
Zero trust is a philosophy, a journey, a progression, an evolution. Differentiating the methodology from the product is necessary. This doesn’t mean that SASE manufacturers have gotten zero trust wrong. Most SASE solutions do an excellent job of building toward a zero-trust framework. But it’s important to understand that implementing SASE doesn’t mean your journey to zero trust is over.
SASE adoption improves zero-trust maturity
When considering a SASE solution, organizations should examine their zero-trust posture and consider how well the SASE solution complements the existing network architecture. If your organization operates critical infrastructure that remains on-premises, a SASE offering that has zero-trust components to securely connect to cloud apps and cloud infrastructure but lacks integration for legacy infrastructure might not be the right choice. Look for a SASE solution that doesn’t require a lift-and-shift in your on-premises environment.
It’s also important to consider that the foundational principle of zero trust isn’t just about stopping potential threats. It’s also about limiting the harm caused by a breach. Implementing micro-segmentation, identity and access management, patching, and sandboxing are additional ways to improve your zero-trust maturity.
Many of the breaches reported in industry news and national news coverage could have been better contained if a zero-trust policy had been in place.
SASE solutions align with zero trust and can also help with containment. Consider solutions from vendors that back their performance claims with references, statistics, and third-party tests and efficacy reports. And choose a vendor whose SASE solution builds on the bedrock of zero trust. It’s not a guarantee that a breach won’t occur, but the overall impact can be reduced when used as part of a planned, thoughtful zero-trust policy.
SASE and your zero-trust journey
Implementing a SASE solution isn’t just for advanced zero-trust journeys. SASE can be instrumental in initiating your organization’s path to zero trust. Regardless of an organization’s zero-trust maturity level, SASE implementation can help NetOps and SecOps teams regain some of the control lost when the workforce went remote. SASE can also empower these same teams to deliver improved services and user experiences as the organization shifts to cloud infrastructure and public apps.
Evaluating SASE solutions using a zero-trust lens can help to speed your organization toward the ultimate goal of a zero trust security stance. Consider working with a security integrations partner to help you speed this process with a level of expertise and experience with both SASE and zero trust.