The zero-trust security model was developed in response to the evolution of corporate infrastructure and cybersecurity risk. In the past, companies widely adopted a perimeter-focused security model designed to prevent external attackers from gaining access to the protected internal network. As companies increasingly embrace cloud computing, traditional perimeter-focused security models no longer make sense, especially when critical components of an organization’s IT infrastructure lie outside of these perimeters.
Zero trust updates these security models by constricting the perimeter to cover individual apps and devices. All requests for access to corporate assets are evaluated on a case-by-case basis. By implementing zero trust, an organization eliminates the inherent trust extended to users inside the corporate network, a trust that creates significant security risks. To be effective, zero trust must be capable of enforcing granular, universal access controls. With corporate infrastructures sprawling across on-prem, remote, and cloud-based systems, this can be difficult to achieve.
This is where Secure Access Service Edge (SASE) enters the picture. SASE solutions are cloud-based virtual appliances that combine software-defined WAN (SD-WAN) with an integrated network security stack. Since all network traffic flows through at least one SASE appliance, they can apply the access controls needed by zero trust.
Below, we clarify a few key terms, and explain how SASE and zero trust work together.
What is SASE?
In the past, most corporate security architectures were built on a collection of standalone point solutions. Each of these solutions was designed to provide a particular capability or address a specific threat. However, these architectures were difficult to manage and often included solutions with overlapping capabilities or blind spots.
SASE is an effort to update network security architectures to meet an organization’s evolving security needs. By combining a range of network and security functions in an integrated, cloud-based solution, SASE simplifies security management, reduces blind spots, and offers a single solution that can protect all of an organization’s IT infrastructure.
One of the core benefits of SASE is its integration of multiple security and network technologies within a single solution. Some SASE cyber security and networking capabilities include the following:
- Zero-Trust Network Access (ZTNA)
- Cloud Access Security Broker (CASB)
- Firewall as a Service (FWaaS)
- Secure Web Gateway (SWG)
- Software-Defined WAN (SD-WAN)
- Data Loss Prevention (DLP)
What is Zero Trust?
Zero trust is a security model proposed by John Kindervag of Forrester Research to address the limitations of traditional, perimeter-focused security strategies. As its name suggests, the focus of zero trust is to eliminate implicit trust within an organization’s security program.
In a traditional security model, anyone inside the organization was considered trusted and granted wide-reaching access to corporate systems, applications, and data. However, this created significant issues due to a lack of internal network visibility, insider threats, and the rapid expansion of corporate perimeters.
With zero trust, an organization implements micro-segmentation, defining a trust boundary around each individual application or system. When an authenticated user requests access to a particular asset, the access management system determines whether the permissions assigned to them allow the requested access. If so, the request is granted; if not, it is denied.
With a zero-trust security model, the core focus becomes access management and user authentication. Zero trust models implement the principle of least privilege, which states that a user, application, computer, etc., should only be granted the permissions needed to do its job. By minimizing permissions, zero trust reduces the chance that they are abused and limits the damage that a compromised account can cause.
If an organization has least-privilege access controls in place, it also needs to ensure that they are being applied to the right identity. This is why zero trust systems commonly incorporate strong user authentication mechanisms, such as multi-factor authentication, to verify the identity of a user making a request.
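The per-request decision described above can be sketched as a small default-deny policy check. This is an added example, not part of the original article or any vendor's product; the asset names, roles, users, and the 15-minute MFA freshness window are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy: each asset is its own trust boundary (micro-segment) and
# each role is granted only the actions it needs (least privilege).
POLICY = {
    ("payroll-app", "hr-analyst"): {"read"},
    ("payroll-app", "payroll-admin"): {"read", "write"},
    ("wiki", "hr-analyst"): {"read", "write"},
}
MFA_REQUIRED = {"payroll-app"}  # assets that demand a recent second factor
MFA_MAX_AGE_S = 900             # assumed freshness window: 15 minutes

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    asset: str
    action: str
    source_network: str        # recorded for logging, never used to grant access
    mfa_age_s: Optional[int]   # seconds since the last MFA check, None if none

def decide(req: Request) -> tuple:
    """Evaluate one request on its own merits; anything not granted is denied."""
    granted = POLICY.get((req.asset, req.role))
    if granted is None:
        return (False, "no grant for this role on this asset")
    if req.action not in granted:
        return (False, "action exceeds granted permissions")
    if req.asset in MFA_REQUIRED and (
        req.mfa_age_s is None or req.mfa_age_s > MFA_MAX_AGE_S
    ):
        return (False, "fresh MFA required")
    return (True, "allow")

# Constructed sample requests.
SAMPLES = [
    Request("alice", "hr-analyst", "payroll-app", "read", "internet", 60),
    Request("alice", "hr-analyst", "payroll-app", "write", "corp-lan", 60),
    Request("bob", "contractor", "payroll-app", "read", "corp-lan", 60),
    Request("carol", "payroll-admin", "payroll-app", "write", "corp-lan", 3600),
    Request("alice", "hr-analyst", "wiki", "write", "internet", None),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.asset, r.action, r.source_network, decide(r))
```

Being on `corp-lan` earns nothing here: the second, third, and fourth requests are denied from inside the network, while the first is allowed from the internet because the grant and MFA check both pass.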
Zero Trust vs Least Privilege: Similarities and Differences
Zero trust and least privilege are related concepts. In fact, least privilege is a core tenet of a zero-trust security strategy.
The principle of least privilege states that a user, application, etc. should only be granted the minimum set of privileges needed for their role. The goal of this is to minimize the risk of excessive permissions, which play a role in many large-scale data breaches. A user with limited access can only do so much damage through negligence, malicious intent, or a compromised account.
Zero trust incorporates the principle of least privilege as a central part of its philosophy. A zero-trust security model eliminates trust by implementing micro-segmentation and individually validating each request for access. Least privilege access controls ensure that these protections are not undermined by granting every user full access to everything.
What benefits does a combined SASE and Zero Trust approach bring?
Zero trust is a core component of a SASE solution. In fact, zero-trust network access (ZTNA) is one of the solutions integrated into a SASE virtual appliance. SASE and zero trust are synergistic because the design of a SASE network architecture provides the visibility and micro-segmentation that zero trust needs to do its job.
The combination of SASE and zero trust can bring significant benefits to an organization. Some examples include:
- Improved Network Security: SASE solutions integrate a full network security stack in a single virtual appliance. This improves network security by eliminating network blind spots and ensuring that all network traffic is properly inspected and secured.
- Reduced Cost at Scale: SASE’s integrated design can also help to reduce the cost of security at scale. A network of integrated, cloud-based security solutions is likely cheaper to acquire, operate, and maintain than an array of standalone point solutions.
- Holistic Network Visibility: With SASE, all network traffic flows through at least one SASE appliance en route to its destination. Since these solutions are centrally managed and monitored, this provides an organization with comprehensive visibility into its network traffic.
- Streamlined Network Management: SASE eliminates the point security solutions that are difficult to manage and contribute to security alert overload. Security integration simplifies and streamlines an organization’s network and security management.
What is the difference between SASE and Zero Trust?
SASE and zero trust differ in kind: SASE is a security technology, while zero trust is a security model or philosophy. Zero trust states how security should be implemented in an organization by eliminating the implicit trust of the perimeter-focused security model. SASE helps to implement this model by providing the network segmentation and ZTNA capabilities that zero trust needs to operate at scale.
Is Zero Trust protection included in SASE Security?
Zero trust network access (ZTNA) is a core component of a SASE solution. This implements zero trust protection for the entire corporate WAN, including on-prem, cloud-based, and remote devices.
Does SASE have an advantage over Zero Trust?
Zero trust is a philosophy that needs to be implemented to bring value to an organization. SASE is one option for implementing zero trust at scale.
Use Cases and Best Practices for SASE & Zero Trust
The growth of cloud computing, remote work, and the cyber threat landscape have made SASE and zero trust invaluable solutions for the distributed enterprise. SASE and zero trust solutions can be used to manage many of the security challenges that companies face, including the following:
- Business Operations: Traditional, perimeter-focused security models often offer poor performance and security. Zero trust and SASE enable an organization to improve its security while also streamlining business operations.
- Contractors: Third-party contractors can pose a significant threat to an organization’s cyber security due to the potential for supply chain attacks. A zero-trust security strategy can manage these risks by limiting the access that external parties have to an organization’s applications, data, and systems.
- Secure Remote Workspaces: Traditional, perimeter-based security solutions are often ill-suited to securing the remote workforce. SASE’s cloud-based design enables it to provide comprehensive protection to all of an organization’s IT systems, regardless of location.
- Healthcare and HIPAA Compliance: HIPAA and similar laws mandate that healthcare organizations have certain security controls in place and manage access to sensitive healthcare information. SASE and zero trust help to implement the required security and access controls across the entire organization.
- Financial Regulatory Compliance: The financial industry is subject to regulations mandating visibility into its operations and the protection of sensitive information. SASE and zero trust help to achieve this by providing granular network visibility and strong, integrated network security controls.
- Legal Services Compliance: In the legal industry, organizations have access to highly sensitive information. A zero-trust security policy can help to protect this data and maintain compliance with applicable laws.
- IT Management: Security architectures built of standalone, point solutions are complex and difficult to manage. IT management is simplified by SASE, which integrates many security functions into a single solution.
- Security Compliance: Most companies are subject to data protection laws, standards, and industry regulations. SASE offers many of the network security controls required to comply with these, and zero trust helps to reduce the risk of security incidents.
When SASE & Zero Trust are Less Relevant
A zero-trust security strategy is always a useful protection for an organization. Organizations of every size and in every industry suffer from data breaches and other cyberattacks that often take advantage of excessive permissions. Implementing least-privilege access controls and micro-segmentation can dramatically reduce these organizations’ chances of attack.
However, for some organizations, SASE may not be the right solution for implementing zero trust. For example, if an organization’s systems and users are primarily located on-prem — without an extensive cloud deployment or remote workforce — then SASE’s cloud-based deployment may be less relevant than with a more distributed organization.
Zero Trust and SASE Security Solution for Businesses with Remote Workers
One of the main limitations of zero trust and SASE solutions is that they work primarily at the network level. They can be blind to certain endpoint security threats, such as a localized malware infection or a compromised device using a legitimate user’s session to bypass zero-trust security controls.
For comprehensive protection against cyber threats for remote workers, SASE and zero trust should be combined with a robust endpoint security solution. Venn Software creates a secure enclave on a user’s device where companies can manage endpoint security without infringing on the privacy of a remote worker’s personal use of their device. By providing strong endpoint protection for the remote workforce, Venn fills in the missing piece of a SASE security architecture.
Does implementing SASE automatically provide Zero Trust?
SASE has the built-in ability to support zero trust security due to its integration of zero trust network access (ZTNA) capabilities. However, an organization still needs to define the least-privilege access controls that ZTNA and SASE use to manage access to its IT resources.
What’s the difference between SASE and Zero Trust?
Zero trust is a philosophy stating that every access request should be independently verified rather than implicitly trusting authenticated users. SASE is a network security solution that can implement a zero-trust model alongside other security capabilities.
What is zero trust in edge computing?
Zero trust is a security model that states that every access request should be evaluated on a case-by-case basis. This applies to every aspect of an organization’s IT environment, including edge computing systems.
Is zero trust just MFA?
Zero trust is a security model designed to eliminate implicit trust in an organization’s security model. MFA is a valuable component of zero trust because it helps to strongly authenticate a user, enabling the system to apply the right permissions to them.
What is the SASE model?
Secure access service edge (SASE) is a network security solution that integrates many networking and security capabilities in a single cloud-based solution. This enables an organization to more effectively implement network security as a growing percentage of its IT assets move to the cloud.