As we start the new year and see companies begin their plans and execution for “the new normal”, a topic of discussion from a past Customer Advisory meeting has become much more pronounced: what is the relationship between Zero Trust and Secure Access Service Edge (SASE)? Is one more relevant as security teams begin preparing for either a return to the office or an increasingly distributed environment?
In short, they are not mutually exclusive. Both aim to help security teams whose footprint has expanded beyond their control: many of their users control or own the device, traffic doesn’t traverse their own infrastructure, and trusting users by default becomes insufficient.
In this context, Zero Trust and SASE work together by converging a least-privilege access strategy with an architecture that simplifies how highly distributed users and cloud resources are secured.
As a simple litmus test, consider the following use case from a security team that we collaborate with. As their environment started to become increasingly distributed (e.g. applications moving to the cloud, increasing direct-to-cloud traffic, unexpected remote workforce, BYOD), they looked to overcome the expanding surface area with multiple point products that enforced zero trust and least-privilege access control policies: secure web gateways, CASBs, firewalls, and VPNs to name a few of the tens of functional capabilities.
They struggled with the swivel-chair management experience, which grew more pronounced as more technology was required and more nooks and crannies presented themselves across the infrastructure. On top of that, legacy components like VPNs ultimately violated zero trust tenets and created performance bottlenecks.
Unintentionally, the attempt to adhere to zero trust constructs drove up the number of deployed point products and created unforeseen gaps. SASE balances and reinforces that approach by applying common security controls to all enterprise resources, which not only ensures consistency but also removes the blind spots that occur because of disparate products. From a single control point, security teams can configure policies that secure SaaS apps, control access to web destinations, identify shadow IT, and defend on-prem apps. The architecture will often include Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA) functionality.