These obstacles call for new ways to approach security. Secure access service edge (SASE) and zero trust are two evolving security methodologies. SASE is made up of several technologies but is often packaged as a single platform. SASE typically includes SD-WAN, SSE, CASB, and secure VPN solutions.
OnX Canada defines zero trust as a security framework rather than any specific technology. Zero trust guides how users interact with security technology. For example, zero trust network access (ZTNA) refers to how zero trust principles apply at the application level. Zero trust is more of a process and set of guiding principles that may involve many steps for organizations to reach zero trust maturity. Like “getting healthy,” zero trust is aspirational and requires continual attention to meet the changing needs of network security.
Currently, no single OEM delivers complete zero trust. However, SASE is vital to a robust zero trust security program.
This post will compare SASE and zero trust, explaining how each can support your organization’s cybersecurity, individually or combined.
Key terms:
- Zero trust: OnX defines zero trust as a framework based on aspirational security principles. The methodology accomplishes this by not implicitly trusting data, users, applications, workloads, networks, and devices.
- Zero trust network access (ZTNA): ZTNA, despite the name, applies zero trust principles to applications and workloads (not networks).
- Secure access service edge (SASE): SASE (pronounced “sassy”) is a portfolio of integrated networking and security tools that includes:
- Software-defined wide area network (SD-WAN): SD-WAN virtualizes traditional network infrastructure, speeding up traffic speeds and boosting reliability by incorporating several transports (LTE, broadband, DIA, and so on).
- Secure service edge (SSE): Cloud-based security solutions that defend edge network devices, data, and applications. These tools include Firewall-as-a-Service (FWaaS) and secure web gateway (SWG).
- Secure virtual private network (VPN): A secure, encrypted connection from an end-user to an organization’s network.
- Cloud access security broker (CASB): Cloud-hosted resources require security enforcement points to protect an organization’s SaaS and IaaS platforms. To maintain the security of these resources, CASB tools provide access control, threat protection, and (data loss prevention) DLP services to prevent data loss and unauthorized access.
Learn more: Three vital tactics for embedding cloud network security
The technology behind SASE and zero trust
Organizations need holistic and comprehensive ways to secure their digital real estate. This need has forced security solutions to consolidate and streamline over the past few years. Zero trust and SASE emerged from this push as methods that allow network managers to implement multiple solutions and address disparate objectives. Zero trust and SASE simplify security fabrics while giving network teams more tools and generating greater visibility into the environment.
Zero trust is not a technology. Instead, it is a guiding framework that includes multiple technologies. NIST defines five pillars that comprise zero trust:
- Identity.
- Devices.
- Networks.
- Applications and workloads.
- Data.
Each pillar has different technologies that apply zero trust principles to that respective silo. For example, zero trust network access is vital in securing applications/workloads. Other zero trust technologies include multi-factor authentication (MFA), extended detection and response (XDR), as well as best practices for passwords and e-mail security. However, it’s worth noting that zero trust is not limited to these individual solutions or tools, nor does it depend on any single technology. Zero trust mature organizations also have technology and policies that span and interact across pillars. And zero trust will continue to add new technologies as the security landscape develops.
In contrast, SASE is a technology tool essential to designing a zero-trust approach to networking. The SASE portfolio of technology includes SD-WAN, SSE, secure VPN, and CASB to deliver secure networking for organizations. SASE fills several core security needs. Microsoft defines the pillars of SASE as:
- Identity: Access is limited to verified users, devices, and identities.
- Cloud-native delivery: Automatic updates from a cloud delivery model that boosts overall security.
- Total edge support: Sustains all physical, virtual, and logical network edges.
- Worldwide distribution: Supports users globally.
Read more: Core advantages of a managed secure access service edge solution
As you can see, there is a fair amount of overlap between SASE and zero trust. However, despite the similarities, the two are not exactly interchangeable.
SASE vs zero trust
Shared traits
- Identity: Identity is key to both zero trust and SASE. Organizations need clear policies to ensure access to appropriate resources.
- Consolidation: SASE merges network security products, while zero trust consolidates security pillars into a framework.
- Authentication: SASE and zero trust require user verification for specific functions and data access. Unlike VPNs, users can’t access all operations, once in the system.
- Context-based access: Both zero trust and SASE use contextual risk evaluations and authorization.
Divergences
- Identity: Zero trust relies on authentication to verify users. A zero trust architecture defines which users get access to what applications, networks, or systems based on the authentications. On the other hand, SASE uses technology to monitor connections, identities, and devices to ensure zero trust identity policies are implemented correctly.
- Scope: Zero trust is a broad framework applied across technology pillars—users, devices, applications, networks, and identity. SASE is limited to network security.
- Solution category: SASE is a technology that merges multiple tools into a singular solution. Zero trust is a framework and set of security best practices.
The benefits of unifying SASE and zero trust
The continuing trend in cybersecurity is toward integrated, centralized, and streamlined operations. At OnX, we recommend that organizations adopt not just zero trust or SASE but a complete zero trust framework that utilizes SASE, which provides the following advantages:
- Enhanced security: SASE and zero trust increase visibility into disparate environments and fill gaps within the security fabric. Additionally, SASE and zero trust de-silo security architecture.
- Streamlined: Minimize network complexity with a central security control hub.
- Better scalability: Scale up or down these solutions as needed.
- Optimization: Automate recurring security tasks and free IT staff to focus on mission-critical ops.
SASE and zero trust unification enable companies to advance toward zero trust maturity with a cutting-edge technology solution that maintains security policy throughout the entire digital estate, from on-prem to cloud to edge computing.
Which is best for my organization?
SASE is not a replacement for zero trust. And vice versa. Ideally, the two should work together toward a fully optimized security fabric. SASE secures your organization’s network by following the principles of zero trust. Zero trust also branches into other silos of security, such as zero trust network access, which secures the application layer. SASE is a big lift for some businesses. Implementing SASE takes time to do right. Additionally, it requires constant monitoring and vigilance for misconfigurations.
The concept of zero trust is relatively simple as it starts from your current security level and aims to achieve a perfect level of security. Most organizations can quickly improve their security by taking immediate measures, leading to a high return on investment. However, some organizations may need help shifting their focus from daily IT operations and allocating the time required to create a comprehensive zero-trust network access plan.
The OnX team is well-versed in helping our customers on their security journey. Get in touch to learn how we can help.