It was only yesterday that Zero Trust was all the rage, but there is a new kid on the block: Secure Access Service Edge, or SASE (pronounced "sassy"). It is not surprising that the security world is changing rapidly. We have not only the ever-evolving threat landscape and Cloud migrations at scale, but also the new remote-working realities of the post-COVID era to thank for these changes. What is surprising, however, is how fast vendors have jumped on the SASE story. Since its inception by Gartner at the end of August 2019, every major security and networking company has released a SASE-compliant architecture or solution set. Check out these announcements by Zscaler, Palo Alto Networks, Akamai, Cisco, Fortinet, Juniper, and VMware.
Thanks to the highly successful marketing campaigns of the above vendors, business and security leaders alike are now asking several questions: What is the difference between SASE and Zero Trust? Is one part of the other? Which is the right model for my business? Will I need to change my security strategy to achieve the same outcome?
Let me answer these questions.
What is the difference between SASE and Zero Trust?
For one, Zero Trust was coined by Forrester, SASE by Gartner 🙂
If Zero Trust is your “what”, SASE can be thought of as your “how”. Zero Trust does not focus on any particular technology solution in the Security space. Irrespective of whether you are deploying a firewall, a DLP product, an Anti-X solution, or new monitoring software, the principles of Zero Trust still apply to every aspect of the technology and its deployment.
SASE, on the other hand, specifically calls out several networking and security technologies. It describes how a provider is to deploy these services in the Cloud and how a business should consume them.
However, SASE and Zero Trust have two common goals in mind: securing your business, and contextual, identity-based policy assignment.
Is one part of the other?
Gartner named Zero Trust Network Access (ZTNA) as one of the core components of SASE. This is where Gartner potentially started to confuse the market. The ZTNA referred to here is the replacement for our traditional remote access VPN solution. It is not necessarily the full-blown deployment of a true Zero Trust-based architecture throughout your entire environment.
Therefore, strictly speaking, Zero Trust is not part of SASE. But is SASE part of Zero Trust? Well, perhaps. SASE can help deliver all of the Zero Trust principles for some of your IT assets. Why only some? Think of the Cloud delivery of the SASE model: it may not necessarily apply to your entire environment.
Ultimately, however, this question is largely irrelevant as the answer does not impact anyone’s business or security strategy.