SASE vs Zero Trust, which is the right model for your business?

It was only yesterday when Zero Trust was all the rage, but there is a new kid on the block: Secure Access Service Edge, or SASE (pronounced sassy). It is not surprising that the security world is changing rapidly. Not only do we have the ever-evolving threat landscape and Cloud migrations at scale, but also the new remote-working realities of the post-COVID era to thank for these changes. What is surprising, however, is how fast vendors have jumped on the SASE story. Since its inception by Gartner at the end of August 2019, every major security and networking company has released a SASE-compliant architecture or solution set. Check out the announcements by Zscaler, Palo Alto Networks, Akamai, Cisco, Fortinet, Juniper, and VMware.

Thanks to the highly successful marketing campaign of the above vendors, several questions are now being asked by business and security leaders alike: What is the difference between SASE and Zero Trust? Is one part of the other? Which is the right model for my business? Will I need to change my security strategy to achieve the same outcome?

Let me answer these questions.

What is Zero Trust?

Zero Trust is a security strategy based on the following principles:

  1. Trust nothing and no one; always authenticate everything
  2. Least privileged access; authorise the right level of access
  3. Verify; always log and monitor all access

The above principles apply irrespective of whether you are a user, an entity (device, IoT) or a service (Application, API) accessing a resource in your data centre or in a Cloud. The strategy does not mandate any particular security services, technologies or even an architecture. It simply says: authenticate, authorise and monitor.
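The three principles above, applied in the same way to a user, an entity and a service, as an added example that is not part of the original article. The subject names, secrets, grants and the `sign`/`decide` helpers are hypothetical, and the per-request HMAC stands in for whatever authentication mechanism is actually in use.

```python
import hashlib
import hmac
import time

# Constructed sample data: secrets and grants are illustrative only.
SECRETS = {"alice": b"k-user", "sensor-7": b"k-device", "billing-api": b"k-service"}
KINDS = {"alice": "user", "sensor-7": "entity", "billing-api": "service"}
# Principle 2 (least privilege): only the (resource, action) pairs each subject needs.
GRANTS = {
    "alice": {("hr-db", "read")},
    "sensor-7": {("telemetry", "write")},
    "billing-api": {("invoices", "read"), ("invoices", "write")},
}
AUDIT_LOG = []  # Principle 3 (verify): every decision is recorded, allow or deny.


def sign(subject, resource, action, secret):
    """Proof of identity bound to one specific request (no replay protection here)."""
    msg = f"{subject}|{resource}|{action}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def decide(subject, resource, action, proof):
    """Authenticate, then authorise, then log. Deny is the default outcome."""
    secret = SECRETS.get(subject)
    expected = sign(subject, resource, action, secret) if secret else ""
    # Principle 1: nothing is trusted until the proof verifies (constant-time compare).
    if not secret or not hmac.compare_digest(expected.encode(), proof.encode()):
        outcome = "deny:unauthenticated"
    elif (resource, action) not in GRANTS.get(subject, set()):
        outcome = "deny:not-authorised"
    else:
        outcome = "allow"
    AUDIT_LOG.append({
        "ts": time.time(), "subject": subject, "kind": KINDS.get(subject, "unknown"),
        "resource": resource, "action": action, "outcome": outcome,
    })
    return outcome
```

The same `decide` path handles all three subject kinds, and a denied request leaves an audit record just as an allowed one does.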

What is SASE?

SASE goes into a reasonable degree of detail as to how some networking and network security services should be deployed and consumed by organisations. It focuses heavily on four key technology areas:

  1. Network services; mainly the connectivity to your Data Centres and Cloud providers
  2. Network security services; SASE focuses on some core security services
  3. Identity; much like Zero Trust, a policy is ultimately applied to an identity
  4. Consumption based; Cloud delivery of the above three

What is the difference between SASE and Zero Trust?

For one, Zero Trust was coined by Forrester, SASE by Gartner 🙂

If Zero Trust is your “what”, SASE can be thought of as your “how”. Zero Trust does not focus on any particular technology solution in the Security space. Irrespective of whether you are deploying a firewall, a DLP product, an Anti-X solution, or new monitoring software, the principles of Zero Trust still apply to every aspect of the technology and its deployment.

SASE on the other hand specifically calls out several networking and security technologies. It talks about how these services are to be deployed by a provider in Cloud and how a business should consume the services.

However, both SASE and Zero Trust have two common goals in mind: securing your business, and contextual, identity-based policy assignment.

Is one part of the other?

Gartner named Zero Trust Network Access (ZTNA) as one of the core components of SASE. This is where Gartner potentially started to confuse the market. The ZTNA referred to here is the replacement for our traditional remote access VPN solution. It is not necessarily the full-blown deployment of a true Zero Trust-based architecture throughout your entire environment.

Therefore, strictly speaking, Zero Trust is not part of SASE. But, is SASE part of Zero Trust? Well, perhaps. SASE can help deliver all of the Zero Trust principles for some of your IT assets. Why some? Well, think of the Cloud Delivery of the SASE model. It may not necessarily apply to your entire environment.

Ultimately, however, this question is largely irrelevant as the answer does not impact anyone’s business or security strategy.

Which is the right model for your business?

I believe by now you realise that this question is fundamentally wrong, or at best, misleading. Zero Trust is a very sound security strategy. You can deploy it to parts of your organisation using SASE or using largely on-prem and non-SASE-centric solutions.

Given the rapid rise in adoption of Cloud, and consumption of services in an X as a Service model, I do believe SASE will become the default architecture for all organisations. I recommend you start looking at developing your SASE-based architecture as soon as possible. I also recommend you stay away from provisioning SASE without the Zero Trust principles.

Any final words?

Architectures, technologies, and concepts aside, the basics of cybersecurity are still unchanged. You need to understand what assets you have, their value and classification, and who or what needs access to them. You still need to do your risk assessments, take care of user training, and have a plan in place for when (not if) your security posture is compromised. If you don’t have this base covered, neither SASE nor Zero Trust will help you.

Wild prediction?

With so many vendors jumping on the SASE bandwagon, who will become the clear leader in this space? I think one that has not even entered the market yet: Microsoft. Microsoft is pushing into the security space and sooner or later will start acquisitions in this space. Perhaps Palo Alto Networks is a good buy! Watch this space…