Organizations worldwide have been eager to embrace remote work and cloud resources alongside their on-premises users and applications. Gartner projects that 74% of organizations will sustain remote or hybrid work permanently. Similarly, IDC reports that at least 80% of organizations will continue to embrace hybrid cloud environments in the long term.

Historically, most organizations have used a hub-and-spoke network to connect users, sites, and apps, and “castle-and-moat” security, built with firewalls and VPNs, to try to defend that network. Physical appliance stacks deployed in their data centers provide both their networking and security.

But for organizations embracing remote work and cloud apps, these methodologies create challenges around cost, risk, and more. Extending the network to more users, sites, and clouds, and trying to secure that network with an ever-expanding perimeter, is complex and prone to countless hurdles.

Because of the incompatibilities between traditional architecture and modern work realities, organizations are increasingly turning to SASE and zero trust. The question is, do these two buzzwords truly deserve all their buzz?

SASE: A secure access service edge for the everywhere enterprise

Secure access service edge (SASE) is a joint model for networking and security. It combines wide-area network (WAN) capabilities with various security solutions, and delivers them together at the edge (as close to the user as possible). This means organizations do not have to backhaul traffic to hardware in their data centers. SASE aims to connect any user, anywhere, to any application or service—both securely and efficiently. In addition, advanced SASE offerings go beyond users to secure other entities—you can read more about that here.

SASE comprises two main components. For networking, software-defined wide-area network (SD-WAN) routes traffic more efficiently than traditional WAN (think MPLS). For security, security service edge (SSE) delivers security as a service at the edge; because SSE can be adopted on its own, it is often an organization's first step toward the full edge-delivered SASE model. SSE consolidates several leading security solutions, including:

Secure web gateway (SWG) for securing the use of the web
Cloud access security broker (CASB) for securing the use of SaaS
Zero trust network access (ZTNA) for securing the use of private applications
Firewall as a service (FWaaS) for protection across all ports and protocols
Data loss prevention (DLP) for classifying and protecting data
And more

The consolidated, edge-delivered approach of SASE helps organizations:

Improve security posture and reduce risk through a single platform that enforces advanced, consistent, flexible policies
Enhance user experiences and productivity by delivering secure connectivity at the edge—rather than backhauling traffic and adding latency
Reduce complexity by eliminating security point products—this minimizes technology costs, boosts operational efficiency, and more (in fact, this approach helps organizations to reduce costs by 20-30% on average, per Forrester)

Zero trust: The ideal approach to cybersecurity

While many call zero trust a framework, a paradigm, or a methodology, it is perhaps best thought of as an architecture. It eliminates excessive permissions by applying the logic of “never trust; always verify” to every access attempt in an organization.

Access is governed by risk, which is determined by access context, and continuous monitoring ensures that changes to context and risk are incorporated into automated policy decisions in real time. This enables the enforcement of least-privileged access, whereby an authorized user is connected only to the resource they need, when they need it, and nothing more.

This zero trust requirement for granular, direct-to-app access is at odds with perimeter-based architectures, which grant excessive permissions by giving users and other entities access to the entire network. You can read more about the risks of that network-centric approach here.
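The two paragraphs above describe a policy decision point: access is decided per application from identity, device posture and risk, re-evaluated as context changes, and never widened into access to "the network". The following toy policy engine is an added illustration of that logic, not Zscaler code and not any product's API. The application names, group names, posture fields, risk scores and thresholds are all assumptions constructed for the example.

```python
"""
Toy zero trust policy decision point (PDP).

Added illustration only; not Zscaler code. The app names, groups, posture
fields and risk thresholds are assumptions chosen for the example.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    """Everything the PDP knows about one access attempt (constructed fields)."""
    user: str
    groups: frozenset
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    risk_score: int  # 0 (clean) .. 100 (hostile), from a hypothetical risk engine


@dataclass(frozen=True)
class AppPolicy:
    """Per-application rule: who may reach this one app, under what posture."""
    name: str
    allowed_groups: frozenset
    require_managed_device: bool = True
    max_risk: int = 40


# Hypothetical application inventory. Each app is an individual target;
# there is no shared network that access to one app would imply access to.
POLICIES = {
    "payroll": AppPolicy("payroll", frozenset({"finance"})),
    "wiki": AppPolicy("wiki", frozenset({"staff"}), require_managed_device=False, max_risk=70),
    "hr-db": AppPolicy("hr-db", frozenset({"hr"})),
}


def evaluate(app: str, ctx: Context) -> tuple[Decision, str]:
    """Decide one (entity, app) pair. Default deny; every check must pass."""
    policy = POLICIES.get(app)
    if policy is None:
        return Decision.DENY, "unknown application (default deny)"
    if not ctx.mfa_verified:
        return Decision.DENY, "identity not verified with MFA"
    if not (policy.allowed_groups & ctx.groups):
        return Decision.DENY, f"{ctx.user} not entitled to {app}"
    if policy.require_managed_device and not (ctx.device_managed and ctx.device_patched):
        return Decision.DENY, "device posture below policy for this app"
    if ctx.risk_score > policy.max_risk:
        return Decision.DENY, f"risk {ctx.risk_score} exceeds {policy.max_risk} for {app}"
    return Decision.ALLOW, f"{ctx.user} -> {app} only"


class Session:
    """A brokered one-to-one connection, re-checked whenever context changes."""

    def __init__(self, app: str, ctx: Context):
        self.app = app
        self.decision, self.reason = evaluate(app, ctx)

    @property
    def active(self) -> bool:
        return self.decision is Decision.ALLOW

    def update_context(self, ctx: Context) -> Decision:
        """Continuous evaluation: a posture or risk change can end a live session."""
        self.decision, self.reason = evaluate(self.app, ctx)
        return self.decision


# Constructed sample: a finance user on a healthy, managed laptop.
ALICE = Context(user="alice", groups=frozenset({"staff", "finance"}), mfa_verified=True,
                device_managed=True, device_patched=True, risk_score=10)


def demo() -> dict:
    """Run the scenarios the text describes; returns the decisions for checking."""
    session = Session("payroll", ALICE)
    granted_payroll = session.active
    # Being connected to payroll carries no access to a neighbouring app.
    lateral, _ = evaluate("hr-db", ALICE)
    # Mid-session, the device falls out of compliance and risk climbs.
    degraded = replace(ALICE, device_patched=False, risk_score=65)
    after_change = session.update_context(degraded)
    return {
        "payroll": granted_payroll,
        "lateral_to_hr_db": lateral,
        "after_posture_change": after_change,
        "wiki_on_degraded": evaluate("wiki", degraded)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the code shows that the prose only states: the decision is made per (entity, app) pair, so an allow for payroll says nothing about hr-db, and the same session is re-decided when posture or risk changes, so the payroll connection is cut while the low-sensitivity wiki stays reachable under the degraded context.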

A platform that provides zero trust architecture (like the Zscaler Zero Trust Exchange) provides secure any-to-any connectivity in a one-to-one fashion—without extending the network to anyone or anything. Think of a zero trust platform as an intelligent switchboard. This direct connectivity is accomplished through a cloud native proxy architecture that delivers zero trust security as a service and at the edge. Unlike traditional, perimeter-based architectures that focus on defending the network, zero trust architecture:

Minimizes the attack surface by eliminating firewalls and their public IP addresses, which threat actors can find and target over the internet. It replaces risky inbound connections with inside-out connections that hide your applications behind a zero trust cloud.
Stops compromise with full inline traffic inspection to identify and block threats in real time. A high-performance cloud—unlike a static hardware or virtual appliance—can inspect even encrypted traffic at scale. This is critical as more than 87% of threats now hide in encrypted traffic.
Eliminates lateral threat movement by granting users and other entities least-privileged access directly to authorized applications. No one and nothing connects to the network as a whole—if they did, they would be able to access the resources connected to that network.
Prevents malicious and accidental data loss through the same cloud-powered encrypted traffic inspection mentioned above. Additionally, as a zero trust platform secures any-to-any connectivity, it can provide least-privileged access to sensitive data and secure any data leakage path.
Enhances digital experiences and productivity through a high-performance, global security cloud that connects users directly to apps. This eliminates the need to backhaul traffic to a distant data center, minimizing latency.
Reduces operational complexity by consolidating point products into one comprehensive platform and allowing you to replace convoluted networking infrastructure with simpler zero trust networking.
Saves money by minimizing management overhead, optimizing technology costs, avoiding data breaches (which cost US$4.88 million each on average, per IBM), and more.

SASE and zero trust: Similarities and differences

SASE and zero trust have some significant areas of overlap, as you can see:

SASE delivers security and connectivity as a joint service at the edge
Zero trust architecture delivers secure, least-privileged, any-to-any connectivity as a service at the edge

Both also improve security and user experiences while reducing complexity and costs. Yet despite all this overlap, SASE and zero trust are not just synonyms. There are two important distinctions that need to be made.

Deployment and delivery

Most SASE offerings are deployed as virtual appliances in clouds like Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). Zero trust, meanwhile, is delivered as a cloud native service from a purpose-built security cloud.

This difference is crucial because overseeing virtual appliances still entails maintenance, takes time from admins, and increases management overhead. With zero trust, however, the vendor handles change implementation for their cloud, saving the customer the burden. As a result, zero trust provides greater simplification and cost reduction than SASE.

Risk reduction

More importantly for security, SASE and zero trust provide different degrees of risk reduction.

With a perimeter-based, network-centric architecture, a trusted network connects users, devices, clouds, apps, and locations, and security efforts focus on protecting said network with a defensive perimeter (hence the name castle-and-moat security). Apps reside on the network, and to access them, entities need to be connected directly to that network.

This increases risk in four key ways: It expands the attack surface, enables compromise, permits lateral threat movement, and fails to stop data loss, all of which are explained at length here. While zero trust decouples security and connectivity from the network and overcomes these four weaknesses, that’s not necessarily the case with SASE.

SASE aims to provide secure access as a service at the edge, but the question is: Access to what? Unfortunately, most SASE offerings are still network-centric—that is, they entail network access and rely on traditional tools like firewalls (which take the same perimeter-based approach, even if they are next-generation firewalls (NGFWs) deployed as appliances in the cloud).

In essence, zero trust can meet the demands of SASE, but the inverse is not true. Zero trust can deliver secure (least-privileged) access as a service at the edge, but most SASE offerings cannot provide zero trust security that retires network-centric architectures.

Zero Trust SASE: Bringing SASE and zero trust together

SASE offerings from firewall vendors ultimately can’t help you transform your security and connectivity into true zero trust. So, if you are among the 60% of organizations identified by Gartner that are looking to check the boxes for both SASE and zero trust, make sure you deploy a comprehensive zero trust architecture that provides Zero Trust SASE.

To learn more about zero trust, sign up for our three-part webinar series, “Zero Trust, from Theory to Practice.” The series will guide you through your entire zero trust journey, from learning introductory concepts all the way to implementing the architecture.

To learn more about Zero Trust SASE and how you can achieve it with Zscaler, read our at-a-glance data sheet.  
