The difference between SASE and Zero Trust

April 9, 2021 | Derrick Johnson


Customers often ask me: What is the difference between Zero Trust and SASE? My answer is almost always the same: nothing, and everything. Both have taken the industry by storm over the last couple of years, and even more so with the security and access demands that a largely remote workforce has placed on the business, but they take different implementation approaches. It is important to understand that one does not fully provide the other; in fact, they reinforce each other. As you read through Gartner's research that introduced SASE to the network and cybersecurity world, you'll note a number of similarities that can lead you to believe that implementing SASE also implements Zero Trust. While that may be true in part, it is not a complete approach. And just as there is no single product that will get you to Zero Trust, there is no single product that fully meets Gartner's vision for SASE.

Zero Trust Network Access (ZTNA)

One key area of similarity is ZTNA. ZTNA provides allow-list (whitelist) based access to individual services, which is undoubtedly why it is considered one of the core components of SASE. Zero Trust is based on a set of principles, or tenets. One of these tenets is that all network flows are authenticated before being processed, and that access is determined by dynamic policy. Another requires that authentication and encryption be applied to all communications regardless of location, and that security be enforced at the application layer, as close to the asset as possible. These alone are foundational to ZTNA. ZTNA brokers access to services at the application layer (layer 7) rather than granting access to an entire network, as traditional remote-access VPN implementations do. It therefore provides the means to give authenticated and authorized users access only to the specific applications they have been approved for.

Monitoring for risk and trust levels

Gartner lists the core components of SASE as SD-WAN, secure web gateway (SWG), ZTNA, firewall as a service (FWaaS) and cloud access security broker (CASB). One thing that often gets overlooked in their research is that a SASE solution also needs to be able to identify sensitive data, and to encrypt and decrypt content with continuous monitoring for risk and trust levels. Zero Trust removes implicit trust from all network communications and instead seeks to gain confidence that each communication is legitimate. That confidence is expressed (ironically) as trust levels, derived through scoring techniques. A trust / risk engine that applies contextual scoring is therefore crucial in a Zero Trust Authorization Core, and SASE provides a means to accomplish this through its core component technology.

Dynamic secure access

As stated earlier, a tenet of Zero Trust is that access is determined by dynamic policy. Another is that technology is used to automate user/asset access and other policy decisions. This monitoring of user and device behavior, combined with automation that drives policy changes, is also an important part of SASE. Gartner writes that emerging leaders in SASE will take a strategic approach to ensure their solution monitors sessions continuously, analyzing risk levels with user and entity behavior analytics (UEBA) capabilities, and is "capable of adaptive responses as a user's behavior is analyzed and subsequent risk increases, or as a device's trust decreases." Gartner stops short of detailing how trust should be established and how trust levels should be scored, but they do document that the trust level should be context-aware, which is also the recommended approach in Zero Trust.

Identity at the heart

The word "identity" appears 21 times within Gartner's SASE research, which even depicts "The SASE Identity-Centric Architecture". Since Zero Trust eliminates implicit trust from all access attempts, one might think that identity plays no role in a Zero Trust strategy; the opposite is true. To gain confidence in a communication and grant access to the appropriate data set, trust algorithms must have access to historical data stores and identity engines. SASE likewise requires identity in order to drive policy changes based on access requirements. For example, an IoT device accessing a cloud resource and a business user accessing a private banking application require different levels of identity assurance. In every access case, knowing who is accessing what requires that both the 'who' and the 'what' be identified. As Gartner states: "The identity of a user/device/service is one of the most significant pieces of context that can be factored into the policy that is applied." They then mention other sources of context that should be evaluated, such as the location of the identity, the time of day, the risk/trust level, and the sensitivity of the data or application being accessed, all of which align with a Zero Trust strategy.
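To make the preceding three sections concrete (the ZTNA per-application allow-list, the contextual trust / risk engine in the authorization core, and the identity-plus-context policy inputs Gartner lists), here is a small policy decision point written for this article as an added illustration. It is not code from the article, from Gartner, or from any vendor's product. The subjects, applications, weights, thresholds, countries and business hours are all assumptions chosen for the example; a real engine would pull these from an identity provider, device management, a UEBA feed and a data classification service.

```python
# Added example: a toy Zero Trust / ZTNA policy decision point that checks a
# per-application allow-list first, then computes a context-aware trust score
# from identity assurance, device posture, location, time of day and UEBA risk,
# and returns allow / step-up / deny against thresholds that depend on the
# sensitivity of the application being accessed. All data here is assumed.
from dataclasses import dataclass, replace
from typing import Literal

Assurance = Literal["password", "mfa", "cert"]
Sensitivity = Literal["public", "internal", "restricted"]
Decision = Literal["allow", "step_up", "deny"]

# ZTNA allow-list (assumed): which subjects may reach which applications.
ENTITLEMENTS: dict[str, set[str]] = {
    "alice": {"banking", "wiki"},       # a business user
    "sensor-042": {"telemetry"},        # an IoT device with a certificate identity
}
# Data / application sensitivity (assumed), another piece of policy context.
APP_SENSITIVITY: dict[str, Sensitivity] = {
    "wiki": "public",
    "telemetry": "internal",
    "banking": "restricted",
}
ALLOWED_COUNTRIES = {"US", "CA"}        # assumed geolocation policy
BUSINESS_HOURS_UTC = range(8, 18)       # assumed time-of-day policy

# Per sensitivity: minimum score to allow outright, minimum score to allow
# after step-up authentication; anything lower is denied. Assumed values.
THRESHOLDS: dict[Sensitivity, tuple[int, int]] = {
    "public": (20, 10),
    "internal": (55, 35),
    "restricted": (80, 60),
}


@dataclass(frozen=True)
class AccessRequest:
    subject: str              # who (user, service or device identity)
    assurance: Assurance      # how that identity was proven
    device_managed: bool      # device enrolled in management, posture known
    device_patched: bool      # posture check result
    country: str              # where the request comes from
    hour_utc: int             # when (0-23)
    app: str                  # what is being accessed
    ueba_risk: float = 0.0    # 0.0 normal .. 1.0 anomalous, from a UEBA feed


def trust_score(req: AccessRequest) -> int:
    """Contextual score in [0, 100]; higher means more confidence the request is legitimate."""
    score = {"password": 15, "mfa": 40, "cert": 35}[req.assurance]
    score += 20 if req.device_managed else 0
    score += 10 if req.device_patched else 0
    score += 15 if req.country in ALLOWED_COUNTRIES else 0
    score += 10 if req.hour_utc in BUSINESS_HOURS_UTC else 0
    # Behavioural anomalies lower confidence; this is what makes the policy adaptive.
    score -= round(40 * max(0.0, min(1.0, req.ueba_risk)))
    return max(0, min(100, score))


def decide(req: AccessRequest) -> tuple[Decision, int]:
    """Return (decision, score). The allow-list is enforced before any scoring."""
    if req.app not in ENTITLEMENTS.get(req.subject, set()):
        return "deny", 0                     # not entitled: the app is simply not reachable
    sensitivity = APP_SENSITIVITY[req.app]
    score = trust_score(req)
    if sensitivity == "restricted" and not req.device_managed:
        return "deny", score                 # hard requirement no score can override
    allow_at, step_up_at = THRESHOLDS[sensitivity]
    if score >= allow_at:
        return "allow", score
    if score >= step_up_at:
        return "step_up", score              # e.g. re-prompt for MFA before continuing
    return "deny", score


def reevaluate(req: AccessRequest, new_ueba_risk: float) -> tuple[Decision, int]:
    """Continuous evaluation of an existing session as its UEBA risk changes."""
    return decide(replace(req, ueba_risk=new_ueba_risk))


if __name__ == "__main__":
    alice = AccessRequest("alice", "mfa", True, True, "US", 10, "banking")
    print(decide(alice))                            # ('allow', 95)
    print(reevaluate(alice, 0.5))                   # ('step_up', 75): behaviour turned anomalous mid-session
    sensor = AccessRequest("sensor-042", "cert", False, True, "US", 3, "telemetry")
    print(decide(sensor))                           # ('allow', 60): enough for an internal app
    print(decide(replace(sensor, app="banking")))   # ('deny', 0): not entitled, regardless of score
```

Two design points are worth noting. The entitlement check runs before scoring, so a high-trust subject still cannot reach an application it was never approved for, which is the ZTNA part; and the same request can move from allow to step-up or deny purely because the UEBA risk input changed, which is the adaptive, context-aware behaviour Gartner describes and Zero Trust requires.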

These are just a few of the similarities between SASE and Zero Trust, but there are differences as well. Zero Trust is an enterprise-wide strategy to reduce risk to the business, whereas SASE provides guidance to vendors on designing effective security solutions for the future. While SASE outlines what a solution should have in order to provide secure access at the edge, other Zero Trust requirements, such as effective monitoring of threats to the business, continuous maintenance of the environment, and aligning solutions to governance and compliance requirements, go beyond any single technical solution.

SASE is essentially built upon the principles of Zero Trust, making Zero Trust a cornerstone of SASE. An implementation strategy for Zero Trust will lead to many SASE elements falling into place, and a SASE implementation plan will require Zero Trust principles in developing the security policies that drive access. But since SASE policies go beyond security to also govern quality of service (QoS), path selection, dynamic routing, traffic shaping, and cost and latency optimization, among other network-centric policies, SASE cannot be seen solely as a fast lane to implementing Zero Trust.


About the Author: Derrick Johnson

Derrick Johnson is the National Practice Director for Cyber Operations within AT&T Cybersecurity Consulting, responsible for its direction and overall business performance. Derrick's practice provides strategic and tactical cybersecurity consulting services around next-generation network and cloud security architectures including Zero Trust Networking and SASE, cybersecurity operations consulting, cyber transformations, mobility/IoT and endpoint security and threat and vulnerability management among other initiatives. Derrick is a Certified Information Systems Security Professional (CISSP) and a Forrester Certified Zero Trust Strategist who joined the AT&T Cybersecurity Consulting team through the acquisition of the VeriSign Global Security Consulting business, which was completed in October 2009. Prior to working for VeriSign, Derrick was the Global Information Security Officer for Stream International; a global business service provider specializing in customer relationship management services. Prior to Stream, Derrick was a Senior Associate on KPMG’s Information Risk Management team, specializing in Information Security Services. Before becoming a consultant Derrick spent four years in systems and network engineering, with a role as a Senior Network Engineer with America OnLine, performing network engineering and administration for America OnLine’s Advanced Network Services (ANS) team. Derrick earned his BS in Computer Engineering from Syracuse University.
