Zero Trust and SASE have become top of mind for many organizations globally in the past year as business models changed overnight to accommodate a remote workforce, bringing an expanded attack surface. Zero Trust is an enterprise-wide strategy to eliminate risk to the business, whereas SASE provides guidance for vendors to design effective security solutions for the future. While SASE outlines what a solution should have to provide secure access at the edge, other Zero Trust requirements on effective monitoring of threats to the business, continuous maintenance of the environment, and aligning solutions to governance and compliance requirements go beyond any single technical solution.  

While organizations continue to seek implementation of both, they must understand their similarities and most importantly, how they reinforce each other. When reading Gartner’s research on SASE, businesses may think implementing SASE will also implement Zero Trust. This is not a complete approach and it takes multiple initiatives for organizations to properly implement each. Here we’ll discuss these similarities and additional initiatives for successful implementation.

The alignment and significance of identity

Because Zero Trust eliminates trust from all access attempts, one may think that identity doesn’t play a role in any Zero Trust strategy. To gain confidence in the communications, and provide access to the appropriate data set, trust algorithms must have access to historical data stores and identity engines. SASE requires identity to drive policy changes based on access requirements. For example, an IoT device accessing a cloud resource versus a business user accessing a private banking application require different levels of identity. In all access cases, knowing who is accessing what requires that the ‘who’ and ‘what’ be identified. As Gartner states: “The identity of a user/device/service is one of the most significant pieces of context that can be factored into the policy that is applied.” They then mention other sources of context that should be evaluated, such as the location of the identity, time of day, risk/trust level, and data/application sensitivity being accessed, which align perfectly with a Zero Trust strategy.

Shared principles of Zero Trust Network Access (ZTNA)

ZTNA focuses on providing whitelisting capability for access to services. This is undoubtedly why it is considered one of the core components of SASE. Zero Trust is based on a set of principles or tenets. One of these tenets is that all network flows are authenticated before being processed, and that access is determined by dynamic policy. Another tenet requires authentication and encryption applied to all communications independent of location and that security must be performed at the application layer closest to the asset. These alone are foundational to ZTNA. ZTNA secures access to services at the application layer (layer 7), rather than a complete network, like traditional remote access VPN implementations. Therefore, it provides for the means to only give authorized and authenticated users access to approved applications.

Dynamic policies and context-aware trust levels

A tenet of Zero Trust is that access is determined by dynamic policy. Another tenet of Zero Trust is that technology is utilized for automation in support of user/asset access and other policy decisions. This monitoring of user and device behaviors along with automation that drives policy changes is an important part of SASE. Gartner writes that emerging leaders in SASE will embrace a strategic approach to ensure their solution monitors sessions continuously, analyzing for risk levels referencing user entity behavior analytics (UEBA) capabilities, and are “capable of adaptive responses as a user’s behavior is analyzed and subsequent risk increases, or as a device’s trust decreases.” Gartner stops short of detailing what should be done to establish trust and how trust levels should be scored, but they do document that the trust level should be context-aware, which is a recommended approach of Zero Trust.

Satisfying the need for a trust and risk engine

Core components of SASE include SD-WAN, secure web gateway (SWG), ZTNA, firewall-as-a-service and cloud application security broker (CASB). One thing that often becomes overlooked is that a SASE solution needs to have the ability to identify sensitive data, and encrypt and decrypt content with continuous monitoring for risk and trust levels. Zero Trust eliminates trust from all network communications and seeks to gain confidence that the communications are legitimate. This level of confidence is applied using trust levels and scoring techniques. Therefore, the implementation of a trust/risk engine that applies contextual scoring capabilities is crucial in a Zero Trust Authorization Core, and SASE provides a means to accomplish this through core component technology.

Because SASE is essentially built upon principles of Zero Trust, Zero Trust is a key cornerstone to SASE. As a result, strategies behind each will continuously overlap, but be mindful that SASE cannot be seen solely as the fast-lane approach to implementing Zero Trust and will require multiple strategies for complete implementation.