What Comes First - SASE vs Zero Trust?
Published: July 5, 2017
First, let’s talk about SASE. Because many people wonder if SASE is really where the market is headed. SASE stands for Secure Access Service Edge. It's an architecture that Gartner has defined. At its most simple level, Gartner’s characterization of SASE is a system that combines security functions with wide area network capabilities.
If you ask the analysts, SASE is an emerging market. Think of it ultimately like this: SASE is a good way to explain the paradigm shift that needs to happen in terms of how enterprises look at their security architecture. Networks are going to need more security right at the edge, and the best way to do that is to build it into the system itself.
Having been supercharged by the recent waves of digital transformation, traffic patterns have changed dramatically in recent years. Even for enterprises lagging behind, the pandemic has made it clear that a viable digital strategy has become the only way moving forward
Enterprises have employees who are increasingly distributed. So are their applications. They don't sit only in their own data center anymore: the modern setup is that applications are cloud-agnostic and reside across multiple Cloud providers. Enterprises also potentially have many applications, and every employee, customer, partner, or contractor needs to have secure access to them.
Instead of having a clear traffic pattern, all of this can look like a big mess due to the need to provide user access to specific applications. Some people call it a matrix, but really, it’s a mess. So, a traditional “firewall in your DMZ” in front of your applications does not work anymore. And that’s a major motivator to consider when redesigning your network and security architecture in the SASE style.
SASE is essentially a combination of existing technologies that are put together differently. On the networking side, the key building blocks are Software Defined Wide Area Network (SD-WAN) and Zero Trust Network Access (ZTNA). As SASE is an architectural approach, the Zero Trust approach with ZTNA needs to go way beyond a glorified virtual private network (VPN) replacement.
Zero Trust is the crucial principle that comes with the networking technologies of SD-WAN. Adopting ZTNA when building out a SASE architecture integrates the network and security in a way that hasn’t happened before. In most iterations previously, security was a bolt-on component. Today, in a SASE environment, security is built-in.
A key concept of Zero Trust is called “least-privilege access.” Essentially, this means granting users only as much access as they need, which means all access is based on a need-to-know basis. At a company, a user only gets access to the information that their job function requires, regardless of their security clearance level or other approvals. If implemented properly, this dramatically reduces the attack surface and exposure. This concept is vital: it should be applied to application access from anywhere in the enterprise: a remote office or branch, the main campus, you name it.
In addition to that ongoing validation and continuous monitoring, standard security practices also need to be applied here. Another standard practice of a Zero Trust architecture is to leverage identity, both users and devices, to grant access specifically to not only what resources and applications are required but also to segment users, groups, and applications into small (micro- or hyper-) segments. The segmentation further limits exposure and prevents lateral movement of threats.
The ultimate goal must be to implement a Zero Trust model to enable users to work effectively and not create obstacles in daily operations. Extreme’s Infinite Enterprise consumer centricity concept is key here: if the customer’s needs are not met, and security is put on top of the solution rather than incorporated, the system won’t work, even if it remains secure. Instead, a solution built into the system with the customer needs in mind both drives productivity and increases adoption. So there should be a preference for the solutions and architectures which provide customer-centricity as a guiding principle in Zero Trust solutions.
Let’s dig deeper into the three tenets we use here at Extreme to describe the Infinite Enterprise. The first is infinite distributed connectivity. People are spreading out over the world and moving away from the center. But they want the same experience. So, it doesn’t matter if you’re a campus, hospital, a retail outlet, work from home, or the road: The network increasingly needs to reach people wherever they are. Network connectivity and reliable access in this environment are pivotal as a result.
Enterprises must effectively manage and scale dynamically up in the environment’s operations but also scale down to the individual. The only way to do this is to use Cloud Technologies. We call that building at scale, and it’s the second tenet of the Infinite Enterprise.
The third element is being consumer-centric. Once we’ve understood that people are distributed and building at scale to reach them is necessary, we must build a system they will want to use because it serves their needs. As mentioned above, customer-centricity is key to driving adoption and preference. People will only want to use a network if it is easy to use and secure at the same time.
Is building a SASE environment achievable? Is there a need for SASE architecture? I think the answer is yes to both questions. The Gartner definition is a very effective way to describe the needs of the enterprise moving forward. There's certainly a need to provide security and secure access in a different way at the edge.
The question becomes then, how do you build it? There are many ways to approach building a SASE system. There will be a need for custom solutions for many companies and industries. Some companies will need complete ecosystems for a SASE setup to function properly.
I think everybody needs to take a closer look at their system. Some components might be reusable. The same is true for your operational model and your security architecture overall. There’s probably not a one-size-fits-all solution.
History has shown is that if there's something new, it's unlikely that merging your legacy system makes sense. Most of the time, what often does work is building a parallel universe, where you start migrating users and applications over, and then you de-activate the old platforms over time. That’s likely going to be the approach for companies that need to create a SASE architecture.
But in this case, why we need SASE is as compelling as how we will build it.