SASE and Zero Trust: What’s the Connection?

November 12, 2021
| |
3 min read

Many organizations find themselves in a tricky spot today when it comes to digital transformation. With many looking to zero trust, how does Secure Access Secure Edge (SASE) fit in?

On the one hand, the events of 2020 helped to speed up many digital adoption projects. A 2020 report from McKinsey found that more than half of executives were either investing in new tech to get ahead in the business world or were changing the focus of the entire business to embrace digital tools, for example.

On the other hand, businesses and agencies don’t always balance that growth with security. According to Ponemon’s Digital Transformation and Cyber Risk report, 82% of IT security and C-level leaders said that their employer had suffered at least one data breach tied to their digital transformation efforts.

This finding shows how hard it can be to meet security needs amid growing complexity. Those challenges include aligning security and the C-suite on ongoing digital transformation projects. They also involve working with third parties and not always aligning with them in terms of security. Per the report, 58% of survey respondents said they lacked a risk management program for their third parties. About the same proportion (56%) said that they didn’t know whether their third parties’ policies and procedures helped to safeguard their information.

The Emergence of SASE

The meeting of digital transformation and growing complexity has rendered many older approaches to digital safety moot. The problem is that no one approach can provide comprehensive coverage on its own. Want to manage access in a dynamic fashion? That will be even harder.

Hence the emergence of SASE. Coined by Gartner in December 2019, SASE “combines network security functions … to support the dynamic secure access needs of organizations. These capabilities are delivered primarily aaS [as a service] and based upon the identity of the entity, real-time context and security/compliance policies.”

How ZTNA Works 

One of the core functions on which SASE relies is Zero Trust Network Access (ZTNA). This construct blends together the principle of least privilege with access controls to help secure networks against digital threats. In that sense, ZTNA coheres with SASE in that it seeks to curb the network permissions that help to expose applications, systems and data. It does this by promoting the use of microsegmentation tools and software-defined perimeter (SDP) tech, solutions that can help to prevent threat actors from moving sideways across the network from one access point to the next.

That’s not the only way in which ZTNA and SASE support each other. They also come together around the idea of protecting browser software against malicious websites. For its part, ZTNA doesn’t permit websites to freely interact with an endpoint’s browser software. Meanwhile, SASE uses remote browser isolation tech to remotely conduct web browsing in a virtual browser through the cloud. This helps to protect endpoints against suspicious website code, active content and downloads.

Despite how similar they may sound, SASE and ZTNA aren’t the same things. SASE provides insight into how vendors can design security solutions for the future, while ZTNA helps get rid of business risk across the infrastructure. Sure, a plan for either can lead your business to embrace elements of the other. But SASE does not enable security teams to implement ZTNA more quickly. Nor is enabling ZTNA the only thing SASE can do.

Partnerships Driving SASE

No one organization can provide everything you need to achieve SASE. That’s why vendor partnerships are so important. In August 2021, for instance, IBM Security partnered with Zscaler to deliver SASE services. Together, they can “help deliver a fully managed transformation to a cloud-based SASE architecture, a key element of a zero trust security posture.” That’s a key part of a more holistic approach to cybersecurity. 

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...
read more