Network security architectural best practices are undergoing a dramatic shift. The long-forecasted move away from perimeter protection as a primary focus of network architectures seems to finally be underway as two new buzzwords shift into the consciousness of cybersecurity professionals: zero-trust network access and Secure Access Service Edge.
Simply put, the old network security method of using a drawbridge and moat to protect the castle doesn't cut it nowadays. Virtualization, cloud computing and remote workers have shifted the placement of the moat, and the moat doesn't necessarily protect against risks from inside the castle itself.
Zero-trust network access, also known as ZTNA, and Secure Access Service Edge, also known as SASE, are two approaches that are gaining steam as organizations seek to better secure their increasingly dispersed remote workforces against attack. Let's take a look at each of these architectural approaches and how they might work together to enhance your organization's cybersecurity posture.
What is zero-trust network access?
Zero trust is the more established of the two philosophies. Coined in 2010 by Forrester Research, it applies the longstanding security principle of least privilege (POLP) to network access. It does so in a manner that doesn't make the same assumptions about trust used in past architectures.
Specifically, the core operating principle of ZTNA is that no user or device should ever be granted access to resources based solely upon location on the network. Gone are the days of granting application access based on IP addresses or other network-based criteria.
Instead, ZTNA recognizes that, in today's operating environment, both users and sensitive data may be located anywhere: in a corporate office, at home, in the cloud or on the road. The zero-trust model replaces the network-focused access control approach with strong authentication and authorization technology that enables administrators to apply granular access controls. These controls permit users to access specific applications based upon their specific role(s) in the organization. The controls also are instrumental in protecting the network from incoming risks from outside the network, as well as risks inside the network, such as insider threats -- be they malicious or negligent.
A zero-trust network security approach not only simplifies network requirements, but also easily adapts to the flexible nature of today's technology environment. ZTNA enables users to access services, regardless of where on the network either the user or the service is located, while strictly enforcing the principle of least privilege.
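To make the contrast between location-based and identity-based access concrete, the following is an added example, not code from any ZTNA product: it evaluates the same requests under a perimeter rule and under a zero-trust rule. The network range, roles, application names and sample requests are all assumptions constructed for the illustration.

```python
# Added illustration: perimeter (IP-based) check vs. a zero-trust check.
# All names, roles, apps and addresses below are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORPORATE_NET = ip_network("10.0.0.0/8")  # assumed "inside the moat" range

# Least privilege: each role maps only to the applications it needs.
ROLE_APPS = {
    "finance": {"payroll"},
    "engineer": {"source-control", "ci"},
}


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset      # roles asserted by the identity provider
    authenticated: bool   # strong authentication succeeded
    source_ip: str
    app: str


def perimeter_allows(req: Request) -> bool:
    """Legacy model: trust anything that originates inside the network."""
    return ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_allows(req: Request) -> bool:
    """ZTNA model: location is ignored; identity and role decide per app."""
    if not req.authenticated:
        return False
    return any(req.app in ROLE_APPS.get(role, set()) for role in req.roles)


# Constructed sample requests.
INSIDER = Request("bob", frozenset({"engineer"}), True, "10.1.2.3", "payroll")
REMOTE = Request("alice", frozenset({"finance"}), True, "203.0.113.7", "payroll")
UNAUTH = Request("unknown", frozenset(), False, "10.9.9.9", "ci")

if __name__ == "__main__":
    for r in (INSIDER, REMOTE, UNAUTH):
        print(r.user, r.app, "perimeter:", perimeter_allows(r),
              "zero-trust:", zero_trust_allows(r))
```

The perimeter rule admits the internal engineer to payroll and the unauthenticated internal device to CI while rejecting the remote finance user; the zero-trust rule reverses all three decisions.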
What is Secure Access Service Edge?
SASE is a newer approach to networking and network security that builds on the ZTNA model in an attempt to deliver a fully integrated network. This cloud architecture model, introduced by Gartner in 2019, combines multiple cloud network and cloud security functions together, delivering them as a single cloud service.
SASE combines software-defined WAN and other networking services and functions, including the following:
- cloud access security brokers
- firewall as a service
- secure web gateways
SASE's aim is to blend these services and technologies to build a cloud-aware and cloud-based secure network.
The SASE model is especially appealing to organizations that make heavy use of the cloud and cloud services or are on a path to the cloud. This includes distributed organizations -- for example, those with branch locations and dispersed end users, as well as businesses with IoT and edge deployments.
Not ZTNA vs. SASE, but ZTNA and SASE
Think of SASE as a higher-level design philosophy than ZTNA. They are not separate or competing network security models; rather, ZTNA is part of an overall SASE architecture.
Note, however, that, while zero-trust implementation may be a short- to medium-term objective for network architects, SASE is a long-term goal. Organizations may decide today that they buy into the SASE approach and then move to slowly evolve their network and network security stacks toward the SASE model. This will take time as designers move to replace outdated security technologies and better integrate those that remain. Note that moving to a SASE model both requires and enables a zero-trust approach to network security.
The bottom line for today's cybersecurity professionals is that both zero trust and SASE are trends to watch closely and integrate into forward-looking architectural decisions. Organizations should plan to adopt zero-trust principles in the short term to better secure remote workforces accessing both cloud-based and on-premises services. At the same time, they should view all new networking projects through the lens of creating an environment that will support SASE down the road.