What Is SASE & How Does It Relate to Zero Trust Network Access (ZTNA)?
We go over the meaning of secure access service edge (SASE), the meaning of zero-trust network access (ZTNA), how they work together & more.
Security postures have seen a major paradigm shift in recent years. In the old paradigm, firewalls were the central points of trust. Everything behind a firewall was trusted and safe (or presumed to be safe), while everything outside of it was considered hostile and unsafe. Today, things are not nearly as simple. It’s difficult to protect the network perimeter when it’s almost impossible to define where that “perimeter” even lies.
This new cloud reality, coupled with the widespread remote work operations of 2020, has placed renewed emphasis on Secure Access Service Edge—better known by its acronym, SASE—for good reason.
What is SASE?
Secure Access Service Edge (SASE) is a cloud-delivered architecture that converges wide-area networking with network security services and grants access to applications and data based on the verified identity of the user or machine and the context of the request, rather than on where that user or machine sits on the network.
SASE was originally defined by Gartner in 2019 as “a new package of technologies including software-defined WAN (SD-WAN), secure web gateway (SWG), cloud access security brokers (CASB), Zero Trust Network Access (ZTNA), and firewall as a service (FWaaS) as core abilities, with the ability to identify sensitive data or malware and the ability to decrypt content at line speed, with continuous monitoring of sessions for risk and trust levels.”
At its core, SASE treats a verified identity, not a network location, as the anchor for every access decision. The number of devices connecting to corporate resources has grown rapidly, from personal laptops and smartphones to IoT devices and cloud services, so IT security teams have shifted their focus from defending a perimeter to authenticating each user and device individually. Enterprises are adopting a zero-trust mentality, where nothing is assumed to be safe until it has been verified.
This is where Secure Access Service Edge comes in. Let’s break it down:
“Secure Access” refers to the fact that laptops, phones, IoT devices, and workloads all need to connect to the network somehow. For those connections to be safe, each one must be strongly authenticated before it is granted anything.
“Service Edge” refers to the fact that these devices live at the network edge, in what would once have been called “outside the firewall.” Today the edge includes every asset, from laptops to APIs to mobile devices, and the practical way to protect it is to give each asset a verifiable digital identity: typically a certificate issued by a trusted CA and bound to a private key that the device alone holds.
Pronounced “sassy,” SASE solutions offer a flexible, multi-pronged approach suited to today’s IT landscape, which is complex by nature: hybrid and multi-cloud environments, a myriad of connected devices, and a distributed workforce. These solutions use digital identity to close the gaps that this complexity opens, chiefly the implicit trust that older, perimeter-based designs extended to anything already inside the network, and the approach carries over to whatever the enterprise IT landscape looks like next.
How does SASE work?
SASE works by combining SD-WAN, SWG, CASB, ZTNA, and FWaaS and by managing those solutions within a single set of security and identity policies. Let’s look at each of these components:
SD-WAN, or software-defined WAN, improves the performance and security of WAN connectivity, whether over private circuits, Internet broadband, LTE, or 5G, by applying policy to prioritize, route, and optimize traffic across the enterprise WAN.
SWG, or secure web gateway, protects users from web-based threats such as malware and drive-by downloads by inspecting outbound web traffic, blocking known-malicious and disallowed destinations, and enforcing corporate acceptable-use policies.
CASB, or cloud access security broker, identifies and protects sensitive data by sitting between cloud service users and the cloud applications they access. This lets organizations enforce security policies on cloud services that they do not directly control.
ZTNA, or zero-trust network access, provides secure, granular access control. ZTNA is a model in which trust is never granted implicitly and is continually re-evaluated; access is granted to a specific application for a specific verified identity, not to a network segment.
FWaaS, or firewall as a service, protects applications and data from unauthorized access through a cloud-based firewall with next-generation firewall (NGFW) capabilities, such as intrusion prevention (IPS), URL filtering, DNS security, and identity-aware access controls.
What are the benefits of SASE?
Digital transformation has given rise to a new era of enterprise security services. An important catalyst for SASE is the need to make disparate security solutions work together better. The modern enterprise is no longer dominated by a single technology stack, and enterprises can no longer focus only on securing data centers and providing protection inside a firewalled network.
Today’s complex environments now include mobile devices, multi-cloud, DevOps, BYOD, Internet of Things, and more. Naturally, you need strong authentication for each of those systems. In this expanding environment, identity is the new perimeter, and SASE is designed for that environment.
Beyond the strong identity security that SASE provides, enterprises can also realize the following benefits:
Greater flexibility
Rapid adoption of new technologies
Increased IT efficiency
Lower administrative costs
These solutions give organizations the flexibility to securely reach their applications and data wherever those are hosted, on-premises or in the cloud, and from wherever the user happens to be. The strong digital identity approach lets them grant fine-grained access and permissions to each user, device, and process in the network. That control allows organizations to rapidly adopt innovations such as SaaS applications, IoT devices, and remote access tools while locking down their infrastructure against attacks and keeping track of which users and systems can reach which applications and data.
Additionally, by consolidating all the networking and security functions traditionally delivered in point products and solutions, SASE architecture provides a single approach for IT administrators to manage their networks and security. This maximizes efficiency and productivity for IT teams by allowing them to define a single set of security policies and centrally manage multiple technologies against those policies.
Enterprises can also reduce administrative costs. SASE is typically delivered as a cloud service with a single management plane, which removes the need to buy, rack, and patch a separate appliance for each function. This reduces both capital expense projects and ongoing operating costs.
SASE vs ZTNA: differences, similarities and how they work together
Both SASE and ZTNA are important components of a modern security architecture, but they are not the same thing. SASE is a comprehensive, multi-faceted framework; ZTNA is a narrower model focused on controlling access to individual resources, and it is one of SASE’s components. Used together, they protect applications and data regardless of where the end user is.
Zero Trust Network Access, often used interchangeably with software-defined perimeter (SDP), means denying access to a resource unless the requesting user or machine is explicitly authorized for it. Because a compromised account or device is only ever granted the specific resources it was authorized for, the approach limits lateral movement and contains the damage of a breach. Moreover, the access rights of each identity are continually re-evaluated, and access is kept or withdrawn accordingly.
“Never trust, always verify” is the fundamental philosophy behind zero-trust networking, and it is the key difference between zero trust and other networking models. With Zero Trust, there are no implicit trust relationships. Instead, all end users and devices are treated as untrusted until they have been verified. This verification process is at the core of the zero-trust model. It is done through a combination of authentication, authorization, and inspection, and it is based on criteria such as the user’s identity, location, operating system and firmware version, and endpoint hardware type.
The benefits of a Zero Trust model are clear: improved security from closing gaps and controlling lateral movement on the network, and better support for mobile and remote employees. A zero-trust model also protects data in both the cloud and on-premises data centers, and it reduces the blast radius of ransomware, malware, phishing, and other advanced threats: a stolen credential or infected endpoint reaches only what its identity and posture entitle it to, rather than the whole network.
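The ZTNA component and the verification criteria above can be made concrete as a small policy engine. The following Go program is an added example written for this page, not Sectigo’s code or any product’s policy language. The resource names (ledger.internal, git.internal), the device ID, the group names, and the policy thresholds are all assumed for illustration. Each request for each resource is evaluated against the user’s identity (group membership, MFA, age of the login) and the device’s freshly reported posture (managed certificate, OS version, disk encryption, country), with a default deny when no rule matches. Because the same function runs on every request and every posture update, a change such as disk encryption being switched off mid-session withdraws access on the next evaluation, which is the continuous re-evaluation the text describes and what a VPN, deciding once at connection time, cannot do.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Principal is the user identity asserted by the identity provider at login.
type Principal struct {
	User     string
	Groups   []string
	MFA      bool      // a second factor was verified at AuthTime
	AuthTime time.Time // when the user last authenticated
}

// Device is the posture the endpoint agent reports. It is collected fresh for
// every evaluation, which is what makes the verification continuous.
type Device struct {
	ID            string
	ManagedCert   bool   // presented a certificate chaining to the corporate device CA
	OSVersion     string // e.g. "14.4"
	DiskEncrypted bool
	Country       string
}

// Rule grants exactly one resource to one group under posture conditions.
// Anything not granted by a rule is unreachable (default deny).
type Rule struct {
	Resource         string
	Group            string
	RequireMFA       bool
	MinOSVersion     string
	MaxAuthAge       time.Duration
	AllowedCountries []string // empty means any country
}

// Decision carries the verdict and the reason, which is what gets logged.
type Decision struct {
	Allow  bool
	Reason string
}

// examplePolicy is constructed for this example; hostnames and thresholds are hypothetical.
var examplePolicy = []Rule{
	{Resource: "ledger.internal", Group: "finance", RequireMFA: true,
		MinOSVersion: "14.2", MaxAuthAge: 12 * time.Hour, AllowedCountries: []string{"US", "GB"}},
	{Resource: "git.internal", Group: "engineering", RequireMFA: true,
		MinOSVersion: "14.0", MaxAuthAge: 8 * time.Hour},
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// versionAtLeast compares dotted numeric versions component by component.
func versionAtLeast(have, want string) bool {
	h, w := strings.Split(have, "."), strings.Split(want, ".")
	for i := 0; i < len(h) || i < len(w); i++ {
		hv, wv := 0, 0
		if i < len(h) {
			hv, _ = strconv.Atoi(h[i])
		}
		if i < len(w) {
			wv, _ = strconv.Atoi(w[i])
		}
		if hv != wv {
			return hv > wv
		}
	}
	return true
}

// Evaluate decides one request for one resource. It runs on every request and
// every posture update, not once at connection time as a VPN would.
func Evaluate(rules []Rule, p Principal, d Device, resource string, now time.Time) Decision {
	if !d.ManagedCert {
		return Decision{false, "device identity not verified"}
	}
	for _, r := range rules {
		if r.Resource != resource || !contains(p.Groups, r.Group) {
			continue
		}
		switch {
		case r.RequireMFA && !p.MFA:
			return Decision{false, "MFA required for " + resource}
		case now.Sub(p.AuthTime) > r.MaxAuthAge:
			return Decision{false, "authentication too old; re-authenticate"}
		case !versionAtLeast(d.OSVersion, r.MinOSVersion):
			return Decision{false, "OS version " + d.OSVersion + " below minimum " + r.MinOSVersion}
		case !d.DiskEncrypted:
			return Decision{false, "disk encryption disabled on " + d.ID}
		case len(r.AllowedCountries) > 0 && !contains(r.AllowedCountries, d.Country):
			return Decision{false, "access from " + d.Country + " not permitted"}
		}
		return Decision{true, p.User + " on " + d.ID + " granted " + resource}
	}
	// No rule matched: to this principal the resource does not exist.
	return Decision{false, "no rule grants " + resource + " to " + p.User}
}

func main() {
	now := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	alice := Principal{User: "alice", Groups: []string{"finance"}, MFA: true, AuthTime: now}
	laptop := Device{ID: "laptop-0042", ManagedCert: true, OSVersion: "14.4", DiskEncrypted: true, Country: "US"}
	fmt.Println(Evaluate(examplePolicy, alice, laptop, "ledger.internal", now))
	fmt.Println(Evaluate(examplePolicy, alice, laptop, "git.internal", now)) // not in engineering
	laptop.DiskEncrypted = false // posture drifts mid-session: the next evaluation revokes
	fmt.Println(Evaluate(examplePolicy, alice, laptop, "ledger.internal", now.Add(10*time.Minute)))
}
```

The first call is allowed; the second is denied because alice is not in the engineering group, and the resource is simply invisible to her; the third is denied on the very next evaluation after the posture change, without waiting for the session to expire. A real policy engine would pull the posture from an endpoint agent and the identity from an IdP token, but the shape of the decision is the same.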
The benefit of combining solutions
To put it simply, combining SASE and Zero Trust helps businesses with policy enforcement across their entire network. This approach provides several key benefits, including stronger network security, streamlined network management, lower costs, and a single view of the entire network.
SASE and ZTNA can also help businesses mitigate the risk of data breaches and reduce the attack surface. Combined, they replace the single network perimeter with a policy boundary around each application, so that only authorized users and devices reach sensitive data and systems, and those users and machines get only the resources they need to do their jobs.
Is SASE a VPN?
No, SASE is not a VPN (Virtual Private Network). A VPN provides an encrypted tunnel from the user’s device to the corporate network; once connected, the device is on that network and can typically reach whatever the network segment exposes, because the VPN makes one decision at connection time and none afterwards. SASE is a framework that makes a per-request, per-application decision based on identity and context, and SASE with ZTNA protects applications and data from unauthorized access in a way a network tunnel alone does not.
Since SASE includes ZTNA, it can be used alongside a VPN or replace it. Its ability to enforce least privilege in real time is particularly valuable for cloud security, with an increasingly remote workforce and cloud-native workloads. ZTNA’s major advantage over a VPN is granularity: enterprises can restrict access to individual applications, for a given user on a given device, rather than to a whole network.
How to manage digital identities within SASE
Applying SASE relies on a strong digital identity for every user, device, and process across the connected IT landscape. In this identity-first security model, each identity, human or machine, must be authenticated, and the sessions it establishes must be encrypted. Digital certificates issued by Certificate Authorities (CAs), such as Sectigo, are the underlying technology used to authenticate human and machine identities and establish digital trust.
Securing and managing identities within SASE solutions is not easily achieved considering the explosive growth in the volume, variety, and velocity of digital identities from new use cases, including hybrid and multi-cloud environments, digital signatures, DevOps containers, code, Robotic Process Automation (RPA), and other enterprise applications.
Together these challenges make manual identity management impractical at scale: without automation, certificates expire unnoticed, keys go untracked, and the network and its data are exposed to breach and theft. A 2021 EMA research study of IT executives found that 81% of enterprises find it challenging to manage digital identities.
The best way for CISOs and their teams to apply SASE and ensure digital trust now and in the future is to automate every single identity's lifecycle across the entire IT ecosystem. Certificate Lifecycle Management (CLM) is a comprehensive solution that automates the certificate lifecycle, from provisioning and deployment to revocation.
CLM ensures that all certificates are properly installed, monitored, and renewed, giving organizations the scalability, visibility, and control they need to keep their digital environments safe and compliant under SASE. Moreover, the modern approach to CLM is Sectigo's CA-agnostic, cloud-based solution. Sectigo Certificate Manager provides a single administration portal to secure and manage growing numbers of digital identities, both human and machine, with integrations into leading technology providers that work efficiently in any IT environment.
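What the certificate-based device identity described in this section and in the “Service Edge” discussion actually looks like at the code level is shown below. This is an added example written for this page in Go using only the standard library; it is not Sectigo’s code and does not use any Sectigo product or CLM API. The CA name, the trust domain example.internal, the device ID laptop-0042, the SPIFFE-style URI SAN convention, and the 25% renewal threshold are all assumptions for illustration. The program builds an in-memory device CA, enrolls a device with a short-lived client certificate whose identity is carried in a URI SAN, verifies that certificate the way a SASE edge would (chain, validity period, client-auth usage), and applies the lifecycle rule CLM automates: flag the certificate for renewal well before it expires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newCA builds an in-memory root for the example. A production device CA
// would keep this key in an HSM and usually sit under an offline root.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert enrolls one device. The identity lives in a URI SAN
// (spiffe://<trust domain>/device/<id>, a convention assumed here) and the
// lifetime is short so a lost device ages out even if revocation is missed.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, lifetime time.Duration) (*x509.Certificate, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceID},
		URIs:         []*url.URL{{Scheme: "spiffe", Host: "example.internal", Path: "/device/" + deviceID}},
		NotBefore:    now.Add(-5 * time.Minute), // tolerate clock skew
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyDevice is what the edge does when a device connects: chain to the
// device CA, check validity at `at` and client-auth usage, then extract the identity.
func verifyDevice(ca *x509.Certificate, cert *x509.Certificate, at time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("certificate carries no device identity SAN")
	}
	return cert.URIs[0].String(), nil
}

// needsRenewal is the lifecycle-management check: renew once less than
// `fraction` of the certificate's lifetime remains, well before expiry.
func needsRenewal(cert *x509.Certificate, at time.Time, fraction float64) bool {
	life := cert.NotAfter.Sub(cert.NotBefore)
	return cert.NotAfter.Sub(at) < time.Duration(float64(life)*fraction)
}

func main() {
	ca, caKey, err := newCA("Example Device CA")
	if err != nil {
		panic(err)
	}
	cert, err := issueDeviceCert(ca, caKey, "laptop-0042", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	id, err := verifyDevice(ca, cert, time.Now())
	fmt.Println("identity:", id, "err:", err)
	fmt.Println("renew now?", needsRenewal(cert, time.Now(), 0.25),
		"renew in 20h?", needsRenewal(cert, time.Now().Add(20*time.Hour), 0.25))
}
```

Two failure modes worth noting: a certificate issued by any CA other than the configured device CA is rejected by the chain check even if it names the same device, and a certificate evaluated past its NotAfter is rejected regardless of who issued it. The renewal check is what turns that second case from an outage into a non-event; with a 24-hour certificate and a 25% threshold, the device is told to re-enroll when about six hours remain.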
With increased remote working likely to continue for the foreseeable future, and the continued expansion of areas like IoT, SASE will only become more important as organizations search for more reliable ways to secure their networks—and Sectigo is at the cutting edge here.