
What Is SASE & How Does It Relate to Zero Trust Network Access (ZTNA)?

Secure Access Service Edge (SASE) is a comprehensive security framework that provides secure access to applications and data based on a strong digital identity, regardless of a user or machine’s location.

SASE was originally defined by Gartner in 2019 as “a new package of technologies including software-defined WAN (SD-WAN), secure web gateway (SWG), cloud access security brokers (CASB), Zero Trust Network Access (ZTNA), and firewall as a service (FWaaS) as core abilities, with the ability to identify sensitive data or malware and the ability to decrypt content at line speed, with continuous monitoring of sessions for risk and trust levels.”

Pronounced “sassy,” SASE solutions offer a flexible, multi-pronged security technology approach that is well suited to today’s IT landscape, which is incredibly complex given hybrid and multi-cloud environments, a myriad of connected devices, and a distributed workforce. These solutions use digital identity to protect against sophisticated, large-scale attacks that specifically target the vulnerabilities created by this complexity. The same approach will remain applicable to future enterprise IT landscapes.

What Are the Benefits of SASE?

Digital transformation has given rise to a new era of enterprise security services. Enterprises can no longer just focus on securing data centers and providing protection within a firewalled network architecture. Today’s complex environments now include mobile devices, multi-cloud, DevOps, BYOD, Internet of Things, and more. In this expanding environment, identity is the new perimeter, and SASE is designed for that environment.

Beyond the strong identity security that SASE provides, enterprises can also realize the following benefits:

  • Greater flexibility
  • Rapid adoption of new technologies
  • Increased IT efficiency
  • Lower administrative costs

These solutions give organizations the flexibility they need to securely access their applications and data regardless of where those resources are located, whether on-premises or in the cloud. The strong digital identity approach grants fine-grained access and permissions to each user, device, and process in the network. This allows organizations to rapidly adopt innovations including SaaS applications, IoT devices, and remote access tools, while locking down their infrastructure against attacks and maintaining control over which users and systems have access to specific applications and data.

Additionally, by consolidating all the networking and security functions traditionally delivered in point products and solutions, SASE architecture provides a single approach for IT administrators to manage their networks and security. This maximizes efficiency and productivity for IT teams by allowing them to define a single set of security policies and centrally manage multiple technologies against those policies.

Enterprises can also reduce administrative costs. SASE is deployed as a single software stack, which eliminates the need for multiple appliances. This reduces both capital expense projects and ongoing operating costs.

How Does SASE Work?

SASE works by combining SD-WAN, SWG, CASB, ZTNA, and FWaaS and by managing those solutions within a single set of security and identity policies. Let’s look at each of these components:

  • SD-WAN, or software-defined WAN, can improve the performance and security of WAN connections, whether private circuits, Internet broadband, LTE, or 5G, by setting policies and by prioritizing, routing, and optimizing traffic across an enterprise’s WAN.
  • SWG, or secure web gateway, can protect users from web-based threats such as malware, and blocks unsecured Internet traffic from reaching internal systems by enforcing corporate acceptable use policies.
  • CASB, or cloud access security broker, can identify and protect sensitive data by sitting between cloud service users and the cloud applications they access. This helps organizations enforce security policies even when cloud services are outside their direct control.
  • ZTNA, or zero-trust network access, can be used to ensure secure and granular access control. ZTNA is a model in which trust is never granted implicitly and must be continually evaluated.
  • FWaaS, or firewall as a service, can protect applications and data from unauthorized access through a cloud-based firewall that includes next-generation firewall (NGFW) capabilities and access controls such as intrusion prevention systems (IPS), URL filtering, and DNS security.

What Is the Difference Between SASE and Zero Trust Network Access?

Both SASE and ZTNA are important components of a modern security architecture, but they are two different things: SASE is a comprehensive, multi-faceted security framework, while ZTNA is a narrower model concerned with limiting access to resources, and it is one part of SASE. Used together, they provide a more comprehensive security solution that is able to protect applications and data regardless of the end user’s location.

Zero Trust Network Access, often referred to as software-defined perimeter (SDP), means denying access to resources unless the user or machine is explicitly allowed, thus enabling a tighter security approach that’s particularly useful in the event of a breach. Moreover, the access rights for each identity are continually evaluated and approved or declined accordingly.

‘Never trust, always verify’ is the fundamental philosophy behind zero-trust networking and the key difference between zero trust and other networking models. With Zero Trust, there are no implicit trust relationships. Instead, all end users and devices are treated as untrusted until they can be verified. This verification process is at the core of the zero trust model. It is carried out through a variety of methods, including authentication, authorization, and inspection, and is based on criteria such as a user’s identity, location, operating system and firmware version, and endpoint hardware type.
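As an added illustration of the verification and continuous evaluation described above (example code, not Sectigo’s or any SASE vendor’s), the following Python policy decision point evaluates each request against identity, location, OS and firmware version, and hardware type, defaults to deny, and re-evaluates a running session every time its posture is observed, so access is withdrawn as soon as a check stops passing. All names, groups, version thresholds and sample requests are constructed for the example.

```python
"""Minimal ZTNA-style policy decision point (added example, not vendor code).

Every request is default-deny and is re-evaluated on every observation, so a
session that was allowed a moment ago ends as soon as its posture degrades.
Names, thresholds and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Identity:
    subject: str                         # user principal or device certificate CN
    mfa_verified: bool                   # authenticated with a strong second factor
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Posture:
    os_version: Version
    firmware_version: Version
    hardware_type: str                   # e.g. "managed-laptop", "byod-phone"
    country: str                         # location as seen by the access broker


@dataclass(frozen=True)
class ResourcePolicy:
    resource: str
    allowed_groups: FrozenSet[str]
    min_os_version: Version
    min_firmware_version: Version
    allowed_hardware: FrozenSet[str]
    allowed_countries: FrozenSet[str]
    require_mfa: bool = True


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: Tuple[str, ...]             # empty when allowed


def _fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def evaluate(identity: Identity, posture: Posture, policy: ResourcePolicy) -> Decision:
    """Default-deny: ALLOW only when every check passes, otherwise DENY listing all failures."""
    reasons: List[str] = []
    if policy.require_mfa and not identity.mfa_verified:
        reasons.append("identity not verified with MFA")
    if not (identity.groups & policy.allowed_groups):
        reasons.append(f"{identity.subject} not in any group allowed for {policy.resource}")
    if posture.os_version < policy.min_os_version:
        reasons.append(f"OS {_fmt(posture.os_version)} older than required {_fmt(policy.min_os_version)}")
    if posture.firmware_version < policy.min_firmware_version:
        reasons.append(f"firmware {_fmt(posture.firmware_version)} older than required "
                       f"{_fmt(policy.min_firmware_version)}")
    if posture.hardware_type not in policy.allowed_hardware:
        reasons.append(f"hardware type {posture.hardware_type!r} not permitted")
    if posture.country not in policy.allowed_countries:
        reasons.append(f"location {posture.country} not permitted")
    return Decision(allow=not reasons, reasons=tuple(reasons))


def continuous_evaluation(identity: Identity, policy: ResourcePolicy,
                          posture_stream: Iterable[Posture]) -> Tuple[List[Decision], int]:
    """Re-run evaluate() on every posture observation of one session.

    Returns (decisions, terminated_at): one decision per observation up to and
    including the first DENY, and the index at which the session was cut, or -1
    if it stayed allowed. Once denied, later observations are not consulted, so
    a session is never silently re-admitted.
    """
    decisions: List[Decision] = []
    for i, posture in enumerate(posture_stream):
        d = evaluate(identity, posture, policy)
        decisions.append(d)
        if not d.allow:
            return decisions, i
    return decisions, -1


# Constructed sample policy, identities and device postures.
PAYROLL = ResourcePolicy(
    resource="payroll-api",
    allowed_groups=frozenset({"finance"}),
    min_os_version=(14, 0),
    min_firmware_version=(2, 3),
    allowed_hardware=frozenset({"managed-laptop"}),
    allowed_countries=frozenset({"US", "GB"}),
)
ALICE = Identity("alice@example.test", mfa_verified=True, groups=frozenset({"finance"}))
BOB = Identity("bob@example.test", mfa_verified=False, groups=frozenset({"engineering"}))
GOOD_LAPTOP = Posture((14, 2), (2, 4), "managed-laptop", "US")
BYOD_PHONE = Posture((17, 0), (1, 0), "byod-phone", "US")
ROAMING_LAPTOP = Posture((14, 2), (2, 4), "managed-laptop", "RU")

if __name__ == "__main__":
    for who, where in ((ALICE, GOOD_LAPTOP), (BOB, GOOD_LAPTOP), (ALICE, BYOD_PHONE)):
        d = evaluate(who, where, PAYROLL)
        print(who.subject, "ALLOW" if d.allow else "DENY", list(d.reasons))
    _, cut = continuous_evaluation(ALICE, PAYROLL, [GOOD_LAPTOP, GOOD_LAPTOP, ROAMING_LAPTOP, GOOD_LAPTOP])
    print("session terminated at observation", cut)
```

The decision collects every failing check rather than stopping at the first one, which is what an administrator wants in the audit log when diagnosing why a legitimate user was denied; the session loop shows the “continually evaluated” property, where a mid-session location change ends access even though the initial request was allowed.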

The benefits of a Zero Trust model are clear: improved security from closing security gaps and controlling lateral movement on the network, as well as support for mobile and remote access employees. Additionally, a zero trust model protects data in both the cloud and on-premises data centers, ensuring reliable defense against ransomware, malware, phishing attacks, and advanced threats.

The Benefit of Combining Solutions

To put it simply, combining SASE and Zero Trust helps businesses with policy enforcement across their entire network. This approach provides several key benefits, including stronger network security, streamlined network management, lower costs, and a single view of the entire network.

SASE and ZTNA can also help businesses mitigate the risk of data breaches and reduce the attack surface. By combining these two approaches, businesses can establish a hardened cybersecurity perimeter that is difficult for malicious actors to penetrate. This helps ensure that only authorized users and devices are able to access sensitive data and systems and that users and machines only have access to the resources they need to do their jobs.

Is SASE a VPN?

No, SASE is not a VPN but rather a framework that provides secure access to applications and data, whereas VPNs are used to provide a secure connection from the user to the Internet. While VPNs can provide a secure connection, they are not always effective in protecting applications and data. SASE and ZTNA can be used together to provide a more secure solution that is able to protect applications and data from unauthorized access.

Since SASE includes ZTNA, it can be used alongside VPNs or replace them. Its ability to enforce least-privilege access in real time is particularly useful for cloud security, especially given today’s increasingly remote workforce and cloud-native workloads. Zero Trust Network Access has a major advantage over VPN when it comes to granularity: with ZTNA, enterprises can restrict access at a much finer level than Virtual Private Networks allow.

How to Manage Digital Identities Within SASE

The application of SASE relies on a strong digital identity for all users, devices, and processes across the entire connected IT landscape. Within this identity-first security, it is critical for businesses to authenticate and encrypt all digital identities whether human or machine. Digital certificates issued by Certificate Authorities (CAs), such as Sectigo, are the underlying technology used to authenticate human or machine identities and establish digital trust.

Securing and managing identities within SASE solutions is not easily achieved considering the explosive growth in the volume, variety, and velocity of digital identities from new use cases, including hybrid and multi-cloud environments, digital signatures, DevOps containers, code, Robotic Process Automation (RPA), and other enterprise applications.

Together, these identity challenges make it a near-impossible task, whatever the effort invested, to prevent a breakdown in identity management and to protect your network and data against breach and theft. A 2021 EMA research study of IT executives found that 81% of enterprises find it challenging to manage digital identities.

The best way for CISOs and their teams to apply SASE and ensure digital trust now and in the future is to automate every single identity’s lifecycle across the entire IT ecosystem. Certificate Lifecycle Management (CLM) is a comprehensive solution that automates the certificate lifecycle, from provisioning and deployment to revocation.

CLM ensures that all certificates are properly installed, monitored, and renewed, providing organizations with the scalability, visibility, and control they need to keep their digital environments safe and compliant using SASE. Moreover, the modern approach to CLM is Sectigo’s CA-agnostic, cloud-based solution. Sectigo Certificate Manager provides a single administration portal to secure and manage growing numbers of digital identities, both human and machine, with integrations into leading technology providers that work efficiently in any IT environment.
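To make the “monitored and renewed” part of certificate lifecycle management concrete, here is an added Python example (not Sectigo Certificate Manager code) that classifies a certificate inventory and produces a work queue: expired certificates first, then revoked ones that still sit on endpoints, then certificates with weak keys or signature hashes, then those inside their renewal window. The inventory records and the renewal rule (renew when a third of the validity period, or 30 days, whichever is longer, remains) are assumptions for the example; a real tool would populate the records by parsing X.509 certificates discovered on endpoints.

```python
"""Certificate lifecycle monitor (added example, not vendor code).

Classifies an inventory of certificate records and groups them by the action
a CLM process must take. The inventory, the issuers, the renewal rule and the
crypto policy below are constructed assumptions, not values from any product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class CertRecord:
    subject: str                 # CN or first SAN as found on the endpoint
    issuer: str                  # issuing CA, so a CA-agnostic inventory can mix issuers
    not_before: datetime
    not_after: datetime
    key_algo: str                # e.g. "RSA-2048", "EC-P256", "RSA-1024"
    sig_hash: str                # e.g. "sha256", "sha1"
    revoked: bool = False        # status learned from CRL/OCSP or the issuing CA


# Assumed crypto policy: algorithms that must be reissued regardless of expiry.
WEAK_KEYS = {"RSA-1024"}
WEAK_HASHES = {"sha1", "md5"}


def renewal_due(rec: CertRecord, now: datetime,
                fraction: float = 1 / 3, min_lead: timedelta = timedelta(days=30)) -> bool:
    """Assumed rule: renew once the remaining validity drops to `fraction` of the
    total lifetime or to `min_lead`, whichever is longer, so short-lived certs
    renew early enough to survive a failed attempt and long-lived ones still
    get a month of lead time."""
    remaining = rec.not_after - now
    lifetime = rec.not_after - rec.not_before
    return remaining <= max(lifetime * fraction, min_lead)


def classify(rec: CertRecord, now: datetime) -> str:
    """Most urgent condition wins: an expired cert is an outage, a revoked one
    must be pulled from endpoints, a weak one violates policy, a cert inside
    its renewal window needs a new one provisioned; otherwise it is fine."""
    if rec.not_after <= now:
        return "expired"
    if rec.revoked:
        return "replace"
    if rec.key_algo in WEAK_KEYS or rec.sig_hash in WEAK_HASHES:
        return "reissue"
    if renewal_due(rec, now):
        return "renew"
    return "ok"


def plan(inventory: List[CertRecord], now: datetime) -> Dict[str, List[str]]:
    """Group subjects by required action; each list is ordered soonest-expiring first."""
    buckets: Dict[str, List[CertRecord]] = {}
    for rec in inventory:
        buckets.setdefault(classify(rec, now), []).append(rec)
    return {action: [r.subject for r in sorted(recs, key=lambda r: r.not_after)]
            for action, recs in buckets.items()}


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inventory and evaluation time.
NOW = _utc(2024, 6, 1)
INVENTORY = [
    CertRecord("www.example.test", "Public CA A", _utc(2024, 4, 1), _utc(2024, 6, 30), "EC-P256", "sha256"),
    CertRecord("api.example.test", "Public CA B", _utc(2024, 1, 1), _utc(2025, 1, 1), "RSA-2048", "sha256"),
    CertRecord("legacy.example.test", "Internal CA", _utc(2023, 6, 1), _utc(2025, 6, 1), "RSA-1024", "sha1"),
    CertRecord("old.example.test", "Public CA A", _utc(2023, 5, 15), _utc(2024, 5, 15), "RSA-2048", "sha256"),
    CertRecord("vpn-gw.example.test", "Internal CA", _utc(2024, 3, 1), _utc(2025, 3, 1), "RSA-2048", "sha256",
               revoked=True),
    CertRecord("device-0042", "Device CA", _utc(2024, 5, 31), _utc(2025, 5, 31), "EC-P256", "sha256"),
]

if __name__ == "__main__":
    for action, subjects in plan(INVENTORY, NOW).items():
        print(f"{action:8s} {subjects}")
```

With the constructed inventory, www.example.test is a 90-day certificate with 29 days left and lands in the renew bucket, api.example.test has over 200 days of a one-year lifetime remaining and is left alone, and the expired, revoked and weak-crypto entries each get their own queue so an operator (or an automation job) can act in order of impact.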

*** This is a Security Bloggers Network syndicated blog from Sectigo authored by Sectigo. Read the original post at: https://sectigo.com/resource-library/what-is-sase-how-it-relates-to-ztna