The evolution of SASE and its importance in zero trust
SASE has been an increasingly important security framework for five years – but integrating zero trust is crucial to its success
The secure access service edge (SASE) model has come a long way since the term was first coined five years ago – and offers a variety of capabilities to help organizations cope with securing networks as cyber security threats evolve. Such an architecture is a radical departure from the cumbersome and complex systems of old – and presents a radical simplicity for businesses hoping to combine the networking and security-as-a-service pillars into a cloud-deliverable service at the network edge.
The need for SASE has largely been driven in recent years by changing working patterns, and the knock-on effect for organizations around the world. The surge in cloud computing following COVID-19 also lent itself well to the need to embrace SASE solutions, especially with an organization's network perimeter expanding into unknown territory. As Forrester senior analyst Tope Olufon puts it when speaking to ITPro: “An increasingly distributed workforce and an increased adoption of cloud computing means the concept of a perimeter has become increasingly fuzzy.”
Of the many components of SASE, one of the most crucial is zero trust network access (ZTNA) – which, when integrated into SASE, allows zero trust by design across the breadth of the organization. Arguably, without such a component, the purpose of SASE is defeated. With the threat landscape constantly offering more challenges that businesses must overcome, embedding zero trust at the heart of any SASE initiative – and vice versa – could be the difference between withstanding the onslaught and succumbing to it.
The evolution of SASE
The concept of SASE originates from a Gartner report authored by analyst Frank Marsala, in which he argued that the enterprise perimeter could no longer be considered a physical location. Instead, Marsala said, it's a set of dynamic edge capabilities delivered from the cloud, as and when needed, as services. At the time, no single vendor offered the entire portfolio, but this has arguably changed five years on.
"SASE is a security model that provides secure access to applications and data in an organization," Raj Rajarajan, professor of security engineering at City St George's University of London, tells ITPro. "SASE incorporates many things such as firewall, network traffic monitoring, data loss prevention, cloud security broker, and many other services including providing access to assets. Hence it's an integrated security solution for cloud-based applications that is scalable and interoperable."
Now, the full SASE portfolio includes the secure web gateway (SWG), firewall as a service (FWaaS), cloud-access security broker (CASB), software-defined wide-area network (SD-WAN), and ZTNA, according to Palo Alto Networks.
With digital transformation increasing – as well as remote and hybrid working – more organizations have adopted SASE to develop an integrated security framework, says Rajarajan. This ensures any on-premises systems are integrated securely with remote systems and in the cloud. SASE also helps to avoid fragmentation of infrastructure.
"There is a lot of integration of SASE and zero trust today to address the next-generation security challenges from zero trust systems," he adds. "Many organizations find using SASE will provide a bird's eye view of the organizational assets, their interdependency, and hence can address any of the cascaded impacts in the unlikely event of a cyber-attack."
The rise of zero trust
Although zero trust may seem like a recent concept, the ideas behind it stretch back 30 years to a foundational computer science study in 1994. Using these ideas, it was then coined as a term in 2010 by then-senior Forrester analyst John Kindervag as a means to describe an antidote to the "broken" trust model in cyber security. However, it took at least another decade before his ideas would translate to rapid adoption among organizations across various industries.
"Although zero trust has been around since 2010, the increasing remote working and the penetration of IoT devices in the enterprises have made it more attractive as a solution to address any of the access control challenges," says Rajarajan.
"It does not trust any system and the users are continuously authenticated for privileged access to systems. That’s why it's called zero trust. It does not trust any edge device or systems or the cloud and the systems and users are continuously authenticated based on digital identity credentials, multi-factor authentication (MFA), or end-point security."
The rise of the cloud and SASE, in particular, has further demanded the integration of zero trust ideas into the foundation of a business' network-based security. "In the current landscape of remote work, implicit trust has lost its former prominence, making way for the ascendancy of zero-trust security principles," wrote customer identity and access management (CIAM) expert Caroline Johnson in a Medium post. "Guided by tenets like “always-verify” and “least privilege,” zero trust redefines network security by providing comprehensive visibility across the entire network, whether situated in the cloud or conventional data centers."
Better integrating ZTNA into SASE
Enterprises need to adopt zero trust privileged access management (PAM) within a comprehensive SASE framework to allow organizations to tailor the capabilities of a SASE model to the needs of privileged users, according to a blog post published by the Cloud Security Alliance. Zero trust PAM applies the principles of zero trust to managing and monitoring privileged access within an organization. Combining this with SASE means the network is secured for all users and the overall security posture is strengthened – reducing the risks linked with any insider threats or unauthorized access.
SASE can also be integrated in a much more effective way if it adopts the principles of zero trust. Cloudflare, for example, highlights that SASE models that lean heavily on zero trust can safeguard an organization far better than if they didn't. When establishing access policies, zero trust-embedded SASE takes more than an entity's identity into account – also factoring in geolocation, device posture, enterprise security standards, and a continuous evaluation of risk.
"Zero trust can be useful in providing access control for authenticating any of the systems or cloud environments," explains Rajarajan, adding that zero trust is often a key sub-component of SASE solutions. "It's good to continuously authenticate the users and the edge devices as there are times at which you may have contractors working and they may no longer be eligible to access some of the corporate network assets.
"If you incorporate the zero trust security framework it's unlikely they can get access to all systems without providing the credentials. In addition, zero trust is based on identity and hence it's easy to increase the security levels using MFA combining device hardware features together with user identity features. This can stop any unauthorized access as device fingerprints are unique and many users may not have the knowledge to get access to this data."
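The per-request policy evaluation described in this section, as an added Python sketch that is not from the article or any vendor's product: identity is only one input alongside geolocation, device posture and a continuously updated risk score, and a contractor whose engagement has ended is refused even with valid credentials. The field names, thresholds, country list and sample requests are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date

# Constructed policy values for illustration only.
ALLOWED_COUNTRIES = {"GB", "US"}
RISK_STEP_UP = 40  # at or above: require fresh MFA
RISK_DENY = 80     # at or above: refuse outright

@dataclass(frozen=True)
class Request:
    user: str
    role: str                  # "employee" or "contractor"
    access_ends: date | None   # contract end date, None if open-ended
    country: str               # geolocation of this request
    device_compliant: bool     # device posture check result
    mfa_fresh: bool            # MFA completed recently
    risk_score: int            # 0-100 from continuous risk evaluation

def evaluate(req: Request, allowed_roles: set[str], today: date) -> str:
    """Decide one request; run on every request, not once per session."""
    if req.role not in allowed_roles:
        return "deny"                      # least privilege
    if req.access_ends is not None and today > req.access_ends:
        return "deny"                      # contractor no longer eligible
    if not req.device_compliant or req.country not in ALLOWED_COUNTRIES:
        return "deny"                      # posture or location out of policy
    if req.risk_score >= RISK_DENY:
        return "deny"
    if req.risk_score >= RISK_STEP_UP and not req.mfa_fresh:
        return "step_up_mfa"               # identity alone is not enough
    return "allow"

def replay() -> list[str]:
    """Same valid identity, five requests, changing context (constructed)."""
    roles = {"employee", "contractor"}
    base = Request("c.example", "contractor", date(2024, 6, 30),
                   "GB", True, False, 10)
    d = date(2024, 6, 1)
    return [
        evaluate(base, roles, d),
        evaluate(replace(base, risk_score=55), roles, d),
        evaluate(replace(base, risk_score=55, mfa_fresh=True), roles, d),
        evaluate(replace(base, device_compliant=False), roles, d),
        evaluate(base, roles, date(2024, 7, 1)),
    ]

if __name__ == "__main__":
    print(replay())
```

Because the decision is recomputed for each request, access granted earlier in a session does not carry over once posture, risk or eligibility changes.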
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.