NordLayer - Network Security

The growth of cloud computing, software-as-a-service (SaaS), and remote working is changing network architecture. Companies must ensure that diverse device communities are secure. They must protect cloud-hosted data located outside traditional network perimeters.

SASE and Zero Trust Network Access (ZTNA) have emerged to solve these problems. But which security approach should companies choose? Is there even a choice to make, or are we talking about two interrelated concepts?

SASE and ZTNA are often seen as competing ideas. However, they are natural allies and should form complementary aspects of a modern cloud security system.

What is SASE?

Secure Access Service Edge (SASE) is a network security approach designed to secure access from remote devices, IoT sensors, and branch sites to cloud-based data and applications. The term was coined by Gartner in 2019, and SASE rose to prominence during the Covid pandemic, when home working rapidly multiplied the number of network endpoints. SaaS and the IoT have sustained this growth, making SASE a popular option for modern network security.

SASE replaces the appliance-based security stack in the data center with services delivered from the cloud. This infrastructure combines several networking and security technologies to protect critical resources and enable efficient user access:

  • SD-WAN – Software-Defined Wide Area Networking separates the control plane from the underlying transport (MPLS, broadband, LTE), so branches and remote users can be steered to the nearest SASE point of presence instead of a central data center.
  • Firewall-as-a-Service – cloud-delivered firewalls inspect traffic and block malicious sources, and their per-user, per-application rules are what make network micro-segmentation practical.
  • Cloud Access Security Broker – a CASB sits between network users and cloud applications and applies security policies (access control, data loss prevention, activity monitoring) to SaaS usage.
  • Secure Web Gateway – an SWG inspects users' outbound web traffic, filters malicious or disallowed destinations, and raises alerts when threats emerge.

These core SASE features combine with Zero Trust Network Access to police user activity and limit network access.

The principal goal of SASE in the network

SASE aims to secure networks while simplifying network architecture and boosting efficiency. It replaces appliance-based security stacks with cloud-delivered alternatives.

Traffic is no longer back-hauled through a central data center. It is inspected at a point of presence close to the user and forwarded to the cloud application from there. Removing that hairpin eliminates network bottlenecks and makes remote access smoother.

Security policies apply throughout the network, not just at the perimeter. Users authenticate for every cloud resource they access. Firewalls enable precise network segmentation to limit east-west movement. Web gateways also restrict access to the wider internet. The result is security that protects cloud architecture without compromising user experience.

What is Zero Trust?

Zero Trust is a set of principles for securing modern networks; Zero Trust Network Access (ZTNA) is the access technology that applies those principles to individual applications rather than to the network as a whole. Both emerged as a response to the rise of cloud-based SaaS tools and remote or hybrid working.

The core idea of ZTNA is the principle of least privilege. This principle states that network users should hold only the privileges they need to carry out their tasks, and no more. These tasks are pre-defined according to user roles. Permissions and access management tools work alongside network micro-segmentation so that a grant covers one resource, not a whole subnet.

Networks engineered on ZTNA lines do not confer trust based on network location. Users and their devices are authenticated and authorized before each access, and each grant covers a specific resource they need rather than the network as a whole. Their ability to roam freely across network infrastructure is therefore limited.
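The per-request, default-deny decision described above can be shown concretely. The block below is an added example written for this page, not NordLayer's code or any product's implementation: a minimal policy decision point that evaluates identity, MFA status, device posture and a role-based resource map for every request. Role names, resource names, the posture checks and the sample users and devices are all hypothetical.

```python
"""Added example: a minimal Zero Trust policy decision point (PDP).

Every request is evaluated on its own with a default of deny. Identity,
multi-factor status, device posture and the requested resource/action all
feed the decision. Role names, resources and posture checks are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset          # roles assigned by the identity provider
    authenticated: bool
    mfa: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in fleet management
    disk_encrypted: bool
    patched: bool             # meets the current patch baseline


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str


# Hypothetical role-based policy: role -> {resource: allowed actions}.
# Anything not listed is denied; there is no implicit "inside" access.
ROLE_POLICY = {
    "engineer": {"git": {"read", "write"}, "ci": {"read"}},
    "finance": {"erp": {"read", "write"}},
    "everyone": {"wiki": {"read"}},
}

# Resources that additionally require MFA and a compliant device.
SENSITIVE = {"git", "erp"}


def device_compliant(device):
    return device.managed and device.disk_encrypted and device.patched


def allowed_actions(subject, resource):
    """Union of the actions every role of the subject grants on resource."""
    actions = set()
    for role in subject.roles | {"everyone"}:
        actions |= ROLE_POLICY.get(role, {}).get(resource, set())
    return actions


def decide(req):
    """Return (allowed, reason) for one request.

    Checks are ordered cheapest-first and any failing check short-circuits
    to deny. A passing result covers this request only; nothing is cached
    for the session, so a later request with a changed posture is re-judged.
    """
    if not req.subject.authenticated:
        return False, "unauthenticated"
    if req.action not in allowed_actions(req.subject, req.resource):
        return False, "no role grants %s on %s" % (req.action, req.resource)
    if req.resource in SENSITIVE:
        if not req.subject.mfa:
            return False, "mfa required for sensitive resource"
        if not device_compliant(req.device):
            return False, "device %s not compliant" % req.device.device_id
    return True, "allowed by role policy"


# Constructed sample subjects and devices for the demo.
ALICE = Subject("alice", frozenset({"engineer"}), authenticated=True, mfa=True)
GUEST = Subject("guest", frozenset(), authenticated=False, mfa=False)
LAPTOP_OK = Device("lt-001", managed=True, disk_encrypted=True, patched=True)
LAPTOP_OLD = Device("lt-002", managed=True, disk_encrypted=True, patched=False)


def demo():
    """Evaluate a handful of requests and return the decisions in order."""
    checks = [
        Request(ALICE, LAPTOP_OK, "git", "write"),   # role + posture pass
        Request(ALICE, LAPTOP_OK, "erp", "read"),    # finance-only resource
        Request(ALICE, LAPTOP_OLD, "git", "read"),   # stale patch level
        Request(ALICE, LAPTOP_OLD, "wiki", "read"),  # not sensitive, allowed
        Request(GUEST, LAPTOP_OK, "wiki", "read"),   # never authenticated
    ]
    return [decide(r) for r in checks]


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

In a deployment the enforcement point (the SASE point of presence or the endpoint agent) would call a function like `decide` for each connection and again whenever device posture changes; the point of the example is that no request is allowed by virtue of where it comes from, only by what the policy grants.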

ZTNA has become a popular security paradigm since NIST published SP 800-207, Zero Trust Architecture, in August 2020. The document defines the core tenets of zero trust and an abstract architecture (policy engine, policy administrator, and policy enforcement point) rather than a compliance checklist, and it informs many network security transformations worldwide.

The key role of Zero Trust in the network

Why do we need ZTNA network and security solutions? Older castle-and-moat security models are no longer sufficient. Network perimeters reach into multiple cloud-based SaaS applications across dispersed geographic environments. They extend into every device used by a remote workforce.

ZTNA authenticates users at each step as they navigate complex network architectures. It allows security teams to secure sensitive data on cloud storage services. Security professionals can detect unauthorized access attempts before they cause harm, and they can accommodate rapidly changing network endpoints.

How does SASE differ from Zero Trust?

SASE is a suite of security technologies that locate security close to users and applications. Cloud-based security tools operate wherever users, devices, and apps come together. This contrasts with older approaches which focus on basic perimeter security.

SASE requires network transformation, including retooling security stacks to accommodate cloud-based tools. It is best conceptualized as a long-term security goal, not an off-the-shelf solution.

Zero Trust is an approach to network security focused on controlling user access. Zero Trust Network Access is often a requirement for a robust SASE implementation. It acts as a component of wider security solutions and performs a complementary role to the other SASE tools.

SASE vs. Zero Trust: two pieces of the same puzzle

Seeing SASE and Zero Trust as competitors is not helpful. Instead, the two security concepts must be blended together when seeking network security solutions.

Think of SASE and ZTNA as ideas contributing to a security vision. They are part of a mindset based on dynamic perimeters, user authentication, segmentation, and the protection of cloud-based assets.

SASE seeks to minimize complexity and re-engineer networks to reflect cloud transformations. ZTNA focuses on access management and permissions. It responds to a more complex threat environment with controls that traditional perimeter measures cannot provide.

There is no need to see friction between the two approaches. They are two pieces in the same puzzle – and network security teams need to harness both.

How SASE and Zero Trust support each other

Zero Trust security is the foundation of SASE architecture. It focuses on user and device identification, authentication, and continuous monitoring. Security managers can add other aspects of SASE when ZTNA measures are in place. But moving ahead with SASE makes no sense without a plan for identity-based access control that replaces location-based trust.

The Zero Trust model is a firm basis for visualizing security during transformation processes. Robust Zero Trust authentication systems make it possible to add cloud access security brokers and bring branches online without adding security risks. Planners can manage transitions to SASE, knowing users are properly tracked and limited to role-based resources.

Benefits of implementing SASE and Zero Trust together

Blends of Zero Trust Network Access and SASE have many benefits:

  • Optimized cloud protection – Cloud Access Security Brokers deliver security directly to SaaS applications. ZTNA controls allow security teams to set privileges for every SaaS user or workgroup. SASE architecture optimizes traffic flows for each app.
  • Strong business security – Identity-based security built on the assumption that nothing is trusted by default provides a firm basis for enterprise network protection. Networks do not automatically trust users once they are inside the perimeter. Threats have limited freedom to move, reducing the scope for harm.
  • Smart baseline analysis – Zero Trust Network Access allows security teams to set baselines for security audits and analysis. Tools learn standard user behavior and can detect anomalies against historical data. This type of analysis is possible because every access is authenticated and logged.
  • Network simplification – Migration to cloud resources results in application and device sprawl. Blending ZTNA and Secure Access Service Edge addresses this problem by reducing the need for security hardware. A centralized security console replaces multiple standalone antivirus and firewall products. Cloud resources are gathered together for access management and tracking.
  • Reduced costs – SASE and ZTNA reduce long-term network management costs. Security teams do not need to update separate security software tools. Companies require fewer security devices. Secure remote working limits the need for office space.
  • Easy expansion – Networks expand as mobile devices, remote workers, or SaaS apps come online. SASE/ZTNA makes expanding safe and simple. Endpoints do not require separate security solutions. SASE software automatically delivers security policies as needed. New branch locations can also use the centralized security tools, instantly sharing enterprise-wide solutions.
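The "smart baseline analysis" point above rests on the fact that every ZTNA access is authenticated and logged, so a per-user baseline can be learned and each new access scored against it. The block below is an added example written for this page, not NordLayer's code or any product's detection logic: it builds a baseline of resources, countries and working hours per user from a constructed access log and flags new accesses that deviate from it. The log records, field layout and thresholds are all constructed for the example.

```python
"""Added example: user-behaviour baselines from ZTNA access logs.

The log is constructed for the example; record layout and thresholds
are hypothetical. Each record is (ISO timestamp, user, resource, country).
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical access log used to learn per-user baselines.
HISTORY = [
    ("2024-03-04T09:12:00", "alice", "git", "DE"),
    ("2024-03-04T10:40:00", "alice", "ci", "DE"),
    ("2024-03-05T08:55:00", "alice", "git", "DE"),
    ("2024-03-05T16:03:00", "alice", "wiki", "DE"),
    ("2024-03-06T09:30:00", "alice", "git", "DE"),
    ("2024-03-04T11:00:00", "bob", "erp", "US"),
    ("2024-03-05T13:20:00", "bob", "erp", "US"),
    ("2024-03-06T12:10:00", "bob", "wiki", "US"),
]

# Constructed new accesses to score against the baseline.
NEW_EVENTS = [
    ("2024-03-07T09:05:00", "alice", "git", "DE"),    # matches baseline
    ("2024-03-07T03:14:00", "alice", "erp", "RU"),    # new resource, country, hour
    ("2024-03-07T12:00:00", "bob", "erp", "US"),      # matches baseline
    ("2024-03-07T14:00:00", "carol", "wiki", "US"),   # no history at all
]

HOUR_SLACK = 1   # hours of tolerance either side of the observed span


def build_baseline(history):
    """Per user: resources and countries seen, plus the set of access hours."""
    base = defaultdict(lambda: {"resources": set(), "countries": set(), "hours": set()})
    for ts, user, resource, country in history:
        entry = base[user]
        entry["resources"].add(resource)
        entry["countries"].add(country)
        entry["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)


def score_event(baseline, event):
    """Return the list of anomaly reasons for one access (empty means normal)."""
    ts, user, resource, country = event
    entry = baseline.get(user)
    if entry is None:
        return ["first-seen user"]
    reasons = []
    if resource not in entry["resources"]:
        reasons.append("new resource %s" % resource)
    if country not in entry["countries"]:
        reasons.append("new country %s" % country)
    hour = datetime.fromisoformat(ts).hour
    lo, hi = min(entry["hours"]), max(entry["hours"])
    if not (lo - HOUR_SLACK <= hour <= hi + HOUR_SLACK):
        reasons.append("off-hours access at %02d:00" % hour)
    return reasons


def detect(history, new_events):
    """Return (timestamp, user, reasons) for every anomalous new event."""
    baseline = build_baseline(history)
    alerts = []
    for event in new_events:
        reasons = score_event(baseline, event)
        if reasons:
            alerts.append((event[0], event[1], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect(HISTORY, NEW_EVENTS):
        print(ts, user, "; ".join(reasons))
```

A real baseline would be learned over weeks and weighted by frequency rather than treated as a hard set, and a single "new country" hit is a reason to step up authentication rather than to block outright. The structure is the same: the identity-bound log that ZTNA produces is what makes per-user comparison possible at all.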

Combine SASE and ZTNA to build a secure future

Find the right blend of security tools for your network. SaaS, IoT and remote devices pose major headaches for network security. Zero Trust and SASE approaches offer solutions that accommodate dynamic perimeters and provide secure access to cloud applications. But they are even more effective in combination.