Chris Scheels, September 21, 2020
SASE Starts with ZTNA
Securing private access to your organization’s critical resources is a core component of a Secure Access Service Edge or SASE solution (pronounced ‘sassy’ according to Gartner). This can include access for users in branch offices, retail locations, mobile users and a remote workforce, who are accessing a wide variety of private resources running on-premises, in remote data centers, or in cloud-based IaaS environments. This Zero Trust Network Access (ZTNA) is a critical component of a SASE approach, and one which we believe merits careful thought.
Where should we start? Recently I asked a cybersecurity analyst about his take on SASE. His reply was a bit tongue-in-cheek but has some truth to it. He said, "there is a lot in there, I call it the sassy sausage". Few people know how the sausage is made as long as it’s delicious, right?
SASE is one of the many overwhelming "things" that security pros have to learn, research, purchase and implement...as if security wasn’t hard enough already. But as digital transformation continues, attackers grow more sophisticated by the day. We have to fundamentally change how we approach security and networking to protect what’s important.
I will attempt to explain SASE in 2 bullets in a moment. Hopefully I am up for the challenge. But first let’s start by answering the basic questions "What is SASE and where does it come from?".
SASE stands for Secure Access Service Edge. Gartner defines it as follows: “the secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.”[1]
In its simplest form, there are two things that are coming together: network and network security. We believe that each of these two markets is undergoing its own convergence, which makes SASE a lot to digest.
Figure 1 - Source: “The Future of Network Security Is in the Cloud” August 30, 2019 – Gartner
This blog focuses on the network security "side" of SASE. There is no question that there is ongoing convergence in the cybersecurity industry as enterprises are struggling to build a cohesive security ecosystem to thwart attackers and malicious insiders, while reducing complexity. I count about 25 'ingredients' that are wrapped up in the SASE sausage, but there are some key components to consider. One of those keys is ZTNA to secure access to private resources and applications regardless of where they live (private cloud, public cloud, SaaS, on-premises, or at a datacenter).
SASE is not one-size-fits-all, as no two organizations are the same. SASE will mean different things to different people and companies. One of our North American government customers is a perfect example. They are seeking a SASE approach but want full control rather than a cloud-based multi-tenant environment for various reasons. This is a common theme with most of our enterprise customers as well.
Now I’ll summarize SASE in two bullets:
- Migration of network and security to the cloud as-a-service
- A combination of security functions into a "thing"
Today there is no easy button for SASE. It requires a lot of research, planning, and execution on the chosen strategy. Similar to Zero Trust, SASE is going to be a journey. It took years to build our current network infrastructures and defense-in-depth security strategies, and it will take time and effort to transform them into something better.
Five challenges to a SASE approach:
- SASE is still in its infancy, less than a year old as a concept
- There are lots of technologies included in SASE
- Not every application is web-based or can be “cloudified”
- No vendor does everything that is outlined in SASE today
- Implementing a SASE approach takes time
Why ZTNA is critical
Zero Trust Network Access protects access to the crown jewels.
However you decide to implement SASE for your organization, ZTNA is a critical component. Settling for a “just okay” ZTNA solution is not in the cards for most CISOs. It reminds me of those witty "Just Okay" AT&T commercials. I like the one where the tattoo artist says "Relax, it’s going to look okay. I'm one of the tattoo artists in the city". The customer replies “Don’t you mean one of the BEST tattoo artists in the city?”. Don't settle for just any ZTNA solution.
A recent article published by 451 Research on SASE, ZTNA and XDR adds some great context around SASE and is worth reading. The article states that:
“This interoperability may be technological; the components integrate to greater or lesser degrees. This may not require its components to be delivered by a single provider; indeed, it may be beyond the scope of any individual provider to meet or exceed the capabilities of best-of-breed contenders in every SASE segment, at least currently.” – Source: 451 Research - SASE, ZTNA and XDR: Three security trends catalyzed by the impact of 2020.
This illustrates two things: the demand for solutions to integrate and the need for best-of-breed capabilities. More interestingly, the ZTNA section of the article mentions that:
“SASE will play a role in delivering these capabilities, but one of the most fundamental – access control – goes beyond the definition of SASE. Access control requires the ability to apply policy to attempts to gain access to a given target. It incorporates concepts of identity; indeed, the term 'identity and access management' (IAM) defines the overall domain of information security, of which helps to deliver, but it also transcends it. It may be more appropriate to say that access control intersects with SASE, but is neither defined nor bound by it.” – Source: 451 Research - SASE, ZTNA and XDR: Three security trends catalyzed by the impact of 2020.
This is why access control and securing private access is so pivotal. Our customers confirm this when they select Appgate SDP to provide the ZTNA element of their SASE framework and for dynamic granular access control.
Appgate SDP, a SASE approach to Zero Trust Network Access:
- Most comprehensive ZTNA solution
- Foundation for a cohesive security ecosystem
- Programmable, extensible, and API driven
Your branch offices, retail locations, remote and mobile users deserve the most comprehensive ZTNA solution. Secure private access with confidence for any user, on any device, for any resource, in any location. Explore ways to start experiencing Appgate SDP today.
[1] Gartner, “The Future of Network Security Is in the Cloud,” Neil MacDonald, et al., 30 August 2019