SASE vs. Zero Trust Explained
Organizations at every scale are looking for alternatives to the expensive, brittle, and insecure network architectures of the past. Secure perimeters and other legacy paradigms cannot handle today’s distributed world. Two leading alternatives, Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE), promise to keep both users and resources secure regardless of location.
Zero Trust has been in development for decades, but the term was first popularized by Forrester Research in 2010; ZTNA is the access-control model built on it. More of a philosophy than a specific technology, ZTNA is based upon three principles:
- Assume breach - Since cyberattacks can happen at any time, no user, device, or network is trusted by default. Every connection request must be challenged.
- Verify explicitly - Going beyond user identity, ZTNA evaluates the risk of each request, from device posture to source network, to inform the degree of authorization.
- Least privilege - The degree of access to resources users receive is based on their immediate needs. These ephemeral permissions are revoked when sessions end, after defined windows expire, or when any aspect of trust changes.
First defined by Gartner, SASE is a technology framework that guides enterprises through the converging trends in secure networking. SASE replaces secure perimeters with a cloud-native service that enforces policies at the network’s edge. Gartner’s 2019 SASE definition identified five converging technologies:
- Software-Defined Wide Area Networking (SD-WAN)
- Firewall-as-a-Service (FWaaS)
- Secure Web Gateway (SWG)
- Cloud Access Security Broker (CASB)
- Zero-Trust Network Access (ZTNA)
That last bullet point is a sign that the ZTNA-vs-SASE question may be misguided. We will clear things up by discussing ZTNA and SASE in more detail, highlighting their similarities and differences. Whether or not companies adopt SASE, ZTNA will become part of their network security architectures. We will help you understand when SASE is appropriate and when companies like yours should consider a robust Zero Trust solution.
What are Zero Trust and SASE?
What is Zero Trust?
The three principles of Zero Trust transcend specific technologies. Adopting Zero Trust requires a change in the way organizations think about trust. Traditional network architectures implicitly trusted employees using managed computers on the office LAN. That trust also extended to employees receiving access through a VPN gateway.
Cloud computing, mobile technologies, and remote or distributed workforces make implicit trust a risky proposition — especially given the sophistication of cybercriminals. User devices and network infrastructure could be compromised at any time. Implicit trust opens the door to hackers.
Adopting the Zero Trust principles of assume breach, verify explicitly, and least privilege changes the security equation from trust-by-default to deny-by-default. ZTNA challenges every connection request. User permissions are limited to specific resources, not entire networks. Even after a network is breached or user credentials are stolen, ZTNA denies hackers easy access to company data and makes the intrusion easier to discover.
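The three principles listed earlier (assume breach, verify explicitly, least privilege) and the per-resource rather than per-network scoping described just above can be made concrete as a small policy engine. The following is an added example written for this page, not Twingate’s or any vendor’s code; the policy table, the device-posture attributes, the resource names and the time limits are all assumptions chosen for illustration. It denies anything it has no explicit rule for, evaluates identity, device posture, source network and MFA freshness on every request, and issues only short-lived grants that die when their window expires or when the posture they were issued against changes.

```python
"""Deny-by-default access decisions with continuous re-evaluation.

Added example for this page (not any vendor's code). Every value in the
policy table below is a constructed assumption.
"""
from dataclasses import dataclass
from enum import Enum
import time


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    """One connection request plus the context used to verify it explicitly."""
    user: str
    groups: frozenset          # groups asserted by the identity provider
    mfa_age_s: int             # seconds since the user last passed MFA
    device_managed: bool
    disk_encrypted: bool
    os_patched: bool
    source_network: str        # e.g. "corp", "home", "public" (assumed labels)
    resource: str              # a single resource, never a whole subnet
    action: str                # e.g. "ssh", "https"


# Per-resource policy (constructed). A resource absent from this table is
# denied to everyone: there is no implicit "inside the network" access.
POLICIES = {
    "git.internal:22": {
        "groups": {"engineering"},
        "actions": {"ssh"},
        "require_managed_device": True,
        "max_mfa_age_s": 8 * 3600,
        "grant_ttl_s": 3600,
        "blocked_networks": set(),
    },
    "payroll.internal:443": {
        "groups": {"finance"},
        "actions": {"https"},
        "require_managed_device": True,
        "max_mfa_age_s": 15 * 60,
        "grant_ttl_s": 900,
        "blocked_networks": {"public"},
    },
}


@dataclass
class Grant:
    """An ephemeral permission for one user, one resource, one action."""
    user: str
    resource: str
    action: str
    expires_at: float
    posture_fingerprint: tuple


def device_posture_ok(req: Request) -> bool:
    return req.device_managed and req.disk_encrypted and req.os_patched


def posture_fingerprint(req: Request) -> tuple:
    """The trust-relevant context a grant is bound to."""
    return (req.device_managed, req.disk_encrypted, req.os_patched, req.source_network)


def evaluate(req: Request, now: float = None):
    """Verify explicitly. Returns (Verdict, reason, Grant or None); deny by default."""
    now = time.time() if now is None else now
    policy = POLICIES.get(req.resource)
    if policy is None:
        return Verdict.DENY, "no policy for resource", None
    if not (req.groups & policy["groups"]):
        return Verdict.DENY, "user not in an authorized group", None
    if req.action not in policy["actions"]:
        return Verdict.DENY, "action not permitted on resource", None
    if policy["require_managed_device"] and not device_posture_ok(req):
        return Verdict.DENY, "device posture check failed", None
    if req.source_network in policy["blocked_networks"]:
        return Verdict.DENY, "source network not allowed for this resource", None
    if req.mfa_age_s > policy["max_mfa_age_s"]:
        return Verdict.DENY, "MFA too old; re-challenge required", None
    grant = Grant(req.user, req.resource, req.action,
                  now + policy["grant_ttl_s"], posture_fingerprint(req))
    return Verdict.ALLOW, "all checks passed", grant


def grant_still_valid(grant: Grant, req: Request, now: float):
    """Assume breach: re-check an existing grant on every use, not just at login."""
    if now >= grant.expires_at:
        return False, "grant expired"
    if (grant.user, grant.resource, grant.action) != (req.user, req.resource, req.action):
        return False, "grant does not cover this request"
    if grant.posture_fingerprint != posture_fingerprint(req):
        return False, "device posture or network changed"
    return True, "ok"


if __name__ == "__main__":
    alice = Request("alice", frozenset({"engineering"}), 600, True, True, True,
                    "home", "git.internal:22", "ssh")
    verdict, reason, grant = evaluate(alice, now=1000.0)
    print(verdict.value, reason)                      # allow all checks passed
    print(grant_still_valid(grant, alice, 1500.0))    # (True, 'ok')
    print(grant_still_valid(grant, alice, 4600.0))    # (False, 'grant expired')
```

The ordering of checks is deliberate: the cheapest and most common denial (no policy, wrong group) comes first, and the grant records the posture it was issued against so that a laptop whose disk encryption is switched off mid-session loses access without waiting for the expiry window.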
What is SASE?
Unlike ZTNA, Gartner’s SASE is technology-specific. The consultancy identified five technologies shaping modern, cloud-oriented networking and extrapolated them to a logical end state. SASE represents the convergence of these five technologies:
- Software-Defined Wide Area Networking - SASE vendors will operate globe-spanning points-of-presence (PoP) networks that will connect their customers’ users and resources. Dedicated network backbones will deliver performant connections through secure, encrypted tunnels.
- Firewall-as-a-Service - SASE vendors will push security enforcement to the network edge by using FWaaS to manage inbound and outbound traffic.
- Secure Web Gateway - SASE vendors will let companies control users’ access to other sites or block access to known botnet command-and-control servers.
- Cloud Access Security Broker - SASE vendors will develop integrations with cloud service providers so companies can control access to every resource within a single system.
- Zero-Trust Network Access - SASE vendors will use the previous technologies to implement Zero Trust’s core principles, improving their customers’ security postures.
Another defining element of SASE is its focus on the future. Although many vendors offer some of these technologies, few offer a complete solution today. And none offer truly cloud-native solutions.
When unveiling SASE in 2019, Gartner’s analysts cited inconsistencies, manageability issues, and high latency as reasons to avoid long-term contracts. This uncertainty explains why only 10% of large enterprises have started implementing SASE.
What principles do Zero Trust and SASE share?
Whether your company adopts SASE or not, Zero Trust is a compelling way to address today’s network challenges:
- Cybercriminals easily compromise user credentials and penetrate networks.
- Remote work and BYOD policies are now standard practice.
- More contractors and other third parties need access to company resources.
- VPN and other secure-perimeter technologies are more difficult to maintain, scale, and secure.
Replacing the secure perimeter paradigm with Zero Trust, regardless of the implementation, is the only way to protect company assets in today’s environment.
How are they different?
ZTNA provides a technology-agnostic paradigm that gives companies a better way to think about secure access in today’s distributed networks. With a long history of development, Zero Trust solutions already serve small teams and large enterprises alike.
On the other hand, SASE is a particular implementation of Zero Trust using the other four technologies Gartner identified. More importantly, Gartner defined its SASE vision only three years ago. SASE does not fully exist today, but large enterprises see the potential in unifying access in a global, cloud-native solution.
How to pick the right model for your organization
Gartner recommends that enterprises begin with implementing Zero Trust. Replacing your brittle, unsecure architecture with a Zero Trust solution will create dramatic near-term benefits:
- Resources stop responding to unauthenticated connection attempts, so attackers cannot discover them by scanning, reducing the risk of attack.
- Lateral movement is constrained and easier to spot, limiting the blast radius of security breaches.
- Over-provisioning and other examples of poor security hygiene go away as least privilege policies limit each user’s access to the resources their role requires.
- Unified Zero Trust solutions apply to all users to reduce administrative overhead.
- Unified Zero Trust solutions protect all resources to further reduce administrative overhead.
You may also face outside pressures to adopt Zero Trust sooner rather than later. In 2021, the Biden Administration’s Executive Order 14028 directed all federal agencies to move toward Zero Trust architectures. Once underway, federal agencies will expect their suppliers to have compatible Zero Trust architectures.
Whether SASE is part of your company’s future is another question. Since SASE is still a work in progress, adopting this emerging network architecture will require internal expertise and investments. Large enterprises have those resources as well as partners like Gartner to help stitch SASE’s separate components together.
If SASE aligns with your company’s IT strategies and you have the long-term resources, then SASE may be the best Zero Trust implementation. If SASE is overkill for your business today, consider alternative Zero Trust solutions.
How Twingate can help
Twingate uses software-defined perimeters to implement Zero Trust as a fully distributed network architecture. When you deploy Twingate’s deny-by-default proxies to protected resources, the resources disappear. Transparent client apps evaluate device posture, network status, and other factors to enforce security policies before any connection request. Although connections are coordinated by Twingate’s cloud-native control servers, the encrypted tunnels flow directly between users and resources.
Twingate’s distributed network architecture essentially turns each user device into a secure PoP that uses the most performant network to deliver access. Twingate’s approach avoids many of the constraints companies face when adopting SASE:
- Fragmentation - Different vendors offer different SASE components, but none have developed ground-up solutions that fully implement Gartner’s vision of the future.
- Expertise - Companies may have experience with some aspects of SASE, but few have deep expertise with all five components — much less managing them as a unified system.
- Priorities - Global pandemics, supply chain disruption, and geopolitical turmoil make this a less than ideal time to seek executive buy-in on major architecture changes.
Twingate delivers a focused Zero Trust solution that addresses today’s challenges and produces the kind of results that get executive attention:
- Phased deployments let you protect the most important resources first.
- Twingate co-exists with traditional networks, so no new infrastructure investment is needed.
- Integrations with your established identity providers and CI/CD pipelines let you deploy Twingate quickly without affecting existing infrastructure.
- Simple interfaces reduce administrative overhead while enabling policies based on user roles and the principle of least privilege.
- Networks become more performant and easier to manage as user traffic routes directly to cloud resources.
Meet today’s challenges today with Zero Trust from Twingate
20th Century ways of thinking about network access are obsolete. People connect from too many places with too many devices. The resources they access are no longer confined to a company’s data center, residing instead on many different cloud platforms. Both Zero Trust and SASE offer better ways to meet the performance, management, and security challenges that legacy architectures create.
Although SASE is a compelling vision of our converged future, implementing SASE requires the long-term commitment, expertise, and resources of a large enterprise. You can deploy Twingate’s Zero Trust solution in as little as a week and start reaping the benefits of more secure assets, more performant networks, and better experiences for users and administrators alike.
Our free starter tier lets you see how Twingate works for individuals or small teams. Contact us to learn more about starting your company’s journey to Zero Trust.