Cybersecurity Technologies: SSE, SASE, ZTNA, and Zero Trust
Posted April 28, 2023 by Sayers
If you find the growing list of security technologies confusing, you’re not alone. Sure, we can abbreviate lengthy terms like Secure Access Service Edge to its SASE acronym, but that helps with brevity, not clarity. So we’ve pulled together a round-up of some of the most common but somewhat mystifying security technologies and asked our engineering leaders to help define them. In the process, we found many of these seemingly new security terms are simply consolidations or evolutions of existing toolsets, now offered in a cloud-delivered service if they weren’t already.
What Is Secure Access Service Edge (SASE)?
SASE (pronounced “sassy”) emerged in 2019 as the consolidation of several security-as-a-service functions on one side and software-defined wide area networking (SD-WAN) on the other.
Today SASE has become an umbrella term for a broad category of unified cloud services addressing both network and security needs. Designed for organizations that want to connect and protect their users wherever they are, as well as control what those users can access, SASE technologies and capabilities include:
- Security (the SSE side of SASE): Network Security, Cloud Access Security Broker (CASB), Cloud Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), Web Application and API Protection as a Service (WAAPaaS), Firewall as a Service (FWaaS), Remote Browser Isolation (RBI), and Domain Name System (DNS) Security.
- Network: SD-WAN, WAN Optimization, Bandwidth Aggregation, Networking as a Service, and Content Delivery Network (CDN).
Technology vendors tend to focus on either the networking or the security side of SASE, though a few such as Cato Networks offer a full SASE platform.
“While many vendors may say they do SASE, they’re typically heavy on one side of the equation and light on the other, if they have it at all,” says Ken Wisniewski, Sayers Senior Security Architect. “There are traditional SD-WAN vendors that have begun to add on some form of security, either by building, acquiring, or integrating with a more SSE-focused vendor.”
In one recent example, a large financial services client chose an integrated SASE solution combining Silver Peak for SD-WAN and Palo Alto Networks Prisma Access for SSE.
Gartner predicts by 2024, 30% of enterprises will adopt cloud-delivered SWG, CASB, ZTNA, and branch office FWaaS capabilities from the same vendor, up from less than 5% in 2020.
What’s So Special About The SSE Side of SASE?
Security Service Edge (SSE) encompasses the security side of SASE. More organizations want to use SSE to move their perimeter security (think firewalls protecting a traditional office environment) to the edge for improved visibility and control in the cloud.
Enforced by technologies such as Secure Web Gateways (essentially URL filtering combined with decryption), ZTNA, and CASB, security at the edge gives users the same consistent experience no matter where they are.
However, the advent of SSE doesn’t mean the firewall goes away. Wisniewski says:
“We still need that firewall feature-set in data center environments, for ingress security controls, and for internal segmentation. But if your primary use case is user-side access and authentication, then that pushes to the SSE / SASE architecture. Plus now your firewall is infinitely scalable. You don’t have to deploy a new piece of hardware every few years when your user population grows. You just license more of the solution, and it scales accordingly.”
What Is Zero Trust In Cybersecurity?
Rather than a specific technology, Zero Trust is a methodology that takes a “never trust, authenticate everywhere” approach and eliminates the idea of trusting some users and devices by default.
“Zero Trust says we’re not going to trust even the internal network,” Wisniewski says. “Instead, all communications by users and devices must be authenticated and verified in order for things to operate.”
Zero Trust encompasses several areas including identity, user authentication, and continuous validation of the user and what they’re accessing. Once verified, each identity’s access is controlled based on security policies and tools such as ongoing risk analysis.
Multi-Factor Authentication (MFA) plays an important part in the identity aspect of Zero Trust, requiring two or more verification factors for a user to gain access to a network resource such as a specific application.
Adaptive MFA builds flexibility into the system, using contextual factors such as user role, device type, and behavior to decide how and when a user must authenticate.
What Is Zero Trust Network Access (ZTNA)?
ZTNA represents the evolution of the Virtual Private Network (VPN), the remote access technology that establishes a protected connection between the user and the network.
By integrating with identity and application controls, ZTNA toolsets act as Zero Trust VPNs that can provide application access at a granular level. Gerry Wollam, Sayers Senior Cybersecurity Solutions Architect, says:
“With ZTNA, you’re taking VPN technology and adding zero trust into it. When end users connect to the network with traditional VPN clients, they may have access to a system, systems, or an entire network. Usually that access is too broad. With a ZTNA type of technology, we can lock down what the user is doing more effectively.”
Some of the larger SASE or SSE vendors such as Netskope, Palo Alto Networks, or Zscaler offer feature sets that can replace a traditional VPN. But while ZTNA’s granular level of application access works for most users, you still might need a traditional VPN to cover all the use cases and capabilities administrators require.
The Role of Identity In Security Technologies
Identity’s role in cybersecurity should be considered from the perspective of both the user and the endpoint. Joe Schnell, Sayers Senior Cybersecurity Architect, explains:
“You do have to manage identity, whether it’s silicon based or carbon based. Once you use one of these different architectural methods for connectivity, do you still trust the user at the keyboard? That’s where MFA and adaptive MFA come in to authenticate the user. For the identity piece from an endpoint perspective, does it have the appropriate certificates and everything needed to identify it’s one of your hosts?”
Technology vendors are collaborating to increase adaptive MFA capabilities. For example, Okta, an identity and access management vendor, is partnering with endpoint security providers CrowdStrike and SentinelOne.
“Okta uses the telemetry generated by their partners’ Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) tools, which look for suspicious activity,” Schnell says. “They can reach into the identity piece and say, wait a minute, there’s some activity on here that raises some red flags, so let’s prompt for another MFA to make sure the user on the other end is who we expect and is doing what we want them to.”
Identity also is an important factor when third parties access your organization’s environment. Chris Willis, Sayers VP of Cybersecurity and Network Engineering, says, “A lot of breaches have occurred through third parties, who don’t need full network access and often don’t need the access they’ve been given. A ZTNA solution will give them very specific access to do only what they need to do.”
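The access decision described in the Zero Trust, ZTNA and identity sections above, as an added example that is not code from Sayers or from any vendor named here: a per-application check that denies by default, verifies the endpoint certificate, and asks for fresh MFA when an EDR flag is present. The application names, roles, time windows and the `decide` function are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed per-application policy; anything not listed is denied by default.
APPS = {
    "payroll":     {"roles": {"finance"},        "managed_device": True,  "max_mfa_age": 60},
    "wiki":        {"roles": {"finance", "eng"}, "managed_device": True,  "max_mfa_age": 480},
    "hvac-portal": {"roles": {"hvac-vendor"},    "managed_device": False, "max_mfa_age": 60},
}
FLAGGED_MAX_MFA_AGE = 5  # minutes; assumed window once EDR/XDR telemetry raises a flag


@dataclass
class AccessRequest:
    role: str
    app: str
    device_cert_valid: bool      # endpoint identity: host presents a certificate we issued
    edr_flagged: bool            # suspicious-activity signal from an EDR/XDR tool
    mfa_age_min: Optional[int]   # minutes since the last successful MFA, None if never


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny' for a single application request."""
    app = APPS.get(req.app)
    # Access is granted per application, never to a whole network segment.
    if app is None or req.role not in app["roles"]:
        return "deny"
    # Endpoint identity check for applications limited to the organization's own hosts.
    if app["managed_device"] and not req.device_cert_valid:
        return "deny"
    # Adaptive MFA: context tightens how recent the last MFA must be.
    max_age = FLAGGED_MAX_MFA_AGE if req.edr_flagged else app["max_mfa_age"]
    if req.mfa_age_min is None or req.mfa_age_min > max_age:
        return "step_up_mfa"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests.
    staff = AccessRequest("finance", "payroll", True, False, 30)
    flagged = AccessRequest("finance", "payroll", True, True, 30)
    vendor = AccessRequest("hvac-vendor", "hvac-portal", False, False, 10)
    vendor_wiki = AccessRequest("hvac-vendor", "wiki", False, False, 10)
    for name, req in [("staff", staff), ("flagged", flagged),
                      ("vendor", vendor), ("vendor_wiki", vendor_wiki)]:
        print(name, decide(req))
```

The third-party request reaches only the one portal its role is listed for, and the same staff session that was allowed is sent back to MFA once the endpoint is flagged.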