Event Recording

SASE vs. Zero Trust: Perfect twins or antagonists?

Log in and watch the full video!

The concepts behind Zero Trust and SASE are not new, but recent developments in technological capabilities, changes in the way people are working, accelerated adoption of cloud and Edge computing, and the continued evolution of cyberthreats have resulted in both rising in prominence.  

As organizations seek to improve their security capabilities, many are evaluating Zero Trust and SASE to determine whether to adopt either, one, or both.  Join this session to understand what each can potentially deliver and the exact nature of the relationship between them.   

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
So John and I are gonna tackle as sassy versus zero trust, perfect twins or antagonists. We'll see how that, that goes. So the concepts of zero trust. So we're gonna have, yeah, we, we are just gonna look at what is sassy, what is zero trust and, and we're gonna examine the relationship between them. So the concepts of sassy and zero trust are not new, but recent developments in technological capabilities and the way we're working, not to mention COVID and with cloud and edge computing mean that both of these things have come to prominence. So in an effort to secure their organizations, many are looking at sassy and zero trust as, as a way to, to, to figure it out. But they do, we go for sassy. Do we go for zero trust? Do we go for both? Or do we go for none? And to understand this, it's important to look at what each can potentially deliver and then try and figure out what the relationship is between them. So we're gonna have first a look at SASSI and I'll hand over to my colleague, John.
Thank you. So, so far today, we've heard about zero trust and then trust. Now we're back to zero trust and we're gonna throw a curve and talk about sassy. So Sassy's one of these topics that was invented by another Analyst Analyst firm too, kinda like zero trust. And interestingly enough, sassy is kind of a combination of a bunch of different technologies. It's not really radically new, but it's, it's a grouping of technologies that I think, you know, makes a lot of sense. So we'll just start off with, what is it? So, you know, at a high level sassy, I think we can say is SDWAN networking technology combined with security services and unified management. It's designed to deliver both security and SDWAN cuz SD, N doesn't really have security beyond the transport level, sort of built into it and bring that to the edge. So, and edge is probably another term that we've heard a lot lately, you know, we've, we've had, on-premise now the cloud and now the edge, and this is, you know, bringing services closer to where people, companies, partners need to use them. So whether that's in the cloud, whether it's, you know, distributed data centers around the world, bringing, you know, copies of that through content delivery networks and, and other businesses like that, that's what we mean by the edge in this case.
So, you know, Sani is really designed to target a couple of different shortcomings. We've got, you know, scalability and performance. You've got lack of insight around what's going on from a security perspective and no consistent way to do policy enforcement because, you know, there's lots of different products involved currently. So the vendors that are out there, like I said, are mostly some of the big stack vendors in the cybersecurity realm. There are a few Sassis specialists, you know, and, and they will tell you they're out to improve the overall user experience, improve it operations and sort of consolidate, not necessarily eliminate some of these point solutions. And we'll get into the full list of what we consider the point solutions that make up sassy in a minute and then move all this to a cloud native management architecture that, you know, today there are many, many single pans of glass in the network operating center, the security operating center, and being able to consolidate those from a management perspective can be very useful for, you know, containing costs and increasing efficiency at that level.
So real high level, you know, the, the two major use cases is that I see them are, you know, remote facilities, you know, your branch offices, maybe production, warehouse facilities in different places around the world conference facilities like this one or hotels, you know, shops even kiosks. And then there was also the work from anywhere. Of course, you know, people were working remotely before the pandemic, but as we all know that greatly accelerated that trend. And regardless how much click bait you see on LinkedIn, people are gonna be working from anywhere for forever. So this is kind of a reality that that needs to be addressed because the solutions that are in place today still are, are, are not quite what they need to be for the most part.
So continuing to look at what do we mean by this? You know, sassy addresses performance, you know, performance can be a problem when you think about, well, maybe you've got all your users are coming in today, over VPN, they're coming into maybe one or two different data centers that you own. And then they're bouncing from there, back out to the cloud. Maybe they're having to go to other sites. So just think about the complexity involved in, you know, users accessing many different kinds of applications that are distributed, you know, across resources that maybe you own, or maybe that are, are SAS delivered to. So that's, you know, very complex, there's a lot of performance opportunities for performance degradation in those cases, sassy should and will integrate identity the business context and be able to do real time risk assessments. It comes with a promise of being widely available and promising uniform access to everything and integrated security and of course being scalable.
So like I said, you know, SDWAN is kind of a foundational part of this. And I think that's why we've seen some of the big networking vendors, you know, be first to sort of group around and embrace sassy as a concept and, and marketing term as well as deployment model. But SDWAN really only addresses the transport level. There's the whole need for access control, authentication authorization, and all that on top of that, that really isn't part of SDWAN N so, you know, we need to secure communication from end to end. We need policy based access controls. We need to be able to dump this information, the security analytics into things like SIM and so security, orchestration, automation, and response, and then again, provide better administration for the combinations of all these tools. So here's the list I wanted to get to, you know, we see SASI as being comprised of a number of different point solutions, probably first up firewall intrusion protection.
This can be offered as a service soft software defined perimeter, secure web gateways and endpoint management and security. This is endpoint protection detection, response, NextGen, antivirus, and EDR combined together. Because, you know, if we're going to be doing things like replacing or upgrading VPN to SD wan, then that's gonna require an agent on all the affected users machines. So you might as well roll up all this functionality into one, including, you know, your E P D R agent malware protection sandbox, these E P D R agents. If they catch a piece of code, they don't know, they need to be able to send that off to a sandbox, detonate it, get a determination back whether or not it's something that is okay to run on the user's machine. And then, you know, a host of these other security services like DLP, DLPs making a comeback, many would argue. It never went away CASBY, which is kinda like DLP for the cloud. Then cloud security, posture management, user behavioral analytics, and then finally zero trust for the authentication and authorization pieces. So with that, I'm gonna hand it back over to Warwick.
Thanks, John. So perhaps the first clue there is that you can see that zero trust and sassy are closely together. And that in a sense, sassy depends on zero trust. So what is driving the interest in zero trust? Well, we've got faces of, of ransomware attacks. Now we're seeing more instances of industrial espionage, and of course there's a lot of intellectual property theft. So therefore the old model just doesn't work anymore where you've got the secure perimeter, but nothing to stop people moving around inside. So we have to move to something different. So at this point, we just kind of reflect back on onto John kindergarten. Who's considered by many to be the father of, of zero trust networks should be designed without implicit trust, enforcing, strict identity, verification, and least privileged access. So that's kind of where we need to go now because the old model no longer works.
So zero trust is widely regarded as being critical to protect and secure data and infrastructure. And as for Brit said in his presentation this morning, it's not a product or a technology that can be retrofitted over existing systems. Rather it's an approach to security. And I think he said it would, I think he used the journey word and, and we need to assume that networks and can be breached. And it's based on the principle of never trust, always verify. So that's where we also get to move towards the idea of, of identity centric security and where security is around the thing you're trying to protect rather than something bigger than that. And zero trust is used to architect, good cybersecurity hygiene from the ground up. So it's more than just point solutions.
So I've already said, it's essentially a concept on the architecture model. It's about continual verification of each user device, application and transaction. And it's aimed at making it more difficult for bad actors to carry out successful attacks because we see more and more that it's, it's, they're getting inside. You've gotta assume breach. So you need to keep track of what they're doing inside your networks. It's about shifting to a trusted identity based model of security. It's designed to secure data while ensuring it's availability, cuz that's, you know, we've also heard at this morning about convenience and security. It's pointless. Having something is super secure that you can't get to. And it's also about increasing security overall producing boosting productivity and blocking that lateral movement that I spoke about. So unfortunately it often involves restructuring how resources are structured and accessed. These are the, the tenants of zero trust.
We won't run through them, but it's useful. You've got them in the slide deck. You can, you can have a look at them. So back to where, what Fibria mentioned here this morning, zero trust is a journey that begins with a long term business strategy. We also heard from one of the keynotes this morning have a plan. It requires a step by step implementation. It's not something that can be done overnight. You need to focus on using existing or readily available tools. Again, a, a, a point that Fabricio made earlier and it maintains the continuity of business processes and avoids adding complexity to the existing architecture. It's, it's, it's pointless adding stuff that makes complex situation even more complex. So the security components of sassy are the list that John mentioned. And there we have zero trust network access, as he said. So the relationship is more a symbiotic one. So we look now more closely at that relationship and some conclusions. So John, if you can join me for the rest of the session, SASI solutions often include zero trust network assets is one of the capabilities, sorry.
Yeah. So in order to get that access control, this is where I think, you know, sassy and zero trust come together pretty much perfectly. You need those key concepts and that is sort of embodied by zero trust. Sassy will rely on SDWAN and it's kind of the networking foundation, but you know, for the access control piece, then it's gonna be necessary to add on things like zero, zero trust. I think it's risky to assume that SDWAN is secure. Like I said, you know, it does have transport level security. It can be encrypted point to point. There are definitely advantages over, you know, things like just MPLS connections or other kinds of point to point connections. But the one cannot assume that it's simply secured just because of the transport layer security trusting a single element in a multi-layered security stack is kind of the opposite of what we mean by zero trust. This is necessary to, you know, drill down into each level and, and make sure that we're thinking about the means to secure each layer.
So, yeah. So from where you can see we going, is that the relationship between sassy and zero trust is largely complimentary
Okay. So now we can move on to some recommendations, consider whether zero trust alone will address your security needs without SASSI cuz we seeing a lot of organizations they're going, oh, sassy, it's the new bright, shiny term they're rushing and looking in that, whereas it it's dependent on zero trust. So perhaps maybe zero trust on its own can, can meet your needs. And you might not need to add that extra layer of complexity.
You know, I think there's definitely going to be a role for sassy sassy solutions might be a better fit for, you know, big organizations that, that have very complex networking infrastructure that may have mature IAM infrastructure as well. And this is something that can be, you know, bolted on or sort of really reconfigured depending on the sorts of stacks of, of programs that you're already using.
And for cloud native sta startups, there needs to be good reasons for opting to sassy because they're cloud native. So sassy as John pointed out is, is, is really great for, for where you've got a lot of legacy it. But if you're, if you're born in the cloud, perhaps you don't need to go there.
Yeah. I think that's a good point. You know, one, there are, you know, customer deployed concentrators, application gateways and appliances that sassy companies will give, you know, out to customers that are designed to collect all the traffic from, you know, large on-premise locations and then dump that into their infrastructure, you know, the traffic. So, you know, if you're, if you're a startup, you don't really have that kind of scenario going anyway. So you probably don't need that kind of functionality.
So if SASI still seems the best option after you've understood the risks of SD wan ensure that any prospective Sasse implementation can meet your current and future needs in terms of functionality, integration, and future proofing.
So where these things make sense, it's not enough just to make your security requirements specified these two concepts. These two types of products do and should work well together. I can't tell you we've got research and KC coming up both on zero trust and on sassy. So we'll be reviewing all the products that purport to be in this space and publishing on that later this year,

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Unify Identity and Security to Block Identity-Based Cyber Attacks

Join security and identity experts from KuppingerCole Analysts and ARCON as they discuss the importance of securing enterprise credentials, explain why a unified identity security approach in line with Zero Trust principles improve security and efficiency, and describe how to combine…

Analyst Chat

Analyst Chat #152: How to Measure a Market

Research Analyst Marina Iantorno works on determining market sizing data as a service for vendors, service providers, but especially for investors. She joins Matthias to explain key terms and metrics and how this information can be leveraged for a variety of decision-making processes.

Event Recording

Cyber Hygiene Is the Backbone of an IAM Strategy

When speaking about cybersecurity, Hollywood has made us think of hooded figures in a dark alley and real-time cyber defense while typing at the speed of light. However, proper cyber security means, above all, good, clean and clear security practices that happen before-hand and all day,…

Event Recording

The Blueprint for a Cyber-Safe Society: How Denmark provided eIDs to citizens and business

Implementing digital solutions enabling only using validated digital identities as the foundation for all other IAM and cybersecurity measures is the prerequisite to establish an agile ecosystem of commerce and corporation governed by security, protection, management of…

Event Recording

Effects of Malware Hunting in Cloud Environments

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00