March 25, 2023

How SASE and Zero-Trust Connect

With the rise of cloud applications and remote work, cybersecurity practice no longer revolves around securing the network perimeter of a centralized workplace. As part of this shift, two frameworks have gained increasing traction: Secure Access Service Edge (SASE) and Zero Trust. Both aim to overcome the limitations of perimeter-based security, so it is worth clarifying how SASE and Zero Trust differ, how they relate to each other, and the role they play in enabling next-generation data security.

The Zero Trust security model (codified in NIST SP 800-207) is designed to overcome the limits of traditional security models by eliminating implicit trust in any access request, regardless of where it originates. It revolves around the core principles of “never trust, always verify”, “assume breach” and “least-privilege access”, which together allow for more granular security controls to safeguard subjects, enterprise assets, and resources: every request is authenticated and authorized on its own merits rather than being trusted because it comes from inside the network.

The Secure Access Service Edge (SASE) model, introduced by Gartner in 2019, is a cloud-delivered architecture that combines wide-area networking (SD-WAN) with the network security functions traditionally provided by on-premises appliances, such as firewalls (delivered as firewall as a service, FWaaS), secure web gateways (SWG), and VPN concentrators, into a single unified service. On top of these, SASE typically includes zero-trust network access (ZTNA), which replaces broad VPN access to a network with identity-aware, per-application access, as well as cloud access security broker (CASB) and data loss prevention (DLP) capabilities. In doing so, it aims to streamline network access and enforce security and compliance policy consistently wherever users and applications are located.

Therefore, SASE represents a consolidated cloud-based architecture, while Zero Trust represents a cybersecurity strategy that the former helps to enable in the realm of network access.

What’s Next for SASE and Zero Trust?

In the current digital landscape, around 60% of corporate data worldwide is stored in cloud-based systems. As we look ahead, businesses are expected to embrace hybrid clouds that integrate public cloud, private cloud, and on-premises environments. Under the distributed architecture of a hybrid cloud, much of the data lives outside the corporate network, where perimeter and network-access controls cannot see or govern it. This means Zero Trust should no longer be limited to network access, which raises the question: how do we extend Zero Trust to safeguard access to data and applications themselves?

Therefore, the next frontier of SASE will not only be about establishing Zero Trust network access, but implementing Zero Trust data protection to support hybrid and multi-cloud architectures. This calls for the concept of Data Access Service Edge (DASE): the DASE approach extends SASE by applying the Zero Trust strategy to secure data resources in a multi-cloud environment.

While SASE establishes secure access to a network where the sensitive data is stored, DASE ensures that sensitive data is not accessible by default even within the network and cloud, taking the “never trust, always verify” approach down to the data itself. At the time of each data access request, DASE uses dynamic authorization with attribute-based access control (ABAC): policies are evaluated against attributes of the subject (such as role and department), the resource (such as classification and owning business unit), and real-time context (such as location, device posture, and time of request), with the decision made per request rather than once per session, so a change in context withdraws access instead of leaving a previously granted session in place. Because the decision depends on attributes, the controls are only as good as the accuracy of the data classification and identity attributes feeding them. With hybrid and multi-cloud architectures as the future, DASE allows organizations to strengthen their security by enforcing least-privilege access to data beyond the network perimeter.
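The following is an added illustration of the dynamic, deny-by-default ABAC decision described above; it is example code written for this page, not NextLabs' DASE implementation. The attribute names (role, department, mfa, classification, owner_dept, allowed_countries, country, device_managed), the policy rules and the sample requests are all constructed for illustration.

```python
"""Deny-by-default ABAC policy decision point (PDP) for data access requests.

Added example for this page; it is not NextLabs code. Attribute names and the
sample policy and requests below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    subject: Dict[str, object]   # who is asking: identity attributes
    resource: Dict[str, object]  # what is asked for: data attributes
    action: str                  # "read", "write" or "export"
    context: Dict[str, object]   # real-time environment: location, device state


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                              # "permit" or "deny"
    applies: Callable[[AccessRequest], bool]  # predicate over the request


# Constructed policy set. Rule order does not matter: the PDP combines rules
# with deny-overrides, and a request matching no rule at all is denied.
POLICY: List[Rule] = [
    # Resource-level geo-fence; a resource with no allowed_countries is
    # unreachable from anywhere (deny by default, not permit by default).
    Rule("geo-fence", "deny",
         lambda r: r.context.get("country") not in r.resource.get("allowed_countries", ())),
    # Device posture is evaluated at request time, not at login.
    Rule("no-export-from-unmanaged-device", "deny",
         lambda r: r.action == "export" and not r.context.get("device_managed", False)),
    # Least privilege: same-department readers get read only, and only with MFA.
    Rule("department-read-with-mfa", "permit",
         lambda r: r.action == "read"
         and r.subject.get("mfa") is True
         and r.subject.get("department") == r.resource.get("owner_dept")
         and r.resource.get("classification") in ("internal", "confidential")),
    # Data owners of the owning department may do anything the deny rules allow.
    Rule("data-owner-full-access", "permit",
         lambda r: r.subject.get("role") == "data-owner"
         and r.subject.get("mfa") is True
         and r.subject.get("department") == r.resource.get("owner_dept")),
]


def decide(req: AccessRequest, policy: List[Rule] = POLICY) -> Tuple[str, List[str]]:
    """Evaluate one request at access time; return (decision, matched rule names).

    Deny-overrides: any matching deny wins over any permit, and a request that
    matches nothing gets the default "deny" (no implicit trust).
    """
    matched = [rule for rule in policy if rule.applies(req)]
    denies = [rule.name for rule in matched if rule.effect == "deny"]
    if denies:
        return "deny", denies
    permits = [rule.name for rule in matched if rule.effect == "permit"]
    if permits:
        return "permit", permits
    return "deny", ["default-deny"]


# Constructed sample resource: a finance document tagged at the data layer.
FINANCE_REPORT = {
    "classification": "confidential",
    "owner_dept": "finance",
    "allowed_countries": ("DE", "US"),
}
ANALYST = {"role": "analyst", "department": "finance", "mfa": True}
OWNER = {"role": "data-owner", "department": "finance", "mfa": True}
CONTRACTOR = {"role": "contractor", "department": "external", "mfa": True}


def sample_decisions() -> Dict[str, str]:
    """Run constructed requests through the PDP and return name -> decision."""
    cases = {
        "analyst_read_managed_DE": AccessRequest(
            ANALYST, FINANCE_REPORT, "read", {"country": "DE", "device_managed": True}),
        "analyst_read_from_BR": AccessRequest(
            ANALYST, FINANCE_REPORT, "read", {"country": "BR", "device_managed": True}),
        "analyst_export_managed_US": AccessRequest(
            ANALYST, FINANCE_REPORT, "export", {"country": "US", "device_managed": True}),
        "owner_export_unmanaged_US": AccessRequest(
            OWNER, FINANCE_REPORT, "export", {"country": "US", "device_managed": False}),
        "owner_export_managed_US": AccessRequest(
            OWNER, FINANCE_REPORT, "export", {"country": "US", "device_managed": True}),
        "contractor_read_US": AccessRequest(
            CONTRACTOR, FINANCE_REPORT, "read", {"country": "US", "device_managed": True}),
    }
    return {name: decide(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, outcome in sample_decisions().items():
        print(f"{name:28s} -> {outcome}")
```

Two things in this sketch carry the DASE point. First, the resource itself carries the attributes the policy keys on (classification, owning department, permitted geographies), so the decision travels with the data rather than with the network segment it happens to sit in. Second, the same analyst who is permitted to read the report from a managed device in Germany is denied the moment a single context attribute changes (a different country, an unmanaged device, a broader action such as export), because each request is evaluated afresh instead of inheriting trust from an earlier network-level admission.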

For more on applying Zero Trust to the data level, watch our episode “Zero Trust on the File-Level with Emre Koksal” from the NextLabs Cybersecurity Expert Series.