Ending the Zero Trust, SSE, and SASE Confusion

December 21, 2023

Zero Trust, Security Service Edge (SSE), and Secure Access Service Edge (SASE) are related concepts in network security, but they are not the same. Their differences lie primarily in their scope, approach, and implementation.

Before we dive into these critical differences, it’s essential to recognize that the development and publication timelines for these technologies reflect the evolving landscape of cybersecurity and network management.

The evolution of Zero Trust, SSE, and SASE

Zero Trust began to take shape as a concept in the early 2000s.

It emerged from the recognition that the traditional perimeter-based security model was becoming ineffective due to the increasing mobility of users and the shift toward cloud computing. In 2010, while at Forrester Research, John Kindervag formally introduced the term "Zero Trust," framing it as a new approach to cybersecurity.

Notable Zero Trust milestones include: 

  • 2013-2016: The model gained traction, with organizations beginning to adopt Zero Trust principles.
  • 2017: The Zero Trust eXtended Ecosystem framework was introduced by Dr. Chase Cunningham while at Forrester. This consolidation and formalization of the ZT ecosystem was a watershed moment, as it allowed vendors and buyers to understand more clearly how and where ZT "fits" into an ecosystem.
  • 2018: Google's BeyondCorp, a model for implementing Zero Trust in enterprise environments, garnered attention, showcasing practical applications of the concept.
  • 2020-2021: The COVID-19 pandemic accelerated the adoption of Zero Trust, as organizations had to adapt to remote working rapidly.
  • NIST publications: NIST's Special Publication 800-207, "Zero Trust Architecture," became a key document, providing formal guidelines and frameworks for Zero Trust implementation.

SSE is a subset of SASE, focusing specifically on security services. It evolved alongside the broader SASE concept but has no separate timeline.

SASE was first introduced in 2019 by Gartner in a report titled "The Future of Network Security Is in the Cloud." This report formally introduced SASE as an integrated framework combining network and security functions.

Notable SASE milestones include:

  • Post-2019: After its introduction, SASE quickly gained attention as a solution for the challenges posed by increased cloud adoption, remote work, and mobile access.
  • 2020-2021: The pandemic further highlighted the need for SASE solutions as organizations sought to manage network access and security in a more distributed IT environment.

Examining the frameworks, principles, and implementations

Zero Trust established the philosophical and strategic groundwork for cybersecurity, focusing on "never trust, always verify." SASE, introduced in 2019, incorporates Zero Trust principles within its framework. 

SASE is the more recent development, combining network and security functions in a cloud-centric approach. The COVID-19 pandemic also catalyzed these technologies; Zero Trust and SASE saw accelerated adoption during this time due to the shift towards remote work and increased reliance on cloud services.

Now that we understand the timelines, let's dive into the key differences among these technologies.

Zero Trust

Conceptual framework: Zero Trust is a strategic approach to cybersecurity that assumes no entity (user or device) should be automatically trusted, regardless of its location (inside or outside the network).

Fundamental principle: "Never trust, always verify." It operates on the assumption that threats exist both outside and inside the network.

Implementation: An organization implements Zero Trust by ensuring that all resources are accessed securely, regardless of location. This involves continuous verification of credentials, limiting access based on necessity (least privilege), and using analytics to detect and respond to anomalies in real time.

This is accomplished through technologies like multi-factor authentication (MFA), identity and access management (IAM), endpoint security, and more. Zero Trust policies require continuous verification of the operational context and adherence to the principle of least privilege.
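As an added illustration of the per-request evaluation described above (not code from the original article), the sketch below checks least privilege, MFA freshness, and device posture on every request and ignores network location. The roles, resource names, and 15-minute MFA window are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed least-privilege grants: role -> allowed (resource, action) pairs.
GRANTS = {
    "finance-analyst": {("ledger-db", "read")},
    "finance-admin": {("ledger-db", "read"), ("ledger-db", "write")},
}
MFA_MAX_AGE_S = 15 * 60  # assumed re-verification window


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    action: str
    mfa_age_s: int          # seconds since the last successful MFA check
    device_compliant: bool  # posture reported by endpoint security
    source_network: str     # "corporate" or "internet"; logged, never trusted


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request; called on every access, not once per session."""
    # Default deny: an unknown role or an ungranted action gets nothing.
    if (req.resource, req.action) not in GRANTS.get(req.role, set()):
        return False, "not granted (least privilege)"
    if req.mfa_age_s > MFA_MAX_AGE_S:
        return False, "MFA stale, re-verify"
    if not req.device_compliant:
        return False, "device posture failed"
    # source_network is deliberately not consulted: location confers no trust.
    return True, "allow"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        Request("ana", "finance-analyst", "ledger-db", "read", 60, True, "internet"),
        Request("ana", "finance-analyst", "ledger-db", "read", 60, True, "corporate"),
        Request("ana", "finance-analyst", "ledger-db", "write", 60, True, "corporate"),
        Request("ana", "finance-analyst", "ledger-db", "read", 3600, True, "corporate"),
        Request("ana", "finance-analyst", "ledger-db", "read", 60, False, "corporate"),
    ]
    for r in samples:
        print(r.source_network, r.action, r.mfa_age_s, decide(r))
```

A request from the corporate network with stale MFA or a non-compliant device is denied exactly as it would be from the internet.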

SSE and SASE

Technology solutions: SSE and SASE are more specific technology solutions that blend network security functions with WAN capabilities:

  • SSE: Focuses on securing access to the cloud and web via a combination of security services like secure web gateways (SWG), cloud access security brokers (CASB), and zero trust network access (ZTNA).
  • SASE: A broader concept that combines SSE's security capabilities with comprehensive WAN services. It's designed to support the dynamic, cloud-based environment in which businesses now operate, offering network optimization and security.

Implementation: These are typically cloud-native, scalable services that integrate various networking and security functions, designed to be flexible and adaptive to changing business needs.

What are the key differences between Zero Trust and SSE or SASE?

  • Scope and focus: Zero Trust is a broad, strategic framework encompassing various aspects of cybersecurity. SSE and SASE focus more on specific solutions, integrating security and network capabilities, especially for cloud environments.
  • Technological implementation: While Zero Trust can be a part of SSE and SASE solutions (especially in access control and verification), SSE and SASE are specific types of technology deployments that include a range of tools and functions.
  • Network vs. security centric: Zero Trust is fundamentally security-centric, focusing on securing every access point and verifying all entities. SSE and SASE, while they include security aspects, also focus on network efficiency, performance, and management.

In summary, while Zero Trust, SSE, and SASE share common goals of enhancing security, especially in increasingly cloud-dominated environments, they represent different layers and approaches within the cybersecurity landscape. 

Zero Trust is a guiding principle that can influence SSE and SASE implementations, but SSE and SASE provide specific technological frameworks that integrate various networking and security functions.

Using SSE and SASE technologies for a Zero Trust initiative

Expanding on the explanation of how Zero Trust, SSE, and SASE differ, let's delve into how a company can use SSE and SASE technologies in the context of a Zero Trust strategic initiative.

SSE can be a vital component of a Zero Trust initiative

SSE, particularly, can aid in securing cloud and web access. SSE solutions will focus on securing data and applications accessed online and in the cloud. An organization should consider the use of SSE technologies like Cloud Access Security Broker (CASB) to monitor and manage access to cloud services or use Secure Web Gateways (SWGs) to enforce company policies on web-based traffic.

SASE extends the principles of Zero Trust across the network and security domains 

SASE offers a unified technology portfolio to support the dynamic and distributed nature of modern business operations across today's distributed networks.

A company should integrate SASE to enhance network efficiency and security along with other SSE solutions if necessary. This could involve using SASE's integrated network solutions and policy controls to route traffic efficiently while applying consistent security policies across all locations, users, and devices. 

Use technologies like next-generation firewalls, OT and IoT security solutions, and SD-WAN tools.

Benefits of integrating SSE and SASE with a Zero Trust strategy

  • Unified policy enforcement: By integrating SSE/SASE with Zero Trust, a company ensures that all network connections, whether from on-premises devices or remote locations, adhere to the same security policies.
  • Enhanced access control: SSE's focus on cloud access and SASE's broader network coverage complement Zero Trust's continuous verification by providing granular control over who accesses what resource and under what conditions.
  • Scalability and flexibility: As organizations evolve, so do their security needs. SSE and SASE, being cloud-native solutions, offer the scalability and flexibility required to adapt to changing business needs, aligning well with the proactive and adaptive nature of Zero Trust.

References

1. Zero Trust Architecture by NIST: NIST SP 800-207 is a special publication by NIST that defines Zero Trust as a set of cybersecurity principles for enterprise architecture, focusing on protecting resources rather than network segments.

2. SASE Reference Architecture: Palo Alto Networks offers a comprehensive guide on implementing SASE for securing internet access across various devices, locations, and networks. This includes best practices and design principles for deploying cloud-delivered security services.

3. Cisco Secure Access Service Edge (SASE) and Security Service Edge (SSE) Architecture Guide: Provides an updated architecture guide on Cisco's SASE and SSE solutions, focusing on seamless access to applications regardless of user location.

4. Checkpoint's SASE Architecture Reference Guide: This document provides a basic understanding of SASE architecture, addressing the needs of evolving organizations and offering best practices for deployment.

5. Fortinet's SASE Architecture Documentation: Fortinet's documentation on SASE architecture focuses on cloud-delivered security services that enforce secure access at the network's edge, including user endpoints.

6. Microsoft Zero Trust Reference Architectures: Microsoft provides resources for IT architects and implementers on applying Zero Trust principles, including deployment steps, reference architectures, and logical architectures.

7. NIST Zero Trust Architecture: NIST's document offers an abstract definition of Zero Trust Architecture (ZTA) and discusses general deployment models and use cases for improving an enterprise's IT security posture.

8. Intel Zero Trust Reference Architecture Technology Guide: This guide introduces Zero Trust Reference Architecture (ZTRA) with Intel confidential computing technology, focusing on Zero Trust Network Access (ZTNA) standards.

9. Department of Defense (DoD) Zero Trust Reference Architecture: The DoD's reference architecture for Zero Trust provides insights into how this framework is implemented in a high-security government environment.

About the author: Dr. Chase Cunningham is VP of Security Market Research at G2. With over two decades of experience in Cyber Forensic and Analytic Operations, he has held senior security and analyst roles at NSA, CIA, FBI, and other government agencies, as well as with industry leaders Accenture and Forrester. A retired U.S. Navy Chief, Chase most recently was Chief Strategy Officer at Ericom Software. Chase also hosts the DrZeroTrust podcast. https://www.linkedin.com/in/dr-chase-cunningham