SASE and ZTNA: Decoding the different flavors of Zero Trust
Are you sometimes as confused as I am about the various definitions of Zero Trust, and how almost every vendor has co-opted the term for their marketing? Disclaimer – we could be accused of the same, but hopefully our approach is clear, as explained below. We have Zero Trust Network Access, which you’ve all probably heard of, and the original Zero Trust Edge, which is more or less Forrester’s SASE and in fact pre-dates Gartner. Then there is ZT 2.0, but I’m curious where 1.0 went. At Aryaka, we speak of the Zero Trust WAN, which is a foundation for our Unified SASE approach. Gartner has defined Universal ZTNA, which in fact is close to our ZT WAN, and they also speak of a Zero Trust Architecture. So how do you decode the different flavors of Zero Trust, and why should you care?
As a review, unlike a traditional ‘open’ network where there is implicit trust for resources secured via traditional firewalls, an architecture built on Zero Trust principles extends what is termed the ‘least privilege principle’ to individual resources. You never trust by default, and you have the observability and tools in place to quickly respond to any breach. This also lets the admin quickly revoke access centrally. In large enterprises, applications, data, or resources might be managed by different groups, departments, or personas, so hunting down who owns what and then revoking access when breaches happen slows down the response. ZTNA and a centralized portal help simplify the process and shorten the response time. This approach, as you’d imagine, is critical as the enterprise threat (or trust) perimeter expands to include the hybrid cloud, employees away from the office, SaaS applications, as well as partners and customers. And note that Zero Trust is different from a more traditional VPN, which grants full access once the user has authenticated, even with multi-factor authentication. So how does one implement Zero Trust?
Looking at the Aryaka architecture, we’ve developed a single-pass architecture that is based on a distributed data plane supporting network, application, and security processing. The intelligence can therefore be implemented at any point across the WAN, from the edge to the middle-mile, and into the cloud. This is under the control of a unified control plane that breaks down potential silos that could otherwise result not only in performance issues, but also in security breaches. This in turn maps to a universal management pane with handoffs to customer and partner portals as well as third parties. A Zero Trust WAN therefore integrates sophisticated application processing, security, as well as the necessary observability and control. The distributed intelligence supports granular policy control across the network, supporting users, data, applications, and any workloads or devices.
For those familiar with the NIST architecture, the control plane is the Policy Decision Point, while the distributed data plane plays the role of the Policy Enforcement Point. The whole ‘system’ of course receives inputs from different Threat Intelligence and Active Directory platforms, with outputs to SIEM and others.
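To make the least-privilege, central-revocation and PDP/PEP ideas above concrete, here is an added Python example; it is not Aryaka’s code and not a NIST reference implementation. A toy PolicyDecisionPoint holds per-resource rules, a revocation list and an audit log (the events that would be shipped to a SIEM); two PolicyEnforcementPoints, one at a branch edge and one in the cloud, ask it about every request; and a vpn_style_decide function shows the flat “authenticated means everything” model for contrast. All users, devices, resources, group names and the threat-intelligence feed are constructed sample data.

```python
"""Toy Zero Trust policy model: one central Policy Decision Point (PDP) consulted by
several Policy Enforcement Points (PEPs), next to a flat VPN-style decision.
Constructed illustration only; not vendor or NIST code."""
from dataclasses import dataclass, asdict
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    resource: str
    action: str  # "read" or "write"


# Constructed inputs standing in for the identity directory and a threat-intel feed.
DIRECTORY: Dict[str, dict] = {
    "alice": {"groups": {"finance"}, "mfa": True},
    "bob": {"groups": {"engineering"}, "mfa": True},
    "mallory": {"groups": {"engineering"}, "mfa": True},
}
COMPROMISED_DEVICES: Set[str] = {"laptop-77"}  # constructed: flagged device ids


class PolicyDecisionPoint:
    """Central rule store plus revocation list and audit trail (PDP role)."""

    def __init__(self, directory: Dict[str, dict], compromised: Set[str]):
        self.directory = directory
        self.compromised = compromised
        self.rules: List[Tuple[str, str, str]] = []  # (resource, action, group)
        self.revoked: Set[str] = set()
        self.audit: List[dict] = []  # events a SIEM would ingest

    def allow(self, resource: str, action: str, group: str) -> None:
        # Least privilege: a rule grants exactly one resource/action to one group.
        self.rules.append((resource, action, group))

    def revoke(self, user: str) -> None:
        # One central action; every PEP sees it on its next decision.
        self.revoked.add(user)

    def decide(self, req: Request, pep: str) -> Tuple[bool, str]:
        ident = self.directory.get(req.user)
        if ident is None or not ident["mfa"]:
            verdict = (False, "unauthenticated")
        elif req.user in self.revoked:
            verdict = (False, "revoked")
        elif req.device in self.compromised:
            verdict = (False, "device flagged by threat intel")
        elif any(r == req.resource and a == req.action and g in ident["groups"]
                 for r, a, g in self.rules):
            verdict = (True, "matched least-privilege rule")
        else:
            verdict = (False, "no rule grants this resource/action")
        self.audit.append({"pep": pep, **asdict(req), "allow": verdict[0], "reason": verdict[1]})
        return verdict


class PolicyEnforcementPoint:
    """Data-plane element that never decides on its own; it asks the PDP (PEP role)."""

    def __init__(self, name: str, pdp: PolicyDecisionPoint):
        self.name, self.pdp = name, pdp

    def handle(self, req: Request) -> Tuple[bool, str]:
        return self.pdp.decide(req, self.name)


def vpn_style_decide(req: Request, directory: Dict[str, dict]) -> bool:
    """Traditional VPN: once authenticated (even with MFA), every resource behind
    the tunnel is reachable regardless of who should own it."""
    ident = directory.get(req.user)
    return ident is not None and ident["mfa"]


def run_demo() -> dict:
    pdp = PolicyDecisionPoint(DIRECTORY, COMPROMISED_DEVICES)
    pdp.allow("ledger-db", "read", "finance")
    pdp.allow("git-server", "write", "engineering")
    edge = PolicyEnforcementPoint("branch-edge", pdp)
    cloud = PolicyEnforcementPoint("cloud-gateway", pdp)

    alice_ledger = Request("alice", "laptop-1", "ledger-db", "read")
    bob_ledger = Request("bob", "laptop-2", "ledger-db", "read")
    bob_git = Request("bob", "laptop-2", "git-server", "write")
    mallory_git = Request("mallory", "laptop-77", "git-server", "write")

    results = {
        "alice_ledger_zt": edge.handle(alice_ledger)[0],     # finance may read ledger
        "bob_ledger_zt": edge.handle(bob_ledger)[0],         # engineering may not
        "bob_ledger_vpn": vpn_style_decide(bob_ledger, DIRECTORY),  # VPN lets him through
        "bob_git_before_revoke": cloud.handle(bob_git)[0],
    }
    pdp.revoke("bob")  # single central revocation ...
    results["bob_git_after_revoke_cloud"] = cloud.handle(bob_git)[0]
    results["bob_git_after_revoke_edge"] = edge.handle(bob_git)[0]  # ... seen by every PEP
    results["mallory_reason"] = cloud.handle(mallory_git)[1]
    results["audit_events"] = len(pdp.audit)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point to notice is the contrast on the same request: bob_ledger_zt is denied because no rule grants engineering access to the ledger, while bob_ledger_vpn is allowed because the VPN model only ever asked whether Bob authenticated. Revoking Bob once at the PDP changes the answer at both the edge and cloud PEPs on their next request, and every decision, allowed or denied, lands in the audit list that the text describes being forwarded to a SIEM.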
If you’d like to learn more about taking a practical approach to ZT implementation and how it can benefit your business, please reach out to us!