Zscaler Blog


It’s Time for Zero Trust SASE


The workplace has changed for good. According to a recent Gallup poll, 50% of US employees are working in hybrid mode and only 20% are entirely on-site. Another forecast analysis from Gartner projected hybrid work being the norm for almost 40% of global knowledge workers by the end of 2023.

Branch offices no longer look the same, and more and more organizations are moving to a cafe-like model for their workplaces. Combined with the shift to cloud and SaaS, this is driving fundamental shifts in IT infrastructure. The way we design, build, and secure our networks needs to evolve to support this new normal.

One size does not fit all

The old network-centric model of connectivity and security presents challenges when users and apps are everywhere. Trying to shoehorn traditional firewall/VPN-based security into an increasingly fuzzy and complex network environment has only resulted in more cost, complexity, and risk. Cyberattacks keep rising despite the increasing spend on firewalls, fueling threats such as ransomware. According to Zscaler ThreatLabz, ransomware attacks increased almost 40% between 2022 and 2023, with the average demand being $5.3M.

The current generation of networking technologies was designed to solve problems from 30 years ago, when IT systems couldn’t talk to each other. It’s no surprise that we ended up with a networking stack designed to maximize connectivity and reachability between users and computing systems globally.

While this has unlocked vast amounts of productivity gains and business value, it has come at the expense of cyber risk. An attacker needs to find just one entry point anywhere in the organization and can move laterally from there to access critical crown jewel applications and data. With an attack surface spanning branches, retail locations, clouds, remote users, and partners, securing traditional network infrastructure has become a complex and costly endeavor.

Zero trust is disrupting networking

Zero trust is a cybersecurity strategy that shifts the focus from networks to entities: users, devices, apps, and services. It asserts that no entity should be trusted by default. Each entity should be explicitly allowed to access only certain resources based on identity, context, and security posture, and should then be continuously reassessed for every new connection.

Traditional networking does not lend itself to the zero trust model since it confers implicit trust—once you’re on the network, you can go anywhere and talk to any entity. Network architects can limit the amount of trust and the extent of lateral movement by segmenting the network, but this is complex and difficult to manage—it’s like building a superhighway system and adding checkpoints at every ramp and interchange.

Zero trust networking is an opportunity to fundamentally rethink the way we build enterprise networks. Instead of starting with fully trusted routed overlays, we need to start with a zero trust foundation and then connect entities into an exchange that can broker connections as needed based on context and security posture.


Figure: Zero Trust Architecture


Traditional SD-WAN is not zero trust

Traditional SD-WAN arrived on the scene over a decade ago and was meant to give organizations an alternative to expensive MPLS WAN services. Using multiple ISP connections and active path monitoring, SD-WANs drastically improved the overall reliability and performance of internet connections and offered organizations the confidence that mission-critical apps can work over the internet.

Fast-forward a decade and through a global pandemic, and we no longer need to prove that the internet is fast and reliable enough to run enterprise apps. Gigabit fiber connections are readily available and most SaaS apps are optimized to be consumed over the internet. SD-WAN needs to solve different problems today—like ensuring a consistent experience and security for users between home and office, securing IoT device traffic and extending zero trust security to all sites, without the use of additional firewall/VPN appliances.

Secure Access Service Edge (SASE)

Gartner coined the term SASE in 2019 to describe the convergence of security and networking, delivered from a common cloud native platform that is better aligned with modern traffic flows. SASE is widely understood to be a combination of security services such as FWaaS, SWG, CASB, DLP, and connectivity services such as ZTNA and SD-WAN, delivered from the cloud.

The shift to SASE represents an opportunity to rethink and rebuild security services from the ground up for cloud scale. Yet many SASE solutions simply extend the firewall/VPN model to the cloud and deliver a hosted version of the traditional security appliances. With bolted-on SD-WAN integrations, these solutions fail to deliver the promise of zero trust for anything beyond users.

A better way

Zscaler pioneered zero trust security for remote users and eliminated clunky remote-access VPNs, reducing cyber risk for thousands of organizations globally. We built an industry-leading AI-powered SSE platform that has been a leader in the Gartner Magic Quadrant for SSE two years in a row.

Now, we’re excited to bring the same zero trust security to branches, factories, retail stores, and data centers. Join us on January 23 as we announce our industry-first SD-WAN innovations that help you transform your security and networking architecture with a Zero Trust SASE platform built on zero trust AI. Hear from your industry peers about their transformation journeys and the benefits they realized. Register now and save your spot!
