SASE vs. Zero Trust: What's the Difference?

The world of cybersecurity, as with seemingly every area of tech, is rife with jargon and acronyms. Knowing the meaning of each is part of the battle, but then comes understanding how they fit together—or don’t. In this blog post, we’ll unpack two related, but distinct terms: zero trust and SASE.

Part of the confusion stems from industry hype. Wherever a term attracts attention, countless vendors will jump on the bandwagon, even when their offering has a tenuous connection to the technology behind the term.

Zero trust and SASE are among the most widely referenced terms in the cybersecurity world right now. Each is an architectural approach, and both drive greater security and better experiences for organizations. What other attributes bring the two together, or else set them apart? Let’s dive in and explore each term to uncover the answer.

What is zero trust?

Zero trust is THE hot topic in cybersecurity, and every security vendor wants a piece of the action, so we’ll start here. Way back in 1994, Stephen Paul Marsh coined "zero trust" in his doctoral thesis, where he referred to trust as something finite and definable, not subject to human interpretation. In other words, he asserted that trust can be objectively established (or not) based on predetermined criteria.

This logic was first applied to security and cloud applications by a Forrester Research analyst in 2010. All network traffic, he said, should be treated as untrusted, and there should be no implicitly trusted users on the network. The technologies that used to protect us, and created trusted zones (typically behind VPNs and firewalls) simply don’t stand up to today’s advanced cybercriminals, armed with powerful tools to find and exploit vulnerabilities.

Zero trust can’t be built with VPNs and firewalls

Attention around the zero trust framework has grown, boosted by the steady migration of applications and services to the cloud, as well as the remote work boom in the wake of the COVID-19 pandemic. More recently, government mandates around the world have begun to specifically call out zero trust and drive its adoption.

If you’re new to zero trust, join one of our monthly introductory webinars, where we’ll take you from key principles through practical use cases for rolling it out.

What is SASE?

Secure access service edge (SASE) has some overlap with zero trust, but it’s also a broader term. Analyst firm Gartner introduced the acronym (pronounced "sassy") in 2019. Like zero trust, SASE architecture requires some bold collaboration from security and networking teams to bring together software-defined wide area networking (SD-WAN) and multiple security technologies, including:

• Secure web gateway (SWG) to prevent unsecured internet traffic from entering the network
• Zero trust network access (ZTNA) to give users secure, least-privileged access to internal applications
• Cloud access security broker (CASB) to ensure secure, compliant use of cloud apps and services
• Firewall as a service (FWaaS) to deliver advanced threat prevention and access controls

Interest in SASE has evolved. After an initial explosion, progress slowed as organizations realized the extent of change required to fully implement it. The pandemic added further drag because there was simply no need to redesign site connectivity for empty sites. So, organizations prioritized the security changes, without the networking (SSE).

Now that the return to work is well underway, attention is returning to SASE, and especially to vendors who can offer the whole solution, eliminating the need to cobble together security and networking solutions from different suppliers.

At Zscaler, we take a different approach to SASE that removes the ineffective VPNs used by SD-WAN, preferred by traditional networking vendors for their SASE offerings. In place of VPN, Zscaler uses private encrypted tunnels to securely connect locations via the zero trust exchange. We call it Zero Trust SD-WAN, an alternative approach that removes the risk of lateral threat movement inherent in traditional SD-WAN designs.

SASE overlaps with, but is distinct from zero trust

Implementing a true SASE solution will partially deliver zero trust, but only for private applications. Zscaler offers the same zero trust approach for private applications as well as those accessed on the web (SaaS), internet access, and other application types. The zero trust principle "never trust, always verify" applies to all device, workload, user, and third-party traffic. Identity, user, and device context plus business policies are all considered before a connection is made to an application.

Learn more in this ESG research paper.

Which is better?

As you can see, zero trust and SASE are related in some ways. They differ insofar as you can roll out zero trust without SASE (as many have done with SSE), but you can’t build a robust SASE without zero trust elements. Sometimes, people ask us: which is better?

The ultimate goal is to protect everything, everywhere, and for that a comprehensive zero trust framework is ideal. SASE goes the extra mile by also addressing network transformation. They can be delivered simultaneously, but starting with zero trust ensures your organization is protected against cyberthreats. As they say, security first!

Wherever you start, Zscaler has always been a pioneer in this space, and we’re ready to talk to you about how we can better protect your organization and its work. Get in touch with us today.