Reverse Route Injection

Zero Trust SASE




Zero Trust SASE

In today’s digital age, where remote work and cloud-based applications are becoming the norm, traditional network security measures are no longer sufficient to protect sensitive data. Enter Zero Trust Secure Access Service Edge (SASE), a revolutionary approach that combines the principles of Zero Trust security with the flexibility and scalability of cloud-based architectures. In this blog post, we will delve into the concept of Zero Trust SASE and explore its benefits and implications for the future of network security.

Zero Trust is a security model that operates on “never trust, always verify.” It assumes that no user or device should be granted automatic trust within a network, whether inside or outside the perimeter. Instead, every user, device, and application must be continuously authenticated and authorized based on various contextual factors, such as user behavior, device health, and location.

SASE is a comprehensive security framework that combines networking and security capabilities into a single cloud-based service. It aims to simplify and unify network security by providing secure access to applications and data, regardless of the user’s location or device. SASE integrates various security functions, such as secure web gateways, cloud access security brokers, and data loss prevention, into a single service, reducing complexity and improving overall security posture.


Highlights: Zero Trust SASE

  • The Lag in Security 

Today’s digital transformation and strategy initiatives require speed and agility in I.T. However, there is a lag, and that lag is with security. Security can either hold them back or not align with the fluidity needed for agility. As a result, we have decreased an organization’s security posture, which poses a risk that needs to be managed. We have a lot to deal with, such as the rise in phishing attacks, mobile malware, fake public Wi-Fi networks, malicious apps, and data leaks.

  • The Role of New Security Requirements

These are some of the challenges that new security requirements have propelled. One is the critical capability to continuously discover, assess, and adapt to ever-changing risk and trust levels. These are bundled into a Secure Access Service Edge: SASE definition solution and Zero Trust network design capabilities combined into one SASE architecture.


Related: For pre-information, you may find the following helpful:

  2. SASE Model
  3. SASE Solution
  4. Cisco Secure Firewall
  5. SASE Definition


SASE Architecture

Key Zero Trust SASE Discussion Points:

  • The rise of SASE.

  • Challenges to existing networking.

  • The misconception of Trust.

  • SASE definition and SASE architecture.

  • SASE requirements.


Back to basics: Zero Trust SASE

The SASE Concept

Gartner coined the SASE concept after seeing a pattern emerge in cloud and SD-WAN projects where full security integration was needed. We now refer to SASE as a framework and a security best practice. SASE leverages multiple security services into a framework approach.

The idea of SASE was not far from what we already did by integrating multiple security solutions into a stack that ensured a comprehensive, layered, secure access solution. By calling it a SASE framework, the approach to a complete solution somehow felt more focused than what the industry recognized as a best security practice.

SASE Meaning

Main SASE Definition Components

SASE - Secure Access Service Edge

  • Network as a Service (NaaS)

  • Security as a Service (SECaaS)

  • Zero-Trust Architecture

  • Cloud-Native Architecture

The Benefits of Zero Trust SASE:

1. Enhanced Security: Zero Trust SASE ensures that only authorized users and devices can access sensitive resources, minimizing the risk of data breaches and insider threats. Organizations can mitigate the impact of compromised credentials and unauthorized access attempts by continuously verifying user identities and device health.

2. Scalability and Flexibility: With Zero Trust SASE, organizations can scale their security infrastructure dynamically based on their needs. SASE solutions can adapt to changing network demands as cloud-based services, providing secure access to applications and data from anywhere, anytime, and on any device.

3. Simplified Management: By consolidating multiple security functions into a single service, Zero Trust SASE simplifies security management and reduces operational overhead. Organizations can centrally manage and enforce security policies across their entire network, eliminating the need for multiple-point solutions and reducing complexity.

4. Improved User Experience: Zero Trust SASE eliminates the need for traditional VPNs and complex access control mechanisms. Users can securely access applications and data directly from the cloud without backhauling traffic to a central location. This improves performance and user experience, especially for remote and mobile users.


The Rise of SASE

The rise of SASE and Zero Trust security strategy. The security infrastructure and decisions must become continuous and adaptive, not static, that formed the basis of traditional security methods. Consequently, we must enable real-time decisions that balance risk, trust, and opportunity. As a result, security has beyond a simple access control list (ACL) and zone-based segmentation based on VLANs. In reality, there is no network point to act as an anchor for security.


Zero trust SASE
Diagram: Zero Trust SASE: Digital transformation and strategy.


Zero Trust SASE: SASE Architecture

Many current network security designs and technologies were not designed to handle all the traffic and security threats we face today. This has forced many to adopt multiple-point products to address the different requirements. Remember that for every point product, there is an architecture to deploy, a set of policies to configure, and a bunch of logs to analyze.

I find correlating logs across multiple-point product solutions used in different domains hard. For example, a diverse team may operate the secure web gateways (SWG) to that of the virtual private network (VPN) appliances. It could be the case that these teams work in silos and are in different locations.

Challenges to existing networks

We have many challenges to existing networks and infrastructure that create big security holes and decrease security posture. In reality, several I.T. components give the entity more access than required. We have considerable security flaws with using I.P. addresses as a security anchor and static locations; the virtual private networks (VPN) and demilitarized zone (DMZ) architectures used to establish access are often configured to allow excessive implicit trust.  

The issue with a DMZ

The DMZ is the neutral network between the Internet and your organization’s private network. It’s protected by a front-end firewall that limits Internet traffic to specific systems within its zone. The DMZ can have a significant impact on security if not appropriately protected. Remote access technologies such as VPN or RDP, often located in the DMZ, have become common targets of cyberattacks. One of the main issues I see with the DMZ is that the bad actors know it’s there. It may be secured, but it’s visible.

The issue with the VPN

In basic terms, a VPN provides an encrypted server and hides your IP address. However, the VPN does not secure users when they land on a network segment and is based on coarse-grained access control where the user has access to entire network segments and subnets. Traditionally, once you are on a segment, there will be no intra-filtering on that segment. That means all users in that segment need the same security level and access to the same systems, but that is not always the case. 

Overly permissive network access

VPNs generally provide broad, overly permissive network access with only fundamental access control limits based on subnet ranges. So, the traditional VPN provides overly permissive access and security based on I.P. subnets.

Security infrastructure
Diagram: Security infrastructure: The issues.


SASE Architecture and Misconception of Trust 

Much of the non-zero trust security architecture is based on trust. Bad actors abuse this trust. On the other hand, examining a SASE overview includes Zero Trust networking and remote access as one of its components can adaptively offer the appropriate trust required at the time and nothing more.

It is like providing a narrow segmentation based on many contextual parameters continuously assessed for risk to ensure the user is who they are and that the entities, either internal or external to the network, are doing what they are supposed to do.

Removes excessive trust

A core feature of SASE and Zero Trust is that it removes the excessive trust once required to allow entities to connect and collaborate. Within a zero-trust environment, our implicit trust in traditional networks is replaced with explicit identity-based trust with a default deny. With an identity-based trust solution, we are not just looking at IP addresses to determine trust levels. After all, they are just binary, deemed a secure private or a less trustworthy public. This assumption is where all of our problems started. They are just ones and zeros.

Zero Trust concept: Proxy for trust

To improve your security posture, it would be best to stop relying primarily on IP addresses and network locations as a proxy for trust. We have been doing this for decades. There is minimal context to place a policy with the legacy constructs. To determine the trust of a requesting party, we need to examine multiple contextual aspects, not just IP addresses.

And the contextual aspects are continuously assessed for security posture. This is a much better way to manage risk and allows you to look at the entire picture before deciding to enter the network or access a resource.

zero trust requirements
Diagram: Zero Trust requirements. Lockdown of trust and access


Challenging Environments

More outside than inside

The current environmental challenge is that more users, devices, applications, services, and data are located outside an enterprise than inside. As a result, there has been a rapid rise in remote working, especially in recent times. Also, there has been an increase in the adoption of cloud-based services, particularly SaaS. These environmental changes have turned the enterprise network “inside out.”. So, the traditional perimeter that we had was useless.


Also, many organizations are adopting multi-cloud. There are challenges in deploying and managing native security offerings from multiple cloud service providers. The different service providers will have other management consoles and security capabilities that do not share or integrate the policies. Although we have technologies that help with this, cloud providers are different entities. So, to combat these, let’s say, environmental evolutions, we have attempted other attempts to secure our infrastructure.


SASE: First attempt to 

Organizations have been adopting different security technologies to combat these changes to include in their security stack. Many of the security technologies are cloud-based services. Some of these services include the cloud-based secure web gateway (SWG), content delivery network [CDN], and web application firewall [WAF]. A secure web gateway (SWG) protects users from web-based threats and applies and enforces acceptable corporate use policies. 

A content delivery network (CDN) refers to a geographically distributed group of servers working together to deliver Internet content quickly. A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

Datacenter is the center of the universe.

However, even with these welcomed additions to security, the general trend was that the data center is still the center of most enterprise networks and network security architectures. Let’s face it; these designs are proving ineffective and cumbersome with the rise of cloud and mobile. Traffic patterns have changed considerably, and so has the application logic.


SASE: Second attempt to

The next attempt was for a converged cloud-delivered secure access service edge (SASE) to accomplish this shift in the landscape. And that is what SASE architecture does. As you know, the SASE architecture relies on multiple contextual aspects to establish and adapt trust for application-level access.

It does not concern itself with large VLAN and broad-level access or believes that the data center is the center of the universe. Instead, the SASE architecture is often based on PoP, where each PoP acts as the center of the universe.

The SASE definition and its components are a transformational architecture that can combat many of these discussed challenges. A SASE solution converges networking and security services into one unified, cloud-delivered solution that includes the following core capabilities of sase.

From the network side of things: SASE in networking

    1. Software-defined wide area network (SD-WAN)
    2. Virtual private network (VPN)
    3. Zero Trust Network ZTN
    4. Quality of service (QoS)
    5. Software-defined perimeter (SDP)

From the security side of things: SASE capabilities in security

    1. Firewall as a service (FWaaS)
    2. Domain Name System (DNS) security
    3. Threat prevention
    4. Secure web gateways
    5. Data loss prevention (DLP)
    6. Cloud access security broker (CASB)


Zero Trust SASE: What the SASE architecture changes

SASE changes the focal point to the identity of the user and device. With traditional network design, we have the on-premises data center that is considered the center of the universe. With SASE, that architecture changes this to match today’s environment and moves the perimeter to the actual user, devices, or PoP with some SASE designs.  In contrast to the traditional enterprise network and security architectures, the internal data center is the focal point for access. 


SASE features
Diagram: SASE features


VPN Security Scenario 

The limitations of traditional remote access VPNs

Remote access VPNs are primarily built to allow users outside the perimeter firewall to access resources inside the perimeter firewall. As a result, they often follow a hub-and-spoke architecture with users connected by tunnels of various lengths depending on their distance from the data center. Traditional VPNs introduce a lot of complexity. For example, what do you do if you have multiple sites where users need to access applications? With this type of scenario, the cost of management would be high. 

Tunnel based on I.P

What’s happening here is that the tunnel creates an extension between the client device and the application location. The tunnel is based on IP addresses on the client device and the remote application. Now that there is I.P. connectivity between the client and the application, the network where the application is located is extended to the client.

However, the client might not sit in an insecure hotel room or from home. These may not be sufficiently protected, and such locations should be considered insecure. The traditional VPN has many issues to deal with. They are user-initiated, and policy often permits split-tunnel VPN where there can be no Internet or cloud traffic inspection.


SASE and VPN: A zero-trust VPN solution

A SASE solution encompasses VPN services and enhances the capabilities to operate in cloud-based infrastructure to route traffic. On the other hand, with SASE, the client connects to the SASE PoP, which carries out security checks and forwards the request to the application. A SASE design still allows clients to access the application, but they can only access that specific application and nothing more, like a stripped-down VLAN known as a micro-segmentation.

Clients must pass security controls, and no broad-level access is susceptible to lateral movements. Access control is based on an allowlist rather than the traditional blocklist rule. Also, other variables present in the request context are used instead of using I.P. addresses as the client identifier. As a result, the application is now the access path, not the network.

ZTNA remote access

So, no matter what type of VPN services you use, the SASE provides a unified cloud to connect to instead of backhauling to a VPN gateway—simplifying management and policy control. Well-established technologies such as VPN, secure web gateway, and firewall are being reviewed and reassessed in Zero Trust remote access solutions as organizations revisit approaches that have been in place for over a decade. 

A quick recommendation: SASE and SD-WAN

The value of SD-WAN is high. However, it also brings many challenges, including new security risks. In some of my consultancies, I have seen unreliable performance and increased complexity due to the need for multiple overlays. Also, these overlays need to terminate somewhere, and this will be at a hub site.

However, when combined with SASE, the SD-WAN edge devices can be connected to a cloud-based infrastructure rather than the physical SD-WAN hubs. This brings the value of interconnectivity between branch sites without the complexity of deploying or managing physical Hub sites.


sase in networking
Diagram: SASE in networking.

Zero Trust SASE: Vendor considerations

SASE features converge various individual components into one connected, cloud-delivered service, making it easy to control policies and behaviors. The SASE architecture is often based on a PoP design. When examining the SASE vendor, the vendor’s PoP layout should be geographically diverse, with worldwide entry and exit points.

Also, considerations should be made regarding the vendor’s edge/physical infrastructure providers or colocation facilities. We can change your security posture, but we can’t change the speed of light and the laws of physics.

SASE capabilities and route optimizations

Consider how the SASE vendor routes traffic in their PoP fabric. There should be route optimization at each PoP. Some route optimizations are for high availability, while others are for performance. Does the vendor offer cold-potato or hot-potato routing? The cold-potato routing means bringing the end-user device into the provider’s network as soon as possible. On the other hand, “hot-potato routing” means the end user’s traffic traverses more of the public Internet.


The Main Zero Trust SASE Architecture Requirements List

The following is a list of considerations to review when discussing SASE with your preferred cybersecurity vendor.


zero trust environment
Diagram: Zero trust environment


Zero Trust SASE requirements: Information hiding

Secure access service requires clients to be authenticated and authorized before accessing protected assets, regardless of whether the connection is inside or outside the network perimeter. Then, real-time encrypted connections are created between the requesting client and the protected asset. As a result, all SASE-protected servers and services are hidden from all unauthorized network queries and scan attempts.

You can’t attack what you can’t see.

The base for network security started by limiting visibility – you cannot attack what you cannot see. Public and private IP addresses range from separate networks. This was the biggest mistake we ever made as I.P. addresses are just binary, whether they are deemed public or private. If a host were assigned a public address and wanted to communicate with a host with a private address, it would need to go through a network address translation (NAT) device and have a permit policy set.

Security based on the visibility

Network address translation is mapping an IP address space into another by modifying network address information in the I.P. header of packets while they are in transit across a traffic routing device. Limiting visibility this way works to a degree, but we cannot get away from the fact that a) if you have the I.P. address of someone, you can reach them, and b) if a port is open, you can potentially connect to it. Therefore, the traditional security method can open your network wide for compromise, especially when bad actors have all the tools. However, finding a port scanning tool, downloading, and running it is not hard.

“Nmap,” for Network Mapper, is the most widely used port scanning tool. Nmap works by checking a network for hosts and services. Once found, the software platform sends information to those hosts and services, responding. Nmap reads and interprets the response and uses the data to create a network map.

Example: Single Packet Authorization

Zero Trust network security is used for information and infrastructure hiding through lightweight protocols such as a single packet authorization (SPA). No internal IP addresses or DNS information is shown, creating an invisible network.

As a result, we have zero visibility and connectivity, only establishing connectivity after clients prove they can be trusted to allow legitimate traffic. Now, we can have various protected assets hidden regardless of location: on-premise, public or private clouds, a DMZ, or a server on the internal LAN, in keeping with today’s hybrid environment.

This approach mitigates denial-of-service attacks. Anything internet-facing is reachable on the public Internet and, therefore, susceptible to bandwidth and server denial-of-service attacks. The default-drop firewall is deployed, with no visible presence to unauthorized users. Only good packets are allowed.


Zero Trust SASE tools: Single packet authorization (SPA)

Single packet authorization (SPA) also allows for attack detection. If a host receives anything other than a valid SPA packet or similar construct, it views that packet as part of a threat. The first packet to a service must be a valid SPA packet or similar security construct.

If it receives another packet type, it views this as an attack, which is helpful for bad packet detection. Therefore, SPA can determine an attack based on a single malicious packet, a highly effective way to detect network-based attacks. Thus, external network and cross-domain attacks are detected.

single packet authorization
Diagram: Single packet authorization (spa)


Zero Trust SASE architecture requirements: Mutually encrypted connections

Transport Layer Security ( TLS ) is an encryption protocol that protects data when it moves between computers. When two computers send data, they agree to encrypt the information in a way they both understand. Transport layer security (TLS) was designed to provide mutual device authentication before enabling confidential communication over the public Internet.

However, the standard TLS configuration is the validation that ensures that the client is connected to a trusted entity. So, the typical TLS adoptions authenticate servers to clients, not clients to servers. 

Mutually encrypted connections

SASE uses the full TLS standard to provide mutual, two-way cryptographic authentication. Mutual TLS provides this and goes one step further to authenticate the client. Mutual TLS connections are set up between all components in the SASE architecture.

Mutual Transport Layer Security (mTLS) is a process that establishes an encrypted TLS connection in which both parties use X. 509 digital certificates to authenticate each other.  MTLS can help mitigate the risk of moving services to the cloud and can help prevent malicious third parties from imitating genuine apps.

Firstly, this offers robust device and user authentication as connections from unauthorized users and devices are mitigated. Secondly, forged certificates, which are attacks aimed at credential theft, are disallowed. This will reduce impersonation attacks where a bad actor can forge a certificate from a compromised certificate authority.


Zero Trust SASE architecture requirements: Need to know the access model

Thirdly, SASE employs a need-to-know access model. As a result, SASE permits the requesting client to view only the allowed resources appropriate to the assigned policy. Users are associated with their devices that are validated based on policy. Only connections to the specifically requested service are enabled, and no other connection is allowed to any other service. 

SASE provides additional information, such as who made the connection, from what device, and to what service. All these give you full visibility into all the established connections, which is pretty hard to do if you have an IP-based solution. So now we have a contextual aspect of determining the level of risk. As a result, it makes forensics easier. The SASE architecture only accepts good packets; bad packets can be analyzed and tracked for forensic activities.

A key point: Device validation

Secondly, it enforces device validation, which helps against threats from unauthorized devices. Not only can we examine the requesting user, we can also perform device validation. Device validation ensures that the machine is running trusted hardware and used by the appropriate user.

Finally, suppose a device does become compromised. In that case, there is a complete lockdown on lateral movements as a user is only allowed access to the resource it is authorized to. Or they could be placed into a sandbox zone where human approval must intervene and assess the situation.


Zero Trust SASE architecture requirements: Dynamic access control

This traditional type of firewall is limited in scope as it cannot express or enforce rules based on identity information, which you can with zero trust identity. Attempting to model identity-centric control with the limitations of the 5-tuple, SASE can be used alongside traditional firewalls and take over the network access control enforcement that we try to do with conventional firewalls.

SASE deploys a dynamic firewall that starts with one rule – deny all. Then, requested communication is dynamically inserted into the firewall, providing an active firewall security policy instead of static configurations. For example, every packet hitting the firewall is inspected with a single packet authentication (SPA) and then quickly verified for a connection request. 


sase and zero trust
Diagram: Zero trust capabilities


A key point: Dynamic firewall

Once established, the firewall is closed again. Therefore, the firewall is dynamically opened only for a specific period. The connections made are not seen by rogues outside the network or the user domain within the network.

Allows dynamic, membership-based enclaves that prevent network-based attacks. The SASE dynamically binds users to devices, enabling those users to access protected resources by dynamically creating and removing firewall rules.

Access to protected resources is facilitated by dynamically creating and removing inbound and outbound access rules. Therefore, we now have more precise access control mechanisms and considerably reduced firewall rules.


Zero Trust SASE architecture requirement: Micro perimeter

Traditional applications were grouped into VLANs whether they offered similar services or not. Everything on that VLAN was reachable. The VLAN was a performance construct to break up broadcast domains but was pushed into the security world but never meant to be there. 

Its prime use was to increase performance. However, it was used for security in what we know as traditional zone-based networking. The segments in zone-based networks are too large and often have different devices with different security levels and requirements.

Logical-access boundary

SASE enables this by creating a logical access boundary encompassing a user and an application or set of applications. And that is it—nothing more and nothing less. Therefore, we have many virtual micro perimeters specific to the business instead of the traditional main inside/outside perimeter. Virtual perimeters allow you to grant access to the particular application, not the underlying network or subnet.


sase and zero trust
Diagram: SASE and micro perimeters


Reduce the attack surface.

The smaller microperimeters reduce the attack surface and limit the need for excessive access to all ports and protocols or all applications. These individualized “virtual perimeters” encompass only the user, the device, and the application. They are created and are specific to the session and then closed again when the session is over or if there is a change in the risk level and the device or user needs to perform setup authentication.

Software-defined perimeter (SDP)

Also, SASE only grants access to the specific application at an application layer. The SDP part of SASE now controls which devices and applications can access distinctive services at an application level. Permitted by a policy granted by the SDP part of SASE, machines can only access particular hosts and services and cannot access network segments and subnets.

Broad network access is eliminated, reducing the attack surface to an absolute minimum.  SDP provides a fully encrypted application communication path. However, the binding application permits only authorized applications, so they can only communicate through the established encrypted tunnels, thus blocking all other applications from using them.

This creates a dynamic perimeter around the application, including connected users and devices. Furthermore, it offers a narrow access path—reducing the attack surface to an absolute minimum.


Zero Trust SASE architecture requirement: Identity-driven access control

Traditional network solutions provide coarse-grained network segmentation based on someone’s I.P. address. However, someone’s I.P. address is not a good hook for security and does not provide much information about user identity. SASE enables the creation of microsegmentation based on user-defined controls, allowing a 1-to-1 mapping, unlike with a VLAN, where there is the potential to see everything within that VLAN.

Identity-aware access

SASE provides adaptive, identity-aware, precision access for those seeking more precise access and session control to applications on-premises and in the cloud. Access policies are primarily based on user, device, and application identities.

The procedure is applied independent of the user’s physical location or the device’s I.P. address, except where it prohibits it. This brings a lot more context to policy application. Therefore, if a bad actor gains access to one segment in the zone, they are prevented from compromising any other network resource.


Implications for the Future:

Zero Trust SASE represents the future of network security as organizations increasingly adopt cloud-based applications and embrace remote workforces. With the proliferation of IoT devices, edge computing, and hybrid cloud environments, traditional security models are no longer sufficient to protect critical assets.

Zero Trust SASE provides a holistic and adaptive approach to security, ensuring that organizations can defend against evolving threats and maintain a strong security posture in the digital era.

Conclusion: Zero Trust SASE combines the principles of Zero Trust security with the scalability and flexibility of cloud-based architectures, revolutionizing how organizations approach network security. Organizations can securely embrace digital transformation by continuously verifying user identities and device health while providing secure access to applications and data from anywhere. With enhanced security, simplified management, and improved user experience, Zero Trust SASE is undoubtedly the future of network security.


sase and zero trust

Matt Conran: The Visual Age
Latest posts by Matt Conran: The Visual Age (see all)

Comments are closed.