Talking Zero Trust and SASE with CISOs at the Summit

There aren’t many events where a critical mass of Chief Information Security Officers gathers to exchange ideas about the current threat environment, key initiatives, etc. The annual Gartner Security and Risk Management Summit is one of them, and I’m looking forward to attending it this year.

I’m particularly interested in the experiences and best practices around implementing Zero Trust. While the term itself has become overused and something of a cliché, from a practitioner’s perspective, its key principles embody a very pragmatic approach to leveraging connectivity and the network to build a strong cyber defense.

The idea of “trust nothing” and “verify everything” has been around for a long time and is even codified in documents such as the NIST 800-27 Special Publication on Zero Trust. Many organizations have implemented Network Access Control (NAC) to verify the identity of users and devices, assign the appropriate role and access privileges, and then enforce those rights in the network. NAC works well and has evolved to provide a rich set of solutions that range from automated device discovery and fingerprinting, AAA and non-AAA authentication, automated guest onboarding, and end point posture assessment—with full integration into the broader security ecosystem.

But as we have all discovered, the emergence of SaaS and cloud-based workloads and services requires a broader approach to Zero Trust. It started with the “Starbucks problem” where employees, partners, and customers could access corporate resources completely outside of the corporate network. That concern multiplied exponentially with the pandemic and the rise of hybrid work.

As organizations grappled with the twin requirements of extending their Zero Trust framework to a cloud environment while ensuring that users received great IT services, a set of solutions started to emerge that addressed these challenges. Collectively, this is referred to as SSE or Secure Service Edge. According to Gartner®, SSE secures access to the web, cloud services, and private applications regardless of the location of the user, the device they are using, or where that application is hosted.[1] It can contain a number of different solutions such as ZTNA (Zero Trust Network Access), SWG (Secure Web Gateway), CASB (Cloud Access Security Broker), DLP (Data Leak Protection), FWaaS (Firewall as Service), DEM (Digital Experience Monitoring), etc.

Clearly, few organizations will implement all of these functions at the same time, and, in fact, each of these attacks a different part of the “off network” Zero Trust problem. ZTNA seems to be a favorite starting point, especially for organizations looking for a more flexible alternative to VPN. SWG and CASB cover general internet and specific application access, while DEM enables IT teams to see the network and application experience through the eyes of the user.

SSE is a great complement to SD-WAN, and jointly they create SASE (Secure Access Service Edge). According to Gartner®, SASE is the convergence of WAN edge and security from vendors spanning multiple markets.[2] We’ve seen many customers implement SASE and I’ll be interested to hear how my peers coordinate on the decision-making and implementation of a full SASE solution.

If you are going to the conference, I’d love to chat about your views on these subjects and any other top-of-mind topics that you have. See you there.

Additional Resources

• Three ways to jump-start your journey to SD-WAN, SSE, and SASE
• How to achieve 5 critical capabilities of Zero Trust network security
• The role of network access control in Zero Trust Security

[1] Gartner®, Magic Quadrant for Security Service Edge, By Charlie Winckless, Aaron McQuaid, John Watts, Craig Lawson, Thomas Lintemuth, Dale Koeppen, April 2023.

[2] Gartner®, Where Do I Start with SASE Evaluations: SD-WAN, SSE, Single-Vendor SASE, or Managed SASE? By John Watts, Nat Smith, Jonathan Forest, May 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.

To learn more, visit us here.