Zero trust or secure service edge (SSE)? Or both?

Feb 21, 2023
Is zero trust architecture a product and how does it relate to SSE?

Holistically, zero trust is often described as a strategy or a framework, not a product sold by specific vendors. This is true, insofar as zero trust is a new way of thinking about security that permeates a number of areas; it is not just architecture or technology. However, there are practical implementations from vendors, like Zscaler, that have built their solutions with zero trust at their core. Once deployed, this technology forms the basis of providing secure access for users, things, and workloads to public or private destinations, based on zero trust principles.

When considering solutions based on zero trust architecture, it is important to understand how this market is described and categorized. The most common taxonomy is called Security Service Edge or SSE (defined by Gartner), which is an umbrella description for solutions offering zero trust architecture, among other functions. 

Gartner’s SSE provides a framework that combines the main elements of network security (including the Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), a Cloud Access Security Broker (CASB), and firewall as a service (FWaaS), among other components) as provided from the cloud at a location near the end user. ZTNA, in this context, relates merely to user-to-private application access. The main point is that the security stack, once hosted on-premises, moves to the cloud or the “security edge.” This affords security operations all the benefits of cloud-hosted solutions, including reduced complexity, scalability, easier maintenance, architecture, etc.

How do the concepts of zero trust architecture relate to the broader concepts of SSE? They are closely intertwined. Think of SSE as a practical implementation of zero trust architecture, along with other ecosystem components like identity, EDR, or a SIEM/SOAR. 

[Figure: The components of the Security Service Edge, the basis for zero trust architecture.]

Is zero trust a passing fad or is it here to stay?

Zero trust, as delivered by an SSE vendor, has already made an enormous impact on several organizations. It proved especially valuable as the pandemic moved workers home, expanded the network, taxed VPN resources, and opened new doors to attackers. Organizations that transitioned to ZTA were able to send workers home seamlessly, while avoiding the common bottlenecks and security concerns that normally accompany such a massive workforce shift. That being said, many organizations are still in various stages of their transformation journey. 

Zscaler survey results show that today, more than 90% of organizations migrating to the cloud have a zero trust security strategy in place, or plan to in the next 12 months. Respondents indicated that zero trust network access (ZTNA) is their #1 priority, based on the need to provide a secure hybrid work environment. They cite their employees’ inconsistent access experiences for on-premises and cloud-based applications and data as a top reason to implement a zero trust-based hybrid work infrastructure. In addition, 68% of IT leaders also admit that cloud migration requires a rethinking of traditional security models. 

In our survey, the reasons to move to zero trust security were ranked by respondents in this order: (1) improve detection of advanced threats, (2) improve detection of web application attacks, and (3) broaden security to protect sensitive data. 

 

[Figure: Zscaler survey results on zero trust sentiment]

Gartner publishes the Magic Quadrant and Critical Capabilities research on the Security Service Edge, and as of this writing, is working on the 2023 version. They made the following prediction about ZTA and SSE, highlighting movement toward a consolidated SSE approach over point solutions: 

“By 2025, 80% of organizations seeking to procure SSE-related security services will purchase a consolidated SSE solution, rather than stand-alone cloud access security broker, secure web gateway and ZTNA offerings, up from 15% in 2021.”

What the data shows is that traditional network and security architectures are not equipped to provide adequate security and connectivity for the rapidly evolving hybrid workplace. Globally, IT and security leaders have replaced, or are actively planning to replace, their legacy architectures with a zero trust solution based on an SSE platform.

So, to definitively answer the question, ZTNA is one component in a comprehensive SSE framework. Zero trust and SSE are not synonymous, but without ZTNA any SSE is incomplete.
