Last Updated 2/17/2023
An Insider's View on Controversial Issues
This is a work in progress. I expect others will have their “correct” view of things. Let’s look at SASE and its elements. A topic with millions of dollars invested already. These are covered in the Terminology page but this is what I really think, starting with the Gartner invention ZTNA. More to follow …
Zero Trust Network Access (ZTNA) Analysis
The Terminology page reinforces the issue that all technology is a linguistic phenomenon. So let’s dissect/decompose the last one, Gartner’s definition of ZTNA, word for word and see if we can make some sense of it. The only defined context for me is the MEF’s 118 Zero Trust Framework and Service Attributes (November 2022).
Gartner’s words: “Zero trust network access (ZTNA) is a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications.” Cybyr.com comment: I have no idea what this “identity- and context-based, logical access boundary” marketing mumbo jumbo means, but let’s assume it refers to authenticated and identified subject actors desiring access to target actors based on a policy and access control – and no others can access that target.
“The applications are hidden from discovery, and access is restricted via a trust broker (“broker” is undefined, but in MEF terms this likely refers to Policy Management) to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants (in MEF terms this could mean subject and target actors) before allowing access and prohibits lateral movement elsewhere in the network. (I assume this means the access control is specific only to the designated target actor in its current location.) This removes application assets from public visibility and significantly reduces the surface area for attack.” (I assume again that it means the only access to the asset is via the brokerage or Policy Management service.) The three elements that are missing from the definition are (1) the time when access is permitted, (2) ongoing automated monitoring and event notification and (3) the likely separation of policy management and policy enforcement. There is no mention of block lists or allow lists. Again, Least Privilege and the NIST-defined access control types are not mentioned, but we’ll let those pass.
The question remains however: “What has this to do with Zero Trust or Network Access?” The answer is that it can enable the Zero Trust principle of preventing data exfiltration but does not mention that. Secondly, it does not mention Network Access. What it does do is address the issue of accessing network-connected, Cloud-based software and data by unauthorized actors. So it’s the language of the term ZTNA itself that is misleading to me. Like everyone else, my understanding is based on what I have learned, which will likely be different from yours, the reader. Maybe the time was right to have Zero Trust in a term and there was no element that showed how the other elements were glued together.
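As an added illustration (not part of the original analysis, and not any vendor’s or the MEF’s code), the following Python model sketches the broker behaviour the definition describes together with the three elements the analysis says are missing: an explicit time window, an event record for every decision, and policy management kept separate from the enforcement point. The names PolicyManager and EnforcementPoint, and the sample subject, targets and hours, are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, time
# Constructed example; PolicyManager and EnforcementPoint are hypothetical names
# chosen for this illustration, not any product's or the MEF's API.
@dataclass(frozen=True)
class Policy:
    subject: str            # authenticated, identified subject actor
    target: str             # one named target actor, never "the network"
    required_context: dict  # context conditions, e.g. device posture
    allowed_hours: tuple    # (start, end) as datetime.time: when access is permitted

class PolicyManager:
    """Policy management: stores policies and answers allow/deny; never touches traffic."""
    def __init__(self, policies):
        self._policies = list(policies)

    def decide(self, subject, target, context, now):
        for p in self._policies:
            if p.subject != subject or p.target != target:
                continue  # policy is for a different subject/target pair
            if any(context.get(k) != v for k, v in p.required_context.items()):
                continue  # context does not satisfy the policy (e.g. device posture)
            if not (p.allowed_hours[0] <= now.time() < p.allowed_hours[1]):
                continue  # outside the permitted time window
            return True
        return False  # deny by default: no matching policy means no access

class EnforcementPoint:
    """Policy enforcement: brokers each request to one target and records an event."""
    def __init__(self, manager):
        self._manager = manager
        self.events = []  # monitoring feed: one record per decision, allow or deny

    def request(self, subject, target, context, now):
        allowed = self._manager.decide(subject, target, context, now)
        self.events.append({"at": now.isoformat(), "subject": subject,
                            "target": target, "allowed": allowed})
        return allowed

def demo():
    # Constructed scenario: alice may reach only payroll-app, 08:00-18:00, from a compliant device.
    pep = EnforcementPoint(PolicyManager([Policy(
        "alice", "payroll-app", {"device_posture": "compliant"}, (time(8), time(18)))]))
    ok = {"device_posture": "compliant"}
    at10 = datetime(2023, 2, 17, 10)
    results = {"in_hours": pep.request("alice", "payroll-app", ok, at10),
               "lateral": pep.request("alice", "hr-db", ok, at10),  # other target: refused
               "after_hours": pep.request("alice", "payroll-app", ok, datetime(2023, 2, 17, 22)),
               "bad_device": pep.request("alice", "payroll-app", {"device_posture": "unknown"}, at10)}
    return results, pep.events
```

Every request, including the refused ones, leaves an event behind, which is what gives the monitoring element something to act on.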
I hope this analysis was useful and gives an idea of the issues faced when an attempt is made to implement a well-meaning marketing idea without a carefully thought through standard. As we said earlier, SASE was a very nice idea and it caught on. It’s a great example of how a competitive market was generated at speed, something standards bodies cannot do while maintaining the integrity of their work. – Mark Fishburn, February 2023.
Recap from the Terminology page
| Term | Abbreviation | Definition / Note |
| --- | --- | --- |
| CASB and SWG | | Note: what is the difference between CASB and SWG? Both CASB and SWG offer data & threat protection, and they are cloud-based. Cloud-based SWGs have more capabilities, which made them a suitable replacement for the limited firewall. They fulfil the same use case of network/perimeter protection by delivering network security services via the Cloud. |
| Cloud Access Security Broker | CASB | A Cloud access security broker is Cloud-hosted software or on-premises software or hardware that acts as an intermediary or gateway between users and Cloud service providers. This is curious because, as with other SASE elements, this sounds like a similar description to the one Gartner provided for ZTNA (see below). |
| Firewall as a Service | FWaaS | Firewall as a service, also known as a Cloud firewall, provides Cloud-based network traffic inspection capabilities to customers seeking to migrate to a hybrid or multi-cloud model. It reduces the burden on on-premises data center equipment and the management burden for internal Cybersecurity teams. |
| Secure Access Service Edge | SASE | SASE is designed as a fully-integrated WAN networking and security framework that connects remote users and branch offices to cloud and corporate applications and the Internet. As first outlined by Gartner in December 2019 (Link to the original blog describing this “new package of technologies”), SASE is a conceptual framework, not a product. It encompasses: (1) SD-WAN – a network overlay technology, (2) Cloud Access Security Broker (CASB), (3) Secure Web Gateway (SWG), (4) Firewall as a Service (FWaaS) and (5) Zero Trust Network Access (ZTNA). All these terms are covered in this Terminology page. Their definition is up for interpretation. Late in 2022 the MEF expanded on the original idea, introducing a SASE service and service attributes definition (MEF 117) by defining a standard ‘SASE service’ combining security functions and network connectivity. |
| Secure Service Edge | SSE | Follow-on to the above. Later Gartner defined SSE – a more IT-focused and implementable subset of SASE without SD-WAN and FWaaS, consisting of CASB, SWG and ZTNA. It defines SSE as securing access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service, and may include on-premises or agent-based components. In March 2022 Gartner created a new magic quadrant summarizing 11 players in this space. Note: If after reading this, Googling SASE or SSE and looking at product definitions in this space, you are still unclear, then we would not be surprised, since vendors and providers match their capabilities to their market. If you are looking for guidance, then it comes down to matching what a product does and seeing if it matches your requirements. |
| Secure Web Gateway | SWG | Secure web gateways act as a barrier, keeping users from accessing malicious websites, malware, or web traffic that is part of a Cyberattack. SWG is a solution that filters malware from user-initiated Internet traffic to enforce corporate and regulatory policy compliance. A secure web gateway is a Cyberbarrier or checkpoint that keeps unauthorized traffic from entering an organization’s network. The traffic that a secure web gateway governs is all inline—the gateway stands between all incoming and outgoing data. |
| Zero Trust | | A set of principles and strategies intended to prevent the exfiltration of data in many areas, layers and apps operating in a hybrid cloud, perimeter-less network. See Section 7 of the Book for an in-depth examination. In a world where the network perimeter no longer exists, a Zero Trust approach is the best and perhaps the only approach to protecting your assets. Remember it’s not a system but an approach whose deployment is context and location dependent. |
| Zero Trust Network Access | ZTNA | Zero Trust Network Access is an element of Gartner’s original SASE concept. ZTNA solutions provide secure remote access to an organization’s applications, data, and services based on clearly defined access control policies. It could be said that ZTNA is the Zero Trust replacement for virtual private networks (VPNs), in that ZTNA grants access only to specific services or applications, where VPNs grant access to an entire network. ZTNA is an obvious solution to distributed workforce security. |