What is Zero Trust Edge?

Zero Trust Edge is a security solution that connects internet traffic to remote sites using Zero Trust access principles, primarily by utilizing cloud-based security and networking services. 

Zero Trust Edge (ZTE) provides a safer internet on-ramp, since ZTE networks are accessible from virtually anywhere, spanning the internet using Zero Trust Network Access (ZTNA) to authenticate users and devices as they connect. 

Noting that networking and cybersecurity have become increasingly intertwined, Gartner introduced the secure access services edge (SASE) concept, which in part includes the convergence of cloud security and cloud networking services. SASE solutions are designed to secure the cloud, data center, and branch network edges and deliver a secure SD-WAN fabric across different connectivity. Recently, Forrester documented a newer model of SASE in their report "Introducing The Zero Trust Edge Model For Security And Network Services,” which defines Zero Trust Edge (ZTE), putting more emphasis on the “Zero Trust” component. 

Although the enterprise network perimeter has been decaying for decades, when the global Covid pandemic sent employees scurrying to setup remote offices at home the perimeter evaporated entirely. Work from home (WFH) employees have become the new normal, and businesses are constantly seeking new channels for engaging with their customers – including web and mobile applications. 

Since this expanding universe of users and devices must connect to enterprise resources to perform their job functions or transact business, security professionals are increasingly adopting Zero Trust approaches to networking to securely support their remote workforce. 

For this reason, the initial ZTE use case for most organizations will be securing remote workers while eliminating the need for virtual private networks (VPNs), which often become overburdened with the deluge of new connections brought on by the WFH crowd. 

The further integration of networking and security is being fueled by three major drivers: 

• Security professionals demand to determine that traffic permitted on the network meets their stringent security trust levels and monitoring and analysis of traffic to ensure compliance with policies
• Networking professionals need to adopt ZTE polices and execute networking in a security light, rather than security teams overlaying corporate networks.
• Need for a safe internet access on-ramps for every client and endpoint and the ability to thwart or bypass malware that may exist anywhere along the network route

Although many organizations have virtualized their networks via the use of software-defined wide area networking (SD-WAN), this approach does not address many newer security requirements. By bringing cloud security and networking together in this manner, ZTE provides some key benefits including: 

Risk Reduction. Since security is woven into the fabric of the network and each connection is inspected and secured, IT professionals need not worry about where users are connecting from, what applications are being used, or what type of encryption (if any) is being used. Each connection and transaction is authenticated every time. 

Cost Savings. Since ZTE is typically delivered as an automated, cloud-delivered service, ZTE networks are inherently scalable. Because they are part of the internet fabric they support an organization’s digital transformation without regard to legacy architectures. 

Enhanced User Experience. Networking performance and throughput are improved since on-ramps are available worldwide, reducing the need for backhaul and driving latency down. 

Although the ZTE model is designed to be either cloud hosted or edge hosted security stack, bandwidth limitations in many areas require some elements of the stack to reside on local infrastructure.

There are currently three ZTE approaches that organizations can leverage

1. Cloud delivered service based on vendor-operated or third-party network with several to hundreds of points of presence (POPs) with ZTE capabilities. This approach takes a software-as-a-service (SaaS) angle.
2. ZTE as part of a WAN connection service, with carrier providing ZTE functionality as well as outsourced security. Comcast Enterprise and Akami offer ZTE functionality, and many SD-WAN providers are partnering with ZTE-focused security vendors to complete an offering. Although there will be many options, on-premises offerings will lack the agility of cloud-based systems and SD-WAN/ZTE combinations will require policies to be configured for each service, lacking an overall single pane of glass solution.
3. Homegrown approach, realistic only for large, agile enterprises who have capabilities to build their own ZTE offering utilizing cloud service providers for POPs and cloud-hosted firewall and other security services that reside in the public cloud. Although ultimately flexible, this approach requires constant monitoring of evolving security components, cloud services, and the IT skills to create and manage such an offering.

It is expected that ZTE will have the most value when cloud-based, since solutions should be built on two key cloud-borne principles:

• Network and security management that is cloud based and provides a single set of policies for users across the enterprise and management tools for networking, firewall, and other SD-WAN functionality. This will reduce errors, increase efficiency, and facilitate setting up similar policies for multiple systems.
• Monitoring, management, and analysis tools that link networking and security. This ZTE hallmark enables better utilization of links, helps spot network anomalies that could lead to security issues, and brings the entire network – including peering metros – into the monitoring bubble. The sheer volume of data collected and analyzed fairly demands cloud-based solutions for storage and processing to achieve the desired analytics.

When fully deployed, organizations can centrally manage, monitor, and analyze the set of security and networking services that reside within ZTE solutions, regardless of whether they are cloud-borne or hosted in a remote location.

The Zero Trust edge model is transformative not disruptiveto the way security and networking have traditionally been consumed. Always in a constant state of evolution, cybersecurity functions have been quick to move to the Zero Trust edge.

Companies are getting pulled into the Zero Trust edge by proxy of the remote worker security problem, but significant challenges lie ahead to achieve the full promise of the model, including:

Legacy applications and services. Modern web applications that support identity federation are easier configured in a ZTE, but those applications built on non-web protocols, especially RDP/VDI for remote access and SIP/VoIP for voice will not be so easily integrated, as there is no standardized for them to be utilized in a ZTE environment.

Legacy networking gear. Once the computers and applications are joined to the ZTE, IT must consider the myriad of operational technology (OT) and internet of things (IoT) devices, of which there may be thousands in any organization.

Capacity. Although ZTE can solve tactical access problems for remote workers, they do not yet have the ability to replace high-capacity network and security services that provide data center access today. Organizations may choose to undertake a cloud migration before they transit to ZTE protection for certain enterprise assets.

ZTE was defined by Forrester as a refinement of the original SASE model, with an increased focus on the “zero trust” component of that model. Since the internet was designed without regard to security, it has spawned a universe of malware and ever-changing attack surfaces. ZTE takes the approach of ignoring the decades of security patches and band-aids that have been applied to attempt a safe connection, and assume the worst and thus authenticate every connection using ZTE, even if the endpoint’s only internet connection is to tunnel through it to another endpoint, thus keeping users away from the ‘bad parts of town’ on the public internet.