Zero Trust Edge is a security solution that connects internet traffic to remote sites using Zero Trust access principles, primarily by utilizing cloud-based security and networking services.
Zero Trust Edge (ZTE) provides a safer internet on-ramp, since ZTE networks are accessible from virtually anywhere, spanning the internet using Zero Trust Network Access (ZTNA) to authenticate users and devices as they connect.
Noting that networking and cybersecurity have become increasingly intertwined, Gartner introduced the secure access services edge (SASE) concept, which in part includes the convergence of cloud security and cloud networking services. SASE solutions are designed to secure the cloud, data center, and branch network edges and deliver a secure SD-WAN fabric across different connectivity. Recently, Forrester documented a newer model of SASE in their report "Introducing The Zero Trust Edge Model For Security And Network Services,” which defines Zero Trust Edge (ZTE), putting more emphasis on the “Zero Trust” component.
Although the enterprise network perimeter has been decaying for decades, when the global Covid pandemic sent employees scurrying to setup remote offices at home the perimeter evaporated entirely. Work from home (WFH) employees have become the new normal, and businesses are constantly seeking new channels for engaging with their customers – including web and mobile applications.
Since this expanding universe of users and devices must connect to enterprise resources to perform their job functions or transact business, security professionals are increasingly adopting Zero Trust approaches to networking to securely support their remote workforce.
For this reason, the initial ZTE use case for most organizations will be securing remote workers while eliminating the need for virtual private networks (VPNs), which often become overburdened with the deluge of new connections brought on by the WFH crowd.
The further integration of networking and security is being fueled by three major drivers:
Although many organizations have virtualized their networks via the use of software-defined wide area networking (SD-WAN), this approach does not address many newer security requirements. By bringing cloud security and networking together in this manner, ZTE provides some key benefits including:
Risk Reduction. Since security is woven into the fabric of the network and each connection is inspected and secured, IT professionals need not worry about where users are connecting from, what applications are being used, or what type of encryption (if any) is being used. Each connection and transaction is authenticated every time.
Cost Savings. Since ZTE is typically delivered as an automated, cloud-delivered service, ZTE networks are inherently scalable. Because they are part of the internet fabric they support an organization’s digital transformation without regard to legacy architectures.
Enhanced User Experience. Networking performance and throughput are improved since on-ramps are available worldwide, reducing the need for backhaul and driving latency down.
Although the ZTE model is designed to be either cloud hosted or edge hosted security stack, bandwidth limitations in many areas require some elements of the stack to reside on local infrastructure.
There are currently three ZTE approaches that organizations can leverage
It is expected that ZTE will have the most value when cloud-based, since solutions should be built on two key cloud-borne principles:
When fully deployed, organizations can centrally manage, monitor, and analyze the set of security and networking services that reside within ZTE solutions, regardless of whether they are cloud-borne or hosted in a remote location.
The Zero Trust edge model is transformative not disruptiveto the way security and networking have traditionally been consumed. Always in a constant state of evolution, cybersecurity functions have been quick to move to the Zero Trust edge.
Companies are getting pulled into the Zero Trust edge by proxy of the remote worker security problem, but significant challenges lie ahead to achieve the full promise of the model, including:
Legacy applications and services. Modern web applications that support identity federation are easier configured in a ZTE, but those applications built on non-web protocols, especially RDP/VDI for remote access and SIP/VoIP for voice will not be so easily integrated, as there is no standardized for them to be utilized in a ZTE environment.
Legacy networking gear. Once the computers and applications are joined to the ZTE, IT must consider the myriad of operational technology (OT) and internet of things (IoT) devices, of which there may be thousands in any organization.
Capacity. Although ZTE can solve tactical access problems for remote workers, they do not yet have the ability to replace high-capacity network and security services that provide data center access today. Organizations may choose to undertake a cloud migration before they transit to ZTE protection for certain enterprise assets.
ZTE was defined by Forrester as a refinement of the original SASE model, with an increased focus on the “zero trust” component of that model. Since the internet was designed without regard to security, it has spawned a universe of malware and ever-changing attack surfaces. ZTE takes the approach of ignoring the decades of security patches and band-aids that have been applied to attempt a safe connection, and assume the worst and thus authenticate every connection using ZTE, even if the endpoint’s only internet connection is to tunnel through it to another endpoint, thus keeping users away from the ‘bad parts of town’ on the public internet.