I recently read an article in CRN where Zscaler CEO Jay Chaudhry stated that he’s not a believer in SASE because he thinks “SD-WAN is anti-zero trust.” I respect Jay immensely, but I must respectfully disagree with this statement.
A Broader Perspective on SD-WAN
Jay's core criticism is that SD-WAN allegedly grants unrestricted access once a user or device is connected to the network, thereby undermining Zero Trust. That perspective conflates transport with access policy. SD-WAN provides the conduit between sites, data centers, and clouds; what a connected user or device is allowed to reach is decided by the access policy layered on top of that transport (segmentation and identity-based controls), not by the transport itself.
Moreover, it’s crucial to remember that SD-WAN and Zero Trust are not arch-nemeses. On the contrary, they can harmoniously coexist, enhancing network security when their powers are combined.
How SD-WAN and Zero Trust Complement Each Other
SD-WAN has emerged as an indispensable technology that lets organizations connect their branch offices, data centers, and cloud resources over multiple WAN transports (MPLS, broadband, LTE/5G) securely and efficiently. It relies on centralized, software-based policy management and dynamic path selection over encrypted overlay tunnels to improve network performance, lower costs, and simplify network operations.
Conversely, Zero Trust is a security framework that grants no implicit trust to any device, user, or service based on its network location, inside or outside the traditional perimeter. Zero Trust emphasizes continual verification, rigorous access controls, and least privilege to reduce the blast radius of a compromised account or endpoint.
While it's accurate to say that SD-WAN doesn't by itself enforce Zero Trust principles, it doesn't inherently conflict with them either. Zero Trust policy can be layered onto SD-WAN: micro-segmentation (using the per-segment overlays SD-WAN already provides), identity and access management (IAM) as the basis for access decisions, continuous verification of user and device state, and encryption of traffic in transit. This combination gives organizations a secure, efficient, and adaptable network in which a foothold on one segment does not translate into reach across the whole network.
Revisiting the Legacy LAN Infrastructure
The issue Jay raises isn’t a problem with SD-WAN; it’s a problem with our legacy LAN infrastructure. I agree with Jay that our LANs still largely operate under a legacy “trusted network” model, granting users wide-ranging network access instead of implementing a Zero Trust approach. But the proposed solution is off the mark.
If the aim is to protect employees working on-site, we need to overhaul the LAN to incorporate Zero Trust principles. This is an area where Jay might lack insight as he primarily operates in a cloud-delivered security context, focusing on Zero Trust for remote workers only.
At Versa, we envision a broader scope of Zero Trust which we call “Zero Trust Everywhere”. This concept extends Zero Trust Network Access to ALL employees, whether remote or on-site. Achieving this requires a substantial shift in the way LANs operate.
The LAN must adopt a Zero Trust model that never implicitly trusts anyone or any device, regardless of its network location. This involves a significant transformation of the legacy LAN into a “Zero Trust LAN”:
| Legacy LAN | Zero Trust LAN |
|---|---|
| Implicit trust | Never trust, always verify |
| Unlimited network access | Granular access control |
| One-time authentication | Continuous trust evaluation |
Importantly, all of these align perfectly well with existing SD-WAN architectures. Jay, THIS is the architectural conversation we need to have.
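To make the three rows of the table concrete, here is an added illustrative example (not Versa, Zscaler, or any vendor's code) of the decision logic behind each model. The legacy function answers "are you on the corporate LAN?" once; the Zero Trust function evaluates identity, device posture, MFA freshness, and a per-application policy on every request, and deliberately ignores source IP. All names, the policy table, and the sample sessions are hypothetical and constructed for the demo.

```python
"""Added illustrative example: legacy "trusted LAN" vs. Zero Trust access decisions.

Everything here (app names, policy thresholds, the 10.10.0.0/16 LAN range,
users and devices) is constructed for illustration and is not vendor code.
"""
from dataclasses import dataclass
from typing import Dict, Tuple
import ipaddress

CORP_LAN = ipaddress.ip_network("10.10.0.0/16")  # constructed example LAN range


@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool


@dataclass
class Session:
    user: str
    groups: set
    device: Device
    src_ip: str
    mfa_at: int  # epoch seconds of last MFA


@dataclass
class Request:
    session: Session
    app: str
    now: int  # epoch seconds at request time


# Hypothetical per-application policy: allowed groups, max MFA age, posture requirement.
APP_POLICY = {
    "hr-portal": {"groups": {"hr"}, "max_mfa_age": 8 * 3600, "require_managed": True},
    "git": {"groups": {"eng"}, "max_mfa_age": 12 * 3600, "require_managed": True},
    "wiki": {"groups": {"eng", "hr"}, "max_mfa_age": 24 * 3600, "require_managed": False},
}


def legacy_lan_decision(req: Request) -> bool:
    """Legacy LAN: one check at connect time. On the LAN means reach everything."""
    return ipaddress.ip_address(req.session.src_ip) in CORP_LAN


def device_posture_ok(dev: Device, require_managed: bool) -> bool:
    """Managed devices must be encrypted and have a healthy EDR agent right now."""
    if require_managed and not dev.managed:
        return False
    if dev.managed and not (dev.disk_encrypted and dev.edr_healthy):
        return False
    return True


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Zero Trust: identity + posture + per-app policy, re-evaluated per request.
    Network location is intentionally not an input; unknown apps are denied."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown app: default deny"
    s = req.session
    if not s.groups & policy["groups"]:
        return False, f"{s.user} not in {sorted(policy['groups'])}"
    if req.now - s.mfa_at > policy["max_mfa_age"]:
        return False, "MFA too old: re-authenticate"
    if not device_posture_ok(s.device, policy["require_managed"]):
        return False, f"device {s.device.device_id} fails posture"
    return True, "allow"


def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """Returns (legacy_allowed, zero_trust_allowed) for a few constructed scenarios."""
    laptop = Device("lt-0420", managed=True, disk_encrypted=True, edr_healthy=True)
    alice = Session("alice", {"eng"}, laptop, "10.10.4.20", mfa_at=1_700_000_000)
    t = 1_700_000_600
    out = {}

    def both(sess, app, now):
        r = Request(sess, app, now)
        return legacy_lan_decision(r), zero_trust_decision(r)[0]

    out["git_on_lan"] = both(alice, "git", t)            # both allow
    out["hr_portal_lateral"] = both(alice, "hr-portal", t)  # legacy allows, ZT denies
    laptop.edr_healthy = False                            # agent dies mid-session
    out["git_after_posture_loss"] = both(alice, "git", t)  # legacy never re-checks
    laptop.edr_healthy = True
    out["git_stale_mfa"] = both(alice, "git", 1_700_000_000 + 13 * 3600)
    remote = Session("alice", {"eng"}, laptop, "203.0.113.5", mfa_at=1_700_000_000)
    out["git_remote"] = both(remote, "git", t)            # legacy denies, ZT allows
    return out


if __name__ == "__main__":
    for name, (legacy, zt) in run_demo().items():
        print(f"{name:24s} legacy={legacy!s:5s} zero_trust={zt}")
```

The last scenario is the "Zero Trust Everywhere" point: the same policy that stops lateral movement on the LAN also admits a healthy, authenticated user from outside it, so on-site and remote access are governed by one decision path rather than by which side of the perimeter the packet arrived from.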
Pioneering the Future of Secure Networking
We find our customers all across a spectrum on this issue. Some organizations use SD-WAN and Zero Trust solutions from different vendors; others use integrated solutions from a single vendor like Versa. Many of them realize substantial value from a unified networking and security stack integrating SD-WAN, ZTNA, and a broad set of security capabilities. And a number of forward-leaning organizations are extending Zero Trust into their LAN.
It’s a nascent field, and we’re excited to see it grow. If you’re exploring Zero Trust, I invite you to join this conversation as we navigate this frontier together. Let’s re-think and re-define how we secure our networks, for the benefit of all.