Is zero trust compatible with SD-WAN / SASE?
When you're talking about zero-trust in SD-WAN and trusting identities entering the network from the outside, that's all fine. But once you're inside the network, all those controls are gone. We design our networks in such a way that if an attacker does have credentials or if you have malware on that machine that the endpoint detection and response (EDR) missed because now the attacks are fileless, then none of the heuristics are going to pick up on it. Attackers start snooping around because now they have creds, they can get the AD, they can get the remote desktop protocol (RDP), etc. Your zero-trust is out the window.
All these attacks are happening because of internal propagation. We're still looking at the perimeter but we're not looking at what can happen once you're in. Because everybody has this argument that the attackers are already in your environment and they're just waiting for an opportunity to get around. Why give them that opportunity? It doesn't make any sense.
Why do we have VLANs in which every device on them has access to everything else? We say this VLAN can't talk to that VLAN, but then we have the capability to RDP into a server—once you're on that server and you start an RDP session, you have access to the whole network. So the whole networking concept of zero-trust is broken.
It just depends on how much effort you want to put into it. When I was at a previous company, we did VLAN segmentation but we also put Cisco ISE on top of it. That was a beast to roll out and managing the roles and permissions is a full-time job. But it will tell you when there's lateral movement across machines or abnormal behavior. It was a long project.
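To make the "flat VLAN versus role-based policy" point above concrete, here is a small added example (my own code, not from any poster or from Cisco ISE). It models a constructed inventory of hosts with VLANs and roles, expresses two policies as Python functions, and walks the graph of permitted RDP flows to compute the blast radius an attacker gets from a foothold. The flat policy mirrors the design criticised in the thread (VLANs isolated from each other, but anything inside a VLAN reaches everything else, plus a workstation-to-jump-host RDP allowance); the role policy is a default-deny allow-list in the style of identity-based segmentation. All hostnames, roles and rules are assumptions for illustration.

```python
"""Blast-radius comparison: flat VLAN segmentation vs. role-based allow-list.

Added example, not from the thread. Inventory, roles and rules are constructed.
"""
from collections import deque

RDP = 3389

# Constructed inventory: host -> (vlan, role)
HOSTS = {
    "ws-01": ("users", "workstation"),
    "ws-02": ("users", "workstation"),
    "jump-01": ("servers", "jump"),
    "app-01": ("servers", "app"),
    "db-01": ("servers", "db"),
    "dc-01": ("servers", "dc"),
}


def flat_vlan_policy(src, dst, port):
    """The design the thread criticises: VLANs cannot talk to each other,
    but every device inside a VLAN reaches every other device in it, and
    workstations are allowed to RDP to the jump host."""
    s_vlan, s_role = HOSTS[src]
    d_vlan, d_role = HOSTS[dst]
    if s_vlan == d_vlan:
        return True
    return s_role == "workstation" and d_role == "jump" and port == RDP


# Role-based allow-list (default deny): (source role, destination role, port)
ROLE_RULES = {
    ("workstation", "jump", RDP),
    ("jump", "app", RDP),
    ("app", "db", 5432),  # app tier talks to the database, never over RDP
}


def role_policy(src, dst, port):
    """Identity/role-based segmentation: only explicitly listed flows pass."""
    s_role = HOSTS[src][1]
    d_role = HOSTS[dst][1]
    return (s_role, d_role, port) in ROLE_RULES


def reachable_over_rdp(foothold, policy):
    """Breadth-first walk over permitted RDP flows: every host an attacker
    holding credentials on `foothold` can open an interactive session on,
    including hops through intermediate hosts."""
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and policy(cur, nxt, RDP):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(foothold)
    return sorted(seen)


def segmentation_gap(foothold):
    """Hosts exposed by the flat design that the role policy would have cut off."""
    flat = set(reachable_over_rdp(foothold, flat_vlan_policy))
    role = set(reachable_over_rdp(foothold, role_policy))
    return sorted(flat - role)


if __name__ == "__main__":
    for name, pol in (("flat VLAN", flat_vlan_policy), ("role-based", role_policy)):
        print(f"{name:11s} from ws-01 -> {reachable_over_rdp('ws-01', pol)}")
    print("closed by role policy:", segmentation_gap("ws-01"))
```

Under the flat policy a compromised workstation reaches the jump host, and from there the whole server VLAN including the domain controller; under the role policy the same foothold stops at the app tier, because nothing is allowed to RDP to the database or the DC. The walk is the useful part: a policy that looks fine flow-by-flow can still hand over the network once transitive hops are counted, which is exactly what the "RDP into one server, then everything" complaint above describes.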
110%
Both Zero Trust and SD-WAN are cornerstones of a SASE architecture. They should be so empirically linked that you cannot see the world without them.
Remember though, Zero Trust is a methodology and mentality, not a product. If someone tries to sell you ZT, then they don’t understand it.
If you remove SD-WAN from SASE, you’re left with SSE.
If you remove Zero Trust from SASE, you’re left with a hole in your network (and ransomware to deal with!)