Is zero trust compatible with SD-WAN / SASE?

ArchitectureStrategy
2.3k viewscircle icon3 Comments
Sort by:
Director of Enablement2 years ago

110%

Both Zero Trust and SD-WAN are cornerstones of a SASE architecture. They should be so empirically linked that you can not see the world without it.

Remember though, Zero Trust is a methodology and mentality, not a product. If someone tries to sell you ZT, then they don’t understand it.

If you remove SD-WAN from SASE, you’re left with SSE.

If you remove Zero Trust from SASE, you’re left with a hole in your network (and ransomware to deal with!)

vCISO and COO in Software4 years ago

When you're talking about zero-trust in SD-WAN and trusting identities entering the network from the outside, that's all fine. But once you're inside the network, all those controls are gone. We design our networks in such a way that if an attacker does have credentials or if you have malware on that machine that the endpoint detection and response (EDR) missed because now the attacks are fileless, then none of the heuristics are going to pick up on it. Attackers start snooping around because now they have creds, they can get the AD, they can get the remote desktop protocol (RDP), etc. Your zero-trust is out the window. 

All these attacks are happening because of internal propagation. We're still looking at the perimeter but we're not looking at what can happen once you're in. Because everybody has this argument that the attackers are already in your environment and they're just waiting for an opportunity to get around. Why give them that opportunity? It doesn't make any sense. 

Why do we have VLANs in which every device on it has connect access to everything else? We say this VLAN can't talk to that VLAN, but then we have the capability to RDP into a server—once you're on that server and you start an RDP session, you have access to the whole network. So the whole networking concept is broken of zero-trust.

Lightbulb on1
Head of Information Technology4 years ago

It just depends on how much effort you want to put into it. When I was at a previous company, we did VLAN segmentation but we also put Cisco ISE on top of it. That was a beast to roll out and managing the roles and permissions is a full-time job. But it will tell you when there's lateral movement across machines or abnormal behavior. It was a long project.

Lightbulb on1

Content you might like

When hiring an Enterprise Architect (EA), what is most important for them to have on their CV?

An EA certification18%

Several years of general EA experience73%

Experience with a business similar to yours8%

View Results

How often does IT collaborate with HR to socialize new productivity tools?

Always10%

Often56%

Sometimes26%

Rarely6%

Never

View Results

Is anyone working on automation of EA Practice activities such as design and/or roadmap development through the use of AI tools? This could include but not be limited to strategy, analysis, solution development, governance submissions, standards review, white papers etc. We are using ARIS as an EA repository and are considering the use of the AI companion or perhaps even standalone AI tools to import, process, analyses & publish. Happy to discuss ideas for future implementation.

Read More Comments

Has anyone successfully negotiated with a big hyperscaler partner to introduce a term into the contract that establishes service prices as public price at time of contract execution and holds those prices flat for the entire contract term? We're trying to think of ways to mitigate potential future cost increases if public prices change (due to tariffs or other unknown conditions) and dilute the impact of negotiated discounts.

We are dealing with a specific issue in our VDI non-persistent environment, which operates using Omnissa Horizon (formerly VMware). We are employing a hybrid join for authentication that integrates ADFS and Entra ID.   Here are the details of our problem:   1. **Environment**: VDI non-persistent using Omnissa Horizon 2. **Authentication Method**: Hybrid join with ADFS and Entra ID 3. **Issue**: Users are experiencing difficulties authenticating to Microsoft 365 apps within the virtual machine. The authentication process gets stuck in a loop when attempting to access the smartcard. I would appreciate any insights or experiences from others who have encountered similar issues or have a similar environment working successfully.