GUEST ESSAY: Testing principles to mitigate real-world risks to ‘SASE’ and ‘Zero Trust’ systems

By Sashi Jeyaretnam

A new generation of security frameworks are gaining traction that are much better aligned to today’s cloud-centric, work-from-anywhere world.

Related: The importance of ‘attack surface management’

I’m referring specifically to Secure Access Service Edge (SASE) and Zero Trust (ZT).

SASE replaces perimeter-based defenses with more flexible, cloud-hosted security that can extend multiple layers of protection anywhere. ZT shifts networks to a “never-trust, always-verify” posture, locking down resources by default and requiring granular context to grant access.

With most business applications and data moving to cloud and users connecting from practically anywhere, SASE and Zero Trust offer more versatile and effective security. Assuming, of course, that they work the way they’re supposed to.

Effective testing

Modern SASE/ZT solutions can offer powerful protection for today’s distributed, cloud-centric business networks, but they also introduce new uncertainties for IT. Assuring performance, interoperability, resilience, and efficacy of a SASE implementation can be tricky.

What’s more, striking the right balance between protecting against advanced threats and ensuring high Quality of Experience (QoE) is not easy when new DevOps/SecOps tools are pushing out a 10X increase in software releases.

Effective testing becomes critical. Today’s highly distributed, intensely dynamic environment results in potentially thousands of hybrid cloud test cases that need to be continually verified. IT and security teams must address:

SASE assurance: Most Managed Security Service Providers (MSSPs) are bound by service-level agreements (SLAs) for the services they deliver, including SASE. Since there are no standard SASE key performance indicators (KPIs,) just determining how to validate SASE behavior can be problemat

ZT behavior: ZT frameworks grant access based on identity, policy, and context. Each of these elements must be validated across multiple security controls, like next-generation firewall (NGFW) and data loss protection (DLP) tools. Once again, there is no standard set of ZT test cases to guide this validation.

SASE applications: Applying strong security without impeding performance requires an understanding of the footprint, scalability, and robustness of different SASE application services in different cloud environments; these include NGFWs, application firewalls, secure web gateways, and more.

Edge NFs: Even when offered as a single “solution,” SASE edge clouds can include multiple proprietary NFs (SD-WAN, NGFW, ZT) each with its own API and management tool. These all need to be validated.

Security policy: Successfully enforcing policy in a SASE environment starts with validating security rule sets. With evolving threats and ongoing network changes, that can’t be a one-time job. Next-gen automated test tools can be leveraged to continually re-validate policies.

Testing principles

Clearly, SASE/ZT testing merits serious consideration, and the right test cases for one organization won’t necessarily map to another. Here are four pillars of effective SASE testing:

Test across all deployment environments. SASE architectures must be validated end to end—from users and branches, through SASE points of presence, to cloud application servers. Additionally, performance needs to be profiled across all networks and SASE behavior measured across all architectures—virtualized, containerized, and bare metal


Test for the real world. Specific SASE KPIs unique to a company’s operating environment need to be identified. Simulating generic traffic patterns can be misleading. Care must be taken to ensure testing reflects real-world network and application traffic profiles.

Accurately simulate vulnerabilities. Realistic threat models likewise should be used to validate SASE security efficacy—including simulating the evasion and obfuscation techniques that real hackers use. And since malware and vulnerabilities constantly change, threat models must continually evolve too.

Prioritize QoE. The best all-around metric for SASE/ZT testing is QoE, as it reflects multiple underlying factors, including performance, error detection, encryption variability, overall transaction latency, and (for ZT) concurrent authentication rate. Security controls that impede important business activities, will motivate users to try to bypass them.

Despite the complexity of SASE/ZT validation, it’s easy to understand what effective testing looks like. The right tools in place can continually test a full range of use cases across all environments.

Organizations can draw on a new generation of automated, always-on SASE/ZT testing tools. These systems integrate automated continuous security and QoE providing the dynamic protection companies expect and need.

About the essayist: Sashi Jeyaretnam is Senior Director of Product Management for Security Solutions, at Spirent,  a British multinational telecommunications testing company headquartered in Crawley, West Sussex, in the United Kingdom.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone