Fundamentally, Security Service Edge (SSE) provides the security service elements of a comprehensive Secure Access Service Edge (SASE) strategy. So, to be clear, SSE is a subset or component of a SASE solution or strategy.
SSE delivers access control, threat protection, data security, security monitoring, and acceptable use control functionality in a single cloud-delivered solution. Further, when SSE is combined with software defined wide area networking (SD-WAN), it forms a comprehensive SASE platform, providing monitoring and policy enforcement with integrated network controls and application APIs augmented by endpoint-based controls.
Now let’s take a short step back and discuss where SSE came from and the components that often make up an SSE solution.
Security Services Edge (SSE) is a cybersecurity concept Gartner introduced in its 2021 Roadmap for SASE Convergence report. According to Gartner, “SSE is a collection of integrated, cloud-centric security capabilities that facilitates safe access to websites, software-as-a-service (SaaS) applications, and private applications. Specifically, SSE-related security capabilities include:
A comprehensive SSE solution provides organizations with the complete set of security technologies they need to provide employees, trusted partners, and contractors secure remote access to applications, data, tools, and other corporate resources – without having them connect directly to the corporate network.
Further, a full SSE solution allows security teams to monitor and track behavior more effectively once users access the network. As the remote workforce grew during the pandemic, securing remote and mobile users, and the data and apps they access became critical – SSE solutions provide the tools to achieve an improved security posture.
In the last section, we quoted Gartner concerning the definition of SSE. Let’s dig into why it is a concept and not a well-defined “solution.” To do that we’ll take another short step back and discuss SASE.
Secure Access Service Edge (SASE) – is a cloud architecture model that bundles network and Security-as-a-Service functions together and delivers them as a single cloud service. SASE allows organizations to unify their network and security tools in a single management console.
Gartner introduced and defined SASE as a concept in 2019. They define SASE as “the convergence of software-defined wide area networking or SD-WAN, and network security services like CASB, FwaaS, and ZTNA into a single, cloud-delivered service model.”
In plain language, SSE solutions provide secure connectivity to users through cloud-based services, eliminating the need for employees to connect directly to the corporate network for cloud-based services and applications.
An enormous benefit of SSE is to eliminate the need to expose an organization’s IT infrastructure or applications needlessly. Rather, an SSE solution allows users to connect securely to applications across the internet.
Let’s take just a moment to compare the two Gartner concepts. In the SASE framework, network and security services should be consumed through a unified, cloud-delivered approach. The networking and security aspects of SASE solutions will focus on improving the user-to-cloud-app experience while inherently reducing costs and complexity.
You can look at a SASE platform in two parts. The SSE piece focuses on unifying all security services, including SWG, CASB, and ZTNA. The second piece, the WAN part, focuses on networking services, including software-defined wide area networking (SD-WAN), WAN optimization, quality of service (QoS), and other means of improving routing to cloud apps.
Increasingly, organizations are adopting software and infrastructure as a service (SaaS, IaaS) solutions and other cloud apps. Because of this migration to the cloud, the company’s critical information and data becomes more distributed outside of the traditional on-prem data centers. Furthermore, and most importantly for SSE, the shift to users connecting from diverse locations via mobile and remote devices to cloud applications, like Microsoft 365 and Google Docs has driven the need for the SSE solution.
Traditional Network Security Issues with Remote Users
Securing cloud apps and mobile users is difficult with traditional network security approaches because:
Finally, typical layered security defense concepts or solutions are overwhelmingly complex for security teams. While firewalls, IDS/IPS, Endpoint, Anti-virus and other technology play critical roles in defending an organization from attack, they also inherently leave gaps that are often easily exploited by today’s more sophisticated malware.
Delivered from a unified cloud-centric platform, SSE enables organizations to break free from the challenges of traditional network security. SSE provides four primary advantages:
SSE improves visibility across remote users and data, regardless of location, connection or channels accessed. Also, SSE automatically patches software updates across applications and most importantly without the typical lag time of manual IT administration.
Because security is now delivered through the cloud, the behavior of users is visible no matter the connection, location, or activity. This will be an enormous benefit as security teams deal with anomalous traffic on their networks that often are tell-tale signs of malicious activity.
According to Gartner among others, “SSE can deliver many key security services—SWG, CASB, ZTNA, cloud firewall (FWaaS), cloud sandbox, cloud data loss prevention (DLP), cloud security posture management (CSPM), and cloud browser isolation (CBI)—all in one platform.” In addition, it is not an all-or-none proposition. With SSE, organizations can add technologies to the platform at their own pace. One technology is not dependent on another like many layered, on-prem security solutions.
The Zero Trust model is the response to the realization that the perimeter security approach hasn’t been practical because many data breaches happened. After all, attackers could move through internal systems without the risk of being uncovered and stopped once they got past the corporate firewalls.
SSE platforms (along with SASE) should enable least-privileged access from users to the cloud or private apps with a fundamental zero trust policy based on four factors: user, device, application, and content. Applications are not exposed to the internet and thus can’t be discovered, reducing the attack surface, increasing security posture, and further minimizing business risk.
Continuing to leverage Gartner’s idea of the SSE concept, “SSE must be fully distributed across a global footprint of data centers. The best SSE architectures are purpose-built for inspection in every data center instead of vendors hosting their SSE platforms in IaaS infrastructures.”
Distributed architecture improves performance and reduces latency because content inspection—including TLS/SSL decryption and inspection—occurs where the end user connects to the SSE cloud. Combined with peering across the SSE platform, this gives your mobile users the best experience. They no longer need to use slow VPNs, and access to apps in public and private clouds is fast and seamless.
SSE policy control helps mitigate risk as end users access content on- and off-network. Enforcing corporate internet and access control policies for compliance is also a key driver for this use case across IaaS, PaaS, and SaaS.
Another key capability is cloud security posture management (CSPM), which protects your organization from risky misconfigurations that can lead to breaches.
Detecting threats and preventing successful attacks across the internet, web, and cloud services are critical drivers for adopting SSE. With the shift to remote work and mobile access to the corporate network, end users are accessing content across any connection or device.
An SSE platform must have advanced threat protection capabilities, including a cloud firewall (FWaaS), cloud sandbox, malware detection, and cloud browser isolation. CASBs enable the inspection of data within SaaS apps and can identify and quarantine existing malware before it inflicts damage. Adaptive access control, whereby an end user’s device posture is determined, and access is adjusted accordingly, is also a key component.
The modern workforce needs remote access to cloud services and private applications without the inherent risks and slow speeds of VPN. Thus, enabling access to applications, data, and content without enabling access to the network is a critical piece of Zero Trust access, because it eliminates the security risks of giving users direct access to the corporate network.
Providing secure access to private and cloud apps without needing to open firewall ACLs or expose apps to the internet is critical. SSE platforms should enable native inside-out app connectivity, keeping apps “dark” to the internet. A ZTNA approach should also offer scalability across a global network of access points, giving all your users the fastest experience regardless of connectivity demands.
SSE enables you to find and control sensitive data no matter where it resides. By unifying key data protection technologies, an SSE platform provides better visibility and greater simplicity across all data channels. Cloud DLP enables sensitive data or PII to be easily found, classified, and secured to support Payment Card Industry (PCI) standards and other compliance policies. SSE also simplifies data protection, as you can create DLP policies just once and apply them across inline traffic and data at rest in cloud apps via CASBs.
SSE solutions provide secure connectivity to users through cloud-based services, eliminating the need for employees to connect directly to the corporate network for cloud-based services and applications. An enormous benefit of SSE is to eliminate the need to expose an organization’s IT infrastructure or applications needlessly. Rather, an SSE solution allows users to connect securely to applications across the internet.
This is a critical strategy to protect your network and cloud environment against modern threats. Explore this capability and leverage it to safeguard your data.