Security Service Edge (SSE), first introduced by Gartner in early 2021, is a single-vendor, cloud-centric, converged solution that accelerates digital transformation by protecting enterprise web access, cloud services, software as a service, and private applications. It is considered an essential component for building network and cloud security capable of accommodating better performance and growth.
According to Gartner, Security Service Edge is primarily provided as a cloud-based service and may include a hybrid of on-premises or agent-based components. SSE cloud-based components and features include:
- Access control
- Threat protection
- Data security
- Security monitoring
- Acceptable use control enforced by network and API-based integration
What drove the need for Security Service Edge?
A growing industry trend, Security Service Edge solves fundamental challenges organizations face around remote work, cloud, secure edge computing, and digital transformation. As organizations adopt software and infrastructure-as-a-service (SaaS, IaaS) offerings, as well as other cloud applications, their data becomes more distributed outside of their on-premises data centers. Additionally, growing populations of users are mobile and remote, connecting from anywhere, over any connection, to their cloud applications and data.
Protecting cloud applications and mobile users is difficult with traditional network security approaches because:
- Anchored in the data center, legacy technologies cannot follow connections between users and cloud applications.
- Retransmitting (“hairpinning”) user traffic to a data center through a traditional VPN for inspection slows everything down.
- Hardware administration and maintenance make traditional data center approaches expensive.
- VPNs are easy to exploit when they are not patched.
To make matters worse, today’s data center security stacks have grown organically into complex, difficult-to-integrate collections of point products. This complexity inherently leaves gaps between different security solutions, further increasing the risk of advanced threats or ransomware attacks.
What is the difference between SASE and Security Service Edge?
Secure Access Service Edge (SASE), introduced by Gartner in 2019, is the convergence of networking and security technologies on a single cloud-delivered platform to enable secure and rapid cloud transformation. In this next evolution of SASE, Gartner introduces a two-pronged vendor approach, bringing together a highly convergent wide area network (WAN) edge infrastructure platform with a highly convergent security platform – known as Security Service Edge (SSE).
Security Service Edge (SSE) is the security component of SASE that unifies all security services, including Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA), to protect access to the web, cloud services, and private applications. WAN Edge Infrastructure, the networking component in the SASE framework, focuses on the network connectivity element, transforming network architectures to enable more efficient direct-to-cloud connectivity.
Within the SASE framework, both networking and security are consumed in a unified manner and delivered as a cloud service. Security Service Edge converges with WAN Edge Infrastructure to achieve a complete SASE platform. SSE security services include:
Cloud Access Security Broker (CASB)
CASB acts as an intermediary between users and cloud service providers as companies move their sensitive assets to the cloud, helping to address gaps in data visibility, security, and compliance, extending existing on-premises infrastructure security policies, and creating new policies for specific cloud content. CASB integrated into an SSE model automatically discovers and controls software-as-a-service (SaaS) risks and serves as an API-based security process to scan SaaS applications for data, malware, and policy violations, while leveraging user and entity behavior analysis (UEBA) and artificial intelligence (AI) capabilities for real-time threat prevention.
Secure Web Gateway (SWG)
SWG is a cyber barrier that acts as a checkpoint that prevents unauthorized traffic from entering a company’s network. A SWG allows users to access secure, approved websites and protects users against web-based threats by connecting the user and the website while performing protective functions such as URL filtering, web visibility, malicious content inspection, and access controls to the Web.
Zero Trust Network Access (ZTNA)
ZTNA applies granular, adaptive, and context-sensitive policies to provide secure Zero Trust access to private applications hosted in corporate clouds and data centers from any location and remote device. ZTNA serves as a key enabler for SASE, transforming the security perimeter into a dynamic, policy-based, cloud-delivered edge to support the access requirements of digital transformation.
Data Loss Prevention (DLP)
Data Loss Prevention enables policy-based classification of the content of information contained in an object, typically a file, during storage, use, or movement across a network. DLP tools are used to apply these policies in real time to extend necessary protection to sensitive data elements and to limit the access and flow of this information, especially outside the organization, as required by the organization’s policies.
Remote Browser Isolation (RBI)
RBI is a powerful form of protection against web threats that contains web browsing activities within an isolated cloud environment. RBI protects users against any malware or malicious code that may be hidden on a website and eliminates the opportunity for malicious code to come into contact with the end user’s device.
Firewall as a Service (FWaaS)
FWaaS is a cloud-based firewall solution that protects data and applications on the Internet. SSE uses FWaaS to aggregate traffic from multiple sources, including on-premises data centers, cloud infrastructure, branch offices, and mobile users. FWaaS also offers consistent policy enforcement and security enforcement across all locations and users, while providing complete network visibility and control.
How to deploy and manage SASE?
There are two directions a company can take to create an effective SASE solution:
Single Supplier Approach
Evaluate and contract a single-vendor offering that combines a WAN Edge infrastructure and an SSE solution. While this approach can satisfy an organization’s SASE requirements by simplifying operations, it can mean forgoing advanced security features that only an SSE vendor can provide. In the long run, a lack of advanced security features can end up being more costly if you need to purchase additional solutions from security vendors to fill the gaps.
Two-vendor approach
Evaluate and contract a two-vendor solution that provides a best-in-class WAN edge infrastructure solution and SSE security solution by converging CASB, SWG, ZTNA, RBI, and FWaaS components into an integrated offering. This two-vendor approach simplifies and streamlines long-term system deployment, management, and maintenance.
Advantages of Security Service Edge over traditional network security
Delivered from a unified, cloud-centric platform, Security Service Edge enables organizations to free themselves from the challenges of traditional network security. SSE offers four main advantages:
- Better risk reduction
Security Service Edge allows cybersecurity to be provided without being tied to a network. Security is provided from a cloud platform that can track the user’s connection to the application regardless of location. Providing all security services in a unified way reduces risk by eliminating the gaps often seen between point products.
SSE also improves the visibility of users—wherever they are—and data, regardless of the channels they access. Additionally, SSE automatically applies security updates across the entire cloud, without the delay typical of manual IT administration.
- Zero trust access
Security Service Edge platforms (along with SASE) must allow users the least privileged access to private or cloud applications with a strong zero trust policy based on four factors: user, device, application, and content. No user should be inherently trusted, and access should be granted based on identity and policy.
Securely connecting users and applications using business policies over the Internet ensures a more secure remote experience because users are never placed on the network. Meanwhile, threats cannot move laterally and applications remain protected by the SSE platform. Applications are not exposed to the Internet and therefore cannot be discovered, which reduces the attack surface, increasing your security and further minimizing business risk.
- User experience
By Gartner’s definition, SSE must be fully distributed across a global footprint of data centers. The best SSE architectures are designed specifically for inspection across all data centers, unlike those of vendors that host their SSE platforms on IaaS infrastructures.
The distributed architecture improves performance and reduces latency because content inspection – including decryption and TLS/SSL inspection – occurs where the end user connects to the SSE cloud. Combined with peering on the Security Service Edge platform, this provides mobile users with the best experience. They no longer need to use slow VPNs, and access to applications across public and private clouds is fast and seamless.
- Consolidation advantages
With all major security services unified, you’ll see lower costs and less complexity. SSE can provide many important security services – SWG, CASB, ZTNA, cloud firewall (FWaaS), cloud sandbox, cloud data loss prevention (DLP), cloud security posture management (CSPM), and cloud browser isolation (CBI) – all in one platform. Plus, if you don’t need everything right away, you can easily add any of these services as your organization grows.
With all protection unified under one policy, every channel your users and data traverse gets the same consistent protection.
Furthermore, we cannot fail to mention:
- Direct and secure Internet access to applications, tools, data, and resources from anywhere in the world, reducing exposure to unauthorized access, risks, and security threats, and eliminating the need to route traffic back through the data center
- Faster, more secure, and more efficient connectivity to private, cloud, and web applications by accessing application resources from any user, any device, anywhere
- Monitoring and tracking the behavior of users accessing the network
- Defend against threats in the cloud and on any web destination by detecting cloud-native attacks and advanced malware
- Data protection across the Internet, in the cloud, and in cloud-to-cloud migration
- Enabling secure Zero Trust access to data and applications based on user identity, context, and least privileged access
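The four-factor policy described under "Zero trust access" above (user, device, application, content) can be sketched as a default-deny decision function. This is an added example, not code from any SSE vendor; the rule set, group names, content labels and the "limited" outcome for unpatched devices are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy data: every group, app and label name is hypothetical.
LABELS = ["public", "internal", "restricted"]   # ordered low -> high


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset       # user factor (from the identity provider)
    device_managed: bool    # device factor
    device_patched: bool    # device posture, used for the adaptive step
    app: str                # application factor
    content_label: str      # content factor: classification of the data


@dataclass(frozen=True)
class Rule:
    app: str
    groups: frozenset       # any one of these groups satisfies the rule
    max_label: str          # highest content label the rule may release
    require_managed: bool


RULES = [
    Rule("payroll", frozenset({"finance"}), "restricted", True),
    Rule("wiki", frozenset({"staff", "finance"}), "internal", False),
]


def decide(req, rules=RULES):
    """Return 'allow', 'limited' or 'deny'. Nothing is trusted by default."""
    if req.content_label not in LABELS:
        return "deny"                      # unknown classification fails closed
    for rule in rules:
        if rule.app != req.app:
            continue                       # application factor
        if not (rule.groups & req.groups):
            continue                       # user factor
        if LABELS.index(req.content_label) > LABELS.index(rule.max_label):
            continue                       # content factor
        if rule.require_managed and not req.device_managed:
            continue                       # device factor
        # Adaptive step (assumption): a device that matches the rule but is
        # behind on patches gets reduced access instead of full access.
        return "allow" if req.device_patched else "limited"
    return "deny"                          # no matching rule: default deny
```

The decision grants access to one application per request and never to a network segment, which is what keeps an authenticated user from reaching anything the rules do not name.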
Top Security Service Edge use cases
- Secure access to cloud services and web usage
Enforcing policy control over user access to the Internet, web, and cloud applications (historically performed by a SWG) is one of the primary use cases of the security service edge. Security Service Edge policy control helps mitigate risk as end users access content on and off the network. Enforcing corporate Internet policies and access control for compliance is also an important factor for this use case in IaaS, PaaS, and SaaS.
Another important feature is cloud security posture management (CSPM), which protects your organization from risky misconfigurations that can lead to breaches.
- Detect and mitigate threats
Threat detection and prevention of successful attacks on the Internet, web, and cloud services are key factors in the adoption of SSE and, to a lesser extent, SASE. With end users accessing content through any connection or device, organizations need a strong, defense-in-depth approach against malware (early launch anti-malware), phishing, and other threats.
Your Security Service Edge platform must have advanced threat prevention capabilities, including cloud firewall (FWaaS), cloud sandbox, malware detection, and cloud browser isolation. CASBs enable data inspection in SaaS applications and can identify and quarantine existing malware before it causes damage. Adaptive access control, whereby the posture of the end-user device is determined and access is adjusted accordingly, is also an essential component.
- Connect and protect remote workers
The modern remote workforce needs remote access to cloud services and private applications without the inherent risks of VPN. Allowing access to applications, data, and content without allowing network access is a critical part of zero trust access because it eliminates the security ramifications of placing the user on a flat network.
Providing secure access to private and cloud applications without needing to open firewall ACLs or expose applications to the Internet is key here. Security Service Edge platforms must enable native, inside-out application connectivity while keeping applications “obscure” to the Internet. A ZTNA approach must also offer scalability across a global network of access points, providing all your users with the fastest experience, regardless of connectivity demands.
- Identify and protect sensitive data
SSE allows you to find and control sensitive data no matter where it resides. By unifying key data protection technologies, an SSE platform provides better visibility and greater simplicity across all data channels. Cloud DLP enables sensitive data (e.g., personally identifiable information [PII]) to be easily found, classified, and protected to support Payment Card Industry (PCI) standards and other compliance policies. SSE also simplifies data protection because you can create DLP policies just once and apply them to inline traffic and data at rest in cloud applications through CASBs.
The most effective Security Service Edge platforms also offer high-performance TLS/SSL inspection to handle encrypted traffic (that is, most data in transit). Also key to this use case is the discovery of Shadow IT, which allows organizations to block risky or unsanctioned applications across all endpoints.
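The "create DLP policies just once and apply them to inline traffic and data at rest" idea above, as an added example that is not taken from any SSE product: one payment-card detector (pattern match plus Luhn checksum) is defined once and reused by an inline check and an at-rest scan. The policy name, actions, file paths and sample data are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by space or dash.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return masked card numbers found in text, never the full value."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


# The single policy definition shared by both channels (constructed values).
POLICY = {"name": "pci-pan", "detector": find_pans,
          "inline_action": "block", "at_rest_action": "quarantine"}


def inspect_inline(body, policy=POLICY):
    """Inline channel: body of an outbound upload as seen by the proxy."""
    hits = policy["detector"](body)
    return (policy["inline_action"] if hits else "allow", hits)


def scan_at_rest(files, policy=POLICY):
    """At-rest channel: {path: text}, as an API-mode CASB scan might return."""
    return {path: policy["at_rest_action"]
            for path, text in files.items() if policy["detector"](text)}
```

Because both channels call the same detector, tuning it (for example, tightening the pattern to cut false positives) changes inline and at-rest verdicts together, which is the consistency the unified policy is meant to give.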
What are the main challenges that SSE addresses?
Security Service Edge addresses the fundamental security challenges of remote work, digital business enablement, and cloud transformation. As SaaS, PaaS, and IaaS adoption grows, there is more data outside the data center, users are increasingly working remotely, and VPNs are slow and often easily exploited. All of this is difficult to secure using legacy network architectures.
SSE helps organizations address key use cases:
Simplifying the administration and management of security controls
Organizations must manage both cloud and on-premises with a patchwork of different and disparate security controls that vary between cloud providers and on-premises infrastructure. Security Service Edge helps reduce costs and complexity by enabling streamlined policy adoption and deployment across on-premises, cloud, and remote work environments.
Replacing VPNs to protect remote workers accessing private applications
Companies must implement a more secure solution to protect themselves against the rapid increase in remote workers accessing private applications in highly vulnerable environments. VPNs present an inherent security risk by implicitly granting unrestricted, trust-based access to the entire corporate network once authenticated. SSE’s ZTNA capability helps provide granular access to resources, enabling appropriate levels of access for any user, anywhere.
Preventing advanced malware and ransomware to protect web users
Businesses need the detection and mitigation of advanced malware and other threats. Many modern attacks use techniques such as social engineering to exploit cloud providers’ capabilities and mimic user behavior with legitimate credentials. SSE’s SWG capability helps by providing an in-line cyber barrier responsible for monitoring web traffic and preventing unauthorized traffic.
Providing visibility and control over SaaS applications
Organizations need visibility and control over the data accessed and stored in the cloud, protecting it and stopping cloud threats from a single cloud-native point of application. SSE’s CASB capability provides multi-mode support by applying granular policies to monitor and regulate access to sanctioned and unsanctioned cloud services.
Protecting sensitive data anywhere
Organizations require the protection of data that resides or moves completely outside the security scope of the perimeter to be used, shared, and accessed securely. SSE’s DLP capability provides a centralized, unified approach to data protection, where data classifications are defined once and applied across policies across the web, cloud, and endpoint.
Choosing the right Security Service Edge solution
Look for a Security Service Edge platform that offers fast, scalable security and a seamless user experience based on zero trust. You need a platform that is:
Purpose-built for fast user and cloud application experience
Fast, secure access requires a globally distributed, cloud-native architecture across a large footprint of data centers. Security Service Edge platforms built for inspection have an advantage over Security Service Edge platforms hosted in IaaS clouds, which are not primarily built for the demands of real-time content inspection. When every data center is an inspection node, security is always fast and local to the user, wherever they are. Additionally, look for fast and strong SSE vendor peering so that your cloud application experience remains optimized.
Built from the ground up with a Zero Trust architecture
Access control should be governed by identity and never place users on your network. Look for cloud-native vendors that offer broad support for zero-trust access across all users, devices, IoT, cloud applications, and workloads. Here too, a vendor with a large global data center presence will ensure that its users always get a fast experience, without the hindrance of a VPN. Your vendor’s ZTNA approach to Security Service Edge must have a proven track record in large global deployments, as scalability is critical to remote user productivity.
Capable of inline and scalable proxy inspection
Proxy inspection terminates both connections – from the device and from the cloud application. Sitting between the two means that full SSL inspection can be performed and connections cannot “pass through”. This allows for better security and inspection than traditional pass-through firewalls.
Focus on Security Service Edge platforms that can deliver content and TLS/SSL inspection on a global scale. Because inline inspection is often performed on business-critical traffic, outages due to scalability issues can have a serious impact. Make sure your chosen SSE vendor has solid service level agreements (SLAs) and a track record of inline traffic inspection for large global enterprises.
Driving more innovation in Security Service Edge growth
As organizations adopt Security Service Edge as a unified platform, additional security features and services will ensure the SSE platform is future-proof. One service that is starting to migrate to SSE is digital experience monitoring, which allows IT to quickly identify connectivity issues in the user’s connection to the cloud application.
Additionally, as defined by the SASE architecture, consolidation of network services together with an SSE platform is important. This includes strong connectivity support across SD-WAN services, on-premises branch connectivity, and multi-cloud connectivity. By focusing on SASE service providers that also drive Security Service Edge innovation, you can ensure room for growth without adding complexity as your organization’s cloud ecosystem matures.
The ideal is to rely on the expertise of an IT company that follows trends and works with the best professionals in the field. This way, your company will have access to what it really needs to prosper.