What is SSE (Security Service Edge)?
Security Service Edge, or SSE, as defined by Gartner in the Hype Cycle for Cloud Security in 2021, is the security component of SASE that secures access to the web, SaaS applications, and private applications. It includes advanced security capabilities such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA) and Firewall as a Service (FWaaS).
Security Service Edge (SSE) Explained
With the emergence of hybrid work environments, users connect from anywhere and from any device, accessing business applications and sensitive data directly in the cloud. As the traditional security perimeter continues to dissolve, security functions must also move to the cloud. SSE enables organizations to apply consistent security from the cloud and secure access to applications spread across multiple clouds, data centers, and software-as-a-service applications. An SSE solution, when combined with an advanced SD-WAN, creates a Secure Access Service Edge (SASE) architecture that significantly improves end user Quality of Experience for cloud-hosted applications.
How does SSE work?
An SSE solution secures remote access to web, cloud services, and private applications.
Traditionally, enterprises centrally hosted their applications in data centers, facilitating a variety of security inspections such as firewall and IDS/IPS. With applications moving to the cloud and remote working initiatives, enterprises now struggle to protect their applications from external threats as they operate in distributed environments outside the traditional security perimeter. Legacy network infrastructures prevent IT departments from monitoring all connections between users and SaaS applications. Additionally, directing cloud-destined traffic to the data center for security inspection significantly – and negatively – impacts application performance and user experience.
Security Service Edge solutions are cloud-delivered services that enable organizations to perform advanced security inspections closer to endpoints, including users and devices. They create a dynamic security perimeter that provides threat protection, data security, security monitoring, and access control regardless of where users connect.
Components of SSE
Security Service Edge (SSE) includes four core security components:
- ZTNA assumes that by default, no user can be trusted to access anything until proven otherwise. Unlike a VPN that gives connected users broad access to the corporate network, ZTNA limits user access, via a trust broker, to only specific applications or microsegments that have been approved for the user.
- CASB identifies and detects sensitive data in cloud applications, including cloud-to-cloud access, and enforces security policies such as authentication and Single Sign-On (SSO). It prevents users from signing up for and using cloud applications that are not authorized by an organization’s IT and security policies. This allows organizations to reduce shadow IT that causes security and compliance issues.
- SWG protects organizations from web-based threats using several defense techniques. It sits between a user and a website so that users connect to the SWG solution, which performs several security inspections, including URL filtering, malicious code detection, and web access control, and then redirects the traffic to the website.
- FWaaS is a cloud-based firewall that analyzes traffic from multiple sources. FWaaS consolidates traffic from multiple locations operated by the organization, including corporate headquarters, remote branch offices, and mobile users. FWaaS often supports critical access controls like IDS/IPS, advanced threat prevention, URL filtering, and DNS security.
- In addition to the core capabilities above, other security services can be offered, such as Data Loss Prevention (DLP), Remote Browser Isolation (RBI), and sandboxing.
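The contrast drawn above between VPN access and ZTNA access through a trust broker, as an added example that is not from the original page or from any vendor's product. The application names, addresses, users, grants, and the device-compliance check are constructed assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: apps, addresses, users and grants are hypothetical.
APPS = {"payroll": "10.20.1.10", "wiki": "10.20.2.15", "git": "10.20.3.20"}
VPN_ROUTE = ipaddress.ip_network("10.20.0.0/16")  # network a VPN client is routed into
GRANTS = {("alice", "payroll"), ("alice", "wiki"), ("bob", "wiki")}  # approved (user, app) pairs


@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool
    device_compliant: bool  # assumption: the broker also checks device posture
    app: str


def vpn_reachable(req):
    """VPN model: once connected, every app inside the routed network is reachable."""
    if not req.authenticated:
        return set()
    return {name for name, ip in APPS.items()
            if ipaddress.ip_address(ip) in VPN_ROUTE}


def ztna_decide(req):
    """Trust broker: deny by default, allow only an approved (user, app) pair."""
    if not req.authenticated:
        return (False, "unauthenticated")
    if not req.device_compliant:
        return (False, "device posture failed")
    if req.app not in APPS:
        return (False, "unknown application")
    if (req.user, req.app) not in GRANTS:
        return (False, "no grant for this application")
    return (True, "granted")


def ztna_reachable(req):
    """Set of apps the broker would open for this user and device."""
    return {app for app in APPS
            if ztna_decide(Request(req.user, req.authenticated,
                                   req.device_compliant, app))[0]}
```

For the same authenticated user, `vpn_reachable` returns every application in the routed network, while `ztna_reachable` returns only the applications explicitly granted to that user.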
What is the difference between SSE and SASE?
In 2019, Gartner coined the term SASE (Secure Access Service Edge) to combine SD-WAN capabilities with cloud-delivered security services. Even though networking and security are closely interrelated, they remain two different and very complex domains of expertise. Security evolves rapidly to ensure protection against ever changing cybersecurity risks, while wide area networking is about providing fast, robust, and flexible connections. Additionally, security and networking are typically managed by different teams.
In early 2022, Gartner released the SSE Magic Quadrant as a new category for the cloud-delivered security component of SASE. SSE defines the set of security services that help achieve the security vision of SASE, while SD-WAN defines the WAN edge networking functionality requirements of SASE.
In short, SASE = SD-WAN + SSE
Why should I consider SSE?
- SSE provides secure remote access
As hybrid working is the new norm, enterprises must secure their remote workers so that they can connect from anywhere. SSE offers Zero Trust capabilities that assume no user can be trusted by default. Based on identification, users can access only the parts of the network and the cloud applications that are relevant to their role in the organization, which prevents them from accessing and exploiting sensitive corporate data.
- SSE protects cloud-first organizations from external threats
With the acceleration of digitization, cybercrime has grown at the same rate. As most applications have moved to the cloud, organizations must now find effective ways to protect their digital assets. SSE provides firewall capabilities and protects organizations from web-based threats using several techniques such as URL filtering and malicious code detection. Thanks to its CASB features, it protects sensitive data hosted in the cloud by enforcing security policies. Other security features, such as Remote Browser Isolation (RBI), isolate web users from the internet by rebuilding web pages free from malicious code.
- SSE helps build a best-of-breed SASE with an advanced SD-WAN
By tightly integrating with multiple SSE vendors, an advanced SD-WAN solution enables organizations to build a best-of-breed SASE architecture without compromising performance or security. It gives organizations the freedom of choice to select the best SSE solutions. To integrate with SSE solutions, an advanced SD-WAN can automate the configuration of secure tunnels between branches and SSE points of presence, identify the applications on the first packet, assign policies to traffic from specific applications, and automatically route the traffic to an SSE service based on the security policies set by organizations.
What are the Benefits of SSE?
- Improved security
SSE brings security closer to the user and enables a more flexible approach toward connectivity outside the enterprise walls. Hosted in the cloud, SSE is easily updated to address the latest security threats, and policy changes can be immediately and automatically pushed to remote users, providing a consistent security approach.
- Simplified operations
SSE unifies several security services into one single platform, eliminating overlaps and leveraging the benefits of a single platform by deduplicating and harmonizing security policies. It provides greater visibility into security incidents from a central location, and it helps streamline operations and reduce costs.
- Best-of-breed SASE
With two distinct capabilities, SD-WAN and SSE, enterprises can choose the best networking and security functions that fit their needs to build a best-of-breed SASE architecture. Additionally, advanced SD-WAN solutions enable organizations to go beyond SASE and secure IoT devices by integrating next-generation firewall capabilities that dynamically segment the network based on role and identity.