The Security Service Edge: EXPLAINED

Security service edge (SSE) will be one of the most talked-about subjects in 2022 and beyond. The problem is that not many IT leaders understand what SSE is, how it differs from SASE, what to look for when selecting one, or the value it provides for the business.

In the video below I demystify SSE. Enjoy.

Over the next few minutes, I’m going to explain what Security Service Edges are, why they’ve been created, and hopefully give you some clarity on how to leverage them for your business in the near future. First, I want to think about why any of this matters at all. The biggest cause of this change is the increase in cloud and user mobility over the last few years.

And what good is cloud if you don’t have a secure means of providing connectivity to it? At its most fundamental, Security Service Edge is meant to secure access between authorized users and specific applications that might be in cloud. These could be private apps running in public cloud, private apps running in a legacy datacenter, SaaS applications like Microsoft 365 and Salesforce, or even the open internet.

So one thing that many customers need to wrap their heads around, especially if you’re used to the network security world, is that, given the increased use of cloud and mobility, these are networks that organizations don’t control. You don’t control Microsoft 365’s network or AWS’s or Azure’s network. You don’t control the personal Wi-Fi that a user is working on from home.

How do you do network security in this world? The reality is, you can’t. So the big question here is, how do we secure access to the internet? If that’s the case, how do we use the internet as, essentially, the new corporate network? That’s where this new set of technology really comes into play. Now, before we get into what SSE is, we first need to think about how we got here.

Over the last few years, several technologies have been introduced. Secure web gateways (SWG) were a key technology. Then you had cloud access security brokers (CASB), which were all about discovering SaaS applications that were in use and minimizing over-privilege and over-sharing of cloud resources. More recently came a new technology called zero trust network access, AKA ZTNA. These were developed to secure access to private applications, and are often a great alternative to VPN for remote employee access, third-party access, accelerating M&A, and a whole host of other key use cases that businesses care about.

Now, what Gartner and other key firms started to realize was that these technologies were starting to converge into a single framework. That framework is called Secure Access Service Edge (SASE). You might be familiar with the SASE term. It’s probably the architecture and marketing buzz term you see at the top of many security vendors’ pages. What Gartner has done over time, though, is develop more intricate definitions of what SASE means. It started as the overall framework and architecture, and has since been refined down to two key subsections.

Now, the first is around WAN optimization. This is where you see tools like SD-WAN, content delivery, et cetera, being focused on. Again, this is from the network operations perspective. The other piece is what’s called Security Services Edge, and that’s what we’re going to talk about today. This is essentially the set of network security technologies that were traditionally delivered by perimeter-based solutions deployed on-prem.

What’s happening is, these technologies are being moved to cloud. They’re being cloudified, if you will. So now, key technologies like SWG, CASB, and ZTNA are conjoined as a single solution, a single integrated set of security services meant to secure access to business resources. So what does that look like? Here’s a high-level SSE architecture representation. Now, you’ll find right away that this is very different from network connectivity. In many cases, you’ll find that this is not about connecting a user to a network at all. It’s about connecting a user, or in some cases even a server or another application, to a specific application, and only that app.

Now, some of the key differences you’ll find between SSE and traditional network security fall within the actual flow of traffic, and how that traffic is monitored, remediated, et cetera. You’ll see, from the beginning, instead of allowing passthrough connections, like in the case of the network firewall, all traffic is actually first terminated. So you have this termination point, where the user is forwarding traffic up to the SSE service.

The SSE service does a few different things. It terminates the tunnel. It authenticates the user based on the IdP that’s used. Most of these support SAML 2.0-based IdPs, so the Oktas, Azure ADs, and Ping Identities of the world. It then authorizes access based on policies. These policies can take into consideration context like device posture, user location, device type, et cetera. The authorized user can then get access to the application.

Now, the user is not trusted or placed onto the corporate network. In the example I have here, you have SAP running in public cloud. What’s happening is that there is an outbound connection from that private application to the SSE service, where the brokering between the specific user and the specific application takes place. Now, this isn’t about listening for inbound ports like a traditional VPN concentrator, DMZ, or inbound gateway.

There’s actually no inbound connection at all. So the user connects to the application through outbound connections. These two individual tunnels are actually stitched together in the location that makes the most sense based on the user’s location and the application’s location as well. Now, in this example, I’ve talked about private applications here. But this is just as important and just as useful for accessing private apps in the datacenter, SaaS applications like Microsoft 365, Salesforce, Box, et cetera. Even the internet or safe web browsing as well.
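The flow described above (terminate, authorize on context, then stitch the user's tunnel to the application's outbound tunnel) can be modelled in a few lines. This is an added example, not code from the video or from any vendor's SSE product; the class and field names are hypothetical, the tunnels are modelled as in-memory callables, and the IdP's SAML assertion is assumed to have been validated before a `Context` is built.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Context:            # what the broker knows after terminating the user tunnel
    user: str             # identity asserted by the IdP (validation assumed done)
    groups: frozenset
    posture_ok: bool      # result of the device posture check
    country: str          # user location
    device_type: str

@dataclass(frozen=True)
class Rule:               # one allow rule: who may reach which single application
    app: str
    group: str
    countries: frozenset
    device_types: frozenset
    require_posture: bool = True

@dataclass
class Broker:
    rules: list
    connectors: dict = field(default_factory=dict)  # app name -> outbound tunnel

    def register_connector(self, app, handler):
        """The application side dials OUT to the broker; nothing listens inbound."""
        self.connectors[app] = handler

    def authorize(self, ctx, app):
        """Default deny: access needs an explicit rule that matches all context."""
        return any(
            r.app == app and r.group in ctx.groups
            and ctx.country in r.countries
            and ctx.device_type in r.device_types
            and (ctx.posture_ok or not r.require_posture)
            for r in self.rules)

    def connect(self, ctx, app, request):
        """Stitch the user tunnel to the connector tunnel for this one app only."""
        if app not in self.connectors or not self.authorize(ctx, app):
            return ("denied", None)
        return ("allowed", self.connectors[app](ctx.user, request))

def demo_broker():
    # Constructed sample policy: finance users on US laptops may reach "sap".
    b = Broker(rules=[Rule("sap", "finance", frozenset({"US"}), frozenset({"laptop"}))])
    b.register_connector("sap", lambda user, req: f"sap handled {req} for {user}")
    b.register_connector("hr", lambda user, req: f"hr handled {req} for {user}")
    return b

ALICE = Context("alice", frozenset({"finance"}), True, "US", "laptop")  # constructed
```

Alice reaches `sap` but not `hr`, even though both connectors are registered with the same broker: being authorized for one application grants nothing on the network around it.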

Now, what you want to think about when you have a Security Service Edge service is you want to try to minimize complexity and make managing policies as simple as possible. So having a single pane of glass for that SSE service is important. One place where you can manage access to all your applications for all your users and all your endpoints.

Now, as you could guess, the benefit of Security Services Edge is that you’re taking these services, delivering them through cloud, and extending them as close to the edge, AKA the user’s location, as possible. This is a huge benefit for businesses, not only from a security perspective, where you can look for SSE services that allow for in-line inspection, and where there’s this idea of application access without network access, so you don’t have to expose your network to the open internet.

But there are also huge benefits around user experience and reduction of cost and complexity. On the user experience side, many SSE services offer digital experience monitoring built into the platform itself. This tracks hop-by-hop metrics for a user working from home and attempting to get access to Microsoft 365, to determine what the different hops are and where the potential areas of latency are, and allows IT operations teams to pinpoint those challenging areas and solve them immediately.

The other piece is around minimizing cost and complexity. Since these are cloud-delivered services, there are no appliances to manage. This is about application-level segmentation, so there’s no network segmentation or ACLs that are based on source IP and destination IP. The goal is fast access, secure access, and scalability. Key to that scalability is making it super easy to set and manage policies as users move between home and the office.

And the beauty of this entire architecture is that this is not just about user applications. You can apply this same concept to server-to-server connections as well, which is really changing the way we look at connectivity today, and this is what securing access to internet looks like in the modern era.

Hopefully this makes sense. There will be more videos down the line around what Security Services Edge is, and some of the key use cases for real-world implementations.

If you are interested in learning more about SSE, feel free to speak with our team here at Axis!

We’d be happy to provide a quick demo of our SSE platform

About the Author

Christopher Hines

VP of Strategy

Chris is responsible for the go-to-market strategy for the company’s cloud-based zero trust application access platform. He works with customers to help guide them on their path to securing a modern workplace with zero trust. Prior to Axis, he spent four years at Zscaler working as Director of Product Marketing for Zscaler’s zero trust solution, Zscaler Private Access. Chris has previously worked at unicorn container company Docker, CASB company Bitglass, and data storage company EMC Corporation (now Dell).
