Security Service Edge (SSE)
Security Service Edge (SSE) is a relatively new term used to describe a set of integrated, cloud-delivered, security services that broker secure connections between authorized users and business resources by using identity and policy. First introduced by Gartner in 2021, Security Service Edge (SSE) represents the future of security connectivity. As more and more users work outside the corporate perimeter due to hybrid work, adoption of SaaS apps (i.e. M365, Salesforce, Box etc.) increases, and private applications move to public cloud, IT leaders have realized that it no longer makes sense to backhaul user traffic to a corporate network. Because of this, many IT leaders are looking to replace traditional network security appliances (i.e. Firewalls, VPN gateway appliances, web gateway appliances etc.) in an attempt to better protect data, deliver a better experience and reduce costs for the business.
SSE platforms are the modern alternative to traditional network security technologies. They extend secure connectivity out to the users location through cloud services – without connecting users to the corporate network, exposing applications or IT infrastructure to the Internet, or requiring complex network segmentation. Instead, a Security Service Edge (SSE) platform allows IT to provide end users with secure access to private applications from anywhere, safely access the Internet, and quickly access SaaS apps used for work. SSE services that include Digital Experience Monitoring (DEM) can even boost user productivity by making it easier for network operations managers to monitor application, device and network performance.
SASE vs. SSE
The terms Secure Access Service Edge (SASE) and Security Service Edge (SSE) are often conflated. While they may sound similar, they are actually different. SASE represents the broader framework that many IT leaders are looking to adopt. It’s the notion of combining modern day network optimization services (i.e. SD-WAN, Content delivery, QoS) with modern day secure access services (i.e. ZTNA, SWG, CASB etc.). Put simply, SSE represents one half of the SASE framework.
Companies looking to securely enable a modern workplace should begin first by deploying an SSE platform. Once SSE is deployed they can either decide to continue to invest in network optimization or embrace more of an “internet-only” model. This will allow them to make smarter decisions on whether or not technologies, like SD-WAN, are important to their business mission, or not.
Five tips for selecting the right SSE platform
- Avoid using multiple vendors for SSE
by using a single vendor you can avoid challenges like complexity of policy management, multiple user interfaces to manage, and potential architectural conflicts
- Prioritize SSE platforms that are fully cloud-delivered vs. hardware-based
Not all SSE services are fully cloud-based, some are nothing more than virtualized appliances or actual physical hardware. Vetting each service out, and ensuring they are cloud-delivered, will help you reduce costs of appliances, automatically scale as needed via cloud, and deliver a better user experience due to more points of presence (some SSE services run on the backbone of AWS and GCP)
- Select vendors that make policy management simple
Many SSE vendors provide SSE capabilities through bolt-on acquisitions. When this happens, it can be years before true integrations between those technologies take place. This can cause management headaches for IT when it comes to policy. Simplified policy comes from SSE solutions that are natively integrated and share the same cloud.
- Choose a SSE platform that offers ZTNA with inspection
IT must have visibility into what employees and third-party users are accessing, what they are downloading, and what activities they performed when accessing an app. Zero trust network access (ZTNA) services that lack inspection will not be able to provide IT security teams with this critical visibility. They will also struggle to adapt access rights based on changes in context.
- Look for a SSE platform that includes Digital Experience Monitoring (DEM)
Security must not impede user experience. DEM solutions allow network operations to track hop-by-hop metrics for end users connecting to SaaS and private apps. This helps them to provide better visibility into user experience, and to reduce mean time to remediation of support tickets by pinpointing the exact source causing disruption to users.
Benefits that SSE brings to the business
Protect business data
SSE services use a zero-trust architecture that combines identity, policy, and context to securely connect business users to key business apps. This reduces the overall attack surface, minimizes the change of over-privileged access, and helps security prevent threats like ransomware, insider threats, acquiring a breach through M&A, and third-party users.
Deliver a better experience to end-users
SSE increases the presence of secure access technologies by extending security services to the edge ( the user location and their device) via a cloud architecture. This helps minimize latency (no backhauls to the datacenter or site-to-site VPNs). SSE platforms that support both agent-based and agent-less access models help make access seamless to end users – even as they shift between home and the office.
Get deeper security controls
SSE services that offer inspection provide deep visibility at the user and application level, which is more granular than source IP and destination IP – making it simple for security to react to potential threats.
Enable key business initiatives
Enabling hybrid work for employees, securely connecting the business ecosystem with private data, simplifying the migration to the cloud, and accelerating IT integration during M&A are all initiatives that are easily supported by an SSE platform.
Reduce IT spend
SSE services that are fully cloud-delivered helps IT avoid renewing contracts for disparate network security services like VPN, firewalls, or secure web gateway appliances. In some cases, the SSE service charges are based on a per-user, per-year, subscription. This makes it easy for IT to prevent expenditures while avoiding issues with high bandwidth costs, or management of appliances.
Getting started with your SSE platform exploration
According to Gartner the first step in adopting a SSE platform should be to “Deploy zero trust network access (ZTNA) to augment or replace legacy VPN for remote users, especially for high-risk use cases.” Once this is done, teams can then look to further inventory their equipment and any existing contracts to begin putting together a phase out plan for perimeter-based security technologies. They can then look to consolidate contracts by selecting a single SSE vendor that can provide ZTNA, SWG and CASB. These decisions will not only impact infrastructure at the corporate office, but can also help accelerate branch office transformation projects – helping to minimize unnecessary MPLS costs, and instead investment in cloud-based security edge services at the branch..
Watch ‘SSE Explained’ video to learn about the SSE architecture
Learn how to get started with the Architect’s Guide to Adopting SSE