Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

How to Choose a Security Service Edge Platform


This is the third installment of our security service edge (SSE) blog series. Our first blog explores what SSE is as a platform, and the second looks at the top use cases. In this blog, we’ll explore what features you should be looking for when selecting an SSE platform.

SSE is all about delivering security from the cloud. Cloud apps and mobility have started a revolution, and security needs to be untethered from the network. While SASE explores the complete framework required both from a network and security perspective, SSE (the security half of SASE) is all about security services. In order to reap maximum benefits from SSE, you need to be uncompromising in your decision process. Why? Unlike point products, a holistic, integrated approach like SSE will undoubtedly become a key centerpiece of your security strategy. It is crucial to make the right decisions. Let’s take a look at the capabilities an effective SSE platform should include.


Inline and SSL inspection at scale

One of the key values of SSE is its ability to deliver a unified approach to security inspection.   Across web, internet, cloud apps, and data, inspection will be the most important thing your SSE platform will be doing. Because much of your SSE platform will be delivering inline inspection across business-critical traffic, you need to make sure it was built with that in mind. If there is a problem with your SSE platform, you’ll know immediately, as your business traffic will come grinding to a halt. When choosing an SSE platform, stress test extensively, and select platforms with a proven pedigree for performance and scale across large organizations.

Additionally, SSE platforms should provide proxy inspection. This is the only way to deliver SSL inspection, where most threats now hide. The best SSE platforms need to be able to deliver ultimate scalability to accommodate a surge of users and traffic. Keep in mind that proof of value (POV) testing associated with pre-purchase often cannot simulate the demands and scalability of an ecosystem with 20,000+ users. Don’t overlook the importance of getting references from SSE vendors that prove they can deliver at scale across giant install bases.


Purpose-built zero trust

Many organizations have initiatives around zero trust. It’s a huge market driver, and one of the key reasons Gartner has defined SSE with strong zero trust overtones. Zero trust network access (ZTNA) is the concept that remote access should provide user-to-app connectivity without having to place the user on the network. As organizations began swapping out their legacy VPNs for ZTNA in force around the beginning of the pandemic, it became clear that ZTNA was a much-needed security service within the SSE ecosystem. ZTNA is really no different than SWG and CASB, as they all focus on user-to-app connections. Forward-thinking companies are now shopping for zero trust solutions to complement the rest of their cloud security services.

So what capability should your SSE have to enable zero trust? At its core, zero trust is identity-driven least-privilege access. View your SSE platform as an international airport—nothing gets through unless it passes all identity checks. An effective SSE platform should not only evaluate identity, but also uplevel security by checking for device posture, user risk score, location, and destination. Of course, all this only works if the SSE platform can scale SSL inspection and has the global presence to protect all users, both on and off the network.  


Optimization for enhanced user experience

User experience is a critical aspect of SSE that should not be overlooked when selecting an SSE platform. We know that legacy data center security approaches can negatively impact user experience, and we’ve all heard the saying that security shouldn’t be an inhibitor—you shouldn't even know it’s there. Backhauling users and offices to a centralized egress point is sure to gain users’ attention, but for all the wrong reasons. Alternatively, creating a direct path to the internet and cloud applications increases speed and improves user experience, reinforcing the value of cloud platforms like SSE.

Securing all these connections with a ubiquitous cloud platform immediately provides a faster experience, but there are a few things you need to consider in an SSE platform. First, as previously mentioned, look for vendors with the largest footprint of global point of presence (POP), especially if you have a distributed workforce. Employees globally, from London and Japan to Australia, India, and the U.S. all want to have a fast experience, with a local SSE onramp. Also, purpose-built SSE vendors will deliver inspection down to the edge. Instead of having a few centralized locations of compute, every SSE onramp should do edge inspection with all security services across SSL. This again ensures the fastest experience without any security latency. Lastly, strong peering is a must with SSE. Ensure your SSE vendor peers with as many other cloud providers as possible, ensuring the connection between everything your business uses is also fast and local.


Room to grow

The last recommendation when picking an SSE platform is to think about the future. SSE is all about unifying cloud security services in a holistic way. As mentioned, it will be a centerpiece of your security strategy: once you embrace a unified platform, you will wonder how you operated without it. Look for vendors that value innovation and are preparing for the future of SSE based on customer requirements.


Outside of security, think through other areas of your company that will require growth, including:

Branch offices

While remote work is still top of mind, your branch offices will soon start coming back to life, and they will need fast internet performance to match what users have come accustomed to at home going direct. The best SSE vendors will add significant value on the network side, which is core to the SSE parent, SASE. Direct internet access (DIA), SD-WAN, and other connectivity aspects of your organization can benefit from an SSE vendor with a strong feature network set that can maximize branch office performance and user experience. 

Digital experience monitoring

The ability to monitor user experience, with in-depth visibility into choke points, can be an invaluable tool to maintain user productivity and prove the worth of your SSE platform to the board. Lastly, expanding the scope of SSE to cloud workloads is an important initiative. Like users, workloads connect to the internet, require inspection, and have extensive routing and connectivity requirements. Look for SSE vendors that deliver workload connectivity and protection. Enabling SSE to be at the heart of your IT ecosystem simplifies requirements while consolidating all your user and workload security across the same policy and controls.

Because SSE is newly-defined, it can be difficult to identify the most important benefits, and even more difficult to select the platform that is best for your business. Don't be intimidated. Instead, consider the factors that matter most to your organization, from user experience and growth potential to zero trust and security requirements.

Learn more:

What is Security Service Edge?

What You Need to Know About Gartner’s New Security Service Edge

Gartner’s New Security Service Edge: Real-World Applications

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.