Hero Panel Image

SSE solution series: the user experience imperative

Share:
Sanjit Ganguli

Sanjit Ganguli

Contributor

Zscaler

Nathan Howe

Nathan Howe

Contributor

Zscaler

Mar 22, 2022

A security service edge with global points of presence and internet peering exchange relationships with providers and application vendors provide a powerful alternative to the backhauling and hairpinning required by legacy security stacks.

When choosing an SSE solution, consider a track record for operating a global cloud, optimizing application connectivity, and tools for diagnosing UX degradations. 

An SSE vendor’s points of presence across the globe and Internet peering exchange relationships with providers and application vendors provide a powerful alternative to the backhauling and hairpinning required by legacy security stacks.

Beyond these architectural benefits, SSE vendors are uniquely positioned to measure and diagnose end-user experience based on their presence on user endpoints and in the application data path. These advantages allow SSE vendors to understand user experience from the perspective of the user’s endpoint and provide deeper diagnostics and scale by leveraging the public service edge infrastructure.

Focus on SSE vendors that have integrated a monitoring solution (commonly called Digital Experience Monitoring or DEM) into their existing agents and cloud infrastructure. Those vendors offering solutions that require additional agents or are loosely integrated acquisitions will not provide the same level of visibility and diagnostics.

The DEM solution offered by the SSE vendors needs to be broad—providing end-to-end visibility and troubleshooting of end-user performance issues for any user or application, regardless of location. In addition, it should enable continuous monitoring for network, security, desktop, and help desk teams with insight into the end-user device, network, and application performance issues. Finally, it should enable both reactive workflows helping to close employee-reported trouble tickets and proactive workflows helping to identify macro-issues (like regional ISP outages or global application downtime) before users ever notice. This needs to be enabled with machine learning-based scoring algorithms, tracking normal vs. abnormal user experience by user, application, office, or geolocation.

This monitoring should be at multiple levels, including layer 7 to provide insight into web application response times and layer 3 to understand network behavior, including hop-by-hop insight into path, latency, and packet loss. This analysis should also include self-diagnosis of the SSE vendor’s cloud to identify if and when the SSE hop is inducing anomalous delay. Finally, the solution should provide insight into the user’s endpoint device health and identify device events contributing to scoring drops.

Microsoft Teams and Zoom Quality Performance Monitoring and Troubleshooting

With Teams and Zoom becoming the primary collaboration and communication platform for many organizations, measuring and diagnosing audio/video quality issues becomes even more pressing. DEM solutions provided by the SSE vendor should be able to interface with popular UCaaS applications like Zoom and Microsoft Teams to ingest audio and video quality metrics and marry them with deep, hop-by-hop network analysis and endpoint device analytics. By combining these data sets, the DEM solution should identify those having quality issues as well as provide a root cause for the problem.

Additionally, the DEM should leverage the scale of the SSE vendor’s cloud, using it to proxy and cache telemetry tests, so that granular data can be collected from every end user, every few minutes, with minimal impact on the applications.

Be wary of legacy monitoring tools that take a data center-centric approach to monitoring and collecting metrics from fixed locations rather than directly from the user device. This approach does not provide a unified view of performance based on the user device, network path, or application, and offers little visibility when users and applications are not in the data center or on the corporate network. These tools create information silos and do not share any context, leading to fragmented visibility into the user experience and extended troubleshooting time. Point monitoring tools optimized for data centers leave visibility gaps for detecting, troubleshooting, and diagnosing end-user performance issues across the Internet, whereas a modern DEM solution built into an SSE platform provides the widest range of data for root cause analysis.

Optimizing M365 User Experience

A comprehensive SSE can go beyond measuring and diagnosing end-user experience to optimize the performance of popular SaaS applications like Microsoft 365. The challenge is many companies centrally route traffic through hub-and-spoke networks and ExpressRoute. In addition, user traffic from M365 increases network utilization by 40% and most companies’ Internet egress infrastructures just aren’t up to the task, and user experience suffers. Microsoft recommends direct Internet connections and SSE vendor architecture, allowing for local Internet breakouts to provide optimal performance and cost.

But architecture matters. The SSE vendor’s points of presence across the globe and peering relationships with providers and application vendors need to bring the edge closer to the users for fast connectivity and low latency access. Look for SSE vendors that peer with direct fiber to Microsoft 365 in most major exchanges to reduce latency to approximately 1-2 ms round trip time, scale to handle the high number of long-lived connections, allow for rapid file downloads, and provide fast DNS resolution with fewer hops.

M365 transactions are especially important to secure with your SSE solution, as the inspection of applications like OneDrive and SharePoint is advantageous for the prevention of sensitive data loss. This also provides a full audit trail of every communication to and from the M365 applications. However, be aware that certain M365 applications like Teams may not need to be inspected, given that much of this traffic is voice/video via UDP.

The success of any transformation, be it digital, network, or security, is driven by how the end user experiences it. The ultimate goal of any SSE project is to improve the end-user experience while reducing threat exposure and protecting sensitive data. Therefore, the ideal outcome is that an SSE ven- dor’s ability to improve UX can be measured with the DEM capability—this should be an easy task, as moving away from hairpinning to a data center or away from VPNs are well-accepted ways to improve the user experience:

  • The SSE solution should modernize the user experience and update the help desk experience. By leveraging a proactive approach to user experience, the help desk can react before users complain.
  • The SSE solution should provide insight into real-time audio and video performance for collaboration platforms like Teams and Zoom.
  • The SSE solution should collect metrics from the application, endpoint, and network layers to find anomalies and provide root cause determination.
  • The SSE vendor must provide minimal hops between their cloud and popular destinations like Microsoft 365.

 

Part 1: SSE solution series: why a global, scalable cloud platform matters
Part 2: SSE solution series: the criticality of a zero trust architecture foundation
Part 3: SSE solution series: choose SSL/TLS inspection of traffic at production scale
Part 4: SSE solution series: virtues of broad blanket protection

Editor's note: This content is adapted from The 7 Pitfalls to Avoid when Selecting an SSE Solution 

Explore more insights

Recommended