Resources > Security Terms Glossary > What Is Security Service Edge (SSE)

What Is
Security Service Edge?

What Is Security Service Edge?

Security service edge (SSE) is a convergence of network security services delivered from a unified cloud platform. Defined by Gartner in its “2021 Strategic Roadmap for SASE Convergence,” SSE is a subset of the secure access service edge focused on supporting secure access to the web and cloud-based apps with core capabilities such as:

  1. Secure web gateway (SWG) for secure internet access

  2. Cloud access security broker (CASB) for secure SaaS and cloud app access

  3. Zero trust network access (ZTNA) for secure private app access

 

What Has Driven the Need for SSE?

SSE is growing rapidly as a solution to fundamental challenges in the cloud, secure edge computing, remote work, and digital transformation. As organizations adopt infrastructure and software as a service (IaaS, SaaS) offerings and cloud apps, their data becomes more distributed outside their on-premises data centers. In addition, many organizations’ users are increasingly mobile and remote, connecting to apps and data from everywhere, over any connection.

Securing cloud apps and mobile users is difficult with traditional network security approaches because:

  • Legacy technologies, anchored to the data center, can't follow connections between users and cloud apps.
  • Relaying ("hairpinning") user traffic to a data center via traditional VPN for inspection slows everything down.
  • Administration and hardware maintenance make traditional data center approaches expensive.
  • VPNs are easy to exploit due to a lack of patching.

Making matters worse, today’s data center security stacks have organically grown into complex, difficult-to-integrate collections of point products. This complexity leaves gaps between disparate security solutions, further increasing the risk of ransomware attacks or other advanced threats.

Take a look at the video below for a quick rundown of the advantages of SSE over traditional security approaches.

 

Secure Access Service Edge (SASE) vs. Security Service Edge (SSE)

In the SASE framework, network and security services are consumed through a unified, cloud-delivered approach. The networking and security aspects of SASE solutions focus on improving the user-to-app experience while reducing costs and complexity.

You can look at a SASE platform in two slices. The SSE slice focuses on unifying all security services, including SWG, CASB, and ZTNA. The other, the WAN edge slice, focuses on doing so for networking services, including software-defined wide area networking (SD-WAN), WAN optimization, quality of service (QoS), and other means of improving routing to cloud apps.

SSE diagram shows a cloud-based security platform that consolidates multiple security capabilities including SWG, ZTNA, cloud access security broker (CASB), data protection, and remote browser isolation (RBI).

Source: CXO REvolutionaries, "Security Service Edge (SSE) reflects a changing market: what you need to know"

Advantages of SSE Over Traditional Network Security

Delivered from a unified cloud-centric platform, SSE enables organizations to break free from the challenges of traditional network security. SSE provides four primary advantages:
 

1. Better risk reduction

SSE enables unified cybersecurity services to be delivered from a cloud platform that can follow user-to-app connections anywhere, instead of being tied to a network. This eliminates the gaps often seen between point products, reducing risk. SSE also improves visibility across users and data in any location, regardless of the channels accessed. Additionally, SSE automatically enforces security updates across the cloud without the lag time of manual IT administration.

2. Zero trust access

SSE platforms (along with SASE) should grant least-privileged access anchored in zero trust policy—with authentication based on user, device, application, and content. Securely connecting users and apps over the internet, never your network, ensures a more secure remote experience. Meanwhile, threats can’t move laterally, and apps aren’t exposed to the internet, so they can't be discovered, reducing your attack surface and risk alike.

3. User experience   

An effective SSE architecture must be distributed across a global footprint of data centers, rather than hosted in IaaS, and purpose-built for inspection in every single one. Performing decryption and inspection—including TLS/SSL inspection—closer to end users improves performance and reduces latency. Combined with peering across the platform, this gives mobile users the best experience, avoiding VPNs and offering fast, seamless access to cloud apps.

4. Consolidation advantages

A unified, cloud-delivered platform reduces costs and complexity. SSE can deliver many key services—SWG, CASB, ZTNA, cloud firewall (FWaaS), cloud sandbox, cloud data loss prevention (DLP), cloud security posture management (CSPM), and cloud browser isolation (CBI)—which can all be activated later if you don’t need them at first. Ultimately, bringing together all protection under one policy ensures that all channels your users and data traverse offer the same protection.

SSE reflects a changing market: What you need to know

Read our blog post
SSE reflects a changing market:  What you need to know

Zscaler SSE at a Glance

Read the brief
Zscaler SSE at a Glance

Zscaler Security Service Edge Infographic

Take a look
The Future of Network Security is in the Cloud

Comprehensive Security for the Modern Enterprise

Learn more
Comprehensive Security for the Modern Enterprise

Industry talk featuring Gartner: The future of network security is SASE

Watch the webinar
Industry talk featuring Gartner: The future of network security is SASE

Top SSE Use Cases

1. Secure access to cloud services and web usage

Controlling user access to the internet and cloud applications (historically performed by a SWG) is a primary SSE use case. SSE policy control helps mitigate risk as end users access content on- and off-network. Enforcing corporate internet and access control policies for compliance is also a key driver for this use case.

Another key capability is cloud security posture management (CSPM), which protects your organization from risky misconfigurations that can lead to breaches.

2. Detect and mitigate threats

Detecting threats and preventing successful attacks across the internet and cloud services are key drivers for adopting SSE and, to a lesser extent, SASE. With end users accessing apps and data from anywhere, organizations need a strong approach to malware, phishing, and other threats.

Your SSE platform must have advanced threat prevention capabilities, including cloud firewall, cloud sandbox, malware detection, and CBI. CASBs enable inspection of data within SaaS apps and can identify and quarantine existing malware before it inflicts damage. Adaptive access control measures that can determine end user device posture and automatically adjust access are also key.

3. Connect and secure remote workers

The modern remote workforce needs remote access to cloud services and private applications without the inherent risks of VPN. Enabling access to applications, data, and content without enabling access to the network eliminates the security ramifications of placing the user on a flat network.

Providing secure access to apps without needing to open firewall ACLs or expose apps to the internet is key here. SSE platforms should enable native inside-out app connectivity, keeping apps "dark" to the internet. A ZTNA approach should also offer scalability across a global network of access points, giving all your users the fastest experience regardless of connectivity demands.

4. Identify and protect sensitive data 

SSE unifies key data protection technologies to help you find and control sensitive data anywhere, with better visibility across all data channels. Cloud DLP enables sensitive data to be easily found, classified, and secured to support industry standards and other compliance policies. SSE also simplifies data protection, as you can create DLP policies just once and apply them across inline traffic and data at rest in cloud apps via CASBs.

The most effective SSE platforms also deliver high-performance TLS/SSL inspection to address encrypted traffic (that is, most data in transit). Also key for this use case is shadow IT discovery, which allows organizations to block risky or sanctioned applications across all endpoints.

 

Choosing the Right SSE Solution

Look for an SSE platform that gives you fast, scalable security and a seamless user experience based on zero trust. You need a platform that is:

Purpose-built for a fast user and cloud app experience

Fast, secure access requires a cloud native architecture distributed across a global data center footprint. SSE platforms built for inspection at every data center, not simply hosted in IaaS clouds, ensure real-time content inspection and security won’t slow users down, no matter where they are. You should also look for strong service provider peering from SSE vendors to guarantee the cloud app experience remains optimized.

Built from the ground up with a zero trust architecture

Access should be governed by identity, with users never placed on your network. Look for cloud native vendors that support zero trust access across all users, devices, IoT, cloud apps, and workloads. A vendor with a large global data center footprint will ensure a strong user experience without the hindrance of a VPN. Your vendor's ZTNA approach to SSE should have a proven track record across large global deployments, as scalability is imperative for remote user productivity.

Capable of scalable, inline proxy inspection

Proxy inspection terminates both connections—from the device and from the cloud app—and can fully inspect all traffic before it’s allowed to pass, unlike traditional passthrough firewalls. Focus on SSE platforms that can deliver content and TLS/SSL inspection at global scale. Since inline inspection is usually performed on business-critical traffic, interruptions can have serious impact. Ensure your chosen SSE vendor has strong service-level agreements (SLAs) and a track record of inspecting inline traffic for large global enterprises.

Driving further innovation in SSE growth

The ease of introducing new cloud-delivered security capabilities and services will ensure an effective SSE platform is future-proof. Digital experience monitoring, for instance, is migrating into SSE as a means for IT to quickly identify connectivity issues in the user-to-cloud-app connection.

As defined by the SASE architecture, network service consolidation along with an SSE platform is important. This includes strong connectivity support across SD-WAN services, local branch office connectivity, and multicloud connectivity. Focus on SASE providers that are also driving SSE innovation to ensure you can grow without adding complexity as your cloud ecosystem matures.

 

Zscaler and SSE

Zscaler solves your cloud and mobility challenges with a revolutionary platform for SSE and beyond. We'll help you reduce your costs and complexity with zero trust, eliminate your attack surface, and provide a fantastic user experience.

Learn more about Zscaler SSE.

You should also take a look at the 2022 Gartner Magic Quadrant for Security Service Edge. We're proud to be a Leader and highest in "Ability to Execute."