What is Security Service Edge?
Not to be confused with secure access service edge (SASE), the security service edge (SSE) is defined by Gartner as a convergence of network security services delivered from a purpose-built cloud platform. SSE can be considered a subset of the SASE framework with its architecture squarely focused on security services. The Gartner security service edge comprises three core services:
- Secure access to internet and web (SWG)
- Secure access to SaaS and cloud apps (CASB)
- Secure remote access to private apps (ZTNA)
What problems have driven the need for SSE?
As a growing industry trend, SSE solves fundamental challenges organizations are facing due to remote work, the cloud, and digital transformation. As organizations adopt SaaS, IaaS, and other cloud apps, their data has become increasingly distributed outside the data center. In addition, users are now increasingly remote and are connecting from everywhere, over any connection, to their cloud apps and data.
Securing these cloud apps and mobile users is difficult with traditional network security approaches. Anchored to the data center, these legacy technologies lack the ability to follow connections between users and cloud apps. Forcing the end-user back over traditional VPNs to the data center for security inspection slows the experience. Additionally, traditional data center approaches are costly to maintain due to administration and hardware refresh requirements, while VPNs can be easily exploited due to a lack of patching. To make matters worse, today’s data center security stacks have organically grown into a complex collection of point products that are difficult to integrate. As such, this security complexity intrinsically leaves gaps between the disparate security solutions, which further increase the risk of advanced threats or ransomware attacks.
The differences between secure access service edge (SASE) and security service edge (SSE)
In the SASE framework, both network and security services should be consumed in a unified approach delivered from the cloud. Both the network and security aspects of SASE solutions are focused on improving the user-to-cloud app experience while reducing cost and complexity. Within SASE, SSE focuses on the unification of all security services, including secure web gateway (SWG), cloud access security broker (CASB), and zero trust network access (ZTNA). The other half of the SASE platform focuses on the simplification and unification of network services, including software-defined wide area networking (SD-WAN), WAN optimization, quality of service (QoS), and other means of improving routing to cloud apps.
The advantages of SSE over traditional network security
Delivered from a unified cloud-centric platform, SSE enables organizations to break free from the challenges of traditional network security. There are four prime advantages SSE provides organizations:
1. Better risk reduction
First, SSE enables cybersecurity to be delivered without being tied to a network. Security is delivered from a cloud platform that can follow the user to the app connection regardless of location. Because all security services are delivered in a unified approach, risk is reduced as there are no gaps commonly seen across point products. Visibility is improved across users—no matter the location—and data, regardless of the channel(s) accessed. Additionally, security updates are automatically enforced across the cloud, without the lag time often seen from IT administration.
2. Zero trust access
SSE platforms (along with SASE) should enable least-privileged access from users to cloud or private apps. No user should be inherently trusted. Access should be granted based on identity and policy. A strong zero trust policy should consist of four factors: user, device, application, and content. By securely connecting users and apps using business policies over the internet, organizations can ensure a more secure remote experience. Users are never placed on the network, and the lateral movement of threats is eliminated, further reducing business risk. Additionally, applications remain protected behind the SSE platform. They are not exposed to the internet and cannot be discovered, which dramatically increases security by reducing the attack surface.
3. User experience
In the Gartner definition, security service edge (SSE) must be fully distributed across a global footprint of data centers. The best SSE architectures are purpose-built for inspection in every data center, as opposed to vendors hosting their SSE platforms in IaaS infrastructures. A distributed architecture improves performance and reduces latency, as content inspection and SSL decryption and inspection are located where the end-user connects to the SSE cloud. When combined with peering across the SSE platform, users get the best application experience. Mobile users are no longer required to leverage slower VPN architectures, and applications across both public and private clouds are fast and seamless.
4. Consolidation advantages
Because all key security services are unified, organizations gain the advantages of lower cost and reduced complexity. SSE delivers many key security services all in one platform: secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA), cloud firewall (FWaaS), cloud sandbox, cloud data loss prevention (DLP), cloud security posture management (CSPM), and cloud browser isolation (CBI). Any of these services can be easily added as organizations grow. And because all protection is unified under one policy, all channels leveraged by users and data get the same consistent protection.
Top SSE use cases
Secure access to cloud services and web usage
Enforcing policy control over user access to the internet, web, and cloud applications is one of the primary use cases for the security service edge (SSE). Historically performed by a secure web gateway, SSE policy control helps mitigate risk as end-users access content on- and off-network. Enforcing corporate internet and access control policies for compliance is also a key driver for this use case across IaaS, PaaS, and SaaS. Another key capability is cloud security posture management (CSPM), with which organizations can be protected from dangerous misconfigurations that can lead to breaches.
Detect and mitigate threats
Detecting and preventing threats that exist across the internet, web, and cloud services are key drivers for organizations adopting SSE and, to a lesser extent, SASE. As end-users can now access content across any connection or device, a strong defense-in-depth approach to malware, phishing, and other threats is needed. SSE platforms must have strong advanced threat capabilities, including cloud firewall (FWaaS), cloud sandbox, malware detection, and cloud browser isolation. Cloud access security brokers (CASBs) enable the inspection of data within SaaS apps and can identify and quarantine existing malware before it inflicts damage. Adaptive access control is also a key component of SSE, whereby an end user's device posture is determined and access to content is adjusted in order to protect cloud and private applications from compromise.
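The adaptive access control described above, combined with the four zero trust factors named earlier (user, device, application, content), can be sketched as a default-deny decision function. This is an added example, not code from the original page or from any SSE product; the rule fields, group names, labels and the "isolate" outcome (standing in for browser isolation) are assumptions made for illustration.

```python
from dataclasses import dataclass

# All names, policy fields and sample values are constructed for illustration.

@dataclass(frozen=True)
class Request:
    user_groups: frozenset     # user: groups asserted by the identity provider
    device_managed: bool       # device: enrolled in device management
    device_patched: bool       # device: OS patch level is current
    app: str                   # application being requested
    content_labels: frozenset  # content: data classifications the request touches

@dataclass(frozen=True)
class Rule:
    app: str
    allowed_groups: frozenset
    restricted_labels: frozenset  # labels that require a fully healthy device

POLICY = [
    Rule("payroll", frozenset({"finance"}), frozenset({"pii"})),
    Rule("wiki", frozenset({"staff", "finance"}), frozenset()),
]

def decide(req, policy=POLICY):
    """Return 'allow', 'isolate' or 'deny'; anything not explicitly permitted is denied."""
    for rule in policy:
        if rule.app != req.app:
            continue
        # Identity first: no group overlap means no access, whatever the device state.
        if not (req.user_groups & rule.allowed_groups):
            return "deny"
        if req.device_managed and req.device_patched:
            return "allow"
        # Adaptive access: a degraded posture lowers the access level.
        if req.content_labels & rule.restricted_labels:
            return "deny"      # sensitive content never reaches an unhealthy device
        return "isolate"       # e.g. rendered remotely, no download to the device
    return "deny"              # no rule for this app: it stays unreachable
```

The decision is per application and per request; nothing in it grants network-level reachability, which is the property the zero trust sections of this page rely on.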
Connect and secure remote workers
Remote access to cloud services and private applications without the risks of VPN is a fundamental driver for SSE. Enabling application access without network access is fundamental to providing zero trust access to data and content because it eliminates the security ramifications of placing the user on a flat network. Enabling access to private and cloud apps without the requirement of opening firewall ACLs, or exposing apps to the internet, is key to this use case. SSE platforms should enable native inside-out app connectivity, so apps remain dark to the internet. The zero trust network access solution (ZTNA) should also provide strong scalability across a global network of access points, so all of an organization's users get the fastest experience, regardless of connectivity demands.
Identify and protect sensitive data
SSE enables organizations to find and control sensitive data no matter where it resides. By unifying key data protection technologies within the SSE platform, organizations get better visibility across all data channels as well as greater simplicity. Cloud DLP enables sensitive data to be easily found and classified in order to secure data such as personally identifiable information (PII) and support compliance policies such as Payment Card Industry (PCI) standards. SSE also enables the simplification of data protection, as DLP policies only need to be created once and then applied across both inline traffic and data at rest in cloud apps via cloud access security brokers (CASBs). Additionally, the best SSE platforms will deliver high-performance SSL inspection, since SSL traffic is where most data in transit resides. The discovery of shadow IT is also key for this use case, which allows organizations to block risky or unsanctioned applications across all endpoints.
Choosing the right security service edge (SSE)
Look for SSE platforms that are purpose-built for a fast user and cloud app experience. This requires a cloud-native architecture globally distributed across the largest data center footprint. SSE platforms built for inspection have an advantage over SSE platforms hosted in IaaS clouds, which are not primarily built for the demands of real-time content inspection, including SSL inspection. Making every data center an inspection node ensures that security is always fast and local to the user, regardless of where the user connects. Also, look for fast and strong peering from SSE vendors, so the cloud app experience remains optimized.
Zero trust architecture
A strong SSE platform will be built from the ground up around the concept of zero trust. Access control should be governed by identity, and should never place users on the network. Look for cloud-native vendors that offer the broadest support of zero trust access across all users, devices, IoT, cloud apps, and workloads. Vendors with large global data center footprints will ensure users always get a fast experience, without the impact of VPNs. Ensure that a vendor's zero trust network access (ZTNA) approach to SSE has been proven across large organizations' global deployments, as scalability is imperative for remote user productivity.
Inspection, performance, and scalability
Look for SSE platforms that are based on proxy inspection. Proxy inspection terminates both connections—from the device and from the cloud app. Sitting between the two connections means that full SSL inspection can be performed and connections are not allowed to "pass through." This intrinsically enables better security and inspection than traditional passthrough firewall architectures. Focus on SSE platforms that are proven to deliver content and SSL inspection at a global scale. As inline inspection is usually performed on business-critical traffic, interruptions due to scalability issues can significantly impact a business. Ensure SSE vendors have strong service-level agreements (SLAs) and a proven track record of inspecting inline traffic for large, global enterprises.
While Gartner has defined current security capabilities around SSE, the best SSE service providers will be driving additional innovation around SSE growth. As organizations embrace SSE as a unified platform, additional features and services will ensure the SSE platform is future-proof.
One service that is now beginning to migrate into SSE is digital experience monitoring, which allows IT to quickly identify connectivity issues on the user-to-cloud-app connection. Additionally, as defined by the SASE architecture, network service consolidation along with the SSE platform is important. This includes strong connectivity support across SD-WAN requirements, local branch office connectivity, and multi-cloud connectivity. By focusing on SASE vendors that are also driving SSE innovation, you can ensure room for growth without adding complexity as the organization matures.