What is security service edge?
Security service edge (SSE), as defined by Gartner, is a convergence of network security services delivered from a purpose-built cloud platform. SSE can be considered a subset of the secure access service edge (SASE) framework with its architecture squarely focused on security services. The security service edge comprises three core services:
- Secure access to the internet and web by way of a secure web gateway (SWG)
- Secure access to SaaS and cloud apps via a cloud access security broker (CASB)
- Secure remote access to private apps through zero trust network access (ZTNA)
What has driven the need for SSE?
As a growing industry trend, SSE solves fundamental challenges organizations face relating to remote work, the cloud, secure edge computing, and digital transformation. As organizations adopt software and infrastructure as a service (SaaS, IaaS) offerings as well as other cloud apps, their data becomes more distributed outside their on-premises data centers. In addition, growing populations of users are mobile and remote, connecting from everywhere, over any connection, to their cloud apps and data.
Securing cloud apps and mobile users is difficult with traditional network security approaches because:
- Anchored to the data center, legacy technologies can't follow connections between users and cloud apps.
- Relaying ("hairpinning") user traffic to a data center via traditional VPN for inspection slows everything down.
- Administration and hardware maintenance make traditional data center approaches expensive.
- VPNs are easy to exploit due to a lack of patching.
To make matters worse, today’s data center security stacks have organically grown into complex, difficult-to-integrate collections of point products. This complexity inherently leaves gaps between disparate security solutions, further increasing the risk of advanced threats or ransomware attacks.
What's the difference between secure access service edge (SASE) and security service edge (SSE)?
In the SASE framework, network and security services should be consumed through a unified, cloud-delivered approach. The networking and security aspects of SASE solutions focus on improving the user-to-cloud-app experience while reducing costs and complexity. You can look at a SASE platform in two slices. The SSE slice focuses on unifying all security services, including SWG, CASB, and ZTNA. The other, the WAN edge slice, focuses on doing so for networking services, including software-defined wide area networking (SD-WAN), WAN optimization, quality of service (QoS), and other means of improving routing to cloud apps.
Source: CXO REvolutionaries, "Security Service Edge (SSE) reflects a changing market: what you need to know"
Advantages of SSE over traditional network security
Delivered from a unified cloud-centric platform, SSE enables organizations to break free from the challenges of traditional network security. SSE provides four primary advantages:
1. Better risk reduction
SSE enables cybersecurity to be delivered without being tied to a network. Security is delivered from a cloud platform that can follow the user-to-app connection regardless of location. Delivering all security services in a unified way reduces risk because it eliminates the gaps often seen between point products. SSE also improves visibility across users—wherever they are—and data, regardless of the channels accessed. Additionally, SSE automatically enforces security updates across the cloud without the typical lag time of manual IT administration.
2. Zero trust access
SSE platforms (along with SASE) should enable least-privileged access from users to cloud or private apps with a strong zero trust policy based on four factors: user, device, application, and content. No user should be inherently trusted, and access should be granted based on identity and policy. Securely connecting users and apps using business policies over the internet ensures a more secure remote experience because users are never placed on the network. Meanwhile, threats cannot move laterally, and applications remain protected behind the SSE platform. Apps are not exposed to the internet and thus can't be discovered, which reduces the attack surface, increasing your security and further minimizing business risk.
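The four-factor decision described above, as an added example (not Zscaler's code or policy format): each request is evaluated per application against user, device, application, and content, and anything no rule matches is denied. The group names, hostnames, content labels, and the "isolate" action for a non-compliant device are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Request:
    groups: frozenset        # user: identity groups asserted by the IdP
    device_compliant: bool   # device: result of a posture check
    app: str                 # application: a named app, never a subnet
    content: str             # content: classification of the data involved


@dataclass(frozen=True)
class Rule:
    groups: frozenset
    app_pattern: str
    content: frozenset
    require_compliant: bool
    action: str              # "allow" or "isolate" (hypothetical actions)


# Constructed sample policy; every name below is hypothetical.
POLICY = (
    Rule(frozenset({"finance"}), "erp.corp.example",
         frozenset({"internal", "confidential"}), True, "allow"),
    # Same users on a non-compliant device: reduced access, no confidential data.
    Rule(frozenset({"finance"}), "erp.corp.example",
         frozenset({"internal"}), False, "isolate"),
    Rule(frozenset({"engineering"}), "*.git.corp.example",
         frozenset({"internal"}), True, "allow"),
)


def decide(req: Request, policy=POLICY) -> str:
    """Return the action of the first rule that matches all four factors."""
    for rule in policy:
        if not (req.groups & rule.groups):
            continue
        if rule.require_compliant and not req.device_compliant:
            continue
        if not fnmatch(req.app, rule.app_pattern):
            continue
        if req.content not in rule.content:
            continue
        return rule.action
    # No rule matched: there is no network-level access to fall back on.
    return "deny"
```

Because rules name applications rather than networks, an engineering user who is allowed to reach the Git host gets "deny" for the ERP app; there is no shared segment through which to reach it.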
3. User experience
By Gartner's definition, SSE must be fully distributed across a global footprint of data centers. The best SSE architectures are purpose-built for inspection in every data center, as opposed to vendors hosting their SSE platforms in IaaS infrastructures. Distributed architecture improves performance and reduces latency because content inspection—including TLS/SSL decryption and inspection—occurs where the end user connects to the SSE cloud. Combined with peering across the SSE platform, this gives your mobile users the best experience. They no longer need to use slow VPNs, and access to apps in public and private clouds is fast and seamless.
4. Consolidation advantages
With all key security services unified, you'll see lower costs and less complexity. SSE can deliver many key security services—SWG, CASB, ZTNA, cloud firewall (FWaaS), cloud sandbox, cloud data loss prevention (DLP), cloud security posture management (CSPM), and cloud browser isolation (CBI)—all in one platform. Plus, if you don't need everything right away, you can easily add any of these services as your organization grows. With all protection unified under one policy, all channels your users and data traverse get the same consistent protection.
Top SSE use cases
1. Secure access to cloud services and web usage
Enforcing policy control over user access to the internet, web, and cloud applications (historically performed by a SWG) is one of the primary use cases for the security service edge. SSE policy control helps mitigate risk as end users access content on- and off-network. Enforcing corporate internet and access control policies for compliance is also a key driver for this use case across IaaS, PaaS, and SaaS.
Another key capability is cloud security posture management (CSPM), which protects your organization from risky misconfigurations that can lead to breaches.
2. Detect and mitigate threats
Detecting threats and preventing successful attacks across the internet, web, and cloud services are key drivers for adopting SSE and, to a lesser extent, SASE. With end users accessing content across any connection or device, organizations need a strong defense-in-depth approach to malware, phishing, and other threats.
Your SSE platform must have advanced threat prevention capabilities, including cloud firewall (FWaaS), cloud sandbox, malware detection, and cloud browser isolation. CASBs enable inspection of data within SaaS apps and can identify and quarantine existing malware before it inflicts damage. Adaptive access control, whereby an end user's device posture is determined and access is adjusted accordingly, is also a key component.
3. Connect and secure remote workers
The modern remote workforce needs remote access to cloud services and private applications without the inherent risks of VPN. Enabling access to applications, data, and content without enabling access to the network is a critical piece of zero trust access because it eliminates the security ramifications of placing the user on a flat network.
Providing secure access to private and cloud apps without needing to open firewall ACLs or expose apps to the internet is key here. SSE platforms should enable native inside-out app connectivity, keeping apps "dark" to the internet. A ZTNA approach should also offer scalability across a global network of access points, giving all your users the fastest experience regardless of connectivity demands.
4. Identify and protect sensitive data
SSE enables you to find and control sensitive data no matter where it resides. By unifying key data protection technologies, an SSE platform provides better visibility and greater simplicity across all data channels. Cloud DLP enables sensitive data (e.g., personally identifiable information [PII]) to be easily found, classified, and secured to support Payment Card Industry (PCI) standards and other compliance policies. SSE also simplifies data protection, as you can create DLP policies just once and apply them across inline traffic and data at rest in cloud apps via CASBs.
The most effective SSE platforms also deliver high-performance TLS/SSL inspection to address encrypted traffic (that is, most data in transit). Also key for this use case is shadow IT discovery, which allows organizations to block risky or unsanctioned applications across all endpoints.
Choosing the right SSE solution
Look for an SSE platform that gives you fast, scalable security and a seamless user experience based on zero trust. You need a platform that is:
Purpose-built for a fast user and cloud app experience
Fast, secure access requires a cloud native architecture globally distributed across a large data center footprint. SSE platforms built for inspection have an advantage over SSE platforms hosted in IaaS clouds, which are not primarily built for the demands of real-time content inspection. When every data center is an inspection node, security is always fast and local to the user, wherever they are. Also, look for fast and strong peering from SSE vendors, so the cloud app experience remains optimized.
Built from the ground up with a zero trust architecture
Access control should be governed by identity and never place users on your network. Look for cloud native vendors that offer broad support for zero trust access across all users, devices, IoT, cloud apps, and workloads. Here, too, a vendor with a large global data center footprint will ensure your users always get a fast experience without the hindrance of a VPN. Your vendor's ZTNA approach to SSE should have a proven track record across large global deployments, as scalability is imperative for remote user productivity.
Capable of scalable, inline proxy inspection
Proxy inspection terminates both connections—from the device and from the cloud app. Sitting between the two means full SSL inspection can be performed and connections are not allowed to "pass through." This enables better security and inspection than traditional passthrough firewalls. Focus on SSE platforms that can deliver content and TLS/SSL inspection at a global scale. Since inline inspection is usually performed on business-critical traffic, interruptions due to scalability issues can have serious impact. Ensure your chosen SSE vendor has strong service-level agreements (SLAs) and a track record of inspecting inline traffic for large global enterprises.
Driving further innovation in SSE growth
As organizations embrace SSE as a unified platform, additional security capabilities and services will ensure the SSE platform is future-proof. One service beginning to migrate into SSE is digital experience monitoring, which allows IT to quickly identify connectivity issues in the user-to-cloud-app connection.
Additionally, as defined by the SASE architecture, network service consolidation along with an SSE platform is important. This includes strong connectivity support across SD-WAN services, local branch office connectivity, and multicloud connectivity. By focusing on SASE service providers that are also driving SSE innovation, you can ensure room for growth without adding complexity as your organization's cloud ecosystem matures.
Zscaler and SSE
Zscaler solves your cloud and mobility challenges with a revolutionary platform for SSE and beyond. We'll help you reduce your costs and complexity with zero trust, eliminate your attack surface, and provide a fantastic user experience.
You should also take a look at the 2022 Gartner Magic Quadrant for Security Service Edge. We're proud to be a Leader and highest in "Ability to Execute."