Security Service Edge (SSE): What Happened to the "A" in SASE?
Before we can dive into security service edge (SSE), we first need to go down memory lane with secure access service edge (SASE).
SASE has rapidly become an architecture that's top of mind for the IT community, and not just because it's a fun term to say. SASE gives your business the peace of mind of knowing that you are providing optimal and secure edge-to-cloud connectivity.
Prior to SASE's rise in popularity, many organizations had already embarked on their transition from a traditional, centralized data center design to a cloud-centric design by implementing solutions like software-defined wide area network (SD-WAN). However, security teams were still unable to achieve the following, all of which SASE addresses:
- Network and security visibility.
- Centralized security policy.
- Secure, consistent access to internal resources while minimizing latency.
- A cohesive user experience regardless of physical location and identity context.
I know what you're thinking, "My organization just started on our SASE journey and now there's a new breakout term called SSE?!"
Don't panic. Simply think of SSE as the unified security services slice of the SASE pizza. Gartner coined the term SSE in its 2021 Strategic Roadmap for SASE Convergence. The firm's intent was to develop a path for organizations struggling to bridge the gap between their cloud security design and WAN service edge design.
Looking at the image above, think of SASE as the extra-large pizza you would like to order for your network and security team pizza party. However, your network team likes cheese pizza, and your security team likes pepperoni pizza. Due to cost, you can only order one extra-large pizza. The solution here is to order a half-and-half SASE pizza.
Yes, we're aware the analogy can be likened to a bad dad joke. The point is, you can start your SASE journey by focusing on the unified security features of SSE or focusing on the WAN service edge.
This gives IT leadership the ability to begin their digital transformation, even if the network team and security team are not aligned for a full SASE solution. However, once the network and security toppings are ready to be put on the SASE pizza, the oven is hot and ready to bake the perfect half-and-half pizza.
Simply put, SSE is the security stack of SASE.
One way to orient yourself around the new terminology is to understand how SSE and SASE are similar and how they are different.
Like SASE, SSE delivers:
- Threat protection.
- Data security.
- Centralized security policy and monitoring.
- A secure user experience regardless of location.
SSE is unlike SASE in that:
- Users might have an inconsistent experience due to network latency.
- It's a great solution for newcomers to the SASE pizza party.
- While it can work with legacy network architecture, it does not unify network and security architectures.
Organizations have begun to transition to SSE or are considering SSE for two main reasons. The first, which started a while ago, is the increased reliance on cloud-delivered applications. Organizations needed a way for branch and remote users to access applications like Office 365 and Salesforce without introducing latency.
A traditional approach to securing these applications would be to put a centralized firewall or VPN solution between the user and application, forcing the user to access the application through the corporate data center. Inevitably, this slows down access to the application.
By moving security services to the cloud edge, SSE allows users to access cloud-delivered applications over a direct internet connection for a much faster experience.
The second main driver of SSE was COVID-19. The sharp and sudden rise in remote work forced organizations to think about how they could deliver a consistent experience to users whether they were at home, at the branch or at the campus.
The ability of SSE to apply unified security policies suddenly became very attractive for IT leaders. With SSE, security policy stays with the user, regardless of where they are getting work done.
Traditionally, IT departments have maintained rigid access methods for remote users through network access control (NAC) or VPN solutions. However, now that we've prioritized delivering the same experience to remote users as to those onsite, these solutions begin to fall short.
One of the great things about SSE is that it allows for the concept of identity with context. IT can use SSE to grant access to resources based on traditional authentication elements like username and password, but it also allows IT to grant access based on far more characteristics, such as user location, device location, security posture and time of day.
Using SSE for identity with context leads to logical boundaries for precise, least-privilege access. In turn, it can accelerate an organization's path to zero trust by providing an easier way to validate initial access to the network as well as an easier way to repeatedly validate network connections.
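The sketch below illustrates identity with context as described above: a default-deny decision over user, location, device posture and time of day, re-checked as the context changes. It is an added example, not code from any SSE product; the policy, user names, resources and country codes are constructed, and `evaluate` and `revalidate` are hypothetical names.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Context:
    user: str
    authenticated: bool   # username/password check already passed
    user_location: str    # country code reported for the user (constructed)
    device_location: str  # country code reported for the device (constructed)
    posture_ok: bool      # device security posture check result
    local_time: time      # time of day of the request

@dataclass(frozen=True)
class Rule:
    resource: str
    users: frozenset
    locations: frozenset
    start: time
    end: time

# Constructed sample policy: each rule grants one resource to named users only.
POLICY = (
    Rule("payroll", frozenset({"alice"}), frozenset({"US"}), time(8), time(18)),
    Rule("wiki", frozenset({"alice", "bob"}), frozenset({"US", "CA"}),
         time(0), time(23, 59)),
)

def evaluate(ctx, resource, policy=POLICY):
    """Return (allowed, reason); anything not explicitly granted is denied."""
    if not ctx.authenticated:
        return False, "not authenticated"
    if not ctx.posture_ok:
        return False, "device posture failed"
    for rule in policy:
        if rule.resource != resource or ctx.user not in rule.users:
            continue
        if not {ctx.user_location, ctx.device_location} <= rule.locations:
            return False, "location not permitted"
        if not rule.start <= ctx.local_time <= rule.end:
            return False, "outside permitted hours"
        return True, "allowed"
    return False, "no rule grants access"

def revalidate(snapshots, resource):
    """Re-check an open session on every context snapshot; stop at first deny."""
    for i, ctx in enumerate(snapshots):
        allowed, reason = evaluate(ctx, resource)
        if not allowed:
            return i, reason
    return None, "session still valid"
```

The same credentials produce different outcomes as the context changes, which is what lets the session be validated repeatedly rather than only at sign-in.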
While the change in terminology might be frustrating, remember that SSE is a good thing. Adopting a full SASE architecture won't be the right path for every organization. Instead, use SSE to incrementally move toward a unified experience for network and security services. Plus, realize tangible security benefits along the way.