Security Service Edge

Security service edge (SSE) is a collection of integrated, cloud-centric security capabilities that secures access to the web, cloud services, and private applications. SSE capabilities include access control, threat protection, data security, security monitoring, and acceptable use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components. The concept of SSE was introduced by Gartner in its 2021 Roadmap for SASE Convergence report released on March 25th, 2021.

SSE aims to solve challenges organizations face relating to remote work, the cloud, secure edge computing, and digital transformation. Organizations adopting software and infrastructure as a service (SaaS, IaaS) and other cloud apps have data dispersed across many services. Additionally, with the rise of mobile and remote work, their data is accessed over a wide range of connections. SSE replaces traditional network security approaches to secure cloud apps and mobile users.

ZTNA is a category of technologies that provides secure remote access to applications and services based on defined access control policies. Unlike virtual private networks (VPNs), which grant complete access to a LAN, ZTNA solutions default to deny, providing only the access to services the user has been explicitly granted.

SWG protects users from web-based threats, in addition to applying and enforcing corporate acceptable use policies. Instead of connecting directly to a website, a user accesses the SWG, which is then responsible for connecting the user to the desired website and performing functions such as URL filtering, web visibility, malicious content inspection, web access controls, and other security measures. SWGs provides users secure internet access when they are disconnected from the business VPN.

CASBs help organizations discover where their data is while using multiple software-as-a-service (SaaS) applications and when it is moving across cloud environments, on-prem data centers or accessed by mobile workers. CASB also enforces the organization’s security, governance, and compliance policies allowing authorized users to access and consume cloud resources while enabling organizations to effectively and consistently protect their data across multiple locations.

There are two types of CASBs available: traditional CASBs and integrated CASBs. An integrated CASB uses an in-line security mechanism to automatically discover and control all SaaS risks with existing SaaS applications and emerging ones. It also has an API-based security mechanism to scan SaaS applications for sensitive data, malware, and policy violations while maintaining compliance and preventing threats in real time without dependence on third-party tools.

FWaaS enables firewalls to be delivered as part of a company’s cloud infrastructure to protect cloud-based data and applications. SSE strategy uses FWaaS capabilities to enable organizations to aggregate traffic from multiple sources—whether from on-site data centers, branch offices, mobile users, or cloud infrastructure. It also provides consistent application and security enforcement of policies across all locations and users while giving complete network visibility and control without deploying physical appliances.

SASE is a cybersecurity concept first coined by Gartner in 2019. SASE is the convergence of software-defined wide area networking or SD-WAN, and network security services like CASB, FWaaS, and ZTNA into a single, cloud-delivered service model. Gartner defines it as:

SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.

In the SASE framework, network and security services are implemented using a unified, cloud-delivered approach. SASE platforms can be separated into two:

1. The Wide Area Network (WAN) edge focuses on networking services, including software-defined wide area networking (SD-WAN), WAN optimization, quality of service (QoS), and other means of improving routing to cloud apps.
2. SSE focuses on unifying all security services.

Differentiation of WAN and SSE that make up the broader SASE framework.

Companies with SSE products include the following:

• Zscaler (Zscaler Internet Access, Zscaler Private Access)
• Skyhigh Security (Skyhigh Security Cloud-Native Application Protection Platform, Skyhigh Security Secure Web Gateway, McAfee Web Protection - Legacy)
• Cisco (Cisco Umbrella, Cisco Cloudlock)
• Microsoft (Microsoft Defender for Cloud Apps)
• Broadcom (Symantec CloudSOC Cloud Access Security Broker, Symantec Web Security Service)
• Netskope (Netskope Security Cloud, Netskope NextGen SWG)
• Forcepoint (Forcepoint ONE, Forcepoint Web Security - Cloud, Forcepoint CASB)
• Palo Alto Networks (Prisma Access, SaaS Security)
• iboss (iboss cloud platform)
• Proofpoint (Proofpoint Cloud App Security Broker - PCASB, Proofpoint Web Security)
• Trend Micro (Trend Micro InterScan Web Security)
• Menlo Isolation (Menlo Isolation Security Operations Center - iSOC)
• Lookout (Lookout CASB)
• Cloudflare (Cloudflare One)