Secure Access Service Edge is a concept familiar to most security professionals. The newer security service edge might not be, however.
Coined in 2019 by Gartner, SASE represents the convergence of networking service brokering, identity service brokering and security as a service within a single unified fabric. SASE helps make security more effective by reducing the steps it takes to harness the traditional approaches companies rely on to protect both edge environments and standalone users. It does this by creating a single brokering fabric that envelops all the disparate networking services an organization is using and puts them under a single point of control.
Late in 2021, Gartner introduced a new concept: security service edge (SSE). SSE focuses more on security capabilities and less on network connectivity and infrastructure.
One of the major elements of SASE is software-defined networking (SDN), with an emphasis on brokered connectivity for branch offices and remote locations through a cloud fabric. While SSE still includes some elements of network access and brokered connectivity, SSE is geared more to end users than SASE.
To that end, let's explore the core aspects of SSE.
Zero-trust network access
Zero-trust network access focuses primarily on how end users access cloud and online services and data. It involves policies applied to evaluate who is accessing resources, from what system and whether any behavioral aspects of access are suspicious or malicious.
Key elements of zero-trust network access include the following:
- strong authentication and authorization of endpoint systems and user accounts;
- adaptive access policies that evaluate group membership and privileges, access behaviors and known malicious or suspicious indicators; and
- browser isolation and sandboxing to prevent malware infection and other browser-based threats.
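The three elements above can be read as one ordered access decision. The following is an added illustration, not code from the article or from any SSE product; every field name, group name, threshold and indicator in it is an assumption, and the sample request is constructed.

```python
from dataclasses import dataclass, replace

# Field names, groups, thresholds and indicators are assumptions made for
# this illustration; they do not come from any SSE product.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    mfa_passed: bool              # strong authentication of the user account
    device_trusted: bool          # strong authentication of the endpoint
    resource: str
    source_ip: str
    failed_logins_last_hour: int  # behavioral signal
    destination_category: str     # e.g. "sanctioned" or "uncategorized"

RESOURCE_GROUPS = {"finance-app": {"finance"}, "wiki": {"staff", "finance"}}
BAD_IPS = {"203.0.113.50"}        # constructed indicator (documentation range)
BASE = AccessRequest("alice", frozenset({"staff"}), True, True,
                     "wiki", "198.51.100.7", 0, "sanctioned")  # constructed

def sample(**overrides):
    """Return the constructed BASE request with some fields changed."""
    return replace(BASE, **overrides)

def decide(req):
    """Return (decision, reason); decision is deny, step_up, isolate or allow."""
    # 1. Strong authentication of both the endpoint and the user account.
    if not req.device_trusted:
        return "deny", "unauthenticated endpoint"
    if not req.mfa_passed:
        return "step_up", "user has not completed MFA"
    # 2. Adaptive policy: known indicators, group membership, behavior.
    if req.source_ip in BAD_IPS:
        return "deny", "source matches a known malicious indicator"
    if not (req.groups & RESOURCE_GROUPS.get(req.resource, set())):
        return "deny", "no group grants this resource"  # unknown resource: deny
    if req.failed_logins_last_hour >= 5:
        return "step_up", "suspicious access behavior"
    # 3. Browser isolation for destinations that are not sanctioned.
    if req.destination_category != "sanctioned":
        return "isolate", "render in an isolated browser session"
    return "allow", "all checks passed"

if __name__ == "__main__":
    for r in (BASE, sample(device_trusted=False), sample(resource="finance-app"),
              sample(destination_category="uncategorized")):
        print(r.resource, r.destination_category, "->", decide(r))
```

The ordering matters: identity and device checks run before any group lookup, and a resource with no policy entry is denied rather than allowed by default.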
Secure web gateway
Secure web gateway (SWG) functionality includes content filtering and URL-based access controls, as well as some DNS monitoring and browser security controls. Most SWG platforms include content monitoring and data loss prevention policy tools as well. Leading options also offer remote browser isolation tools and capabilities that fortify web browsers with a sandbox designed to protect users when visiting designated sites.
Cloud access security broker
A cloud access security broker (CASB) probes deeply into cloud services -- primarily SaaS but also applications and services in PaaS and IaaS environments -- examining API calls and behaviors to determine whether unusual activity is occurring.
Many cloud applications today are complex web services with vast arrays of API calls. CASB services permit a much deeper analysis of specific interactions within the context of a single cloud application.
Network traffic control/firewall as a service
Another capability some vendors tout is network traffic control, sometimes referred to as firewall as a service (FWaaS). FWaaS replaces traditional next-gen firewall controls with a cloud-based model.
SSE can be a valuable feature here to control things such as remote access protocols -- for example, SSH and Remote Desktop Protocol -- and any other nonweb traffic that could be malicious.
SASE for comprehensive coverage
In many ways, when examining SASE vs. SSE, consider SSE a subset of SASE -- encompassing most of the same security control capabilities other than network bandwidth control and WAN optimization.
SASE is a more appropriate brokering option for enterprises that need comprehensive cloud-based connectivity and an application of security policies that covers both end users and entire locations moving away from a hub-and-spoke model of network connectivity. For remote users, SSE offers all the same security options without layering on software-defined WAN and SDN network traffic management options that would largely be superfluous.
Most organizations today need what SSE provides: a suite of controls that can shield a remote workforce from malicious activities through the deployment of a zero-trust model governing access control and monitoring, browser and cloud services security, and data protection. Many providers offer both SASE and SSE, with SSE available through a licensing model that enables an organization to upgrade to SASE if appropriate.