Explaining the differences between SASE vs. SSE

Zero-trust network access

Zero-trust network access focuses primarily on how end users access cloud and online services and data. It involves policies applied to evaluate who is accessing resources, from what system and whether any behavioral aspects of access are suspicious or malicious.

Key elements of zero-trust network access include the following:

• strong authentication and authorization of endpoint systems and user accounts;
• adaptive access policies that evaluate group membership and privileges, access behaviors and known malicious or suspicious indicators; and
• browser isolation and sandboxing to prevent malware infection and other browser-based threats.

Secure web gateway

Secure web gateway (SWG) functionality includes content filtering and URL-based access controls, as well as some DNS monitoring and browser security controls. Most SWG platforms include content monitoring and data loss prevention policy tools as well. Leading options also offer remote browser isolation tools and capabilities that fortify web browsers with a sandbox designed to protect users when visiting designated sites.

Cloud access security broker

A cloud access security broker (CASB) probes deeply into cloud services -- primarily SaaS but also applications and services in PaaS and IaaS environments -- to examine API calls and behaviors to determine whether unusual activity is detected.

Many cloud applications today are complex web services with vast arrays of API calls. CASB services permit a much deeper analysis of specific interactions within the context of a single cloud application.

Network traffic control/firewall as a service

Another capability some vendors tout is network traffic control, sometimes referred to as firewall as a service (FWaaS). FWaaS replaces traditional next-gen firewall controls with a cloud-based model.

SSE can be a valuable feature here to control things such as remote access protocols -- for example, SSH and Remote Desktop Protocol -- and any other nonweb traffic that could be malicious.

SASE for comprehensive coverage

In many ways, when examining SASE vs. SSE, consider SSE a subset of SASE -- encompassing most of the same security control capabilities other than network bandwidth control and WAN optimization.

SASE is a more appropriate brokering option for enterprises needing comprehensive cloud-based connectivity and a security policies application that covers both end users and entire locations moving away from a hub-and-spoke model of network connectivity. For remote users, SSE offers all the same security options without layering on software-defined WAN and SDN network traffic management options that would largely be superfluous.

Most organizations today need what SSE provides: a suite of controls that can shield a remote workforce from malicious activities through the deployment of a zero-trust model governing access control and monitoring, browser and cloud services security, and data protection. Many providers offer both SASE and SSE, with SSE available through a licensing model that enables an organization to upgrade to SASE if appropriate.