Almost three years and several flavors of secure access service edge (SASE) later, yet another acronym coined by Gartner has made headlines across the networking and network security market. Secure service edge (SSE) converges security services in a single-vendor cloud offering. It’s touted as SASE minus network access or software-defined wide area network (SD-WAN).
SSE presents itself as the magic bullet for organizations that need to extend their security perimeter to their cloud environments and remote workers, but are skeptical of giving up their existing networking infrastructure and investments for SASE’s ubiquitous security. Some even argue that SD-WAN in SASE was always additional baggage, and SSE can now deliver all the sassy SASE perks – integration, ease of management, and comprehensive security across all edges.
But SASE offers much more, so let’s first focus on the hype around SSE.
There’s no denying that SSE can help organizations by making security more ubiquitous and easier to deploy than the legacy on-premises, multi-vendor approach to network security. That’s because, just like SASE, SSE has the following characteristics:
- Cloud-native: A cloud-native security stack means no more backhauling remote and mobile users to on-prem, centralized security solutions and appliances. Security teams can inspect traffic once, at the point of presence (POP) nearest to the end user, for all of the single-vendor security functions. This undeniably improves security performance. Unlike SASE though, the traffic doesn’t undergo network operations like WAN optimization in that single pass.
- Convergence: Converging security services results in better integration, lower costs, and less complexity. Organizations can add security services as needed without undergoing complex integrations. Admins can ensure consistent security policies across services and for every endpoint, app, and user, regardless of location. Security service convergence also eliminates security product sprawl and reduces the overlaps and gaps inherent to point solutions. However, it fails to address the visibility gaps created by the sheer lack of shared context between networking and security event data.
- Outsourced: The provider remotely manages the security services, which means automatic security updates and better utilization of in-house talent.
- Centrally-managed: A unified management console for security operations simplifies monitoring and auditing and reduces redundant alerts and blind spots despite having a segregated view of networking operations.
So with SSE, organizations get significantly cheaper, up-to-date, and comprehensive security independent of their existing network infrastructure. However, separating networking from security means organizations will leave out some remarkable SASE benefits. That’s why many organizations are taking SSE as a first step to implementing SASE in the future.
The implications of skipping the "A" are profound. It's false to assume that network security runs independently of networking and network data. SASE's single-vendor approach to networking and security means security teams can see the bigger picture and use both network and security event data to make informed decisions. In fact, organizations will give up multiple security and performance benefits of consolidation by going the SSE route. Here's what they'll miss:
- Ease-of-management: SASE offers a single-pass network and security architecture with a unified control plane. SSE also lacks a single timeline for all networking and security events. Operations personnel end up juggling multiple interfaces anyway.
- Shared context: SASE delivers shared context for networking and security event data that security teams can analyze to eliminate false positives and detect and prevent zero-day threats. With SSE, the data remains siloed and security teams remain blind to any networking information that can help analyze threat alerts.
- Resiliency: Global SASE POPs, with their WAN capabilities, provide multi-level network resiliency – if one POP fails, security teams can redirect traffic to other POPs. SSE doesn’t address network resiliency as a part of its security services. In addition to SSE’s performance and security compromises, organizations may still end up deploying on-prem, disparate network and security devices and solutions for their WAN traffic. That can complicate network and security deployments.
SSE or SASE? Choose the one that best fits
SSE holds value for organizations that have gone fully remote and for enterprises hard set on keeping their existing networking infrastructure and providers for now. Unified, cloud-based security services are much better suited to modern remote workforces and hybrid or cloud-first architectures, for which traditional security simply doesn’t work anymore. A two-vendor approach still makes sense compared to disparate, multi-vendor security solutions and equipment.
However, SSE compromises the security, performance, resiliency, and visibility benefits of SASE. Providing two views – one for security and the other for networking – is better than five views, but it still leaves companies juggling multiple consoles and disrupts visibility. Being unable to correlate networking and security events deprives security operations of information they can use to better protect the enterprise.
Ultimately, it’s up to individual organizations to decide if SSE is worth the compromise in the long run. For those considering SSE as a stepping-stone to SASE, chart a clear migration path for the future. Companies can only make the right choice after evaluating their unique requirements, circumstances, and future objectives.
Etay Maor, senior director, security strategy, Cato Networks