Explain the differences between SASE and SSE
Secure access service edge (SASE) is a familiar concept to most security professionals. However, the new security service edge may not be.
Coined in 2019 by Gartner, SASE represents the convergence of network service brokerage, identity service brokerage, and security-as-a-service within a single unified fabric. SASE helps make security more effective by reducing the steps required to leverage traditional approaches that enterprises rely on to protect both edge environments and standalone users. It does this by creating a single brokerage structure that wraps all the disparate network services an organization uses and puts them under a single point of control.
At the end of 2021, Gartner introduced a new concept: security service edge (SSE). SSE focuses more on security capabilities and less on connectivity and network infrastructure.
One of the core elements of SASE is software-defined networking (SDN), with an emphasis on brokered connectivity for branch offices and remote sites through a cloud fabric. While SSE still includes some elements of network access and brokered connectivity, SSE is more end-user friendly than SASE.
To this end, let's explore the fundamental aspects of SSE.
Zero Trust Network Access
Zero-Trust Network Access focuses primarily on how end users access cloud and online services and data. This involves policies applied to assess who is accessing resources, from what system, and whether behavioral aspects of access are suspicious or malicious.
Key elements of Zero-Trust Network Access include the following:
- strong authentication and authorization of endpoints and user accounts;
- adaptive access policies that assess group membership and privileges, access behaviors, and known malicious or suspicious indicators; and
- browser isolation and sandboxing to prevent infection from malware and other browser-based threats.
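An added sketch (not from the original article or any vendor's product) of how a policy decision point could combine the elements listed above into one per-request decision. The field names, signal names, rule ordering and sample IP address are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ISOLATE = "allow via browser isolation"
    STEP_UP = "require re-authentication"
    DENY = "deny"


@dataclass
class AccessRequest:
    user: str
    groups: set            # group memberships asserted by the identity provider
    mfa_verified: bool     # strong authentication of the user account
    device_trusted: bool   # endpoint authenticated and posture-checked
    source_ip: str
    resource_group: str    # group required by the requested resource
    risk_signals: set = field(default_factory=set)  # behavioral anomalies


# Constructed sample indicator list (documentation-range address).
KNOWN_BAD_IPS = {"203.0.113.66"}
# Assumed behavioral signals that are serious enough to block outright.
BLOCKING_SIGNALS = {"impossible_travel", "credential_stuffing"}


def evaluate(req: AccessRequest) -> Decision:
    """Return a per-request decision; nothing is trusted by default."""
    # 1. Known malicious indicators override everything else.
    if req.source_ip in KNOWN_BAD_IPS:
        return Decision.DENY
    # 2. Authorization: the user must hold the privilege the resource needs.
    if req.resource_group not in req.groups:
        return Decision.DENY
    # 3. Strong authentication of the user account.
    if not req.mfa_verified:
        return Decision.STEP_UP
    # 4. Access behavior: severe anomalies block, milder ones force re-auth.
    if req.risk_signals & BLOCKING_SIGNALS:
        return Decision.DENY
    if req.risk_signals:
        return Decision.STEP_UP
    # 5. Unverified endpoint: grant access only through an isolated browser.
    if not req.device_trusted:
        return Decision.ISOLATE
    return Decision.ALLOW
```

The same user can receive four different outcomes depending on device, behavior and source, which is the practical difference from a VPN-style "authenticated once, trusted everywhere" model.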
Secure Web Gateway
Secure Web Gateway (SWG) functionality includes content filtering and URL-based access controls, as well as some DNS monitoring and browser security controls. Most SWG platforms also include content monitoring and data loss prevention tools. The main options also offer remote browser isolation tools and features that harden web browsers with a sandbox designed to protect users when visiting designated sites.
Cloud Access Security Broker
A Cloud Access Security Broker (CASB) deeply probes cloud services – primarily SaaS, but also applications and services in PaaS and IaaS environments – to examine API calls and behaviors and determine whether unusual activity is occurring.
Many cloud applications today are complex web services with vast ranges of API calls. CASB services enable much deeper analysis of specific interactions within the context of a single cloud application.
Network/Firewall Traffic Control as a Service
Another feature touted by some vendors is network traffic control, sometimes called firewall as a service (FWaaS). FWaaS replaces traditional next-generation firewall controls with a cloud-based model.
SSE can be a valuable feature here for controlling things like remote access protocols – for example, SSH and Remote Desktop Protocol – and any other non-web traffic that might be malicious.
SASE for full coverage
In many ways, when discussing SASE versus SSE, think of SSE as a subset of SASE – encompassing most of the same security control capabilities other than network bandwidth control and WAN optimization.
SASE is a more suitable brokerage option for companies that need full cloud-based connectivity and security policy enforcement that covers both end users and entire sites moving away from a single-location, hub-and-spoke network connectivity model. For remote users, SSE offers all the same security options without overlaying software-defined WAN and SDN network traffic management options that would be largely redundant.
Most organizations today need what SSE provides: a suite of controls that can protect a remote workforce from malicious activity through the deployment of a zero-trust model governing the control and monitoring of access, security of browsers and cloud services and data protection. Many vendors offer both SASE and SSE, with SSE available through a licensing model that allows an organization to upgrade to SASE if needed.