top of page

SASE and SSE – What’s the difference?

Secure Access Service Edge (SASE), Secure Service Edge (SSE) – What are these all about? They sound similar, so why does Gartner make so many Magic Quadrants with seemingly overlapping capabilities?

Let’s examine the differences and commonalities.

SASE is a Gartner specification term coined in 2019 that explores cloud security products more as a framework; whereas SSE, coined in 2022, looks at a group of Cloud Security products within a single management domain. SSE also removes the SDWAN component of SASE and puts it in the “Additional Capabilities” group.

Before Next Generation Firewalls (NGFW) became a thing, customers purchased a stateful firewall, IDS/IPS, Web filtering, etc. When NGFW firewalls came out, they packaged all these security applications within a single firewall where all management and reporting could be done seamlessly. The management of the various products became difficult, and correlating incidents were more laborious.

Like previously mentioned, SASE is a group of products within a framework for Cloud Security products.

See details below regarding: Core, Recommended, and Optional SASE and SSE capabilities; and definitions according to NetsKope and Aruba.

So, what does all this mean, and why should you care?

Ultimately, what is unfolding is the maturing of Cloud Security, regardless of its nomenclature. If you are working to secure your SaaS applications with a CASB solution, or your remote workers via a SWG, you have the options of many technology solutions and integration approaches with your existing tools. If you are starting from a clean slate, then you might want to look at an SSE solution with a single pane of glass for ease of management.

Here at Nth Generation, we can help you decide on the best path for your organization. Nth can help improve your security posture through solutions tailored to your needs. To request more info, CLICK HERE.

Resources: Core SASE capabilities:
  • SWG

  • CASB

  • ZTNA

  • SD-WAN

  • FWaaS (including Intrusion Prevention System [IPS]/Intrusion Detection System [IDS])

  • Sensitive-data and malware inspection capabilities

  • Line rate operation

Recommended SASE capabilities:
  • Remote browser isolation

  • Network sandbox

  • DNS protection

  • API-based access to SaaS for data context

  • Support for managed and unmanaged devices

  • Web application and API protection

Optional SASE capabilities:
  • Wi-Fi hot spot protection

  • Network obfuscation or dispersion

  • Legacy VPN

  • Edge compute protection

SOURCE: Gartner

The core SSE offering included the ability to secure web access via proxy (SWG functionality), secure SaaS access via API and proxy modes (CASB functionality), and provide secure remote access to private applications (ZTNA functionality). Each of these core capabilities must support the securing of any user from any device or location. Native SWG, CASB and ZTNA functions had to be generally available by 30 August 2021.

SOURCE: Gartner

Core capabilities evaluated include:
  • Cloud-delivered service

  • Forward proxy

  • Advanced threat defense

  • Data security controls

  • In-line SaaS security controls

  • API-based SaaS security controls

  • ZTNA

Additional capabilities evaluated included, but were not limited to:
  • SD-WAN integration

  • FWaaS

  • RBI

  • Advanced analytics

  • UEBA

  • Adaptive access controls

  • CSPM

  • DEM

Below are some definitions according to NetsKope and Aruba:


How SSE Makes It Better: Secure web gateway (SWG)

Controls access and defends against web threats only.

​Cloud access security broker (CASB)

Serves as a security policy enforcement point, placed between cloud service consumers and cloud service providers, to enforce enterprise security policies as cloud-based resources are accessed. Evaluates behavior and has awareness of SaaS application functionality to set appropriate access for a given person.

​Zero Trust network access (ZTNA)

Enforces the premise that no one is blindly trusted and allowed to access company assets until they’ve been validated as legitimate and authorized. Supports implementation of least privilege access, which selectively grants access only to resources that people, or groups of people require, nothing more.

Remote browser isolation (RBI)

Separates worker devices from the act of web browsing by hosting and running all browsing activity in a remote, cloud-based container. Such sandboxing protects data, devices, and networks from all kinds of threats originating from malicious websites.

Firewall as a service (FWaaS)

​Provides network security for all outbound ports and protocols for safe, direct-to-Internet access via an agent on managed devices, or via Generic Routing Encapsulation (GRE) and Internet Protocol Security (IPsec) for offices. One policy engine and one security platform, providingsimplified management for workers and branch offices using one console.

​Software Defined Wide Area Network (SDWAN)


​An SD-WAN uses a centralized control function to securely and intelligently direct traffic across the WAN and directly to trusted SaaS and IaaS providers. This increases application performance and delivers a high-quality user experience, which increases business productivity and agility and reduces IT costs.


bottom of page