Secure Access Service Edge (SASE), Secure Service Edge (SSE) – What are these all about? They sound similar, so why does Gartner make so many Magic Quadrants with seemingly overlapping capabilities?
Let’s examine the differences and commonalities.
SASE is a Gartner specification term coined in 2019 that explores cloud security products more as a framework; whereas SSE, coined in 2022, looks at a group of Cloud Security products within a single management domain. SSE also removes the SDWAN component of SASE and puts it in the “Additional Capabilities” group.
Before Next Generation Firewalls (NGFW) became a thing, customers purchased a stateful firewall, IDS/IPS, Web filtering, etc. When NGFW firewalls came out, they packaged all these security applications within a single firewall where all management and reporting could be done seamlessly. The management of the various products became difficult, and correlating incidents were more laborious.
Like previously mentioned, SASE is a group of products within a framework for Cloud Security products.
See details below regarding: Core, Recommended, and Optional SASE and SSE capabilities; and definitions according to NetsKope and Aruba.
So, what does all this mean, and why should you care?
Ultimately, what is unfolding is the maturing of Cloud Security, regardless of its nomenclature. If you are working to secure your SaaS applications with a CASB solution, or your remote workers via a SWG, you have the options of many technology solutions and integration approaches with your existing tools. If you are starting from a clean slate, then you might want to look at an SSE solution with a single pane of glass for ease of management.
Here at Nth Generation, we can help you decide on the best path for your organization. Nth can help improve your security posture through solutions tailored to your needs. To request more info, CLICK HERE.
Resources: Core SASE capabilities:
SWG
CASB
ZTNA
SD-WAN
FWaaS (including Intrusion Prevention System [IPS]/Intrusion Detection System [IDS])
Sensitive-data and malware inspection capabilities
Line rate operation
Recommended SASE capabilities:
Remote browser isolation
Network sandbox
DNS protection
API-based access to SaaS for data context
Support for managed and unmanaged devices
Web application and API protection
Optional SASE capabilities:
Wi-Fi hot spot protection
Network obfuscation or dispersion
Legacy VPN
Edge compute protection
SOURCE: Gartner
The core SSE offering included the ability to secure web access via proxy (SWG functionality), secure SaaS access via API and proxy modes (CASB functionality), and provide secure remote access to private applications (ZTNA functionality). Each of these core capabilities must support the securing of any user from any device or location. Native SWG, CASB and ZTNA functions had to be generally available by 30 August 2021.
SOURCE: Gartner
Core capabilities evaluated include:
Cloud-delivered service
Forward proxy
Advanced threat defense
Data security controls
In-line SaaS security controls
API-based SaaS security controls
ZTNA
Additional capabilities evaluated included, but were not limited to:
SD-WAN integration
FWaaS
RBI
Advanced analytics
UEBA
Adaptive access controls
CSPM
DEM
Below are some definitions according to NetsKope and Aruba:
CAPABILITY WHAT IT DOES
How SSE Makes It Better: Secure web gateway (SWG) | Controls access and defends against web threats only. |
Cloud access security broker (CASB) | Serves as a security policy enforcement point, placed between cloud service consumers and cloud service providers, to enforce enterprise security policies as cloud-based resources are accessed. Evaluates behavior and has awareness of SaaS application functionality to set appropriate access for a given person. |
Zero Trust network access (ZTNA) | Enforces the premise that no one is blindly trusted and allowed to access company assets until they’ve been validated as legitimate and authorized. Supports implementation of least privilege access, which selectively grants access only to resources that people, or groups of people require, nothing more. |
Remote browser isolation (RBI) | Separates worker devices from the act of web browsing by hosting and running all browsing activity in a remote, cloud-based container. Such sandboxing protects data, devices, and networks from all kinds of threats originating from malicious websites. |
Firewall as a service (FWaaS) | Provides network security for all outbound ports and protocols for safe, direct-to-Internet access via an agent on managed devices, or via Generic Routing Encapsulation (GRE) and Internet Protocol Security (IPsec) for offices. One policy engine and one security platform, providingsimplified management for workers and branch offices using one console. |
An SD-WAN uses a centralized control function to securely and intelligently direct traffic across the WAN and directly to trusted SaaS and IaaS providers. This increases application performance and delivers a high-quality user experience, which increases business productivity and agility and reduces IT costs. |