SASE & SSE – foundations
Digital transformation, distributed users and ubiquitous remote access have blurred the network perimeter until it is practically invisible. Cloud-delivered IT security has become the remedy for keeping assets safe and end users satisfied. SD-WAN is also enjoying a renaissance since its emergence in 2015 (first mentions in 2014). As with every revolution and transformation, each comes with its own vocabulary. In 2019, Secure Access Service Edge (SASE) came upon us, and already in 2021 Secure Service Edge (SSE) appeared. What is it all about? Let us explain!
Secure Service Edge is the component of SASE that focuses on internet and application access. Yes, three of the four letters in the two acronyms coincide, so the difference is worth spelling out: SSE is meant for securing access to websites, SaaS applications and company applications hosted on their own premises. One reason for treating SSE separately is its strong focus on security functions rather than on general network management and QoS. Today, IT security departments and networking departments are served by different technology stacks.
In a very simplified way, it looks like this:
SSE -> data protection, user monitoring and protection against outside threats
SASE = SSE + SD-WAN -> SSE + ensuring business continuity and providing access to the company branches
We listed a few reasons in our previous article comparing Web Security and Next Generation Firewalls; the main one is the point made above: the separation of cybersecurity from network management.
The main Secure Service Edge features include:
- Zero Trust Network Access (ZTNA) – briefly, a VPN substitute: a technology that grants secure access to selected resources only (unlike a VPN) hosted on premises. ZTNA combines user authentication with authorization to specific resources.
- Secure Web Gateway (SWG) – we have described the secure proxy in another article; here we only note that it is part of SSE.
- Cloud Access Security Broker (CASB) – protects SaaS applications either by monitoring them through their APIs or by intercepting traffic in proxy mode. Beyond standard access policies (based on location, device, etc.), it provides functions such as Single Sign-On, identity provider (IdP) integration and encryption of data stored in the cloud. It also inventories what data is kept in your cloud resources and monitors user behaviour, watching for anomalies.
The essential SSE functions are described above, but they do not end there. Vendors add features to meet today’s challenges; those that address current threats are primarily:
- Data Loss Prevention – in an era of widespread migration to SaaS, and given the leakage vectors that open up after such a migration, DLP is a necessity. Consider integration with your on-premises DLP and its data-recognition capabilities. Enterprise-class products provide classification algorithms based on (supervised) machine learning or on fingerprinting (creating a “fingerprint” of information from a proprietary set of correlated classifiers).
- Cloud Security Posture Management – a set of functions designed to identify misconfigurations and compliance risks in assets stored in the cloud. The goal of CSPM is to continuously monitor cloud infrastructure for gaps in its security configuration.
- Remote Browser Isolation – the ultimate defence against zero-day malware. The user’s browsing session runs entirely in a virtual machine in the vendor’s environment, and the user sees only an interactive rendering (similar to screen sharing: you can click, but if an attack occurs your own machine is unaffected).
- Sandboxing – protection against zero-day threats in files that you need to download to your machine. It runs the file in a safe environment that mimics your system to observe how the file behaves. Pay attention to how well it integrates with the SSE you plan to implement.
- FWaaS – Firewall-as-a-Service – some argue that the firewall belongs to the network part, the SASE side, rather than to SSE. Some vendors nevertheless provide it as a function of their platform. Let’s face it, though: at the moment it will not replace the next-generation firewalls most organizations use on premises.
- Content Disarm & Reconstruction – an alternative to sandboxing for the more demanding. It “takes apart” the file down to the code level, removes all unnecessary and suspicious fragments, then reassembles the file and passes it on to the user. The key parameter is how faithfully the file is reconstructed.
- Vulnerability Scanning – lets you spot vulnerabilities in your infrastructure. This SSE extension is useful for your Data Center; in a public cloud it is the provider’s responsibility.
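To make the fingerprinting approach mentioned under Data Loss Prevention concrete, here is an added example (not code from the original article or from any SSE vendor) that fingerprints registered documents as hashed word-shingles and then scans an outbound message for overlap; the document texts, the shingle size and the match threshold are constructed assumptions for illustration.

```python
import hashlib
import re
from typing import Dict, List, Set

SHINGLE_WORDS = 5   # consecutive words per shingle; smaller values catch shorter excerpts

def normalize(text: str) -> List[str]:
    """Lower-case and strip punctuation so trivial reformatting does not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text: str) -> Set[str]:
    """Hash every run of SHINGLE_WORDS words; only the hashes need to be stored at the edge."""
    words = normalize(text)
    shingles = (" ".join(words[i:i + SHINGLE_WORDS]) for i in range(len(words) - SHINGLE_WORDS + 1))
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in shingles}

def register(corpus: Dict[str, str]) -> Dict[str, Set[str]]:
    """Build the fingerprint registry once from the protected documents."""
    return {name: fingerprint(body) for name, body in corpus.items()}

def scan(outbound: str, registry: Dict[str, Set[str]], threshold: int = 3) -> Dict[str, int]:
    """Return registered documents sharing at least `threshold` shingles with the message."""
    seen = fingerprint(outbound)
    hits = {name: len(seen & fp) for name, fp in registry.items()}
    return {name: n for name, n in hits.items() if n >= threshold}

# Constructed sample documents (not real data).
CONFIDENTIAL = {
    "merger-memo": ("The board approved the acquisition of Northwind Traders for 42 million euros, "
                    "subject to regulatory review; do not disclose before the 15 March announcement."),
    "hr-policy": "Employees may carry over up to five days of unused leave into the next calendar year.",
}
REGISTRY = register(CONFIDENTIAL)

if __name__ == "__main__":
    # An excerpt pasted into an e-mail, re-cased and re-punctuated, still matches the memo.
    leak = "FYI - THE BOARD APPROVED the acquisition of Northwind Traders for 42 million euros!!"
    print(scan(leak, REGISTRY))
```

Because only shingle hashes are stored, the edge proxy can recognise an excerpt without holding the document itself; the threshold trades false positives for sensitivity to short excerpts.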
In addition, SSE vendors support integration with Endpoint Detection and Response (EDR) solutions. However, EDR is not part of SASE, so we will answer questions about this area individually.
Summarizing the above: an SSE solution provides organizations with the full set of security technologies they need to give employees, trusted partners and contractors secure remote access to applications, data, tools and other corporate resources, and to monitor and track user behaviour after access has been granted.
And what about SASE?
Under SASE, both network and security services should be consumed in a unified, cloud-delivered approach. Both the network and security aspects of SASE solutions focus on improving the user-to-cloud-application experience while reducing cost and complexity. Within SASE, SSE unifies all security services, including Secure Web Gateway (SWG), Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA). The other half of the SASE platform simplifies and unifies network services, including Software Defined Wide Area Network (SD-WAN), WAN optimization, Quality of Service (QoS) and other ways to improve routing to cloud applications.
In 2022, Gartner intends to publish the first Magic Quadrant for Secure Service Edge vendors, and we are already emphasizing the value of this technology for companies today. Primarily:
1. Better risk reduction
SSE delivers cybersecurity without tying it to devices or network topology. Security is provided by a cloud platform that follows the user to the application regardless of location. Because all security services are delivered in a standardized manner, risk is reduced: there are none of the gaps that often appear between point products. Visibility into users and data improves, regardless of location and of the channel used. In addition, security updates are enforced automatically in the cloud, without the delays often seen in IT administration.
2. Unified Zero-Trust approach
SSE platforms (and SASE) should grant users least-privilege access to cloud-based or private applications. No user is inherently trustworthy; access is granted on the basis of identity and policy. A strong zero-trust principle rests on four factors: user, device, application and content. By securely connecting users to applications over the Internet according to business policy, organizations can support remote work. Users are never placed on the network, so the lateral spread of threats is eliminated, further reducing business risk. Applications also remain hidden behind the SSE platform: they are not exposed to the Internet and cannot be discovered, which greatly improves security by reducing the attack surface.
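The four-factor decision described above, as an added example that is not code from the original article or from any SSE product: a default-deny policy evaluator that checks user (identity and MFA), device (managed and compliant), application and content (action and DLP label) before the edge brokers any connection; the rules, groups, labels and application names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Request:
    """One access request described by the four zero-trust factors."""
    user: str
    groups: frozenset          # user factor: group claims from the IdP
    mfa: bool                  # user factor: strong authentication completed?
    device_managed: bool       # device factor: enrolled, so posture is known
    device_compliant: bool     # device factor: disk encrypted, EDR running, ...
    app: str                   # application factor: which private/SaaS app
    action: str                # content factor: "view", "download" or "upload"
    data_label: str            # content factor: DLP classification of the payload

@dataclass(frozen=True)
class Rule:
    name: str
    group: str
    apps: frozenset
    actions: frozenset
    max_label: str             # highest data classification this rule may touch
    require_mfa: bool = True
    require_compliant_device: bool = True

LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2}
# Constructed sample policy: explicit allow rules only, everything else is denied.
POLICY = [
    Rule("hr-payroll", "hr", frozenset({"payroll"}), frozenset({"view", "upload"}), "confidential"),
    Rule("eng-wiki", "engineering", frozenset({"wiki"}), frozenset({"view", "download"}),
         "internal", require_compliant_device=False),
]

def evaluate(req: Request) -> Tuple[str, str]:
    """Return (decision, reason); the first rule matching group and app decides."""
    for rule in POLICY:
        if rule.group not in req.groups or req.app not in rule.apps:
            continue                                  # identity/application factors do not match
        if req.action not in rule.actions:
            return "deny", f"{rule.name}: action {req.action!r} not permitted"
        if rule.require_mfa and not req.mfa:
            return "deny", f"{rule.name}: MFA required"
        if not req.device_managed:
            return "deny", f"{rule.name}: unmanaged device"
        if rule.require_compliant_device and not req.device_compliant:
            return "deny", f"{rule.name}: device out of compliance"
        if LABEL_RANK[req.data_label] > LABEL_RANK[rule.max_label]:
            return "deny", f"{rule.name}: {req.data_label} data exceeds {rule.max_label}"
        return "allow", rule.name
    return "deny", "no matching rule (default deny)"
```

The reason string is what a defender wants in the SSE audit log: every denial names the factor that failed, so policy gaps and posture problems can be found without replaying the request.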
3. UX – User Experience
According to Gartner’s definition, Security Service Edge (SSE) must be fully distributed across data centers worldwide and support edge computing, i.e. processing data close to where it originates. The best SSE architectures are designed to run in any data center, unlike those of vendors hosting their SSE platforms on IaaS infrastructure. The distributed architecture improves performance and reduces latency, because content inspection and SSL decryption take place where the end user connects to the SSE cloud. Mobile users no longer need slower VPN architectures, and applications in both public and private clouds run fast and hassle-free.
4. Technology Consolidation
Because all key security services are standardized, organizations benefit from lower cost and complexity. SSE provides many key security services on a single platform: Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Cloud Firewall (FWaaS), Cloud Sandboxing, Cloud Data Loss Prevention (DLP), Cloud Security Posture Management (CSPM) and Remote Browser Isolation (RBI). Each of these services can be added easily as your organization grows. And because all protection is unified under one policy, every user channel and every piece of data receives the same consistent protection.
As digitization continues, information security and IT departments will only cooperate more closely. What will, in our opinion, be emphasized more strongly is the distinct role of IT security (especially prevention) alongside that of ensuring business continuity. Knowing the differences between SSE and SASE will let managers allocate responsibilities and arrange processes more effectively, so that the functionalities of both technologies support the strategic goals of each department. In the end, we all want the same thing: peace of mind for users and a steady stream of business operations.