www.scmagazine.com
Open in
urlscan Pro
2606:4700:20::681a:d13
Public Scan
Submitted URL: https://go.scmagazine.com/dc/-vMdw_6ux1ia6WSIpe-HqylIsTbdQR8716vGgsCjNduTvgXwp0D9AQpDnu0oYJ1enyToD6_WK57ETF6ErHaAFSq99-t2U...
Effective URL: https://www.scmagazine.com/resource/cloud-security/sse-vs-sase-whats-the-difference?utm_source=marketing-campaign&utm_mediu...
Submission: On July 21 via api from US — Scanned from DE
Effective URL: https://www.scmagazine.com/resource/cloud-security/sse-vs-sase-whats-the-difference?utm_source=marketing-campaign&utm_mediu...
Submission: On July 21 via api from US — Scanned from DE
Form analysis 1 forms found in the DOM
<form class="w-100" scmag-registration="set">
<div class="my-2 font-sans"><label class="visually-hidden form-label" for="email">Business Email</label><input placeholder="Business Email*" required="" type="email" id="email" class="fs-7 text-black p-3 form-control" value=""></div>
<div class="fs-9 my-4">
<p>By clicking the Subscribe button below, you agree to SC Media <a class="text-underline" href="/terms-and-conditions" data-feathr-click-track="true" data-feathr-link-aids="["60071024bdb3f8d0470da8d6"]">Terms and Conditions</a><span>
and </span><a class="text-underline" href="/privacy-policy" data-feathr-click-track="true" data-feathr-link-aids="["60071024bdb3f8d0470da8d6"]">Privacy Policy</a>.</p>
</div><button type="submit" class="btn btn-primary">Subscribe</button>
</form>Text Content
Log inRegister
Topics
Events
Podcasts
Research
Recognition
Leadership
About CRA
ADVERTISEMENT
Cloud security, Emerging technology, Network security
SSE VS. SASE: WHAT’S THE DIFFERENCE?
Paul WagenseilFebruary 21, 2023
Credit: Getty Images
Many organizations would like to move to converged cloud-security solutions such
as secure access service edge (SASE) and security service edge (SSE). Yet
according to a recent survey, the adoption rate is low, and the concepts remain
unclear to many.
CyberRisk Alliance (CRA) interviewed 300 information-technology professionals
about converged cloud security in the fall of 2022. Of the respondents, 77%
considered it to be "very important" or "extremely important."
"As large of a company as we are, it is embarrassing that we do not have [a
converged network-security solution]," said one respondent from the health-care
sector. "Regulators will kill us, I think, if we do not achieve this soon."
There is a recognized need for converged cloud security, but only 10% of survey
respondents said their organizations had implemented SASE or SSE. Nearly half
(46%) admitted they didn't completely understand what the terms meant.
ADVERTISEMENT
What exactly are SASE and SSE? How do they differ, and how might they benefit
you? Here's what you need to know.
SASE: MORE THAN THE SUM OF ITS PARTS
SASE is something Gartner analysts came up with in a 2019 white paper titled
"The Future of Network Security Is in the Cloud" (paywalled). An acronym-heavy
Gartner blog post explained the concept thus:
"SASE combines network security functions (such as SWG [secure web gateway],
CASB [cloud access security broker], FWaaS [firewall as a service] and ZTNA
[zero trust network access]), with WAN capabilities (i.e., SD-WAN [software
defined wide area network]) to support the dynamic secure access needs of
organizations. These capabilities are delivered primarily aaS [as a service] and
[are] based upon the identity of the entity, real-time context and
security/compliance policies."
In plain English, SASE uses a software-based virtual network to create
regionally distributed points of presence (PoPs) that provide nearby secure
networking and cloud-based security functions to branch offices and remote
users. SASE brings security and networking geographically closer to users, cuts
down lag and latency, eliminates the need for a company VPN, abolishes the
obsolete perimeter model and lets organizations shift from on-premises to
cloud-based security solutions.
"What makes SASE stand out from point solutions and other secure networking
strategies is that it's both secure and direct," explained Zscaler in a glossary
listing. "Rather than relying on your data center security, traffic from your
users' devices is inspected at a nearby point of presence (the enforcement
point) and sent to its destination from there. This means more efficient access
to applications and data, making it the far better option for protecting
distributed workforces and data in the cloud."
SASE has five essential components:
1. A cloud access security broker (CASB) to monitor and control traffic between
an organization's users and its cloud instances and web applications. A CASB
may incorporate aspects of identity and access monitoring (IAM), endpoint
detection and response (EDR) and data loss prevention (DLP).
2. A cloud-based firewall-as-a-service (FWaaS) to filter network traffic
according to the organization's rules, often using next-generation firewall
(NGFW) functions such as intrusion prevention/detection (IPS/IDS) or
domain-name-system (DNS) security.
3. A software-defined wide-area network (SD-WAN) that can securely link branch
offices, data centers and remote users. The SD-WAN may overlay the public
internet, may use a private backbone to link to PoPs, or may do both.
4. A secure web gateway (SWG) to monitor, inspect and log users' web traffic
and block malware and intrusions. It can also filter content and block
specific URLs according to organizational policy and may include browser
sandboxing.
5. Zero-trust network access (ZTNA), which verifies and authenticates each user
upon access, even if the user is on-premises. Lateral movement can be
restricted by additional authorization requirements.
Combining these different cloud-based solutions makes it easier to manage an
organization's overall security and lowers costs as legacy hardware is phased
out and subscriptions are consolidated.
"The whole converged solution concept is about reducing complexity," said Boaz
Avigad, senior director of product marketing at Perimeter 81. "You want
something that is simple and easy to use and can be managed from a single pane
of glass. You want a single agent running on the edge devices to deliver all of
the services."
However, SASE is still more of a framework than an actual product. Few vendors
can offer a comprehensive SASE package. In most cases, an organization will need
to piece together a SASE solution from various parts, often over a period of
months or even years before it can achieve full implementation. "You have
vendors that have almost everything, and vendors that have less, but you have no
single vendor that offers all of what Gartner defines as part of SASE," said
Avigad.
Credit: Zscaler
SSE: FOR ORGANIZATIONS THAT DON'T NEED THE FULL SASE
In 2021, Gartner noticed that many organizations weren't adopting the entire
SASE model, but instead implementing only its security aspects. So Gartner came
up with a new concept: security service edge, or SSE.
"Security service edge (SSE) secures access to the web, cloud services and
private applications," reads the Gartner definition. "Capabilities include
access control, threat protection, data security, security monitoring, and
acceptable-use control enforced by network-based and API-based integration."
SSE is a subset of SASE, eliminating the SD-WAN but retaining the CASB, FWaaS,
SWG and ZTNA functions. It also retains PoPs, which can be connected over the
internet using ZTNA policies rather than via an SD-WAN.
"Some companies don't need SASE," said Perimeter 81's Avigad. "If you are a
cloud-borne company, you have no use for SD-WAN. [SASE is] for companies that
have both branch offices and people working from home."
SSE, which Avigad calls "hardware-less by definition," may also be better for
organizations that choose to retain their existing networking infrastructure.
Furthermore, adopting SSE instead of SASE means that networking and security
teams don't have to combine duties, a practical consideration that organizations
may struggle with.
"While I had to work with a networking team when I was a CISO, I never had
responsibility for networking," said Frank Kim, CISO-in-residence YL Ventures
and a SANS Institute fellow. "SSE makes a lot more sense for a CISO because it
just focuses on security."
IS SASE OR SSE BETTER FOR YOUR ORGANIZATION?
The choice between SASE and SSE is best made after a thorough assessment of your
organization's abilities, needs and goals. As mentioned above, a fully remote
company can likely opt for SSE over SASE because it can replace SD-WAN with ZTNA
over the internet.
For much more along these lines, please read our guides:
How to determine if your IT environment is ready for SASE
Buying SASE: Questions to ask vendors before you commit
How to determine SASE needs specific to your IT environment
It may even be advantageous to wait until the converged-cloud-security industry
consolidates itself and more vendors are able to offer full-package SASE or SSE
solutions.
"My organization is most likely to consider purchasing an [SSE] solution that is
a one-platform, comprehensive network security solution," said one respondent in
the CRA survey. "This approach is more efficient and cost-effective than
purchasing individual solutions for each aspect of network security."
Paul Wagenseil
Paul Wagenseil is custom content strategist for CyberRisk Alliance, leading
creation of content developed from CRA research and aligned to the most critical
topics of interest for the cybersecurity community. He previously held editor
roles focused on the security market at Tom’s Guide, TechNewsDaily.com,
SecurityNewsDaily.com, and spent nearly 10 years at FoxNews.com.
RELATED
Cloud security
NEW FREE CLOUD SECURITY TOOLS OFFERED BY CISA
SC StaffJuly 20, 2023
The Cybersecurity and Infrastructure Security Agency has updated its free
open-source cloud protection software toolkit with five new programs aimed at
helping bolster cloud security posture and malicious activity detection,
according to SiliconAngle.
Third-party risk
NORTH KOREAN-LINKED LAZARUS GROUP TIED TO SUPPLY CHAIN ATTACK ON JUMPCLOUD
Steve ZurierJuly 20, 2023
Further research after Colorado-based JumpCloud invalidated its API keys two
weeks ago led to indicators of compromise linked to North Korea.
Cloud security
MUST-HAVE BROWSER SECURITY FEATURES
Paul WagenseilJuly 20, 2023
Unmanaged workplace web browsers are not safe enough for organizational use,
which is why many enterprises are turning to browsers designed for security and
centralized administration. Here's a checklist of features to look for when
considering secure enterprise browsers.
Brandview
WHY A CYBER RESILIENCE APPROACH TO DIGITAL RISK IS NEEDED NOW MORE THAN EVER
As cyber risk practitioners ourselves, we believe that understanding past claims
trends is core to future planning for enterprises. Part of Resilience’s mission
is to bring this knowledge to our clients, and now, with the release of our
first annual Claims Report, the public as well.
RELATED EVENTS
*
Cybercast
SAAS DATA BACKUPS: AUTOMATED RESILIENCE & RECOVERY IN THE CLOUD
On-Demand Event
*
Cybercast
MODERN PRIVILEGED ACCESS MANAGEMENT IN THE CLOUD: WHAT’S IN, WHAT’S OUT?
On-Demand Event
*
Cybercast
TACKLING THE UNIQUE CHALLENGES OF KUBERNETES & CONTAINER SECURITY
On-Demand Event
ADVERTISEMENT
GET DAILY EMAIL UPDATES
SC Media's daily must-read of the most current and pressing daily news
Business Email
By clicking the Subscribe button below, you agree to SC Media Terms and
Conditions and Privacy Policy.
Subscribe
ADVERTISEMENT
X
--------------------------------------------------------------------------------
ABOUT US
SC MediaCyberRisk AllianceContact UsCareersPrivacy
GET INVOLVED
SubscribeContribute/SpeakAttend an eventJoin a peer groupPartner With Us
EXPLORE
Product reviewsResearchWhite papersWebcastsPodcasts
Copyright © 2023 CyberRisk Alliance, LLC All Rights Reserved. This material may
not be published, broadcast, rewritten or redistributed in any form without
prior authorization.
Your use of this website constitutes acceptance of CyberRisk Alliance Privacy
Policy and Terms & Conditions.
COOKIES
This website uses cookies to improve your experience, provide social media
features and deliver advertising offers that are relevant to you.
If you continue without changing your settings, you consent to our use of
cookies in accordance with our privacy policy. You may disable cookies.
Accept cookies