What is Security Service Edge (SSE)? SASE vs SSE vs VPN

The CISO Perspective

26 May 202206:36

Summary

TLDRThis video discusses the evolution of networking and security solutions in response to the rise of cloud-based services and remote workforces. It explains how traditional VPNs became inadequate as businesses increasingly relied on SaaS and cloud applications. The video introduces SASE (Secure Access Service Edge) as a solution to these challenges, integrating security and network services across distributed locations. It also highlights the shift towards SSE (Security Service Edge), which focuses solely on security without the networking components. The choice between SASE and SSE depends on an organization's need for SD-WAN and on-premise connectivity, providing a modern solution for secure, remote work access.

Takeaways

😀 VPNs were once essential for remote users to access corporate resources but are now less relevant due to the rise of cloud and SaaS applications.
😀 The explosion of SaaS and cloud-based services means that central VPN termination points are no longer practical due to increased latency and bottlenecks.
😀 SASE (Secure Access Service Edge) addresses the need for security and network services by using globally distributed Points of Presence (PoPs) to connect users directly to SaaS applications or private resources.
😀 SASE integrates multiple services, including Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Zero Trust Network Access (ZTNA), and SD-WAN.
😀 Gartner predicts that by 2025, over 60% of enterprises will have strategies to migrate to SASE, driven by its ability to provide remote work security and performance.
😀 Integrating security and networking into a single solution under SASE can be difficult, as vendors often struggle to offer seamless compatibility between the security and networking components.
😀 Some businesses may prefer to opt for a best-of-breed solution, selecting separate vendors for security (e.g., Zscaler) and networking (e.g., Viptela).
😀 The need for SD-WAN is diminishing in a post-COVID world, especially as remote work increases and the cloud becomes the primary resource access point.
😀 SSE (Security Service Edge) is a new category that focuses only on the security components of SASE, excluding the networking aspects of SD-WAN.
😀 SSE is ideal for businesses that need security without the need for SD-WAN or want flexibility to choose different SD-WAN vendors, providing a streamlined approach to work-from-anywhere security.
😀 The decision between SASE and SSE depends on whether an organization requires on-premise connectivity, with SASE being more suitable for hybrid environments and SSE being tailored for fully remote organizations.

Q & A

What is the primary role of VPNs in the past for remote access?
-VPNs were used to securely connect remote users to corporate resources located in private networks or data centers, effectively allowing them to access internal applications and services remotely.
Why has the traditional use of VPNs become less effective in modern organizations?
-Modern organizations increasingly rely on cloud-based services and SaaS applications, which are accessed directly over the internet. This shift makes the need to route traffic through a central VPN hub less efficient, causing higher latency, bottlenecks, and additional costs.
How has the rise of SaaS and cloud-based services impacted network architecture?
-As SaaS and cloud services have grown, organizations have moved away from using private networks for remote access. This has made the traditional model of backhauling all user traffic through a central location less viable, as it introduces performance issues and higher costs.
What is Secure Access Service Edge (SASE), and what problem does it solve?
-SASE is a framework that combines network and security services into a unified system. It solves the problem of securely connecting users to cloud applications from any location, by routing them through the nearest Points of Presence (PoPs), minimizing latency and maintaining strong security policies.
What are the four core components of SASE as described in the video?
-The four core components of SASE are: 1) Secure Web Gateway (SWG), 2) Cloud Access Security Broker (CASB), 3) Zero Trust Network Access (ZTNA), and 4) SD-WAN for optimized connectivity and routing.
How do SASE providers ensure security for remote users?
-SASE providers enforce security by routing user traffic through the nearest PoP location. Security policies such as URL filtering, malicious code detection, and application identification are applied at the PoP to secure the traffic before it reaches the SaaS or private resources.
What challenges arise when integrating security and networking vendors in SASE solutions?
-Integrating security and networking vendors can be challenging due to the complexity of combining technologies from different vendors. Users may face integration issues, limiting their ability to choose the best-of-breed solutions for both security and networking needs.
What is Security Service Edge (SSE), and how does it differ from SASE?
-SSE is a new category introduced by Gartner in 2021 that focuses solely on the security components of SASE, such as SWG, CASB, and ZTNA. Unlike SASE, SSE does not include SD-WAN or networking components, making it ideal for organizations that do not need SD-WAN or prefer separate vendors for security and networking.
Which organizations would benefit most from using SSE instead of SASE?
-Organizations that are fully remote or do not require SD-WAN connectivity would benefit most from SSE, as it focuses exclusively on securing SaaS and cloud-based applications without the need for networking components.
How does the decision to choose between SASE and SSE depend on an organization's infrastructure?
-The decision depends on whether an organization needs SD-WAN for managing network connectivity or if they are entirely cloud-based and require only security solutions for SaaS applications. SASE is better for organizations with hybrid or on-premise connectivity needs, while SSE suits those without SD-WAN requirements.