The SASE journey requires reliable partners with truly integrated platform capabilities, not vendors wielding smoke-and-mirrors-style marketing proclaiming “SASE” in giant headlines. But clarity is critical, and both SASE and the more-recently-coined security service edge (SSE) terminology, can be a little confusing. Let’s examine what distinguishes SASE from SSE, and why both concepts are so fundamental to building cloud-centric security and networking architectures of the future.
SASE: A Security and Networking Architecture
SASE, first coined by research firm Gartner® in 2019, is a framework for designing security and networking architecture in a world where the use of cloud applications is now ubiquitous in business. The SASE framework includes both the technologies required and the way those technologies are integrated and delivered not only to match the flexibility and economics of cloud access but also to align with the evolution of evaluation, procurement, and deployment practices.
These are necessary changes. In a cloud-first, work-from-anywhere world whose requirements have been accelerated by a global pandemic, security must become perimeterless and must be able to follow a company’s most important asset—its data—with a level of contextual awareness sufficient to protect that data wherever and whenever it is accessed, everywhere it happens to be stored.
What’s more, all of this needs to smoothly transpire while maintaining fast and reliable network performance, which preserves the user experience, maximizes business, and helps users stay productive. SASE transitions essential networking and security capabilities to the cloud, eliminating perimeter-based appliances and legacy products. It provides safe and reliable access to web services, applications, and data, with zero trust principles applied throughout to achieve continuous adaptive trust during every interaction.
Security Service Edge (SSE): The Security Capabilities Needed for SASE
SSE is a more recent term, described by Gartner’s Neil MacDonald and John Watts in the “Hype Cycle(™) for Cloud Security, 2021” in July. A good way to view SSE is a term describing the evolving security stack that sustains the SASE journey—more specifically, a set of capabilities necessary to achieve the security SASE describes, focusing on core platform requirements including cloud access security broker (CASB), secure web gateway (SWG), and zero trust network access (ZTNA).
Gartner highlights that “by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020.”* A simple way to think about SSE, and the work being done by enterprise IT teams toward SSE, is as “the security side” of SASE — managing access to and protecting an organization’s data, which in so many cases today is crucial for competitive advantage. Remember, too, that IT teams are simultaneously modernizing “the networking side,” such as delivering SD-WAN capabilities. But even with such rapid adoption of SASE architecture, most businesses will not tackle SASE exactly the same way, with some focused on the core security capabilities described under SSE, others continuing to retire legacy networking investments in favor of more modern networking capabilities such as SD-WAN, and still others working throughout the infrastructure to add zero trust network access (ZTNA) capabilities and begin to phase out lagging technologies such as VPNs. SASE is the total blueprint; SSE is a subset of overall SASE requirements focused on several key security-related components of the blueprint that, when sourced from a single platform provider, offer previously unattainable efficiency of operation and economy of scale.
There is at least one more important consideration when looking at SASE, SSE, and the objectives technology teams are trying to achieve with this new architecture. Many vendors claim to check the boxes called “CASB,” “SWG,” and “ZTNA.” True differentiation — differentiation that actually enables the journey to SASE — manifests as an understanding of context. Perhaps the most important capability is distinguishing company app instances from personal app instances. Legacy security technologies provide simplistic binary, allow-or-deny controls, but for cloud apps in use by both businesses and individual users, binary is no longer sufficient: the content and context requires analysis, especially when more than two-thirds of threats are cloud-delivered**.
The threat and data protection efficacy of SSE within SASE requires detailed context that legacy defenses hosted in the cloud are unable to provide. SASE can support business-driven network and security transformations, but only with the right emphasis on context will SSE enable overall success with app and data transformation in direct relation to threat and data protection.
Here at Netskope, we’re continuing to expand our industry-leading Secure Access Service Edge (SASE) platform capabilities to address critical customer needs in cloud security, networking, and the application of zero trust principles at every point where data is accessed in the cloud. We’ve been named by Gartner as the 2021 Gartner Peer Insights Customers’ Choice™ for both CASB and SWG, including scoring highest among all SWG vendors in the report as the highest-rated Customers’ Choice vendor (4.7/5 based on 49 reviews as of April 2021).
Gartner and Hype Cycle are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved
Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.
*Gartner, “2021 Strategic Roadmap for SASE Convergence.” Neil MacDonald, Nat Smith, Lawrence Orans, Joe Skorupa. March 25, 2021
**Netskope Threat Labs, Cloud & Threat Report, July 20, 2021