As we reach the tail end of our educational SD-WAN series, we once again turn to the importance of security when building a software-defined wide area network.
Check out the SD-WAN series:
- Secure Access Service Edge (SASE): The Security-driven SD-WAN
- Implementing SD-WAN Appliances in MPLS and VLAN Environments
- SD-WAN and Firewalls: Best Practices Around Next Generation Service Chaining
In the series, we talked about secure access service edge (SASE). One of the components of that piece was zero trust network access (ZTNA), which stands up as a core pillar of SASE practice. However, ZTNA, similar to all of the other core services packaged into SASE, can be offered as its own standalone solution and therefore is more of a point-solution than an umbrella methodology like SASE.
In this installment, we will be detailing Security Service Edge (SSE) in depth and explaining how this newer framework is being widely adopted when it comes to security across a diverse set of WANs. Let it be known that there is a bit of marketing panache when it comes to the retooling of SASE into SSE, but there are distinct differences that have a real impact, so we will be primarily focusing on those.
What Is SSE?
Security Service Edge is a convergence of network security services delivered from the cloud. The main difference between SASE and SSE is that SSE focuses solely on the security services rather than on networking solutions as well. To be blunt, it’s everything included in SASE minus SD-WAN, WAN optimization and other network-specific services. That means secure web gateways (SWG), ZTNA, cloud access security brokers (CASB), Firewall as a Service (FWaaS), browser isolation, data protection, decryption and more are all tethered back to a security information and event management (SIEM) platform in a true SSE environment.
The benefit of this consolidation is that the technology is built around the security methodology and framework first, and an end user exploring SSE needs security assistance more than networking assistance. Since the solution is also decoupled from SASE, it is not tied to the network and can therefore apply even more scrutiny to how users communicate with applications across all different types of networks.
In order to actually be defined as an SSE, the architecture must be fully distributed across a global network of data centers. This is important because it improves performance by virtue of transport layer security (TLS)/secure sockets layer (SSL) decryption and inspection occurring where the end user connects to the desired cloud. This reduces the need for hair-pinning VPNs or overly complicated service chains to maintain a secure connection throughout data transfer. This might not be the best solution for all organizations, as it is a higher barrier to entry and not a use case that applies across all IT shops.
The benefit here in a hybrid or remote work environment is quite vast and hard to quantify. Being closer to the source of the data means that users across the organization are going to receive a better experience when interacting with various clouds and accessing all types of datasets. In this way, SSE is built for the work of today and how it could evolve in the future.
Why SSE in the Context of SD-WAN?
Having SSE and SD-WAN as separate services from one another means that they can both do their jobs to the best of their abilities:
- SD-WAN can focus on application prioritization and bandwidth utilization.
- SSE can focus on enforcing an application and user-sensitive security policy regardless of where the information worker or system is communicating from.
The keystone benefit is the cleaner division of responsibility and therefore the lack of confusion among the systems when the security policy overrides network policy, which is all tied back to SIEM and potentially security operations center (SOC) services.
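To make the division of responsibility concrete, here is an added example (not code from the original article or from any SSE vendor) of the kind of decision an SSE/ZTNA policy engine makes: access depends on who the user is, what state their device is in and which application they are asking for, while the network they arrive from is only recorded for the SIEM event. The users, groups, applications, device-posture fields, the 10.0.0.0/8 "corporate" range and the event field names are all constructed assumptions. The legacy perimeter check is included alongside it purely to show how the two models disagree.

```python
"""Added example (not from the original article): a minimal SSE/ZTNA-style
access policy evaluator. Every name here (users, devices, apps, SIEM event
shape) is a constructed assumption used only to illustrate that the security
decision depends on identity, device posture and application, not on which
network the request arrives from."""
import ipaddress
import json
from dataclasses import dataclass, asdict

# Constructed "corporate" address space for the legacy, network-centric check.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class DevicePosture:
    managed: bool          # enrolled in the organization's device management
    disk_encrypted: bool
    os_patched: bool

    def compliant(self) -> bool:
        return self.managed and self.disk_encrypted and self.os_patched


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    device: DevicePosture
    application: str
    source_ip: str         # recorded for the audit event, not used for the decision


# Constructed per-application policy: which groups may reach the app and whether
# a compliant device is required. In a real SSE deployment this lives in the
# ZTNA/CASB policy engine, not in application code.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "require_compliant_device": True},
    "wiki": {"groups": {"finance", "engineering", "sales"}, "require_compliant_device": False},
    "git": {"groups": {"engineering"}, "require_compliant_device": True},
}


def legacy_network_decision(req: AccessRequest) -> bool:
    """Perimeter model: trust anything that originates inside the corporate network."""
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in net for net in CORPORATE_NETWORKS)


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """SSE/ZTNA model: identity + device posture + application; location-agnostic."""
    policy = APP_POLICY.get(req.application)
    if policy is None:
        return False, "unknown application (default deny)"
    if not (req.groups & policy["groups"]):
        return False, "user not in an authorised group"
    if policy["require_compliant_device"] and not req.device.compliant():
        return False, "device posture non-compliant"
    return True, "allowed"


def evaluate(req: AccessRequest) -> dict:
    """Return the decision as a SIEM-ready event (constructed field names)."""
    allowed, reason = zero_trust_decision(req)
    return {
        "event_type": "sse.access_decision",
        "user": req.user,
        "application": req.application,
        "source_ip": req.source_ip,
        "device": asdict(req.device),
        "decision": "allow" if allowed else "deny",
        "reason": reason,
        "legacy_perimeter_would_allow": legacy_network_decision(req),
    }


if __name__ == "__main__":
    compliant = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
    stale = DevicePosture(managed=True, disk_encrypted=True, os_patched=False)
    finance = frozenset({"finance"})
    # Same identity and device, office LAN vs. home broadband: identical outcome.
    for ip in ("10.20.30.40", "203.0.113.7"):
        print(json.dumps(evaluate(AccessRequest("alice", finance, compliant, "payroll", ip))))
    # Unpatched device on the office LAN: the perimeter says yes, zero trust says no.
    print(json.dumps(evaluate(AccessRequest("alice", finance, stale, "payroll", "10.20.30.40"))))
```

Running the block prints three JSON events: the first two (office and home) carry the same `allow` decision and differ only in `source_ip` and the legacy-perimeter flag, while the third shows the perimeter model admitting an unpatched device that the posture check denies. That is the practical meaning of SSE enforcing policy "regardless of where the information worker or system is communicating from", with SD-WAN left to handle path selection and bandwidth.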
For organizations that have a network team and a separate security team, these services can be managed independently of one another while still holding each other accountable. And the bundling of network services under SD-WAN, coupled with the bundling of security services under SSE, means that each service will be offered more cheaply than if its components were purchased separately.
With the vast number of hybrid and remote work options available in today’s marketplace, having ZTNA in tandem with SD-WAN is crucial in either a SASE or an SSE deployment. SSE, however, treats security, and network access to that security approach, as a user-experience-driven methodology, and that is its most impressive and future-proof feature.
A true benefit for all involved is that SSE is separate from SD-WAN and therefore can be sourced and implemented within an IT shop with less friction, with change management applied to security and network as two distinct entities. This can solve a procurement challenge within an organization while also delivering more specific value to the IT leaders looking to buy the technology for its benefits.
SSE is an important and newer technology trend that sits within the NIST framework for security solutions. Therefore, it’s important to monitor and continually evaluate it as this emerging technology takes shape. It will certainly not be the last acronym technology that sits on top of SD-WAN, but at the moment, it’s the hottest one to dig into and explore as it relates to the user-driven wide area network.
Get more tech insights like this right in your inbox with CompTIA’s IT Career Newsletter. Subscribe today.