Buzzword Bio – SASE and SSE

‘Buzzword Biographies’ is a blog series that takes a look at popular technology industry acronyms and trends, and tries to explain and describe them. I personally struggle with what some of these terms and trends really mean, so I have done some research and shared what I learned in an attempt to help others and myself.

The way network security is approached has been changing. Large campus LANs that connect through centralized data centers to egress to the internet are no longer the only network architecture. In that model, perimeter security is king. Large firewalls are purchased, installed, and configured to keep the good stuff in, and the bad stuff out. The goal is to protect the ‘trusted’ network. However, with the more recent concept of zero trust (we’ll have to get into this one in another post), there is no trusted network anymore. All networks are treated as untrusted and all actions need to be authenticated and authorized. Plus, with the adoption of cloud services and the concept of work from anywhere, the perimeter or edge of the network is now wherever the individual is connecting to the network and their services. This is where terms like Secure Access Service Edge (SASE) and Security Service Edge (SSE) enter the picture. These two acronyms seem close in name. What do they mean, and are they synonymous, or do they mean two completely different things?

Secure Access Service Edge (SASE)
SASE is a term that was developed by the research and consulting company Gartner. Here is Gartner’s definition of SASE:

“Secure access service edge (SASE) delivers converged network and security as a service capabilities, including SD-WAN, SWG, CASB, NGFW and zero trust network access (ZTNA). SASE supports branch office, remote worker and on-premises secure access use cases. SASE is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.”

I think the first important thing to note is that SASE is not a protocol or a specific point solution outright. It is a term to describe a delivery method for security services. SASE describes a solution that combines multiple security (and networking) functions into a cohesive system. A SASE solution is meant to secure connectivity from wherever a user is connecting to applications and services.

Security Service Edge (SSE)
SSE is also a Gartner-coined term with the following definition:

“Security service edge (SSE) secures access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service, and may include on-premises or agent-based components.”

Compare and Contrast
On the face of the two Gartner definitions, I see a lot of similarities between SASE and SSE. SSE seems to focus more on the security components of accessing applications and services, and less on the networking components. Upon further research, I found this comparison article from CATO Networks that frames it up nicely, even with a pretty picture! SSE can be seen as a component of SASE, or a solution that can stand on its own, focusing on specific security components. The pieces of SSE that CATO Networks lists are:

- Cloud Access Security Broker (CASB) / Data Loss Prevention (DLP)
- Cloud Secure Web Gateway (SWG)
- Zero Trust Network Access (ZTNA) / VPN

According to this CATO Networks article:

“SSE describes a limited scope of network security convergence, which combines SWG, CASB/DLP and ZTNA into one, cloud-native service. SSE provides secure access to internet, SaaS and specific internal applications, without directly addressing secure access to WAN resources.”

I interpret this as meaning that SSE is focused on securing access to the internet and applications, while securing the transport networks would be covered by solutions such as SD-WAN, which would be a SASE component. SSE components can contain both cloud-hosted services (CASB, DLP, Cloud SWG) and host- or agent-based solutions (VPN/security clients) that provide access to the cloud-hosted services.

The Why
The terms Secure Access Service Edge (SASE) and Security Service Edge (SSE) both address the shift from workloads in on-premises data centers and centralized network architectures to cloud-hosted workloads and architectures. Network security is no longer thought of solely as a perimeter-focused strategy, protecting an internal trusted network. With the concept of ZTNA, no network should be inherently trusted and all actions should be secured. Depending on the need, organizations can adopt SSE solutions on their own, or integrate SSE into a greater SASE solution.

Quick Links for Reference
Gartner SASE definition – https://www.gartner.com/en/information-technology/glossary/secure-access-service-edge-sase

Gartner SSE definition – https://www.gartner.com/en/information-technology/glossary/security-service-edge-sse

CATO Networks SASE and SSE comparison article – https://www.catonetworks.com/security-service-edge/sse-vs-sase/

Published by Tim Bertino

Solutions Engineer passionate about solutions and design.
