What Is Security Service Edge (SSE)?
Security Service Edge (SSE) is the security service portion of Secure Access Service Edge (SASE). It consists of functional components such as Zero Trust Network Access (ZTNA), Firewall as a Service (FWaaS), Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB). These components provide enterprises with functions such as access control, Internet access security, threat detection, cloud application access proxy, and data security. In addition, SSE provides a consistent service experience, unified security protection, and centralized O&M. This enables employees, customers, partners, and contractors to easily and securely access enterprises' private applications, Software as a Service (SaaS) applications, and Internet applications from anywhere (including airports, homes, and branches), facilitating remote and mobile work.
Why Do Companies Need SSE?
In today's enterprise operation environment, digital transformation is gaining momentum, and remote office, mobile office, and cloud SaaS services are seeing wide application. This trend brings unprecedented challenges to the enterprise network architecture and security management.
Amid these changes, the limitations of the traditional deployment mode, in which branches reach the Internet through the headquarters (HQ) border, have been exposed. For example, in traditional mode, if a branch accesses the Internet through the HQ via a private line or SD-WAN, the egress bandwidth of the HQ easily becomes a bottleneck. As service volume increases, especially when multiple branches exchange data at the same time, the pressure on the HQ egress rises sharply, causing network congestion and affecting office efficiency. The cost of this mode also increases as usage grows. Branches therefore need to access the Internet directly to improve work efficiency and reduce bandwidth costs, without compromising network security. This cannot be achieved in traditional mode.
In addition, remote users and users on the move face many restrictions when accessing cloud SaaS services if they are far away from the HQ. In terms of data privacy, the data transmission path in the conventional mode may be relatively complex, with data passing through a series of nodes, which increases the risk of data leakage. In terms of experience assurance, long-distance data transmission may cause relatively high latency, slowing the real-time response to user operations and reducing work efficiency.
Cyber security requirements are also becoming increasingly complex, requiring multiple technologies to cope with these challenges. Among the many solutions, SSE defined by Gartner is starting to stand out. SSE integrates multiple security functions into a unified cloud-native service, covering key security technologies such as ZTNA, FWaaS, SWG, and CASB. This integrated service can effectively cope with the limitations of the conventional mode and provide comprehensive, flexible, and efficient cyber security solutions for enterprises in the context of digital transformation, remote and mobile office, and wide application of cloud SaaS services. It can perform dynamic access control based on multi-dimensional information such as user identity, device status, and application context. In this way, it ensures user experience while meeting security requirements and adapting to complex and ever-changing cyber security requirements of modern enterprises.
Benefits of SSE
Compared with the traditional cyber security architecture, SSE brings the following benefits:
1. Better risk mitigation
SSE can implement network security delivery without relying on conventional network security devices. Security services are provided by the cloud platform, which can be operated based on the connections between users and applications, regardless of the geographical location. All security services are provided in a unified manner to implement consistent security protection. Furthermore, common vulnerabilities of single-point products can be eliminated, and security updates can be automatically performed in the cloud to effectively mitigate risks.
2. Zero-trust network access
ZTNA, a component of SSE, continuously performs access policy control and risk assessment based on factors such as users, devices, applications, and content, allowing users to access cloud or private applications with the minimum permissions. No user is trusted by default; access permissions are granted based on identities and policies. Publishing applications through ZTNA prevents them from being exposed to the Internet without limitation, thereby reducing the attack surface and minimizing service risks.
3. User experience
According to Gartner, SSE must be deployed in data centers (DCs) around the world. The optimal SSE architecture performs detection in each DC and provides security services close to the user, instead of hosting the SSE platform in a carrier's IaaS infrastructure. This distributed architecture provides nearby access for remote office users as well as users on the move, ensuring optimal experience. They no longer need to use slow VPNs and can quickly and seamlessly access applications in public and private clouds.
4. Integration advantages
Costs and complexity can be reduced by unifying all critical security services. SSE provides a host of key security services, such as ZTNA, FWaaS, SWG, and CASB. All these services are integrated on one platform and can be deployed and enabled as required. By unifying the security protection of all accesses into one policy, multiple security protection capabilities can be integrated to maximize the digital security of the organization.
What Are the Core Components of SSE?
The following are the four core components of SSE:
- ZTNA: Based on the principle of "never trust, always verify", strict identity authentication and authorization are required for each access request. To elaborate, fine-grained access control is implemented to ensure that only authorized users and devices can access specific applications and services. ZTNA is typically integrated with identity and access management (IAM) systems to perform dynamic and context-aware access control. In this way, users can access the network only after passing authentication and their access behaviors are monitored in real time, helping to prevent unauthorized access and handle security threats in a timely manner.
- FWaaS: provides firewall functions as a cloud service. It moves the traditional hardware-based firewall functions to the cloud and provides and manages firewall services through cloud service providers, so as to safeguard enterprise networks and applications.
- SWG: safeguards users' Internet access. It integrates multiple functions and technologies to control, monitor, and protect web traffic, so as to prevent the spread of malware, malicious websites, and malicious content.
- CASB: a solution used to protect the security and compliance of enterprises when they are using cloud services. It acts as an intermediate agent between the enterprise intranet and the cloud service provider, providing enterprises with high visibility, control, and protection of data and applications in the cloud environment.
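The ZTNA behaviour described above (default deny, per-request checks on identity, MFA and device posture, least-privilege permissions, and continuous re-evaluation of a live session) as an added illustration in Python; this is example code, not code from this page or from Huawei's solution, and the policy table, request fields and sessions are constructed sample data.

```python
"""Minimal ZTNA policy evaluation: every request is checked against identity,
device posture and application context, and the default decision is deny."""
from dataclasses import dataclass, field

@dataclass
class Request:
    user: str
    groups: set            # group memberships supplied by the IAM system
    mfa: bool              # whether the session was authenticated with MFA
    device_managed: bool   # device posture attributes reported by the agent
    device_patched: bool
    app: str               # application the user is asking for

@dataclass
class Decision:
    allow: bool
    permissions: set = field(default_factory=set)
    reasons: list = field(default_factory=list)

# Constructed sample policy: published applications, their sensitivity tier,
# and the groups allowed to reach them. Anything not listed is not published.
POLICY = {
    "wiki":    {"tier": "internal",   "groups": {"staff", "contractor"}},
    "payroll": {"tier": "restricted", "groups": {"finance"}},
}

def evaluate(req: Request) -> Decision:
    """Return the least-privilege decision for one access request."""
    app = POLICY.get(req.app)
    if app is None:
        return Decision(False, reasons=["application not published"])
    if not (req.groups & app["groups"]):
        return Decision(False, reasons=["identity not authorized for app"])
    if app["tier"] == "restricted" and not req.mfa:
        return Decision(False, reasons=["restricted tier requires MFA"])
    if not req.device_managed:
        return Decision(False, reasons=["unmanaged device"])
    perms = {"read"}                      # minimum useful permission set
    if req.device_patched and req.mfa:
        perms.add("write")                # full access only with strong posture
    reasons = [] if "write" in perms else ["unpatched device or no MFA: read-only"]
    return Decision(True, perms, reasons)

def revalidate(sessions: dict, updated: Request) -> bool:
    """Continuous verification: re-run the policy on a live session after a
    posture change and revoke the session if access is no longer allowed."""
    decision = evaluate(updated)
    if not decision.allow:
        sessions.pop(updated.user, None)  # drop the session, do not downgrade
        return False
    sessions[updated.user] = decision.permissions
    return True
```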
SSE vs. SASE
Gartner proposed the concept of SASE in 2019 and then the concept of SSE in 2021. SSE is a refined and independent class of security functions in the SASE architecture. The two concepts have different scopes. SASE is an overall architecture that integrates network functions (SD-WAN) and security functions (SSE). It provides enterprises with a comprehensive unified network and security solution, spanning network connection optimization and security protection. SSE focuses on a collection of security functions and is a key element of SASE security. It provides specific security functions for enterprises in terms of cloud environments and network access. In short, SASE = SD-WAN + SSE; SSE = ZTNA + FWaaS + SWG + CASB, as shown in the following figure.
Figure: SSE vs. SASE
Applications of SSE in Huawei Xinghe Intelligent SASE Solution
Huawei Xinghe Intelligent SASE Solution complies with the MEF SASE model standards. It consolidates SD-WAN networking, security, and remote access into a unified network-security convergence solution. The solution is logically divided into four layers: management and control, SSE, network, and endpoint. Leveraging flexible modular combination, the SSE layer provides users with security services, including traffic-type and non-traffic-type security capabilities such as ZTNA, FWaaS, SWG, and CASB. For more solution details, see Huawei Xinghe Intelligent SASE Solution. For details about solution deployment and maintenance, see Huawei Xinghe Intelligent SASE Solution Documentation.
- Author: Li Shiguang, Yang Xiaofen
- Updated on: 2024-12-09