Manage your Network!

Security Service Edge (SSE) Limitations & Disadvantages. Protecting all Traffic, Users, Apps, and Services with 360-degree SSE

This article explores the Security Service Edge (SSE) portion of Secure Access Service Edge (SASE) and the need for holistic cybersecurity protections.

We lightly touch upon the drivers for tighter enterprise security and then dive into what SSE is, comparing its architecture and migration path to SASE to a 360-degree SSE approach which offers complete visibility, optimization and control with a seamless path to SASE convergence.

How Security Service Edge (SSE) fits into SASE’s Security Pillars

Key Topics:

The Need For Holistic Security

Legacy security architectures presupposed security as local and siloed with appliances everywhere. Unfortunately, these architectures produced protection, performance, and visibility gaps, so the overall security requirements for enterprises have proven this model insufficient.

This outdated approach influenced the need for security simplification and assumes enterprises replace these architectures with a strategy that will:

Simplify security management
Minimize security blind spots
Inspect traffic flows in all directions
Deliver Zero Trust access everywhere
Give visibility and control into all traffic

SSE vs. 360-degree SSE: What is The Architecture Difference?

Security Service Edge (SSE) is new category introduced by Gartner, two years after SASE, and represents an essential step toward simplifying complex security architectures by consolidating them into cloud-delivered services. This allows enterprises to quickly adapt to new business and technical challenges like cloud migration, the growing hybrid workforce, etc.

The figure below represents the basic SSE architecture and its protection scheme:

Basic SSE Architecture and its protection scheme

SSE consolidates SWG, CASB, DLP, and ZTNA and represents a small portion of the security pillars of SASE. However, diving deeper into what SSE delivers versus what businesses require, we realize that basic SSE lacks full security protection and has coverage shortcomings, as pictured below:

SSE represents a small portion of the security pillars of SASE

Nonuser traffic, malicious traffic, and WAN malware propagation are not considered. A 360-degree approach to SSE, which provides advanced threat protection for east-west and north-south traffic, is required to counter this. Such a service performs real-time inspection of all traffic for advanced threats and sensitive data leakage with consistent policy enforcement everywhere. The picture below describes this service.

Catonetworks 360-degree approach to SSE: 360-degree SSE

With a Single Pass Processing Engine, a 360-degree SSE enhances basic SSE, adding FWaaS, IPS, and NGAM for a full inspection and enforcement of multiple access, network, and security policies. This protects all traffic, users, apps, and services.

Security Collaboration

Collaboration among security technologies is crucial for complete protection. With a single converged software stack, all security functions in a 360-degree SSE share contextual data, enforcement decisions, threat data, etc. For example, CASB and ZTNA share context with FWaaS to enforce corporate security policies; and FWaaS shares this context with NextGen Anti-malware (NGAM) and IPS for advanced threat protection.

360-degree SSE provides holistic threat protection with coverage to and from all threat vectors. This is something a basic SSE cannot deliver.

SSE or SSE 360: Choose Your Defense Carefully

Users can choose SSE approaches, so we encourage due diligence in your evaluation.

The following chart provides a detailed comparison:

	Basic SSE	360-degree SSE
Core Capabilities
ZTNA (Zero Trust Network Access)	Yes	Yes
Client and Clientless, Device Posture	Yes	Yes
Continuous traffic inspection for threats	No	Yes
SWG (Secure Web Gateway)	Yes	Yes
CASB/DLP (Cloud Access Security Broker)	Yes	Yes
Inline	Yes	Yes
FWaaS with Full Threat Prevention	No	Yes
Unified architecture for all capabilities	No	Yes
Management
Connect with IPSec enabled or SD-WAN devices	Yes	Yes
“Single Pane of Glass” management	Yes	Yes
Self-healing platform (cloud availability)	No	Yes
Proven fast adaptation to evolving threats	No	Yes
Traffic Visibility
Internet: Web sites, Public Cloud Apps (Office 365)	Yes	Yes
WAN: Cloud DC Apps (AWS, Azure, GCP)	No (requires app-specific connectors)	Yes
WAN: Physical DC Apps	No (requires app-specific connectors)	Yes
All ports and protocols	No	Yes
Traffic Control
SSL decryption	Yes	Yes
Internet traffic	Yes	Yes
WAN traffic inspection	No	Yes
Traffic Prevention
Inbound/Outbound (Web)	Yes	Yes
WAN propagation	No	Yes
All ports and protocols	No	Yes
Advanced Threat Detection	No	Yes
Security events: collection, reporting, and exporting	Yes	Yes
Path to SASE Convergence
Seamlessly expandable to single-vendor SASE	No	Yes
Appliance elimination for SD-WAN, FW, Routers, Wan Opt.	No	Yes
SD-WAN capable	3^rd party	Yes

A crucial advantage of the 360-degree SSE, as articulated in this chart, is the seamless and straightforward manner by which customers, when ready, can migrate to a single-vendor SASE deployment.

360-Degree SSE: Seamless Path to Single-Vendor SASE

With 360-degree SSE, customers can quickly implement a single-vendor SASE, adding only an SD-WAN Edge device. This approach extends the functionality of basic SSE with built-in FWaaS, IPS, and NGAM for advanced threat protection and SD-WAN for global networking services with guaranteed performance. This extends coverage for all traffic, users, apps, and locations.

Summary

The Security Service Edge (SSE) simplifies the fragmented security stack by consolidating ZTNA, SWG, DLP, and CASB. This is a good start but still leaves visibility and protection gaps.

360-degree SSE “sees” all traffic flows and applies the full range of security policies for real-time inspection for threats, sensitive data, and compliance with consistent enforcement across a global private backbone.

A 360-degree SSE delivers on the promise of omnipresent enterprise security.