Security Service Edge (SSE)

Security Service Edge (SSE) provides state-of-the-art security for customers who already have SD-WAN deployed.

Base Features

    1. Secure Web Gateway (SWG) – safeguards users from malicious traffic and website threats.
    2. Firewall as a Service (FWaaS) – protects WAN and Internet traffic. It eliminates on-premises appliances.
    3. Zero Trust Network Access (ZTNA) – to protect remote users and enforce security policies dynamically (5 users included)

Add-on Security Features:

    1. Zero Trust Network Access (ZTNA) – to protect additional remote users.
    2. Cloud Access Security Broker (CASB) – to protect against cloud security risks and enforce security policies.
    3. Data Loss Prevention (DLP) – to help ensure PCI and HIPAA regulatory compliance. It also protects sensitive information, customer data, and intellectual property.
    4. Next Gen Anti-Malware (NGAM) – supplies deep packet inspection and leverages multi-layered and tightly integrated anti-malware engines to block malware files.
    5. Intrusion Prevention System (IPS) – inspects inbound and outbound, WAN and Intranet traffic, including SSL traffic. It leverages machine learning algorithms and deep network insights to detect and prevent the spread of ransomware across networks.
    6. Managed Detection & Response Services (MDR) – offloads the resource-intensive and skill-dependent process of detecting compromised endpoints to the security operations center.

In 2021, Gartner introduced a new category, the Security Service Edge (SSE), to describe the convergence of certain network security functions in the cloud. SSE converges SWG, CASB/DLP, and ZTNA into a single cloud service. SSE is a subset of the security layer of SASE that can be deployed as a standalone capability or as a step in a full SASE transformation journey.

At its core, SSE provides secure access to the internet and to SaaS applications, as well as specific internal applications. But not all SSE solutions are the same.

Secure application access
SSE secures access to the web and to public cloud applications through a converged and cloud-native Secure Web Gateway (SWG) and Cloud Access Security Broker (CASB). Customers can control application access based on risk and compliance requirements associated with user identity, device posture, web site categories, cloud applications profiles, and numerous other attributes.

Threat detection and prevention
SSE inspects traffic and files exchanged between users, web sites, and applications. Anomalous traffic patterns and malicious files are detected using Firewall as a Service (FWaaS) with advanced threat detection (IPS and Next-gen Anti-Malware) and can be blocked or alerted. Inspection occurs in real time, at line speed, including TLS encrypted traffic. Threat detection capabilities can be extended with optional Managed Detection and Response (MDR) capabilities offered as a managed SOC on top of the SSE platform.

Secure and Optimized Remote Access
SSE enforces consistent policies for all user access, in the office, on the road, and at home with Zero Trust Network Access (ZTNA). Users benefit from the same level of security protection including full threat detection and prevention that is delivered globally from the cloud.

SSE eliminates the need to rely on location-bound appliances that restrict protection to users in specific locations or impact the user experience by backhauling traffic for inspection in regional hubs or corporate locations (“the trombone effect”). SSE providers built with a global private backbone can optimize access to cloud and WAN applications across the middle mile to enhance the user experience.

Sensitive Data Loss Prevention (DLP)
SSE enables enterprises to control the use of sensitive business data with Data Loss Prevention (DLP). In-line scanning for sensitive data can alert on or stop data exfiltration or leakage outside the enterprise boundaries. API-based integration with public cloud applications (SaaS) such as Office365 extends this control to application access from personal devices that are outside corporate network security controls.

Cato SSE 360: Total Visibility, Optimization, and Control of All Traffic, Users, and Applications, Everywhere
While traditional SSE services provide secure access to the internet and SaaS applications, and access to specific internal applications, your enterprise is left to cope with blind spots in your WAN traffic, requiring additional point solutions like firewalls and global backbones. Cato SSE 360 goes beyond SSE’s basic scope, providing your enterprise with total visibility, optimization, and control of all enterprise traffic, including WAN, cloud and internet.

With a cloud-native, globally distributed architecture, SSE provides significant benefits over traditional appliance-based solutions. SSE (Security Service Edge) refers to a limited scope of network security convergence: the combination of SWG, CASB/DLP and ZTNA, delivered as a single cloud-native service. SSE is a great step in the right direction towards Gartner’s ultimate vision of converged SASE (Secure Access Service Edge). Find out how enterprise IT can benefit from a converged SSE solution, from the right network security vendor.

Consistent Security Policy Enforcement
SSE establishes a global fabric that connects all edges into a common security platform. All traffic, between any two edges, is inspected by SSE and the full set of corporate policies can be enforced for threat prevention and data protection. SSE provides consistent security policy enforcement down to a single user, avoiding the need to compromise on depth of security controls to small locations due to budget and maintenance concerns. For complete enterprise protection, SSE must be able to inspect not only user-to-application web traffic but also traffic to legacy applications, traffic across physical locations, and traffic exchanged between non-human edges like applications and IoT devices.

Reduced Attack Surface with Zero Trust Access (ZTA)
SSE implements zero trust access by ensuring users can only access authorized applications (“least privilege access”) and application access is continuously assessed for anomalies such as threats, attacks, and data loss. SSE solutions vary in the way they deploy zero trust access, how application connectivity is established, and how trust is verified. Some SSE products use application connectors to create an overlay on top of the enterprise network and do not continuously inspect the traffic between the user and the application. Others implement identity-aware segmentation of the network that requires no additional components and perform deep packet security inspection of all traffic.

Elastic, High Performance Security Inspection
SSE is a cloud-native and cloud-based solution that is delivered through a global backbone comprised of points of presence (PoPs). The PoPs must be able to secure the traffic at any scale without impacting the user experience. To achieve that, PoPs must easily scale vertically and horizontally, reside within 25ms of every business location and user, and leverage optimal routing for both local and global traffic. SSE providers choose between building their own clouds on low-overhead physical infrastructure and hosting their SSE PoPs in the public cloud (AWS, Azure, GCP) on nodes that can handle the compute requirements.

Improved Security Posture
SSE providers are security and cloud specialists. The SSE provider’s SOC monitors the threat landscape and deploys mitigations to emerging threats, offloading this critical activity from the customers’ IT staff. The SOC extends the customer’s skill set with unique expertise that ensures users are always protected and the attack surface is limited.

SSE Reduces IT Workload without Customer Involvement
SSE providers have established processes to continuously update the cloud service with new enhancements and fixes without any involvement from the customer. This self-maintaining capability is key to reducing the total cost of ownership of IT infrastructure and diverting key IT resources to business-focused activities instead of the grunt work of “keeping the lights on.” As a cloud service, the underlying PoPs should back up one another, and users and locations should seamlessly move to another PoP if one becomes inaccessible. This improves uptime and eliminates the need for complex high availability design.

Cato SSE 360: Total Visibility, Optimization, and Control of All Enterprise Traffic
Cato SSE 360 goes beyond the limited scope of SSE internet security to provide total visibility, optimization, and control of all traffic, users, and applications everywhere. And with a seamless path to SASE, the benefits of streamlined networking and security infrastructure can be extended even further. With Cato, enterprises realize an improved security posture, deeper cost savings, and greater business agility.

You have probably heard of SASE by now, but maybe it’s the first time you’re hearing about SSE. So, SSE vs SASE: What’s the difference? In this article, we’ll compare SSE and SASE, to set the story straight.

What is SASE?
The Secure Access Service Edge (SASE) category was created by Gartner in 2019 to define the convergence of networking and security capabilities into a single cloud-native service. SASE has, therefore, two pillars: networking and security.

The networking pillar of SASE focuses on the resiliency and optimization of access and includes capabilities such as SD-WAN, WAN optimization, and quality of service. The security pillar of SASE secures network traffic and application access by converging SWG, CASB, ZTNA, and FWaaS, to enforce corporate security policies on all users and locations.

What is SSE?
Two years after introducing SASE, Gartner introduced a new category called Security Service Edge (SSE). SSE describes a limited scope of network security convergence, which combines SWG, CASB/DLP and ZTNA into one, cloud-native service. SSE provides secure access to internet, SaaS and specific internal applications, without directly addressing secure access to WAN resources. These remain part of a separate technology stack including technologies such as SD-WAN, Next Generation Firewalls (NGFWs), and global network backbones.

SASE vs SSE: What’s the Difference?
SSE can be thought of as a key portion of SASE’s security pillar. SASE takes a broader and more holistic approach to secure and optimized access, addressing both optimization of the user experience and securing all access and traffic against threats, attacks, and data loss.

SASE or SSE: Which Will You Choose?
IT professionals are faced with the decision of how they approach the “converged future” of their IT infrastructure. Some enterprises will opt for full SASE convergence and others will approach their transformation journey in multiple phases, starting with SSE-driven security transformation and later converging the SD-WAN layer, as needed. Opting for an SSE solution that is part of a single-vendor SASE platform is a strategic decision that leaves the path open for future network transformation, as well as architectural convergence, greater business agility, operational simplicity and lower TCO.

Cato SSE 360: Total Visibility, Optimization, and Control with a Seamless Path to SASE convergence
Cato offers both Cato SSE 360 and Cato SASE Cloud, to provide maximum flexibility in your journey to transform your networking and security architecture. Cato SSE 360 goes beyond Gartner’s limited scope of SSE, to provide total visibility, optimization and control for all traffic, users, devices, and applications everywhere. Not only does it provide secure and optimized access to the internet and public cloud applications, but also to WAN resources and cloud datacenters, reducing your attack surface and eliminating the need for additional point solutions like firewalls, WAN optimizers and global backbones. And, Cato SSE 360 provides a clear path to SASE convergence through gradual migration.

Cato SASE Cloud connects all enterprise network resources, including branch locations, the mobile workforce, and physical and cloud datacenters, into a global and secure network. Cato SASE Cloud runs on a private global backbone of 70+ PoPs connected via SLA-backed capacity across multiple tier-1 network providers. The backbone’s cloud-native software provides global route optimization and WAN optimization for maximum end-to-end throughput, self-healing capabilities for maximum uptime, and full encryption. With all WAN and internet traffic consolidated in the cloud, Cato applies a suite of security capabilities to protect all traffic at all times. Current security capabilities include FWaaS, SWG, standard and next-generation anti-malware (NGAM), managed IPS-as-a-Service (IPS), and Managed Threat Detection and Response (MDR).

When it comes to SSE vendor selection, not all vendors are alike. SSE is a relatively new market category of network security convergence, created by Gartner in 2021. And while SSE combines SWG, CASB and ZTNA into one unified, cloud-native service, that’s where the similarities end. SSE vendors vary greatly in terms of their architecture, scope of convergence, ease of management, threat protection and detection, and resiliency. So, when it comes to SSE vendor selection, how do you decide which vendors to shortlist? In this article, we look at the five key considerations to remember when selecting the right SSE service for your enterprise.

Total Visibility and Control Across All Edges and All Traffic
SSE solutions must be able to see all traffic between all “edges” (sites, remote users, and cloud resources) across all ports and protocols, and in all directions (WAN and Internet). Total visibility enables SSE to enforce one set of security policies for the complete enterprise. Yet, some SSE solutions are built to secure access to web applications only or are unable to inspect private application traffic, creating visibility and control gaps.

Global Footprint with High-Performance Security
The SSE cloud service must be available globally and within 25ms of most users and applications. Cloud service points of presence (PoPs) should be built for intense compute to ensure high performance and low-latency security inspection including decrypting and re-encrypting TLS encrypted traffic. Leading SSE providers rely on physical PoPs to reduce overhead and maintain tight control over routing and service availability. A global private backbone further extends SSE’s ability to optimize global traffic over the “middle mile” to WAN and cloud destinations.

Converged Management and Analytics in a Single Pane of Glass
All SSE policies, events, and analytics must be accessed through a single pane of glass. A truly converged SSE platform allows the creation of a granular set of policies that leverage the full context available to the SSE platform across device, identity, network, application, and data. All events across users, threats, data, and application access should be accessible through a common set of analytics dashboards.

Future-proof and Resilient SSE Service
The SSE cloud service should seamlessly evolve to deliver new capabilities and optimize security posture. A converged, single-pass architecture creates the basis for new inline capabilities that extend the current offering to address emerging requirements within the same architecture. The cloud service itself should scale to support customer growth in both users and bandwidth without structural changes to the deployment. Resiliency must be built in to ensure continuous inspection even if PoPs become unavailable or their performance is degraded.

Seamless Path to SASE Convergence
SASE is the convergence of networking, specifically SD-WAN and WAN optimization, and a cloud-based security service, which is SSE. A single-vendor SASE platform that provides both SD-WAN and SSE maximizes the benefits of infrastructure convergence by eliminating edge appliances like routers, firewalls, and third-party SD-WAN appliances and by placing visibility into and management of the end-to-end connection under a single application. SSE that can be easily and gradually converged with SD-WAN and WAN optimization will let the organization reap the benefits of SASE, if and when the organization is ready, without disrupting IT processes or the business.

Cato SSE 360 vs. SSE: Choosing the Right Solution
When it comes to selecting between SSE vendors, make sure you’re selecting the right solution. Traditional SSE services offer some combination of converged SWG, CASB / DLP, and ZTNA, delivered as a cloud-native service. But they only provide secure access to internet applications, leaving your WAN traffic unprotected. Cato SSE 360 moves past the limitations of traditional SSE’s blind spots, providing you with full visibility and control over all traffic: including internet, WAN and cloud traffic.

FWaaS: How quickly are you able to respond to zero-day threats that appear? How well are you able to implement new security policies as they apply to changes and priorities in your business?

How much time is your IT staff today spending on managing legacy or next generation firewalls?

SWG: What % of your employees currently work remotely at least some of the time? How are you currently managing remote workers’ access to allowed and not-allowed web destinations?

ZTNA: How are you supporting BYOD with your employees? What does the next 3 years look like for your work-from-home strategy?

CASB: Of all the business applications used by your organization, approximately what percentage is currently public cloud-resident? How are you getting visibility to all SaaS apps? How are you enforcing access to rogue apps? How are you protecting sensitive corporate data that may be in those apps?
