Providing Out-of-Band Connectivity to Mission-Critical IT Resources

Security Service Edge (SSE) Implementation Guide for Enterprises

shutterstock_1771738652

Security Service Edge (SSE) is an emerging network security model that rolls up technologies like zero trust network access (ZTNA), cloud access security broker (CASB), secure web gateway (SWG), and next-generation firewalls/firewall as a service (FWaaS) into a cloud-centric security stack.

With these cloud security services, you can provide secure access to the cloud and software as a service (SaaS) resources for both on-premise and remote workers. This blog will dive into the essential technologies to achieve security service edge. We’ll also discuss the benefits these technologies can provide to your enterprise, as well as tips and best practices for streamlining your SSE implementation.

SSE implementation guide for enterprises

Enterprises may choose to implement SSE by purchasing an all-in-one solution that includes the core components of security service edge. Other teams prefer to buy each security technology separately so they can select the best vendor for their particular use case, or because they already have some SSE capabilities with their existing security stack and only need to supplement with one or two additional solutions.

Let’s take a look at the key security service edge technologies that you need to implement to achieve SSE for your enterprise.

Zero trust network access implementation

ZTNA, or Zero Trust Network Access, is a remote access security solution based on the zero trust security model and follows the principle of “never trust, always verify.” Unlike a VPN, which gives authenticated remote users full access to an enterprise network, ZTNA only allows remote users to access specific resources one at a time. With ZTNA, you can create contextual access control policies that limit a user’s privileges depending on the relative risk of that specific request. So, for example, a user connecting at 1 PM from their home office may get more ZTNA privileges than a user connecting at 1 AM from their mobile device in another country.

A ZTNA solution needs identity and access management (IAM) capabilities to authenticate users and dynamically assess their trustworthiness. For instance, ZTNA typically uses multi-factor authentication (MFA) to provide an extra layer of verification before a user can access enterprise resources. User and entity behavior analytics (UEBA) are also commonly used by ZTNA because these can track account and device behavior on the enterprise network to spot anomalous behavior and provide analyses of a user’s trustworthiness.

ZTNA can be deployed as physical appliances in data centers, or you can choose an entirely cloud-based solution. Using ZTNA as a cloud service will save you from needing to purchase, configure, deploy, and manage more physical hardware, plus you’ll be closer to achieving an ideal SSE implementation by keeping more infrastructure in the cloud. In addition, purchasing IAM and ZTNA capabilities as one solution is not needed if you already have an existing IAM (or a particular vendor you wish to use)—just make sure your ZTNA and IAM support integrations with each other. Implementing ZTNA for SSE helps you bring zero trust security to your cloud and remote traffic.

Cloud access security broker implementation

A CASB, or Cloud Access Security Broker, is essentially a software gatekeeper that sits between enterprise users and cloud services. It provides visibility into how enterprise users interact with your cloud services, using technology like UEBA to detect unusual behavioral patterns and assess risk.

CASB serves numerous vital cloud security functions, including:

  • Implementing enterprise policies to cloud resources to enforce the same level of security on all your on-premises and cloud infrastructure equally.
  • Auto-discovering all cloud applications, data, and services in use so you can identify risk factors and prevent shadow IT (technology in use by your enterprise that your IT teams might not know about).
  • Extending data loss prevention (DLP) and data governance policies to your cloud data, to prevent the exfiltration of sensitive and proprietary data, and ensuring your enterprise complies with data privacy regulations.

As part of an SSE implementation, there are two CASB deployment modes to choose from, depending on your enterprise’s unique needs. You can use a proxy-based CASB, which is an HTTP proxy that sits between remote users and the cloud to monitor and direct traffic. Or you can use an API-based CASB, which interfaces directly with cloud and SaaS providers to inspect traffic.

Each deployment has pros and cons that need consideration with your enterprise’s goals and requirements in mind. Generally, a proxy-based CASB may cause network slowdowns because all your remote, cloud-destined traffic is funneled through a single device. Regardless, it’s still flexible considering it can work with any vendor or application. On the other hand, An API-based CASB often suffers from vendor lock-in since it integrates with a specific provider (like Microsoft 365 or Salesforce), but it causes less latency. It doesn’t require any physical or hosted hardware. Either way, deploying CASB for your SSE implementation helps monitor and protect traffic to and from your cloud services.

Secure web gateway implementation

An SWG, or Secure Web Gateway, is precisely what it sounds like—a secure gateway between your enterprise and the web. It filters malicious content from the internet and blocks dangerous user activity (like clicking unsafe links or downloading files from untrusted websites). Enterprise IT teams have been using traditional SWGs for years in physical appliances or as software running on proxy servers.

For SSE, an SWG is a cloud-based solution that can route all remote and branch office traffic to bypass your data center altogether. That means you don’t need to backhaul remote traffic through the SWG at a data center. However, you still get to apply enterprise web filtering, acceptable use policies, and internet security. Implementing an SWG for SSE allows you to treat your remote web traffic the same way as your on-premises traffic, providing consistent security across the board.

Next-generation firewall/Firewall as a service implementation

An NGFW, or next-generation firewall, improves the capabilities of a stateful firewall by providing features like cloud threat intelligence, integrated intrusion prevention, and application awareness plus control. An NGFW can be a physical appliance you deploy at the data center. Still, for an ideal SSE implementation, you should look for NGFW technology as a cloud-based service known as FWaaS or firewall as a service.

FWaaS delivers all the functionality of an NGFW, including:

  • Breach prevention, which uses technology such as integrated intrusion prevention, URL filtering, and built-in sandboxing to analyze viruses and other malware.
  • Complete network and cloud visibility with monitoring, UEBA, and automated threat analysis and remediation.
  • Deep packet inspection (DPI) to comprehensively analyze every data packet that passes through your network.

One of the most significant benefits of FWaaS for SSE implementations is that you won’t need to deploy many physical appliances to branch offices and data centers. Plus, you can route remote and cloud-destined traffic through a cloud firewall instead of backhauling it through a physical device, which reduces network latency. FWaaS for SSE provides all the security functionality of a physical next-generation firewall, but as a convenient cloud service.

Zero trust network access, cloud access security brokers, secure web gateways, and firewall as a service are the four key technologies needed to deploy and achieve the SSE model. However, to use SSE technology, you need to route the remote and branch office traffic to those services. This is what’s known as an access onramp, which turns SSE into SASE—secure access service edge.

Access your SSE implementation with Nodegrid

It would be best to have an access solution that seamlessly integrates with your security service edge implementation and simplifies the management of your remote network architecture, like ZPE Systems’ Nodegrid. The Nodegrid SR family of edge routers delivers vendor-neutral orchestration of your remote infrastructure so you can easily spin up and manage your SSE solutions from anywhere in the world.

Learn more about how to access your SSE implementation with Nodegrid.

Contact ZPE systems online or call 1-844-4ZPE-SYS.

Contact Us

Top Security Service Edge Use Cases & Benefits for Enterprises

shutterstock_1608251770

Security service edge (SSE) is an emerging network security model, first announced by Gartner in their 2021 Hype Cycle, that stems from the need to retool the industry’s thinking about SASE (secure access service edge). SSE protects your network edge by combining cloud-based security technologies, including:

  • Firewall as a Service (FWaaS), which rolls up firewall technology into a cloud-based service
  • Zero Trust Network Access (ZTNA), which applies zero trust security principles to remote traffic
  • Cloud Access Security Broker (CASB), which applies enterprise security controls and policies to traffic between the cloud and on-premise networks

Several use cases are driving enterprises to adopt SSE, including securing traffic from remote workers. This allows the migration to cloud and SaaS platforms while applying the same level of security as on-premises, and simplifying the security of an SD-WAN architecture. Let’s dive into the top SSE use cases and benefits for enterprises.

Top SSE use cases and benefits for enterprises

The top use case driving SSE adoption, and the most relevant to many enterprises right now, is the need to provide secure and reliable access for remote employees. We’ll also touch upon how SSE enables secure adoption of cloud and SaaS solutions and how you can combine SSE with SD-WAN technology to achieve the SASE model.

SSE use case #1: Securing remote access for remote employees

The pandemic forced many enterprises to adopt new remote access technologies—or upgrade existing ones—so their employees could safely work from anywhere without affecting productivity. However, even pre-pandemic, many organizations were recognizing the limitations of VPNs (virtual private networks) for a workforce that might need access to enterprise resources from anywhere in the world at any time. VPNs present numerous security challenges for enterprises:

  • To secure remote traffic, you need to route it through a firewall or security appliance at your headquarters or data center. This can create significant bottlenecks on your enterprise network and affect performance for both remote and on-premises users.
  • Typical VPN solutions don’t provide any mechanism for centrally managing your deployments or monitoring the devices that remotely connect to your network. For an enterprise setting, it means you could be allowing hundreds or thousands of remote VPN connections to your primary enterprise network, from devices that may or may not have adequate security controls without verifying the identity or trustworthiness of the person connecting.
  • In addition, once a user or device connects via VPN, they can freely move about your enterprise network just as if they were in the office. If a hacker compromises a privileged account with VPN access, they could jump from system to system, exfiltrating data and causing financial and reputational damage in the process.

SSE benefits for securing remote connections of enterprises, cloud, and SaaS services

Enterprises can significantly reduce bottlenecks by bypassing their headquarters since most remote traffic is destined for services outside the network. SSE eliminates the need for remote, cloud, or web-destined traffic to route through the enterprise network firewall, because it provides security as a cloud-based service. That means you’re routing remote traffic through an SSE solution in the cloud, rather than a physical device through the office or data center, reducing the enterprise network’s load.

SSE uses technology like ZTNA to provide granular visibility, control, and verification of all the remote users and devices connecting to the enterprise resources. For example, with ZTNA, you can apply specific access control policies that grant remote users access to only the specific resource they need for the task at hand. Once a remote user authenticates, ZTNA creates a secure, encrypted tunnel to that application or resource, removing the need for a VPN.

SSE also provides a unified, cloud-based security stack that you can access and manage from anywhere at any time. Through components like FWaaS, you can monitor and track all remote devices from one control panel. For instance, you can ensure all laptops are running the latest security definitions and create rules that block connections from a device that isn’t up-to-date.

In addition, SSE restricts lateral movement on your network, following what’s known as the “dark cloud” principle (also known as software-defined perimeter) to prevent remote users from seeing or interacting with anything except the specific application they’ve been authenticated for. If a remote user needs to access a different resource, their privileges and trustworthiness can be re-verified using specific security policies for that new resource.

SSE addresses VPNs’ security concerns, by providing an alternative way for remote users to securely access the cloud, SaaS, and web services they need without contacting your enterprise network. Using technologies like ZTNA and FWaaS, SSE allows you to centrally manage the remote users and devices, apply highly precise security policies, and restrict lateral movement on the network, while still providing secure and reliable access to enterprise resources. That’s why you should consider replacing VPN with SSE for the work-from-anywhere user base.

SSE use case #2: Public cloud and SaaS adoption without sacrificing security

Security is one of the primary concerns when migrating workloads or services to the cloud. For example, you may find it challenging to apply enterprise security and access control policies to your SaaS or cloud platform, leading to inadequate policy enforcement in the name of convenience.

Another example is when you process regulated data for healthcare or financial systems; you may need to enforce specific data governance policies about who can access what information for which reasons. It can be challenging to gain visibility on how your users are accessing data in the cloud, mainly if you rely on the monitoring functionality provided by individual cloud vendors.

SSE benefits for securing public cloud and SaaS implementation

Cloud and SaaS services need the same level of security as your enterprise network, and SSE makes that possible. SSE uses an integrated CASB to apply enterprise security, access, governance, and compliance policies across all cloud and SaaS platforms. The CASB also uses an API integration to automatically discover data, both at rest and in transit, across all cloud services so you can easily see who is accessing it and how it’s being used. This API integration allows the CASB to scan for malware and policy violations, send alerts, and automatically remediate threats.

SSE doesn’t just benefit remote workforces. Using an integrated CASB, SSE also allows enterprises to migrate from on-premises data centers to cloud and SaaS platforms while applying the same security, access, and data governance policies. We recommend adopting SSE if you’re migrating any critical or sensitive resources to the cloud.

SSE use case #3: Combining SSE with SD-WAN to achieve SASE

Secure access service edge, is a popular network security model introduced by Gartner in 2019. SASE combines a cloud-based security stack with software-defined wide area network (SD-WAN) technology to provide an integrated solution for accessing and securing your network edge.

The SASE stack includes the same technologies as SSE, and you’ve probably noticed the names are very similar. That’s because SASE is essentially SSE plus access—which is provided by an SD-WAN backbone.

Benefits of combining SSE with SD-WAN to achieve the SASE model

There are numerous benefits to implementing both SD-WAN and SSE to achieve the SASE model. For one, SSE doesn’t provide any mechanism to connect your remote and branch office users to the cloud and SaaS resources it’s protecting. SD-WAN’s intelligent and application-aware routing lets you send remote traffic directly to your cloud and SaaS platforms and bypass your enterprise network.

In addition, SD-WAN technology doesn’t come with any mechanisms for security—you still need to use firewalls and other appliances at all your data centers and branch offices to protect that traffic. The more remote locations you add to your SD-WAN implementation, the more security appliances you need to manage. SSE simplifies things by consolidating all your SD-WAN security into a single cloud-based stack.

SSE and SD-WAN complement each other well, and when you combine them, you end up with a comprehensive SASE implementation. If you have an existing SD-WAN architecture and want to simplify and streamline your network security, then you should add SSE to achieve full SASE. And the reverse is also true—if you’re going to implement SSE but don’t have the existing architecture for enabling remote and branch office access, then you should consider SD-WAN technology.

Accelerate your SSE deployment with Nodegrid

If you’re looking for a better way to secure remote traffic, cloud resources, and SD-WAN architecture, then your enterprise may benefit from a security service edge. Suppose you don’t already have an SD-WAN backbone on which to build SSE implementation. In that case, consider a vendor-neutral platform that works with a security service edge provider. ZPE Systems’ Nodegrid partners with top SSE providers, including Palo Alto, to provide a seamless SD-WAN onramp to your security service edge functionality. The Nodegrid SD-WAN platform for enterprise networks is key to making SSE work for your enterprise.

Want to learn more about how Nodegrid can help support your SSE use case?

Contact us online or call 1-844-4ZPE-SYS today.

Contact Us

Understanding Key Components of SSE (Security Service Edge)

shutterstock_1463056847

Modern network management involves a wide variety of distributed technologies. Because of this, enterprises have progressively moved towards the Security Access Service Edge (SASE) model to provide remote users with secure cloud-based services. Even though these services came together to form a comprehensive network and security stack, several providers made inaccurate claims that their products offered an all-in-one solution.

Consequently, the SASE model has undergone a rebranding. The new and improved focus on Security Service Edge (SSE) programs has confused those interested in transitioning to a remote structure. This article will help you understand SSE, its components, and how SSE differs from SASE.

In addition, we will discuss how you can implement SSE into networks and start your journey towards the SSE architecture suited for your enterprise.

What is Security Service Edge (SSE)?

SSE is a combination of cloud-based security technologies designed to protect your edge network. With all its programs combined, it forms half of the SASE framework. SSE provides cloud-based security and SaaS programs to the edge network perimeter, allowing remote users to access these services without being in the office.

What are the key SSE components?

To understand how SSE works, you need to understand its components and how they come together to form a more cohesive edge computing architecture.

Let’s dive deeper into each SSE component to understand them better.

sse components

Zero Trust Network Access (ZTNA)

Zero trust is one of the most important aspects of a robust SSE architecture. Zero trust is a security framework that operates on the central principle that “no device is trustworthy.” This includes devices within a company’s perimeter, which traditional “castle and moat” models ignore.

While zero trust exists as a general security architecture involving a variety of principles, zero trust network access (ZTNA) is the practice of applying zero trust principles to a  comprehensive SSE security stack. When applied correctly, ZTNA uses features such as:

  • Uniform security policies
  • Identity-based authentication
  • Centralized visibility
  • Granular access
  • Threat monitoring following access

ZTNA emphasizes “granular” access since it limits who can access and to what. In this way, it helps prevent the possibility of cyberattacks and minimizes their effects if they happen.

Cloud Access Security Broker (CASB)

CASB works as a form of cloud-based security. Whereas ZTNA focuses on the granular task of monitoring individual points of access, CASB focuses on tracking data transference from one cloud environment to another. When we talk about CASB, it is essential to specify that we mean integrated CASB instead of traditional CASB, which only offers piecemeal security protocols that solely cover data already in the cloud.

Integrated CASB uses an API-based security system that communicates between various SaaS applications commonly used by SSE networks. The significant advantage of taking this approach towards cloud security is updating and automatically possessing integration capabilities as new SaaS programs are introduced. With the rise of SaaS usage by large and small enterprises alike, CASB is undoubtedly a central need for any strong SSE network.

Secure Web Gateway (SWG)

As SSE networks exist almost entirely on the premise of edge computing, it makes sense that users want to emphasize a well-secured access terminal. The purpose of SWG is to provide this terminal in a remote location that exists on the edge of the security perimeter. Secure web gateways protect user access by:

  • Limiting website access once accessed
  • Enforcing security policies
  • Protecting data transfer

By limiting and restricting access, remote users will be less likely to access materials that could contain malware or ransomware, for which Palo Alto cites the ransom amounts having climbed by 82% in the first half of 2020. SWG makes up an integral part of the SSE security stack, providing the access terminal through which users begin to interact with the other programs.

Firewall as a Service (FWaaS)

FWaaS uses a SaaS service structure to provide firewall services for clients. FWaaS offers large and small enterprises with cloud-based firewalls, which they can customize to work around company applications or cloud-based services; without needing to route traffic through a physical firewall appliance at a data center.

The main advantage of FWaaS is adaptability—since it is constantly updated to integrate with new and existing services commonly used in SSE networks. With FWaaS, you avoid all the hassle of deploying and managing hardware at every branch office or the performance issues that come from backhauling remote traffic through a single appliance at the primary data center.

SSE vs. SASE: What is the Difference?

The transition to SSE networks might seem confusing for network administrators who have been working on the SASE model in recent years. This is an understandable confusion, but the differences between them are significant and merit some studies. The basic breakdown is as follows:

  • SASE = Secure Access Service Edge
  • SSE = Security Service Edge

This distinction seems odd on its face. The difference between the two is just the element of access. That essentially means SASE=SSE+Access. The access portion of SASE is also a collection of several components itself. SD-WAN, routers, and gateway all play essential roles in granting remote users access to the programs offered by the SSE stack. Together, the two create the comprehensive SASE architecture, which has become the benchmark for remote access over the last few years.

Why Does “Access” Matter as an SSE Component?

It’s easy to look at the equation above and think that enterprises are losing something with the move to SSE, since SASE seems to have something (access) that SSE does not. This is why it’s important to remember that SASE is a collection of programs and is not offered as an all-in-one system anywhere. This has not stopped various SD-WAN network providers from claiming to provide a SASE connection, confusing the market and necessitating the move in distinction to SSE.

What SSE components can do for your organization

Whether you plan on switching over to an SSE network entirely, the fact remains that many SSE components are good tools to have in your security stack. Even if your company has not gone remote and operates using a traditional “castle and moat” model, things like ZTNA, CASB, and SWG still have a lot to offer in making your business more secure.

For enterprises wishing to switch over to a SASE framework, ZPE’s Nodegrid series of routers offers options for both SD-WAN solutions and Zero Trust Network Access, making it the perfect start on your SASE journey.

Want to learn more?

Contact us for more information on how we can help get your enterprise on the right track.

Contact Us