Security Service Edge (SSE) is an emerging network security model that rolls up technologies like zero trust network access (ZTNA), cloud access security broker (CASB), secure web gateway (SWG), and next-generation firewalls/firewall as a service (FWaaS) into a cloud-centric security stack.
With these cloud security services, you can provide secure access to cloud and software as a service (SaaS) resources for both on-premises and remote workers. This blog will dive into the essential technologies needed to achieve security service edge. We’ll also discuss the benefits these technologies can provide to your enterprise, as well as tips and best practices for streamlining your SSE implementation.
SSE implementation guide for enterprises
Enterprises may choose to implement SSE by purchasing an all-in-one solution that includes the core components of security service edge. Other teams prefer to buy each security technology separately so they can select the best vendor for their particular use case, or because they already have some SSE capabilities with their existing security stack and only need to supplement with one or two additional solutions.
Let’s take a look at the key security service edge technologies that you need to implement to achieve SSE for your enterprise.
Zero trust network access implementation
ZTNA, or Zero Trust Network Access, is a remote access security solution based on the zero trust security model and follows the principle of “never trust, always verify.” Unlike a traditional VPN, which places an authenticated remote user on the enterprise network and relies on network segmentation to limit what they can reach, ZTNA brokers access to individual applications: each request is evaluated on its own, and a user who is granted one resource learns nothing about, and cannot reach, any other. With ZTNA, you can create contextual access control policies that adjust a user’s privileges to the risk of that specific request, using signals such as time of day, location, device posture, authentication strength, and behavioral risk scores. So, for example, a user connecting at 1 PM from their home office on a managed laptop may get access to more resources than the same user connecting at 1 AM from an unmanaged mobile device in another country, who may be asked to re-authenticate or be denied outright.
A ZTNA solution needs identity and access management (IAM) capabilities to authenticate users and dynamically assess their trustworthiness. For instance, ZTNA typically uses multi-factor authentication (MFA) to provide an extra layer of verification before a user can access enterprise resources. User and entity behavior analytics (UEBA) is also commonly paired with ZTNA, because it tracks account and device behavior on the enterprise network, spots anomalous activity, and feeds a risk score back into the access decision.
ZTNA can be deployed as physical appliances in data centers, or you can choose an entirely cloud-based solution. Using ZTNA as a cloud service saves you from purchasing, configuring, deploying, and managing more physical hardware, and keeps more of your security infrastructure in the cloud, which is closer to an ideal SSE implementation. You don’t need to buy IAM and ZTNA as one bundled solution if you already have an IAM platform (or a particular vendor you wish to use); just make sure your ZTNA and IAM products integrate with each other, since the access decision is only as good as the identity and device signals behind it. Implementing ZTNA for SSE brings zero trust security to your cloud and remote traffic.
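To make the contextual access decision described above concrete, here is an added example of the kind of policy logic a ZTNA engine runs for every request. It is illustrative code written for this post, not ZPE Systems’ or any ZTNA vendor’s implementation; every field name, risk weight, and threshold is an assumption chosen for the example, and the requests in `example_decisions()` are constructed to mirror the 1 PM / 1 AM scenarios in the text.

```python
"""Per-request, per-resource access decision in the style of a ZTNA policy engine.
Added example, not ZPE's or any vendor's code; weights, thresholds and field names
are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AccessRequest:
    user: str
    resource: str          # one application, never "the network"
    when: datetime         # assumed to be the user's local time
    country: str           # geolocated from the source IP
    home_country: str      # user's registered work location
    device_managed: bool   # enrolled, compliant device (device posture)
    mfa_verified: bool     # fresh MFA in the current session
    ueba_score: float      # 0.0 (normal) to 1.0 (highly anomalous), from UEBA


@dataclass
class Decision:
    action: str            # "allow", "step_up" (require MFA now), or "deny"
    risk: int
    reasons: list = field(default_factory=list)


# Assumed risk weights and thresholds; higher means riskier.
RESOURCE_SENSITIVITY = {"wiki": 0, "crm": 2, "payroll": 4}
OFF_HOURS, FOREIGN_COUNTRY, UNMANAGED_DEVICE, NO_MFA, UEBA_SCALE = 3, 3, 4, 2, 5
STEP_UP_AT, DENY_AT = 4, 8


def decide(req: AccessRequest) -> Decision:
    """Score one request and return allow / step_up / deny for that one resource."""
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource)
    if sensitivity is None:
        # Default deny: a resource with no policy is not reachable at all.
        return Decision("deny", 0, ["no policy for resource"])
    risk, reasons = sensitivity, []
    if not 7 <= req.when.hour < 19:
        risk += OFF_HOURS
        reasons.append("off-hours")
    if req.country != req.home_country:
        risk += FOREIGN_COUNTRY
        reasons.append(f"connecting from {req.country}")
    if not req.device_managed:
        risk += UNMANAGED_DEVICE
        reasons.append("unmanaged device")
    if not req.mfa_verified:
        risk += NO_MFA
        reasons.append("no MFA in session")
    risk += round(req.ueba_score * UEBA_SCALE)
    if req.ueba_score >= 0.5:
        reasons.append("UEBA anomaly")
    if risk >= DENY_AT:
        action = "deny"
    elif risk >= STEP_UP_AT and not req.mfa_verified:
        action = "step_up"          # the user can lower the risk by re-authenticating
    else:
        action = "allow"
    return Decision(action, risk, reasons)


def example_decisions() -> dict:
    """Constructed requests mirroring the scenarios in the text (not real logs)."""
    day = datetime(2024, 5, 6, 13, 0)     # 1 PM local
    night = datetime(2024, 5, 6, 1, 0)    # 1 AM local
    cases = {
        "lunchtime_home_office": AccessRequest("alice", "crm", day, "US", "US", True, True, 0.0),
        "1am_abroad_mobile": AccessRequest("alice", "crm", night, "BR", "US", False, False, 0.2),
        "late_home_no_mfa": AccessRequest("alice", "crm", night, "US", "US", True, False, 0.0),
        "unknown_resource": AccessRequest("alice", "legacy-db", day, "US", "US", True, True, 0.0),
    }
    return {name: decide(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, d in example_decisions().items():
        print(f"{name:24} {d.action:8} risk={d.risk:<3} {', '.join(d.reasons)}")
```

Two design points are worth noting. The engine decides per resource, so the same user can be allowed into the wiki and denied payroll in the same minute, which is the difference from a VPN that admits the user to a network. And a resource with no policy entry is denied rather than allowed, which is the default-deny stance zero trust requires.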
Cloud access security broker implementation
A CASB, or Cloud Access Security Broker, is essentially a software gatekeeper that sits between enterprise users and cloud services. It provides visibility into how enterprise users interact with your cloud services, using technology like UEBA to detect unusual behavioral patterns and assess risk.
CASB serves numerous vital cloud security functions, including:
- Applying enterprise security policies to cloud resources, so that your on-premises and cloud infrastructure are held to the same standard.
- Auto-discovering all cloud applications, data, and services in use so you can identify risk factors and prevent shadow IT (technology in use by your enterprise that your IT teams might not know about).
- Extending data loss prevention (DLP) and data governance policies to your cloud data, to prevent the exfiltration of sensitive and proprietary data, and ensuring your enterprise complies with data privacy regulations.
As part of an SSE implementation, there are two CASB deployment modes to choose from, depending on your enterprise’s unique needs. A proxy-based CASB sits inline between users and the cloud, either as a forward proxy that user traffic is routed through or as a reverse proxy that the SaaS provider redirects logins to, and it inspects and controls requests in real time. An API-based CASB works out of band: it connects to each cloud or SaaS provider’s management APIs to read activity logs, scan stored data, and change sharing settings, rather than inspecting traffic as it flows.
Each deployment has pros and cons that need consideration with your enterprise’s goals and requirements in mind. A proxy-based CASB adds latency, because every cloud-destined request takes an extra hop through the proxy, and forward-proxy mode needs an agent or PAC file on each device; in return it works with any application, including ones with no API, and it can block a risky action before it completes. An API-based CASB only covers the providers it has integrations for (Microsoft 365 and Salesforce are typical examples), so it leaves gaps for unsanctioned apps, and because it acts after the fact it can remediate but not prevent. On the other hand, it adds no latency to user traffic and requires no agents or hardware. Many enterprises run both: API mode for deep coverage of sanctioned SaaS, proxy mode to catch everything else. Either way, deploying CASB for your SSE implementation helps monitor and protect traffic to and from your cloud services.
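The shadow IT discovery and DLP functions listed above come down to detection logic run over whatever the CASB can see: request metadata in proxy mode, and file content and activity logs in API mode. The following added example (written for this post, not ZPE Systems’ or any CASB vendor’s code) shows that logic over a handful of constructed access events. The sanctioned-app list, the event format, the policy outcomes, and the sample events are all assumptions made for illustration.

```python
"""CASB-style detection over access events: flag unsanctioned apps (shadow IT)
and run DLP checks on uploads. Added example, not a vendor's code; the allow-list,
event format and sample events are constructed for illustration."""
import re
from collections import defaultdict

# Assumed allow-list of sanctioned SaaS hosts; anything else is shadow IT.
SANCTIONED_APPS = {
    "sharepoint.example-corp.com": "SharePoint",
    "login.salesforce.com": "Salesforce",
}

# 13-16 digits with optional space/dash separators (candidate card numbers).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; drops most random digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def dlp_findings(text: str) -> list:
    """Return (type, masked value) for each sensitive token found in text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", "***-**-" + m.group()[-4:]))
    return findings


def evaluate(event: dict) -> dict:
    """Policy: block sensitive uploads to unsanctioned apps, alert on any other
    unsanctioned use, allow (but record findings for) sanctioned apps."""
    host = event["host"]
    sanctioned = host in SANCTIONED_APPS
    findings = dlp_findings(event.get("content", "")) if event["action"] == "upload" else []
    if not sanctioned and findings:
        verdict = "block"
    elif not sanctioned:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"user": event["user"], "host": host, "sanctioned": sanctioned,
            "findings": findings, "verdict": verdict}


def shadow_it_report(events: list) -> dict:
    """Unsanctioned hosts and which users touched them (the discovery view)."""
    report = defaultdict(set)
    for e in events:
        if e["host"] not in SANCTIONED_APPS:
            report[e["host"]].add(e["user"])
    return {host: sorted(users) for host, users in report.items()}


# Constructed sample events, not real traffic. 4111 1111 1111 1111 is a well-known
# test card number that passes Luhn; 1234 5678 9012 3456 does not.
SAMPLE_EVENTS = [
    {"user": "alice", "host": "login.salesforce.com", "action": "view"},
    {"user": "bob", "host": "notes.example.net", "action": "upload",
     "content": "customer card 4111 1111 1111 1111 exp 12/27"},
    {"user": "carol", "host": "files.example.org", "action": "upload",
     "content": "order 1234 5678 9012 3456 shipped"},
    {"user": "dave", "host": "sharepoint.example-corp.com", "action": "upload",
     "content": "employee 123-45-6789 onboarding form"},
]


if __name__ == "__main__":
    for r in (evaluate(e) for e in SAMPLE_EVENTS):
        print(f"{r['verdict']:6} {r['user']:6} {r['host']:28} {r['findings']}")
    print("shadow IT:", shadow_it_report(SAMPLE_EVENTS))
```

Carol’s upload illustrates why the Luhn check matters: the digit run matches the card pattern but fails the checksum, so it is reported as shadow IT use rather than a data leak. Dave’s upload is allowed because the destination is sanctioned, but the SSN finding is still recorded, which is what an API-mode CASB would surface when it later scans the file at rest.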
Secure web gateway implementation
An SWG, or Secure Web Gateway, is precisely what it sounds like—a secure gateway between your enterprise and the web. It filters malicious content from the internet and blocks dangerous user activity (like clicking unsafe links or downloading files from untrusted websites). Enterprise IT teams have been using traditional SWGs for years in physical appliances or as software running on proxy servers.
For SSE, an SWG is a cloud-based service that remote and branch office traffic is routed to directly, bypassing your data center altogether. That means you no longer need to backhaul remote traffic to a gateway at the data center, yet you still apply enterprise web filtering, acceptable use policies, and internet security to every user. Implementing an SWG for SSE lets you treat your remote web traffic the same way as your on-premises traffic, providing consistent security across the board.
Next-generation firewall/Firewall as a service implementation
An NGFW, or next-generation firewall, extends a stateful firewall with features like cloud threat intelligence, integrated intrusion prevention, and application awareness and control. An NGFW can be a physical appliance you deploy at the data center, but for an ideal SSE implementation you should look for NGFW capabilities delivered as a cloud service, known as FWaaS or firewall as a service.
FWaaS delivers all the functionality of an NGFW, including:
- Breach prevention, which uses technology such as integrated intrusion prevention, URL filtering, and built-in sandboxing to analyze viruses and other malware.
- Complete network and cloud visibility with monitoring, UEBA, and automated threat analysis and remediation.
- Deep packet inspection (DPI) to comprehensively analyze every data packet that passes through your network.
One of the most significant benefits of FWaaS for SSE implementations is that you won’t need to deploy and maintain physical appliances at every branch office and data center. Plus, you can route remote and cloud-destined traffic through a cloud firewall instead of backhauling it through a physical device, which reduces network latency. FWaaS for SSE provides the security functionality of a physical next-generation firewall, but as a cloud service.
Zero trust network access, cloud access security brokers, secure web gateways, and firewall as a service are the four key technologies needed to deploy and achieve the SSE model. However, to use SSE technology, you still need to get remote and branch office traffic to those services. The networking layer that does this (SD-WAN and the edge routing that steers traffic into the security stack) is what’s known as the access onramp, and combining it with SSE is what turns SSE into SASE, secure access service edge.
Access your SSE implementation with Nodegrid
You’ll also want an access solution that integrates seamlessly with your security service edge implementation and simplifies the management of your remote network architecture, like ZPE Systems’ Nodegrid. The Nodegrid SR family of edge routers delivers vendor-neutral orchestration of your remote infrastructure so you can easily spin up and manage your SSE solutions from anywhere in the world.