Your organization may be considering a move to security service edge (SSE). Your top concern may be how to efficiently deploy SSE to modernize your organization's security
In a recent survey of 300 information-security and IT professionals conducted by CyberRisk Alliance (CRA), 77% of respondents said that SSE was "very important" or "extremely important." They cited several reasons for implementing SSE, including protecting cloud-based assets, supporting remote staffers, streamlining security operations and deploying zero-trust network access (ZTNA).
Yet only 10% of respondents said their organizations had actually implemented SSE. Furthermore, the report said, "while 54% of respondents said they knew a lot about SSE through research or evaluation, 46% said they knew only a little or were unfamiliar with the concept."
Here's a look at some of the reasons to deploy SSE, and some of the barriers you may face.
The benefits of adopting SSE
SSE (and its older sibling, secure access service edge or SASE) lets companies bring cloud-based services, including security services such as endpoint protection, security monitoring, data-loss prevention and access control, closer to end users, no matter where the users might be.
In this respect, SSE is ideal for the modern company that has remote workers scattered all over, and which has many or all of its resources in the cloud. As SSE is cloud-based and decentralized, it can reach anywhere that has internet access and doesn't need a data center or security hub to operate.
SSE can monitor and protect remote users far from headquarters without making the users log into a VPN to access the company network. This improves throughput, reduces latency and network lag, and takes a burden off on-premises company servers. As a result, there's no backhaul, no hairpinning, no bottlenecks and no network perimeter.
SSE is referred to as a converged cloud security solution because it merges control of separate security functions into a unified management interface. That consolidated dashboard improves visibility, decision-making and response time, and also reduces operating costs.
"The whole converged-solution concept is about reducing complexity," said Boaz Avigad, senior director of product marketing at Perimeter 81. "You want something that is simple and easy to use and can be managed from a single pane of glass."
Because SSE is a cloud-based, hardware-free service, SSE's core components — a cloud access security broker (CASB), a firewall as a service (FWaaS), a secure web gateway (SWG) and zero-trust network access (ZTNA) — can quickly be updated to address the latest threats and adversarial techniques.
Likewise, organizational policy changes can easily be implemented system-wide, which can be especially helpful during mergers or acquisitions, or when moving individual systems to the cloud. Meanwhile, the ZTNA component restricts lateral movement within the network or cloud, which a VPN cannot do once initial access is granted.
If your organization is considering an eventual migration to a full SASE deployment, SSE gets you halfway there and provides a solid foundation. Organizations that have branch offices would be better off with full SASE because SSE by itself doesn't provide a secure way to connect those offices to the cloud or to SaaS services.
However, for organizations that are entirely remote or have substantial "sunk costs" in network hardware, SSE might be preferable. From an internal standpoint, SSE can be easier to implement because it won't force the network and security teams to merge, a potential obstacle.
"While I had to work with a networking team when I was a CISO, I never had responsibility for networking," said Frank Kim, CISO-in-residence YL Ventures and a SANS Institute fellow. "SSE makes a lot more sense for a CISO because it just focuses on security."
Potential pitfalls in implementing SSE
As with any new technology, moving to SSE can be difficult, though perhaps more in the preparation than in the final implementation.
The biggest obstacle, and the most arduous task, is the need to perform a thorough self-assessment. Your organization must gauge its needs, abilities and goals to achieve a successful SSE deployment.
Do you want to get all your SSE components from a single vendor, which might be easier to implement, or would you prefer to shop around for the best components? Are there technologies you already have in place that could be repurposed for SSE?
Are there long-term software or hardware contracts to consider? Does your organization have regulatory or compliance obligations that might be affected by SSE?
You also need to determine the total cost of migrating to SSE, including staff training, although operational costs should be much less once you get over the initial hump.
"There's typically a labor-cost bubble as you go through implementation, but if you look at 3-4-year ROI, the bubble costs are quickly overcome by run-rate savings, and that starts to happen after about eight months," said Doug Saylors, partner and co-lead of cybersecurity at ISG.
A phased migration might be best in implementing SSE, with the various components — SWG, ZTNA, CASB, and FWaaS — being introduced sequentially.
Once you have a migration plan and a budget sorted out, you need to secure the full backing of your organization's leadership, and to also seek the input of suppliers, vendors and other stakeholders. You don't want any sudden surprises during the implementation phase.
Then you need to thoroughly vet potential SSE vendors. Does a particular component or solution integrate well with other tools or technologies? How scalable is a vendor's solution? What is the vendor's reputation? What is the vendor's product-development road map? And just how good is the vendor's customer support?
"When you have a complex comprehensive offering like SASE or SSE, you know there are going to be integration issues," said YL Ventures' Kim. "You want to be able to quickly connect with the technical SME to resolve problems. You don't want to file a ticket and then wait like you're at the DMV."
Finally, you need to prepare for the possibility that SSE might be disruptive after initial deployment. For example, ZTNA is much stricter about access and lateral movement than a VPN would be. This may hinder programs and algorithms and annoy employees who used to greater freedom to roam through the network — including perhaps those very executives who have greenlit the move to SSE.
