All you need to know about SASE and SSE but never dared ask [Q&A]
The cybersecurity industry loves a good acronym and in recent times SASE and SSE have been among the ones to grab popular attention.
But in many cases a number of disparate technologies have been patched together to fulfill the promise of a unified solution for securing and accessing the service edge. Often this has occurred through company acquisitions.
We spoke to Kunal Agarwal, founder and CEO of new cybersecurity company dope.security, to discuss advice and the pitfalls for both vendors and buyers in assessing these technologies.
BN: SASE is one of today's most popular security frameworks -- is it hype or fact, how did it begin?
KA: When use-cases align, it's common to label the 'solution areas' -- SSE, IAM, EPP, etc. -- with an acronym. They serve a similar purpose, and therefore the underlying products are thought of as better together. Over time, those products might even merge together for a better experience. A great example is Single Sign-On and Two-Factor Authentication which are now two features of the same product.
Gartner defined SASE back in 2019 as a framework for understanding secure enterprise access. But these things are not always correct on the first go. SASE has evolved to SSE (which drops the SD-WAN) and is now the popular term. In my view, this is a framework's intent: give stakeholders the knowledge and background they need, and help push integrated products.
Today's offerings are a little hyped, because while the technologies play nicely, they're multiple products (or entire companies) Frankensteined together -- under the hood it's an acquisition or hand-wavy POC-level code to satisfy an analyst call or demo to a large customer to show ‘vision’.
BN: What's the difference between SASE and SSE, how do the respective technology use cases and architectures differ?
KA: SSE, like SASE, is a Gartner-created category, but a little newer (2021). It's a subset of SASE based on market feedback and focused more on the security technology, rather than network infrastructure. It's all so new, so it can be confusing:
- SASE: offers secure web gateway (SWG), private access (PA), cloud access security broker (CASB), and software-defined wide area network (SD-WAN)
- SSE: has SWG, PA, and CASB but no SD-WAN
Most organizations didn't look at SD-WAN as part of the rest, and, as such, it's become less prevalent in favor of the SSE term.
As far as technology architectures go, the level of integration is still very raw. For example, Zscaler has a completely separate console to manage private access and endpoints, Symantec's SWG (Bluecoat), CASB (Elastica), and PA (Luminate) are three separate companies entirely, and the same goes with Forcepoint. Vendors offer comprehensive solutions, but it’s really more like a house of brands.
I'm a fan of beautiful solutions that work like multiple features in one product -- achieving the use-cases without headaches. But, buzzwords confuse everyone.
BN: How is user performance impacted by integrating a number of disparate technologies?
KA: User performance has always been at the back of legacy vendors' minds. If you look at the actual integration documentation it will say something like, "Plug this into this and somehow configure the certs here." It's incredibly confusing. You need an SE, a PM, and 'someone' to help. Many times, it requires manual effort on the backend too. If it's this bad for an admin, do we really expect a good experience for the end-user?
Fundamentally, the technologies that comprise SASE and SSE frameworks make sense together, but the experience has never been quite right -- lots of clicks, pro services, etc. The disparate technologies weren't supposed to work this way, and it's always been an afterthought to vendors as they create ‘band-aid’ features. But it's not impossible to do it correctly. With the right focus, every admin and end-user can have a first-class experience.
BN: What are the potential pitfalls for both customers and vendors in shaping strategies to fit analyst-defined categories?
KA: The real loss is to the customer. With vendors trying to defend legacy technology with a forward-looking story, customers are stuck with fragmented products that never live up to the demo they were shown. This especially happens with vendors who have an existing footprint, so the proper due diligence isn't done.
Analyst-defined categories are great for learning about the space. The pitfall is vendors often mislead customers with complicated marketing-speak. For example, not every customer needs private access or SD-WAN. Just because it exists, doesn't mean you need it. One size definitely does not fit all in cybersecurity.
BN: Independent of a specific framework or acronym, what are the keys to building effective network security in modern environments?
KA: Categories aside, modern environments are distributed by nature and the majority of access and work occurs with cloud-based applications (like Office 365). Using locally (endpoint) enforced, distributed network security will more holistically secure an organization.
It starts with:
- Authentication (single enterprise identity)
- Access Control (user-based policy for public and private apps)
- Visibility (flight data recorder)
This protection follows a user anywhere, anytime. If a user leaves the company, the continuous authentication removes all access. Organizations should follow this philosophy and framework vs the promise of a silver bullet solution to solve all problems.