SASE (Secure Access Service Edge) is a term conceived by technological research and consulting firm Gartner in 2019. It refers to cloud vendors that can supply network service brokering, identity service brokering, and security as a service, all in a single package.
Because there are relatively few full SASE vendors (opens in new tab), in 2021 Gartner introduced a new term: SSE (Security Service Edge). This is a subset of SASE services that focuses mainly on the security access of SASE.
In this guide, we’ll explore SASE vs SSE further, defining the key differences between both terms.
(opens in new tab)SASE vs SSE: Features
Before the Covid-19 pandemic, most companies’ network traffic was internal, and only a small portion was external, but this was flipped on its head virtually overnight. The old model of tunneling remote workers’ traffic through VPNs (virtual private networks (opens in new tab)) scaled poorly with the increased amount of traffic. The complexity of getting all systems to work together was mind-boggling, and securing such a system was a technical nightmare.
Moving networking and security to the cloud was a logical step for many companies. Gartner suggested this would be best accomplished by choosing a vendor that could provide a broad set of cloud features under one roof. Gartner called this a SASE vendor (generally pronounced “sassy”).
A SASE vendor combines a cloud access security broker (opens in new tab) (CASB), zero-trust network access (opens in new tab) (ZTNA), secure web gateway (opens in new tab) (SWG), firewall as a service (opens in new tab) (FWaaS), and integrated software-defined wide area network (opens in new tab) (SD-WAN) into a single one-size-fits-all solution.
Many of the important providers in the security industry don’t supply all of these services. In late 2021, Gartner defined a subset of SASE as SSE. This dropped almost all the networking requirements from the equation. SSE unifies all the security services, including SWG, CASB, and ZTNA, but it doesn’t include the WAN edge slice such as SD-WAN, QoS (Quality of Service), and WAN optimization (opens in new tab).
SASE vs SSE: Security
As SSE is the subset of SASE functions with a focus on security, both SSE and SASE vendors offer comparable security features.
SSE and SASE vendors offer SWG (opens in new tab), which prevents unsecured internet traffic from entering your internal networks by filtering internet-bound traffic. SSE and SASE providers typically work on a ZTNA (opens in new tab) model, meaning no user or device is trusted without first authenticating with a trust broker service. The trust broker only grants access to entities if you supply the right credentials, and if the context in which access is requested is valid. And instead of gaining permission to use specific networks, you get permission to use specific applications.
SSE and SASE both include a CASB (opens in new tab) that acts as an intermediary between users and cloud services. This monitors and enforces security policies.
SASE vs SSE: Software-defined networking
Where SASE and SSE providers differ is in the WAN edge services they offer. Perhaps most importantly, SSE alone doesn’t provide SD-WAN. One of the major pillars of SASE is this type of software-defined networking, which emphasizes brokering connections from branch offices and remote locations through the cloud.
SD-WAN enhances or replaces traditional routers to create a virtual WAN that has a centralized control function. This intelligently directs traffic across the internet to trusted SaaS (Software as a Service (opens in new tab)) and IaaS (Infrastructure as a Service (opens in new tab)) providers. Full-stack SASE providers can offer you this feature, whereas SSE-only providers cannot.
SASE vs SSE: Network optimization
SSE also doesn’t make any provision for network optimization, QoS, routing, or SaaS acceleration. Where SASE vendors can include software and hardware solutions that speed up and control the flow of traffic between an organization’s data centers, remote workers, SaaS services, and IaaS services, SSE-only providers don’t.
SASE vs SSE: Performance
SSE and SASE can offer better performance than traditional methods of connecting to company resources, such as the use of VPNs.
Previously, all remote users would connect through a single tunnel to the company data center, making for expensive and slow data connections. Moving security services to the cloud means remote users can authenticate with CASB through a ZTNA model before using applications hosted on the cloud. This is less expensive and more scalable, and speeds can be orders of magnitude faster.
Comparing SSE and SASE in performance, companies with multiple branch offices can potentially greatly benefit from the SD-WAN services SASE provides. The WAN optimization features can make the use of unreliable networks less of an issue (for example, as automatic QoS and routing can switch between different networks on the fly, and reroute network traffic over the most optimal route).
SASE vs SSE: Support
SASE and SSE providers can offer you comparable levels of support when it comes to SWGs, CASBs, ZTBA, FWaaS, and RBI (remote browser isolation). For many companies, these are the most important features for enabling people to securely work from any location.
SASE providers can offer support on WAN edge services too, from SD-WAN and routing to SaaS acceleration and content delivery caching. If you also need these features, integrating security and networking with a SASE provider (opens in new tab) could be the most efficient and straightforward way to modernize your WAN.
SASE vs SSE: Verdict
SASE and SSE are relatively new terms in the security industry, and debate continues about their respective relevance and importance for the future of cloud-based services.
In summary, SSE-only vendors provide cloud infrastructure services with a focus on security services, whereas SASE vendors provide WAN optimization and routing services on top of those cloud security services.
For most companies, implementing SSE features is a priority, and these can be less expensive to deploy in the short term than a full SASE solution. On the other hand, having all services provided by one vendor (as with the full SASE model) does make for a superbly straightforward, scalable, and versatile solution.
