SASE vs SSE: What are the differences?

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

SASE (Secure Access Service Edge) is a term conceived by technological research and consulting firm Gartner in 2019. It refers to cloud vendors that can supply network service brokering, identity service brokering, and security as a service, all in a single package. 

Because there are relatively few full SASE vendors, in 2021 Gartner introduced a new term: SSE (Security Service Edge). This is a subset of SASE services that focuses mainly on the security access of SASE. 

In this guide, we’ll explore SASE vs SSE further, defining the key differences between both terms.

Perimeter 81 is one of TechRadar's choices for the best SSE providers

Perimeter 81 is one of TechRadar's choices for the best SSE providers
Leap into the future of cloud networking and discover why organizations like yours are rapidly embracing SSE as part of their long-term security strategy plan. Get all the benefits of ZTNA, FWaaS, SWG, and CASB without the extra costs. Complete cloud security. No hardware hassle. Get your free SSE for Superheroes eBook here.

SASE vs SSE: Features

Before the Covid-19 pandemic, most companies’ network traffic was internal, and only a small portion was external, but this was flipped on its head virtually overnight. The old model of tunneling remote workers’ traffic through VPNs (virtual private networks) scaled poorly with the increased amount of traffic. The complexity of getting all systems to work together was mind-boggling, and securing such a system was a technical nightmare. 

Moving networking and security to the cloud was a logical step for many companies. Gartner suggested this would be best accomplished by choosing a vendor that could provide a broad set of cloud features under one roof. Gartner called this a SASE vendor (generally pronounced “sassy”). 

A SASE vendor combines a cloud access security broker (CASB), zero-trust network access (ZTNA), secure web gateway (SWG), firewall as a service (FWaaS), and integrated software-defined wide area network (SD-WAN) into a single one-size-fits-all solution.

Many of the important providers in the security industry don’t supply all of these services. In late 2021, Gartner defined a subset of SASE as SSE. This dropped almost all the networking requirements from the equation. SSE unifies all the security services, including SWG, CASB, and ZTNA, but it doesn’t include the WAN edge slice such as SD-WAN, QoS (Quality of Service), and WAN optimization.

SASE vs SSE: Security

As SSE is the subset of SASE functions with a focus on security, both SSE and SASE vendors offer comparable security features. 

SSE and SASE vendors offer SWG, which prevents unsecured internet traffic from entering your internal networks by filtering internet-bound traffic. SSE and SASE providers typically work on a ZTNA model, meaning no user or device is trusted without first authenticating with a trust broker service. The trust broker only grants access to entities if you supply the right credentials, and if the context in which access is requested is valid. And instead of gaining permission to use specific networks, you get permission to use specific applications.

SSE and SASE both include a CASB that acts as an intermediary between users and cloud services. This monitors and enforces security policies.

SASE vs SSE: Software-defined networking

Where SASE and SSE providers differ is in the WAN edge services they offer. Perhaps most importantly, SSE alone doesn’t provide SD-WAN. One of the major pillars of SASE is this type of software-defined networking, which emphasizes brokering connections from branch offices and remote locations through the cloud.

SD-WAN enhances or replaces traditional routers to create a virtual WAN that has a centralized control function. This intelligently directs traffic across the internet to trusted SaaS (Software as a Service) and IaaS (Infrastructure as a Service) providers. Full-stack SASE providers can offer you this feature, whereas SSE-only providers cannot.

SASE vs SSE: Network optimization

SSE also doesn’t make any provision for network optimization, QoS, routing, or SaaS acceleration. Where SASE vendors can include software and hardware solutions that speed up and control the flow of traffic between an organization’s data centers, remote workers, SaaS services, and IaaS services, SSE-only providers don’t.

SASE vs SSE: Performance

SSE and SASE can offer better performance than traditional methods of connecting to company resources, such as the use of VPNs. 

Previously, all remote users would connect through a single tunnel to the company data center, making for expensive and slow data connections. Moving security services to the cloud means remote users can authenticate with CASB through a ZTNA model before using applications hosted on the cloud. This is less expensive and more scalable, and speeds can be orders of magnitude faster.

Comparing SSE and SASE in performance, companies with multiple branch offices can potentially greatly benefit from the SD-WAN services SASE provides. The WAN optimization features can make the use of unreliable networks less of an issue (for example, as automatic QoS and routing can switch between different networks on the fly, and reroute network traffic over the most optimal route).

SASE vs SSE: Support

SASE and SSE providers can offer you comparable levels of support when it comes to SWGs, CASBs, ZTBA, FWaaS, and RBI (remote browser isolation). For many companies, these are the most important features for enabling people to securely work from any location.

SASE providers can offer support on WAN edge services too, from SD-WAN and routing to SaaS acceleration and content delivery caching. If you also need these features, integrating security and networking with a SASE provider could be the most efficient and straightforward way to modernize your WAN.

SASE vs SSE: Verdict

SASE and SSE are relatively new terms in the security industry, and debate continues about their respective relevance and importance for the future of cloud-based services. 

In summary, SSE-only vendors provide cloud infrastructure services with a focus on security services, whereas SASE vendors provide WAN optimization and routing services on top of those cloud security services.

For most companies, implementing SSE features is a priority, and these can be less expensive to deploy in the short term than a full SASE solution. On the other hand, having all services provided by one vendor (as with the full SASE model) does make for a superbly straightforward, scalable, and versatile solution.

Richard Sutherland

Richard brings over 20 years of website development, SEO, and marketing to the table. A graduate in Computer Science, Richard has lectured in Java programming and has built software for companies including Samsung and ASDA. Now, he writes for TechRadar, Tom's Guide, PC Gamer, and Creative Bloq.