SSE, SASE or CASB?: Spelling out the right security approach

Mike Schuricht, SVP of Product Management at Bitglass, explains Security Service Edge and how it fits in with other cybersecurity concepts, such as SASE and CASB.

This is a contributed article by Mike Schuricht, SVP of Product Management at Bitglass, a Forcepoint Company.

The last 18 months spurred many organisations to adopt public cloud services, as we were all thrown into the depths of lockdowns and work-from-anywhere cultures. As a result, organisations were forced to accelerate their deployment of cloud technologies that quickly enabled distributed working, while also delivering productivity and business agility gains. In retrospect, turning to the cloud has been the making of many businesses.

Though the cloud has created a lot of good, it took some business leaders time to get into the right mindset, adapt and shift their digital strategy. For many, security has presented a significant challenge, with the answer coming in the form of flexible, cloud-based network security technologies. The right solutions empower security teams with visibility and control for data that has moved off premises and can now be accessed everywhere.

It’s been a journey revolving around a number of technology approaches, including cloud access security brokers (CASB), secure web gateway (SWG) and zero trust network access (ZTNA). Adding to the mix, however, is the latest Gartner 2021 Hype Cycle for Network Security report, which introduced a further security paradigm: security service edge (SSE).

But what is this new architecture that’s now on the brink of mainstream adoption, how does it fit into the world of CASBs and how is it different from secure access service edge (SASE)? To help navigate the range of acronyms and technologies, it’s useful to run through each in turn:

What is a CASB?

A cloud access security broker is a policy enforcement point that delivers data and threat protection in the cloud, on any device, anywhere. There are three requirements for a CASB vendor: the first is a management capability that provides visibility and clean-up after high-risk events. Next is security to prevent high-risk events such as data leakages and threat intrusions. And finally, zero-day protection addresses both known and unknown data leakage risks and malware threats.

What is SASE?

Secure access service edge, or SASE (pronounced “sassy”), is a cybersecurity concept where organisations can extend security to all of their enterprise resources regardless of location.

Using SASE as a single control point, security teams can configure policies that secure SaaS apps, control access to web destinations, identify shadow IT, and protect on-premises applications. In practice, this can include a company’s headquarters and branch offices as well as home-based and mobile users.

SASE architecture includes cloud access security broker (CASB), secure web gateway (SWG), and zero trust network access (ZTNA) capabilities. As a result, security teams can build less complex environments combining multiple network and security technologies into a single solution to deliver the same network and security services regardless of the user’s location.

What is SSE and how does it fit in with SASE and CASB?

Taking capabilities a stage further, security service edge (SSE) is an integrated, cloud-centric offering that facilitates safe access to websites, SaaS, and private applications. Typically, it will also combine access control, threat protection, data security, security monitoring, and acceptable use control.

Introduced in the recent Gartner Hype Cycle for Network Security, 2021, it is placed ‘High’ on the Gartner Benefit scale and at the peak of the Hype Cycle, but is also seen as an architecture that can have near-term implications on mainstream adoption by security teams.

As pointed out in the Gartner analysis: “SSE allows the organization to support the anywhere, anytime workers using a cloud-centric approach for the enforcement of security policy. SSE offers immediate opportunities to reduce complexity, costs and the number of vendors.”

At its most fundamental level, SSE brings together the capabilities typically found in cloud access security broker (CASB), secure web gateway (SWG) and zero trust network access (ZTNA), each with critical functional requirements.

Security teams adopting an SSE approach are typically focused on reducing the complexity of their infrastructure and improving user experience. This is achieved by consolidating multiple disparate security capabilities into a single-vendor, cloud-centric converged capability. This will often be based around core CASB, SWG and ZTNA requirements.

It’s important to note that SD-WAN services may be separately adopted by infrastructure teams. This may be because users control or own the device, traffic doesn’t traverse their own infrastructure and trusting users by default becomes insufficient.

These processes combine to complete the SASE journey and can be approached in parallel or as separate initiatives. In either case, they will often be impacted by leadership priorities, the availability of relevant personnel, budget constraints and the different refresh cycles that guide existing investments.

These are important considerations in an industry that is changing quickly to meet customer requirements. As the security landscape continues to evolve, organisations that focus on building strategies that deliver the agile protection they need for increasingly complex networks will be well placed to meet the range of challenges they will inevitably face.

Mike Schuricht is leader of the Threat Research Group at Bitglass, a Forcepoint company. He has led the product management and techpubs teams since joining Bitglass in November 2013. Prior to Bitglass, Schuricht was at Palo Alto Networks leading security management and UI strategy. Before that, he held technical marketing and engineering roles at Mentor Graphics.