SSE vs. SASE: What CISOs Need to Know

As a Chief Information Security Officer (CISO), you are responsible for ensuring the security and performance of your organization’s network and applications. You also need to keep up with the latest trends and technologies in the cybersecurity space, which can be challenging given the rapid pace of change and innovation.

One of the most prominent concepts that has emerged in recent years is SASE (Secure Access Service Edge), a framework that converges networking and security functions into a single cloud-based service. SASE promises to simplify network management, improve user experience, and enhance security posture for distributed enterprises.

However, some IT leaders only need a subset of SASE capabilities, preferring to focus mainly on the security aspects and leaving out the networking ones. For those CISOs, Security Service Edge (SSE), an emerging cloud-native security framework, is potentially a better fit. As a network architect with a background in solution delivery, I have first-hand experience with both SASE and SSE. In this blog post, I will compare SASE and SSE, highlighting their key features, benefits, and challenges. Read on to learn how you can choose the best solution specific to your organization’s needs.

What is SASE?

Secure Access Service Edge (SASE) is a term first used by Gartner in 2019 to describe an emerging architectural framework for designing next-generation networks with cybersecurity features. The idea was that employees are geographically dispersed, and IT leaders need to provide them with secure access to their work resources from anywhere. This framework converges network access with cloud-native security using these five components:

  • Software-Defined Wide Area Networking (SD-WAN): A service that optimizes wide-area network connectivity and performance by dynamically routing traffic over multiple paths based on policies, conditions, and monitored metrics.
  • Firewall-as-a-Service (FWaaS): A purely cloud-based firewall, delivered “as a service” rather than as an on-premises hardware device, that inspects inbound and outbound network traffic.
  • Cloud Access Security Broker (CASB): A cybersecurity service positioned on a network between users and a cloud provider that enforces cloud-based data access policies.
  • Secure Web Gateway (SWG): A cloud-based service focused on web browsing traffic that blocks unwanted and malicious internet traffic based on specific IT policies.
  • Zero Trust Network Access (ZTNA): A service that grants granular and conditional access to authorized users and devices based on identity, context, and policies.

For CIOs and CISOs looking to simplify and scale cybersecurity for remote workers and transition to cloud-native environments, the SASE framework is an excellent choice. It offers a cloud-centric approach to enforcing security policy, so that data and devices are protected, and combines it with core networking functions such as:

  • Quality of Service (QoS): A service that prioritizes network traffic based on its importance and sensitivity.
  • WAN Optimization: A service that reduces bandwidth consumption and latency by compressing, caching, and deduplicating data.
  • VPN (Virtual Private Network): A service that creates secure tunnels between remote users and network resources.

When IT leaders were forced in 2020 to enable remote working due to the pandemic, those who had already adopted or were planning to adopt a SASE framework were in a better position to quickly accomplish their goals. But to clarify, SASE is not a “product” in the sense that you can buy a SASE license and your employees are covered; it is an architectural framework. Multiple big-name networking and cybersecurity providers such as Cisco, Fortinet, Barracuda, Palo Alto, VMware, and others use the SASE framework to provide their own solutions. All these companies’ solutions use that SASE framework to cover both the networking and security needs of distributed enterprises.

What is SSE?

The Security Service Edge (SSE) framework was also coined by Gartner, but several years later in 2021. The SSE framework retains most of the core elements of SASE. The key difference is that SSE is designed for IT environments where SD-WAN is not required. SSE fits well for networks that do not have multiple paths to reach destinations and do not need application-based routing decisions. SSE is responsible for secure access to the web, cloud services, and applications. One of the top business case scenarios where SSE works best is replacing VPN access for remote employees. With an SSE solution, you can reduce your network’s load and simplify the complex routing of IP traffic through a physical firewall device or centralized data center.

Typically, a CISO considering SSE wants a purely cloud-based security platform that provides a range of security functions at the edge of the network. As with SASE, the big names in networking and security also have SSE options. However, the cloud-native nature of SSE means it is often marketed as a single platform that can be easily deployed, managed, and scaled. For this reason, SSE will likely gain traction at organizations looking to simplify and scale security for remote workers and transition to cloud-native environments.

SSE vs. SASE: A Comparison

The following table summarizes the main differences between SSE and SASE:

| Feature | SSE | SASE |
|---|---|---|
| Security Functions | Firewall-as-a-Service (FWaaS); Cloud Access Security Broker (CASB); Secure Web Gateway (SWG); Zero Trust Network Access (ZTNA) | FWaaS; CASB; SWG; ZTNA |
| Networking Functions | None | Software-Defined Wide Area Networking (SD-WAN); Quality of Service (QoS); WAN Optimization; VPN (Virtual Private Network) |
| Scope | Security only | Networking and Security |
| Benefits | Simplifies the deployment and management of IT security by moving typically on-prem hardware into the cloud; Improves security posture and ensures corporate security policies are complied with regardless of access method; Reduces costs and complexity | Simplifies network complexity and management while reducing total cost of ownership (TCO); Improves user experience; Enhances security posture and ensures corporate security policies are complied with regardless of access method |
| Challenges | May not address all networking needs; May require integration with other solutions | Single-vendor SASE solutions often create vendor lock-in for IT leaders; Multi-vendor DIY solutions are difficult to manage and often have interoperability issues |

How to Choose Between SSE and SASE?

The choice between SSE and SASE depends largely on your organization’s specific needs, goals, and budget. As a network solutions architect, here are some questions I ask CIOs, CISOs, and other IT business decision-makers evaluating a cybersecurity-focused solution for their organization:

  • What are your current pain points and challenges with your network and security infrastructure?
  • What are your short-term and long-term goals for your network and security strategy?
  • How distributed and diverse are your users, devices, applications, and data?
  • How are you securing remote workers?
  • How are you applying a least-privilege access framework to network access?
  • How much network traffic do you generate and consume, and what are your performance and reliability requirements?
  • How much security risk do you face, and what are your compliance and governance obligations?
  • How much budget and resources do you have to invest in a new solution?

Based on your answers, I can easily decide whether SSE or SASE is more suitable for your organization. Generally speaking, SSE may be a good choice if you:

  • Have a relatively simple and stable network infrastructure that does not require much optimization or flexibility.
  • Have a high demand for security services and a low tolerance for security breaches or data loss.
  • Have a limited budget or resources to implement a full SASE solution.

On the other hand, SASE may be a better option if you:

  • Have a complex and dynamic network infrastructure that requires constant optimization and adaptation.
  • Have redundant network paths or ISP circuits already in place that you wish to load-balance or use in an active/active stance.
  • Have a high demand for both networking and security services and a low tolerance for performance degradation or user dissatisfaction.
  • Have a sufficient budget and resources to implement a comprehensive SASE solution.

Conclusion

SSE and SASE are both cloud-based frameworks that converge security functions. However, SASE also includes networking functions, while SSE only focuses on security. Think of SASE as the comprehensive blueprint for delivering networking and security as a unified service, while SSE is a subset of SASE that covers security-related components such as SWG, CASB, and ZTNA.

The choice between SSE and SASE depends on your organization’s specific needs, goals, and budget. You should evaluate different solutions based on their features, benefits, and challenges, and choose the one that best aligns with your network and security strategy.


Michael Watford

Network Solution Architect, Networking

Michael Watford is a Network Solution Architect, holding current Cisco certifications for CCNP, CCDP, CCNP Security, and CMSS. In a career of over a decade, he has worked in various positions, including in network operations centers, service delivery, and consulting. Michael is certified in Cisco, Meraki, and Fortinet platforms with expertise in networking, wireless, data center, cloud, and cybersecurity. He was homeschooled and lived on a sailboat in the Caribbean during his teenage years. Michael and his family live in Florida where he enjoys hiking, camping, woodworking, and running the tech at his local church.