Sorting Out the Differences in SSE, SASE and SD-WAN

Trends in digital experience, hybrid work, and remote service interactions are leading many IT leaders to recognize how their previous fields of responsibility are now overlapping. Even before the 2020 pandemic, running a network, connecting users to information and defending enterprise data were all becoming interdependent workloads. Today’s business trends are only accelerating the affinity between the network and security.

And where trends go, solutions follow.

The convergence of network and security has led to new overlapping offerings, each with its own acronym. Just when we were catching up to the software-defined networking reality, along comes another new acronym. First it was SD-WAN, software-defined wide area networks. Then it was Secure Access Service Edge (SASE), and now there is Security Service Edge (SSE).

But what is the difference and how do you sort them all out?

The reality is that SD-WAN, SASE and SSE are different from one another, though they overlap and converge in their functions. Each represents a different model or technology package with each playing a similar yet different role in enabling today’s ever-expanding IT estate. Here’s how to keep them straight.

What is SASE?

SASE is not only a new approach to secure network management, it’s also a new category of solutions emerging in the market. As a cloud based solution, SASE aims to consolidate SD-WAN with network security controls at the edge of the network — rather than through a core data center. Analyst firm Gartner coined the term to describe this new approach, and it’s an idea gaining traction.

Research from CIO shows that 94% of IT leaders are accelerating SASE adoption due to the need to support digital services and remote work. The rationale for SASE is that a growing portion of users are requesting enterprise data from far outside the core network. Additionally, much of the enterprise’s data is now hosted in the cloud. SASE solves this problem by connecting devices at the edge instead of routing requests for data through the core data center, which can create all sorts of traffic jams, unnecessary backhauling and needless risk. This way, SASE enables enterprises to support dispersed users and their devices with security and convenience.

Gartner’s definition of SASE requires the integrated functioning of five separate components:
1.  SD-WAN provides the network connectivity.
2. Cloud Access Security Broker (CASB) connects users securely to cloud-based digital assets
3. Next-Generation Firewall-as-a-Service (FWaaS) controls access across the entire SASE environment.
4. Secure Web Gateways (SWG) protects users from web-based threats while enforcing acceptable use policies.
5. Zero Trust Network Access (ZTNA) limits access to verified users based on the Zero Trust model.

What is Security Service Edge?

SSE, also a Gartner concept, refers only to the security elements of a SASE environment. Think of it as SASE without SD-WAN. According to Gartner, SSE is a collection of integrated, cloud-centric security capabilities that include ZTNA, CASB, FwaaS and SWG. SSE is therefore a subset of SASE.

SSE offers secure access to web and cloud services as well as on-premises applications. Like SASE, it avoids routing users through a corporate network for access to cloud-based assets. It connects users to apps and data through the internet. There is no SD-WAN in an SSE environment.

Why have both SASE and SSE?

Why have both the term SASE and SSE? Because one size doesn’t fit all, according to Andrew Lerner at Gartner, who explains that buyers typically have different and distinct needs across SD-WAN, SASE, and SSE. Organizations have different network and security needs, so any given enterprise may not need everything that comes with SASE. For example, one company might have to support a large number of branch locations, but have relatively few remote employees. That might argue for SD-WAN on its own. Another business might be implementing hybrid work and a cloud-first strategy. They could probably benefit from SASE. Keeping the categories separate helps buyers sort out what they need and who offers the best solutions in each category. Even within each category, they should be thought of as a ‘framework’ more than a hard definition

SSE solutions also help describe the blurring lines between security tools like SWG, CASB and ZTNA, which are increasingly offered as multiple tools in one solution, usually from one vendor or manufacturer.

Keeping the SASE and SSE categories separate helps buyers sort out what they need and who offers the best solutions in each category. Even within each category, they should be thought of as a ‘framework’ more than a hard definition.

Don’t miss my other article, Think of SASE as a Framework, Not a Checklist

Can they work together?

Yes, potentially. SASE, SSE, and SD-WAN are different from one another, but all try to solve the same general problem: integrating network and security. How they do this differs a little and customers can have more than one of them in the same overall solution. It is important to understand how these solutions consolidate and work together, so check with your provider(s) to avoid conflict and increased complexity

What is SD-WAN?

An SD-WAN is a wide area network built with software-defined network technology. This might mean using encrypted overlay tunnels to communicate over the Internet, dedicated private circuits, or a combination of different transport technologies. The advantage of SD-WAN over traditional WANs is its ability to simplify WAN management and operations through the decoupling of network hardware from control mechanisms. This allows for the WAN to utilize the proper transport type in order to optimize the performance of each application.

SD-WAN solutions comprise the following components:

• SD-WAN Edge—a physical or virtual network function located in an organization’s branch, regional or central office site or data center as well as in public or private cloud platforms.
• SD-WAN Gateway—software that provides access to the SD-WAN with the goal of shortening the distance to cloud-based services or the user—reducing service interruptions.
• SD-WAN Orchestrator—a cloud hosted or on-premises web management tool that allows configuration, provisioning and other functions when operating an SD-WAN.
• SD-WAN Controller—software that makes forwarding decisions for IP packets, i.e., “application flows.”

Increasingly, security capabilities are paired with SD-WAN, creating a comprehensive solution integrating network and security

Conclusion

The most important takeaway here is to avoid getting caught up in the acronyms. Regardless of an organization’s approach to modernizing its IT secure networking environment, there will be a suitable solution available, whether its SD-WAN, SASE or SSE. The best practice in determining the right solution is to start with your business goals, IT requirements and security policies.

The key is to find a solution portfolio that covers all the latest and greatest capabilities and adapts with you as your needs change. This might mean starting with SD-WAN and then evolving to SASE, or starting with SSE and evolving into SASE. How the solution is managed can be a major part of the thought process. Some vendors provide a managed service for SD-WAN, SSE and SASE. Given how new and potentially complex these technologies can be, it may make sense to outsource some or all of their operation.