SSE vs SASE: What You Need to Know

As an Information Security professional, you are responsible for ensuring the security and performance of your organization’s network and applications. You also need to continuously be aware of the latest cybersecurity tools, technologies and trends, which can be challenging given the rapid pace of change and innovation.

One of the most prominent concepts that has emerged in recent years is SASE (Secure Access Service Edge), a framework that converges networking and security functions into a single cloud-based service. As most know, SASE is pronounced sassy and it aims to simplify network management, improve user experience, and enhance security posture for distributed enterprises.

However, some IT leaders only require a subset of SASE capabilities, preferring to focus mainly on the security aspects and leaving out the networking components. For those individuals, Security Service Edge (SSE), an emerging new cloud-native security framework, is potentially a better fit.

Here’s a guide to help select the best solution specific to your organization’s needs.

What is SASE?

Secure Access Service Edge (SASE) is a term first used by Gartner in 2019 to describe an emerging architectural framework to design next-generation networks with cybersecurity features. The idea was that employees are geographically dispersed, and IT leaders will need to provide them with secure access to their work resources from anywhere. This framework converges network access with cloud-native security using these five components:

Software-Defined Wide Area Networking (SD-WAN): A service that optimizes wide-area network connectivity and performance by dynamically routing traffic over multiple paths based on policies, conditions, and monitored metrics.

Firewall-as-a-Service (FWaaS): A purely cloud-based firewall that inspects inbound and outbound network traffic delivered “as a service” rather than as an on-premises hardware device.

Cloud Access Security Broker (CASB): A cybersecurity service positioned on a network between users and a cloud provider that enforces cloud-based data access policies.

Secure Web Gateway (SWG): A cloud-based service focused on web browsing traffic that blocks unwanted and malicious internet traffic based on specific IT policies.

Zero Trust Network Access (ZTNA): A service that grants granular and conditional access to authorized users and devices based on identity, context, and policies.

For CIOs and CISOs looking to simplify and scale cybersecurity for remote workers and transition to cloud-native environments, the SASE framework is an excellent choice. It offers a cloud-centric approach for the enforcement of security policy so that data and devices are protected that is combined with core networking functions such as:

Quality of Service (QoS): A service that prioritizes network traffic based on its importance and sensitivity.

WAN Optimization: A service that reduces bandwidth consumption and latency by compressing, caching, and deduplicating data.

VPN (Virtual Private Network): A service that creates secure tunnels between remote users and network resources.

When IT leaders were forced in 2020 to enable remote working due to the pandemic, those who had already adopted or were planning to adopt a SASE framework were better positioned to quickly accomplish their goals. But to clarify, SASE is not a “product” in the sense that you can buy a SASE license and your employees are covered, it is an architectural framework. Multiple networking and cybersecurity providers such as Cisco, Fortinet, Barracuda, Palo Alto, Perimeter 81, VMware, and others use the SASE framework to provide their own solutions. All these companies’ solutions use the SASE framework to cover both the networking and security needs for distributed enterprises.

What is SSE?

The Security Service Edge (SSE) framework was also coined by Gartner, but several years later in 2021. The SSE framework retains most of the core elements of SASE. The key difference is that SSE is designed for IT environments where SD-WAN is not required. SSE fits well for networks that do not have multiple paths to reach destinations without a need for application-based routing decisions. SSE is responsible for secure web, cloud services, and application access. Some of the top business case scenarios in which SSE works best is VPN replacement for remote employees. With a SSE solution, you can reduce your network’s load and simplify the complex routing of IP traffic through a physical firewall device or centralized data center.

Typically, those considering SSE want a purely cloud-based security platform that provides a range of security functions at the edge of the network. As with SASE, leading networking and security vendors also have SSE options. However, the cloud-native nature of SSE means it is often marketed as a single platform that can be easily deployed, managed, and scaled. For this reason, SSE will likely gain traction at organizations looking to simplify and scale security for remote workers and transition to cloud-native environments.


How to Choose Between SSE and SASE?

The choice between SSE and SASE depends largely on your organization’s specific needs, goals, and budget. As a network solutions architect, here are some questions I ask CIOs, CISOs, and other IT business-decision makers evaluating a cybersecurity-focused solution for their organization:

  • What are your current pain points and challenges with your network and security infrastructure?
  • What are your short-term and long-term goals for your network and security strategy?
  • How distributed and diverse are your users, devices, applications, and data?
  • How are you securing remote workers?
  • How are you applying a least-privilege access framework to network access?
  • How much network traffic do you generate and consume, and what are your performance and reliability requirements?
  • How much security risk do you face, and what are your compliance and governance obligations?
  • How much budget and resources do you have to invest in a new solution?

Generally speaking, SSE may be a good choice if you:

  • Have a relatively simple and stable network infrastructure that does not require much optimization or flexibility.
  • Have a high demand for security services and a low tolerance for security breaches or data loss.
  • Have a limited budget or resources to implement a full SASE solution.

On the other hand, SASE may be a better option if you:

  • Have a complex and dynamic network infrastructure that requires constant optimization and adaptation.
  • Have redundant network paths or ISP circuits already in place you wish to load-balance or use in an active/active stance.
  • Have a high demand for both networking and security services and a low tolerance for performance degradation or user dissatisfaction.
  • Have a sufficient budget and resources to implement a comprehensive SASE solution.

Making the Decision

SSE and SASE are both cloud-based frameworks that converge security functions. However, SASE also includes networking functions, while SSE only focuses on security. Think of SASE as the comprehensive blueprint for delivering networking and security as a unified service, while SSE is a subset of SASE that covers security-related components such as SWG, CASB, and ZTNA.

The choice between SSE and SASE depends on your organization’s specific needs, goals, and budget. You should evaluate different solutions based on their features, benefits, and challenges, and choose the one that best aligns with your network and security strategy.