Security Service Edge (SSE) is the Way to Go, But How Do You Choose?

This blog was originally published by Lookout here.

Written by Pravin Kothari, Executive Vice President, Product and Strategy, SASE, Lookout.

Gartner® recently predicted that “By 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services and private application access from a single vendor’s security service edge (SSE) platform."*

If you don't know what SSE is, you should read my colleague Sundaram Lakshaman’s breakdown of SSE and Secure Access Service Edge (SASE). The gist of it is that SSE is the convergence of security technologies inside the SASE framework.

I completely agree with the prediction by Gartner. I believe that there are new security requirements that have emerged as a result of the wholesale migration to the cloud. When the pandemic forced organizations to go remote in 2020, they scrambled to give users access regardless of where they work and what devices they use. But now that work-from-anywhere has settled in, a bigger challenge has emerged: the protection of sensitive data.

As operations move to the cloud, IT security teams find themselves guarding data that has scattered across data centers, private clouds and software-as-a-service (SaaS) apps, and are accessed by endpoints sitting on networks they don’t manage. But unlike when everything was neatly inside perimeters, they no longer have the visibility nor the controls to protect their data.

Organizations need to streamline their security operations — that’s where SSE comes in. But not all products are made equal. To reduce risk and protect data, organizations need a SSE platform that is built with native data, user and endpoint protection capabilities.

Not all SSE platforms are created equal

Both SSE and SASE are high profile frameworks, as organizations look for solutions to secure their data amidst their digital transformation, where data is flowing freely between endpoints and cloud apps and circumventing perimeter-based security.

To sell more products, there are now countless vendors marketing their offerings as having some or all of the SSE technologies: Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA) and Secure Web Gateway (SWG).

But some SSE products are unwieldy slapped together through various acquisitions in a way that creates risk. Think about the administrative overhead involved with independently configuring and generating policies for each product. Not to mention the near-impossible tasks of keeping up with alerts and updates from multiple consoles that don’t talk to each other.

This strategy often leaves gaps in an organization’s security posture, such as the inability to understand mobile endpoint-related risks, or prevent an insider from exfiltrating sensitive data. To safeguard your data, you can’t just “check the box” when it comes to a SSE platform.

Here’s what you should look for in a unified platform

A SSE platform must be more than a patchwork of technologies. Not just to cut down on costs and operational complexity but to reduce risk and secure your data. To do so efficiently, you need the visibility and controls in place to make smart Zero Trust access decisions, regardless of the endpoint use, and where your apps and data reside.

Here’s what a converged SSE platform looks like:

Simple, unified policy enforcement

Security solutions need to be integrated into a unified platform, so that your security teams only need to write policy once and have it apply across their entire infrastructure, whether it be to endpoints, SaaS apps, private apps or email clients.

Deeper and proactive data protection

A robust SSE platform should be able to enable collaboration while securing your sensitive data. You need a platform with native and modern Data Loss Prevention (DLP) that recognizes the types of data you have and enforce policies wherever it goes. This includes watermarking or redacting sensitive data within documents. You also need the ability to encrypt content as it gets downloaded with enterprise digital rights management (EDRM).

End-to-end threat protection

In addition to data sensitivity, the platform can detect and respond to threats like ransomware entering your infrastructure or malware present on devices. Your policy enforcement should know the changing risk posture of endpoints.

Deep understanding of users

Not all threats use malware. Data is often leaked by insiders accidentally or on purpose, like with the recent Pfizer IP incident where data was uploaded to a personal device. You will also encounter compromised accounts where credentials are stolen via a mobile phishing attack. You need a platform that has native User and Entity Behavior Analytics (UEBA) to know when a user is putting your data in harm's way.

SSE requires a unified platform with end-to-end protection of your data

2021 was another year of high security incidents and business losses. There were an average of 270 attacks per company in 2021, a 31% increase from 2020.** This means securing your organization in a remote-first world requires a new approach.

To protect your data, you need a SSE platform that converges CASB, ZTNA, SWG and endpoint security, and is elegantly built with end-to-end data protection capabilities. It takes into account telemetry data from users, the risk posture of the endpoint they use and the sensitivity level of the data they seek to access. As a result, we’re able to dynamically enforce data protection policies without hindering productivity.