Fallacy: SSE and SASE Are Different Names for the Same Thing
It’s easy to see why people might confuse SSE and secure access service edge. Both terms were coined by Gartner in just the past few years, and they’re closely related but not synonymous. The easiest way to distinguish them is to remember that the A in SASE stands for “access,” and that refers to SASE’s network access capabilities, such as software-defined WAN. SSE is essentially a scaled-down version of SASE that doesn’t include network access.
SSE is a subset of SASE; SSE focuses on security, while SASE focuses on both security and network access. SASE offers security benefits that SSE doesn’t because SASE provides a more complete picture of what’s going on.
Fact: SSE Is a Relatively New and Evolving Technology
The concept of SSE was first proposed in 2021. While the components of SSE aren’t new, the practice of unifying them into a single offering is still evolving. There isn’t yet universal agreement on what all the capabilities of SSE are.
The fundamental pieces are generally recognized as:
- Zero-trust network architectures, which provide stringent access control
- Secure web gateways, which perform content inspection and filtering for web browser–based activity
- Cloud access security brokers, which offer several security functions for Software as a Service applications
Many SSE technologies also include Firewall as a Service, and others include additional security functions within SSE. At this time, different SSE solutions may have significantly different capabilities.
Fact: SSE Provides Big Benefits Over Traditional Network Security
The adoption of mobile, cloud, IoT and other technologies, along with our increasingly distributed work environments, has made traditional network security largely ineffective. Its primary benefit today is in protecting on-premises servers and equipment. For just about everything else, SSE can provide stronger security because it can monitor and analyze network activity regardless of where the users, devices, data and applications are. This enables SSE to find threats against many, if not most, government systems.
Without an SSE solution or any parts of SSE, operators are missing a lot of the security landscape. Unfortunately, that’s going to get worse, because agencies are likely to increase, not decrease, their usage of mobile, cloud, IoT and other technologies. If agencies don’t have SSE in place, they will continue to lose visibility and control over their security posture.
Fallacy: SSE Is the Only Security Solution Required
While SSE is quickly becoming indispensable, it’s not the only security solution agencies need. For example, SSE doesn’t provide many security controls for individual devices, other than some zero-trust capabilities. Officials still need anti-virus services, encryption for stored data, patch and configuration management, and so on. To look for signs of trouble and investigate incidents that occur, they also need technologies such as centralized log management; security information and event management; and security orchestration, automation and response.
And don’t forget that employees need training, with frequent refreshers, on avoiding social engineering attacks. Phishing is endemic, and technology can only do so much to prevent it. Teaching government workers and the public how to recognize and avoid social engineering is a good start, and conducting periodic phishing exercises is even better.