
SSE – The Enabler For Zero Trust

Hanna Mathai

By Tony Ferguson, Director of Digital Transformation Strategy, EMEA, Zscaler


Architectural simplicity is always a benefit for an enterprise, but unfortunately many organizations have built complex networks and added layers of security appliances over time. However, ‘more’ doesn’t always equal ‘better’ from an administrative and security-oriented point of view. Complex security does not automatically mean tighter security, and it certainly doesn’t deliver a better user experience. To solve this growing problem, the SASE framework was introduced in 2019 to guide enterprises through their digitalization journeys; a journey driven primarily by the adoption of cloud and mobility.

One of the key problems this framework addressed was that the firewall and the entire security stack were stuck at the office, and therefore weren’t following users. This was one of the core fundamentals SASE solved at that time. The new Security Service Edge (SSE) pillar of SASE goes one step further and defines a new security approach that removes SD-WAN and dependencies on the network itself. This ensures the policy follows the user and is not bound to any network, enabling any user, app, or device to be secured with Zero Trust policy from any location on any network.

Simplifying the IT landscape

The Jericho Forum, founded in 2004 by some practitioners, was the basis for Zero Trust. Commandment number 5 stated: “All devices must be capable of maintaining their security policy on an un-trusted network”. Networks need to be treated as un-trusted and should, in fact, only have two functions: to move traffic as quickly as possible, and as reliably as possible.

The new SSE framework is helping companies simplify their IT landscape by removing point security products and bringing new, more flexible and dynamic security functions as a service. This approach is helping organizations extract security controls away from the network. It addresses the fact that building security into a network has never been easy and has driven up cost, complexity and, worst of all, reduced the user experience at the same time.

One good example is Network Access Control (NAC). It becomes extremely complex and difficult to secure users and applications at the network level. Therefore, many companies are re-assessing these types of projects, especially for the sake of the user experience. This especially doesn’t make sense in the hybrid working world when half of the users may no longer be in the office. When security controls are more dynamic, they can follow the user or workload, and this helps the organization itself to become more agile and reduce complexity.

Don’t let hardware slow you down

One of the factors that has amazed me about companies taking up this new framework and way of working is the speed at which they can adopt and adapt to this concept. We all know that hardware can slow us down, especially at the moment, when there are supply chain issues. SSE doesn’t require hardware on the customer side, as the SSE concept leverages shared cloud hardware for security control and enforcement. I have seen companies of tens to hundreds of thousands of users move to this model in weeks. You simply need some software installed on the endpoint and a policy to configure, and that’s it. No changes are required to the hardware or the network at all. SSE is an overlay technology that sits on top of your legacy infrastructure. That, in fact, is where the hard work actually starts. Removing legacy is difficult, especially when networking components, such as cabling, routing and VLANs, are involved.

How to choose an SSE platform

One of the challenges in moving towards the SSE approach is making sure you choose the right SSE platform. Companies that move towards this model soon realize the importance of the SSE vendor’s role in keeping the lights on. The traffic for all applications now traverses this SSE fabric; therefore it must be reliable and address all your needs, including those legacy applications that you still have on-premise and those new SaaS applications you have just rolled out.

The ecosystem and integrations with other systems like M365 and your EDR solutions will become important. Ensuring user performance monitoring and troubleshooting IT tickets will be paramount to bringing visibility into the SSE fabric.

Therefore, the following are recommendations to consider when choosing an SSE platform. Firstly, the SSE vendor must:

  • Offer a documented SLA based on loss of or degradation of service
  • Deliver Zero Trust controls for all authorized enterprise users, workloads, and devices through any protocol
  • Integrate with best-in-class ecosystem players (like CSPs, SD-WAN, IAM, SOAR/SIEM, EDR, etc.), bringing complete in-depth control and security to the entire enterprise landscape
  • Provide its in-line inspection through a proxy cloud architecture ensuring minimal latency and enabling full visibility of all web traffic (up to and including TLS 1.3)
  • Provide its solution centrally managed and deployable in multiple forms to address customer location, region, locality, and function customization
  • Be able to seamlessly pilot the functions and locations needed by the enterprise in production
  • Optimize the user experience by monitoring and diagnosing performance issues for enterprise services (Teams, Zoom, etc.)

In addition, the SSE solution from the vendor must:

  • Offer enforcement at all sites that are in-line globally and within carrier-neutral peering points, ensuring the most effective path to customers
  • Deliver a service agnostically over any network
  • Be extended to provide protection for unmanaged BYOD, third-party and partner access with the same level of granular control as employees
  • Be integrated with the vendor itself to provide orchestration to minimize operational overhead
  • Provide multiple security controls through a single memory scan architecture for unique scalability advantages for decryption at scale
  • Collect metrics from application paths, endpoints and network layers to identify anomalies and provide insight to support teams
  • Be simply extensible without the need for additional hardware or agents, allowing enterprises to grow their SSE use through a phased approach

SSE is disrupting 35 years of networking and security architecture. Don’t wait to be disrupted by the adversary; embrace Zero Trust security to accelerate the business, not slow it down. Choose an architecture that doesn’t need hardware, doesn’t care what network you are on, and at the end of the day is simpler and more secure.
