SSE kicks the ‘A’ out of SASE

Security Service Edge separates cloud-delivered defenses from SD-WAN as debate rages

Analysis The emergence of secure access service edge (SASE) dominated the networking market for the last few years as enterprises sought to address increasingly distributed IT environments.

SASE hit the lexicon after 2019 and took hold as enterprises started to see a possible route in the convergence of software-defined WAN (SD-WAN) with network security functions for threat protection, zero-trust features, firewall-as-a-service (FWaaS) and cloud access security broker (CASB), all delivered as a cloud service.

Now comes security service edge (SSE), which pulls back the security functions in SASE into a unified services offering that includes CASB, zero-trust network architecture (ZTNA) and secure web gateway (SWG). SSE came in the wake of the COVID-19 pandemic, with most employees being sent home to work and putting in motion the ongoing trend toward hybrid work.

With many people working from home at least part of the time, the role of branch offices is lessened and the need for security features that follow workers where they are – with work days starting from home and then moving to offices or other locations – is growing.

Hybrid work and networking

What the role of SSE is in the larger network security space and what it means for the future of SASE are the subjects of some debate in the industry. However, it puts a spotlight on the ongoing evolution of networking as the definition of work continues to change and the focus of IT shifts from the traditional central data center to data and workloads in the cloud and at the edge.

Once the pandemic hit, "it was no longer about branch offices," said John Spiegel, director of strategy at Axis Security, which in April launched Atmos, its SSE platform. "It was our users taking their branch office to the home, to their garages, to their basements ... [and] collaborating with their fellow workers via Zoom. The whole thing changed and that's where we saw the utility of SD-WAN really decline."

Enterprises could put WAN devices in every employee's home, but that's expensive and complex, Spiegel told The Register.

"Instead, we pivoted back to this SSE model, which is really about delivering applications," he said. "At the end of the day, that's what a CIO, a leader cares about. It's the delivery of an application. We're getting down to that lowest common denominator and that's the user and that's really where secure service edge is and that's where we see the opportunity."

Gur Schatz, founder and COO at Cato Networks, sees it another way. The company in recent months has added such features to its SASE platform as risk-based application access control to address what officials see as limitations in offerings that focus only on ZTNA and SSE and a CASB. People will continue to go to offices to work, there will always be SD-WAN and firewalls, data centers and cloud providers like Amazon Web Services and Microsoft Azure, Schatz told The Register.

The long-term trend will be adding more functions into the SASE environment, he said. SASE is not easy for enterprises to adopt and SSE is a step down the inevitable path toward SASE, which addresses issues of cost and complexity when trying to merge networking and security.

"Maybe the topology changed from having branch offices communicating with headquarters to branch offices communicating with data centers or with SaaS applications, but the network is still there with you," Schatz said. "Everything converges and you have a single security posture that covers holistically what you need. … It's unreasonable to get this amount of complexity and try to maintain security on top of it."

Security vendors and their SSE platforms

Gartner, which defined SASE, did the same with SSE last year and in February released its SSE Magic Quadrant, with Zscaler, Netskope and McAfee (which created Skyhigh Security by combining its SSE tools with FireEye's) as leaders and others like Palo Alto Networks, Cisco, Forcepoint and Lookout in play.

In addition, Gartner analysts last fall listed both SASE and SSE as must-have cloud security technologies for 2022, with SASE predicted to have a transformational impact in the next two to five years and SSE a high impact over three to five years.

While global SD-WAN revenue did slow in 2020 due to the pandemic and the dramatic shift to work-from-home, Dell'Oro Group analysts said the market came roaring back last year, growing 35 percent year-over-year and hitting record revenue of more than $2 billion as organizations optimized their branches for cloud services and adopted SD-WAN for their widely distributed workforce.

That said, there are issues with SD-WAN, including the costs that come with adopting it and an implementation phase that can take years, according to Netskope Chief Strategy Officer Jason Clark. In addition, SD-WAN tends to be an on-premises technology that addresses east-west network traffic, which doesn't fit as well when users are going into the cloud.

"For anything north-south, I'm going to my SSE," Clark told The Register.

Creating a monster

SASE essentially has been trying to create a Frankenstein monster-like tool package, with network technologies coming from networking vendors and security tools from various security players, he said. Palo Alto is one of the few companies that owns both and is working to meld them together.

"The reality is that you have really strong SD-WAN vendors who suck at security," Clark said. "You have really, really good security companies, but they're not SD-WAN companies. Then you've got people who are trying to play in the middle. … What happened is the buyers told Gartner the security-minded buyers need the best-of-breed security. Two-thirds of them said, 'I need the best SD-WAN and I need the best security. I found nothing that does both awesome.'"

When a user moves off the SD-WAN and into the cloud from home, a lot of the controls in the on-prem network are gone. Netskope's worldwide network is designed to deliver security capabilities once the user hops into the cloud, which is important given that about half an enterprise's traffic is in the cloud, Clark said. Before the pandemic hit, it was about 15 percent, he said.

David Hughes, who was founder and CEO of SD-WAN vendor Silver Peak until Hewlett Packard Enterprise bought it last year for $925 million and folded it into its Aruba Networks business, said Gartner defining SSE is a plus because it clarifies what SASE is – the on-prem SD-WAN and cloud-delivered security services.

"It gives the IT administrator a clearer idea of the tradeoffs they would be making if they go with one vendor for everything vs. going with a cloud vendor plus an on-prem vendor," Hughes, now Aruba's chief product and technology officer, told The Register.

"We've always felt that, especially for the larger enterprises, going with a leader in the cloud-delivered security plus a leader on-prem [is best]. That's what we see happening in the large enterprise. As you come down-market, there's a desire for being able to have one throat to choke. What the Magic Quadrant shows is as you come down there, you're having to make some compromises. The split in the analysis helps people see what those compromises might be."

However, the evolving demands for networking security will continue to push the market toward convergence, Cato's Schatz said.

"Eventually all roads lead to SASE," he said. ®

Biting the hand that feeds IT © 1998–2022