Architecture Matters When it Comes to SSE

By John Spiegel

by John Spiegel, Director of Strategy, Axis Security

Gartner just released the 2023 version of their “Magic Quadrant” for Secure Service Edge or SSE. Cheers are being heard from the companies who scored upper righthand and jeers being shouted for those companies who did not enjoy where they landed on Gartner’s matrix. Over the next few months, there will be a lot of noise coming from all the vendors. Some are useful, and some just distracting. Overall, SSE now has a place in the industry. This is good. As you read the news, cyber-attacks are still on the rise and now we’ve drifted into national security concerns with the leaks about the war in Ukraine by a junior-level, 21-year-old Massachutures National Guard airman. SSE provides a framework to finally bring together networking and security in a modern manner to secure our future in a truly least privileged way.

While the Gartner MQ provides a plethora of helpful information to the network and security leader, one area I found needing improvement was how these solutions are architected. As Winston Churchhill famously said, “We shape our buildings: thereafter they shape us.” Or said another way, “architecture matters”. More importantly, you need to understand how a particular solution deploys its network “points of presence” or PoP. To paraphrase a well-known movie from 2002, “SSE, it’s all about the PoPs.”

The fundamental concept of both SSE and its bigger brother Secure Access Service Edge (SASE) is to place network and security functions close to the employee and endpoint device. This is critical in overcoming the dilemma of selecting either network performance or security scanning. The PoPs are where the action happens. Through centralized policy, security treatments like malware scanning, web filtering, and data leakage protection, occur close to the employee, 3rd party, or device. These PoPs can be placed in the SSE providers owned regional data centers, and telecom hotels, as well as in several of the “Cloud Giants” (AWS, Azure, Google Cloud). The closer you place the PoPs to the employee and their device, the better the performance and security of a given application. How these PoPs are created, deployed, and managed also needs to be understood as they impact a given solution’s resiliency.

Before we dive into this critical topic, let’s take a step back and level set. Why should you care, and why are all PoPs not created equal? In the past, the WAN network, which both SASE and SSE are replacements for, was constructed on a private network owned by a large telecom vendor who would provide service level agreements. Performance was consistent and when there was an outage, the service vendor was on the hook for resolution. That was when applications lived in the private data center. Cloud changed the game in the 2010s and led the enterprise to move to an “internet as the WAN” for connectivity. Why? Gartner provides several statistics to help us understand the reason:

· Gartner surveys in 2020 showed 80% of enterprises using IaaS are multi-cloud
· In 2024, 60% of IT spending on application software will be directed at Cloud technologies.
· By 2026, SaaS workloads will dominate the enterprise software market.

As the internet is now the onramp for Cloud and SaaS-based applications/services, SSE and SASE will be the means to access them. Therefore, it brings up the question of resiliency and how you should build out your SSE/SASE platform as downtime is, in this day and age, not acceptable.

In another recent research paper, Gartner analysts Evan Zeng and Jonathan Forest called this out. The paper was titled “Leverage Cloud Connect Infrastructure to Improve Connectivity Experience for Cloud Workloads for SASE Solutions”. If you have access to a Gartner license, give it a read. If not, the cliff notes are – as applications become Cloud dominant, Secure Access Security Edge (SASE) product leaders must consider how to architect their WANs. Meaning, it is enough to purchase the service from either a vendor or a telecom and call it good? Application performance and security must be accounted for. As an example, if my company leverages Azure for PaaS services, is it good enough that my SSE/SASE vendor only runs on Google Cloud? Is it OK if my SASE vendor built out their PoPs in their own data centers? If so, I need to account for this and the result may be that I need to add my own interconnects into Azure or similar services. This costs money, adds complexity, and also increases the “keep the lights on” (KTLO) burden. It also, most importantly, causes the network/security engineer back into the performance vs security dilemma. Not ideal.

To address this, a few vendors in the space have taken a different path. One which puts the network/security engineer back in the driver’s seat. Instead of a “take or leave it approach” to the PoP that harkens back to the big telco days for WAN services, the engineer can select the best placement of a PoP to realize the value of SSE/SASE, and application performance with security. As an example, consider this option. Start with the Cloud Giants as a massive network underlay. Use all of them. AWS, Google Cloud, Azure, and Oracle Cloud. The result is this. You don’t need to transit from Google Cloud to access services in Azure. The SSE/SASE platform does the work for you. It also provides resiliency. If AWS suffers an unfortunate outage, PoP services can be handled by Azure, Google Cloud, or Oracle Cloud. Additionally, vendors are also offering a local edge option that can be installed in an on-prem data center. This is a smaller scale version of the standard PoP running in the traditional data center providing the full suite of services, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP) and Zero Trust Network Access(ZTNA). Then take it a step further. What if you are in an area where there is no option for a local edge and the closest Cloud Giant data center is 800 miles away? Are you in what is called a “PoP desert” and you have a latency-sensitive application? Can the SSE/SASE provider spin up a PoP as a colocation facility to extend their services closer to you?

Choice in how you construct, create resiliency, and provide performance with security must be at the core of how you evaluate the various SSE/SASE solutions on the market. While the Gartner MQ is a good first pass, it is critical to dive into the architecture of each of the solutions listed in the MQ and not included. Ask the critical questions. Ask about the location of a vendor’s PoPs. How quickly can they build a PoP? How can they increase capacity rapidly to meet your demands? How resilient is their network of PoPs. Are all services provided in each PoP. If their answer is one size fits all, think really hard before continuing the conversation. If their answer is fully redundant, ask how. Dive deep. Much like you would architect your data center network and power systems or your WAN, these answers matter. Ask them. You are the enterprise engineer on the front lines. Don’t be pigeonholed into a solution that is flawed or results in compromises and puts you right back into complexity with limited resiliency. Downtime and its cousin, the slow, insecure application is no longer acceptable.


No posts to display