SSE starts with ZTNA

John Spiegel, Director of Strategy, Field CTO, Axis Security

Evaluating Security Service Edge (SSE) solutions can be confusing and complex. While the problems to solve are known (securing the workforce, securing applications, and reducing operational complexity, to name a few), how to go about evaluating the plethora of solutions available is the new challenge. Why? Because there are so many.

At last count, Gartner’s short-list, the SSE Magic Quadrant, listed ten vendors, and this did not include a whole raft of startups and vendors pivoting into the space. Since SSE crosses several technical boundaries and includes what were previously siloed products such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and remote access Virtual Private Network (VPN), to name a few, where to start your evaluation becomes a daunting question.

One approach is to ask the obvious question, “What problem am I looking to solve?” This is a great place to start because it frames the process as solving a business challenge. The problem can be how to put securing data at the center of my security strategy with a tool that easily integrates with securing Internet access, as now my critical company assets are spread across SaaS, Cloud, and on-prem. Here SSE can help. While the approach, “what problem am I looking to solve,” can be successful, it may also be shortsighted when it comes to SSE. That’s because once you start asking deeper questions, another challenge emerges, and it involves trust.

The problem with trust and its solution, Zero Trust, is that it has become the marketing buzzword of the last five years. Almost every vendor at major conferences, such as RSA and Black Hat, washed their booths and materials with Zero Trust. This was, of course, until AI hit the headlines (a topic for another day). While Zero Trust, the marketing term, has taken a beating, Zero Trust, the business strategy, is the journey we must all be on. That’s because, before 2010, applications lived in the data center and large fortifications in the form of firewalls stood watch, carefully observing the comings and goings of data and applications. The firewall was a watch guard, sitting “inline” as traffic flowed in and out of the data center.

The cloud changed the game. Then, in 2020, the same thing occurred with the workforce.  Applications, data, and the people who needed them left the warm comforts and protections of the castle and its walls. All of IT became distributed in a matter of a decade. The concept of trust can no longer be as simple as “trusted and untrusted.” New layers are required. Enter Zero Trust Network Access (ZTNA), a critical element of an overall Zero Trust business strategy.

As you investigate various SSE solutions, you will find most view ZTNA as a remote access VPN replacement technology. While valid in certain situations, a larger business challenge is being missed. When you strip ZTNA down to its core, it is about delivering an application and/or data to an employee or resource with security and speed. In the pre-Cloud era, security was handled in the data center, and speed was provided by the network. Packets flowed, and the threat vectors needed to storm the castle to gain entry. This is no longer the case.

Applications, data, and employees are everywhere, which means that attackers must now land a simple beachhead and pivot to expand their foothold to win larger prizes. How do you overcome this?  Consider ZTNA as the new mechanism for how you deliver applications. How does ZTNA, in the context of SSE, improve application delivery? It acknowledges the need to distribute networking and security as a global platform. ZTNA accomplishes this by building a fabric of points of presence (PoPs) and placing them as close as possible to the employee, applications, and resources. Network traffic is routed to PoPs, where security inspections take place along with network acceleration. Put another way, ZTNA becomes a globally available system for securing and delivering applications and data. It’s the modern foundation for security and networking in the age of 2020 and beyond.

Why is this critical in how you approach evaluating SSE solutions and why must you start with ZTNA? As was true in the era of firewalls (1990-2010), you must be “in-line” for security to be successful. Visibility is key. You must be able to see data, applications, and threats while having eyes on the bad actors. If you are not “inline,” you are not seeing the threats. Therefore, you must start with ZTNA. Get visibility back online with a 360-degree context. See the complex threat landscape from a common lens with context including such items as device state, identity and data to name a few.

Once you’ve made ZTNA the core or the foundation of SSE, you can then view the other aspects of the SSE suite as features. They build off ZTNA. Need to secure the remote workforce from the Internet? Start with ZTNA and then add SWG. Need SaaS application security? Add CASB services to your existing ZTNA/SWG platform. Then build. Turn on DLP and Digital Experience Monitoring (DEM). Gain insight into where data is moving and how applications are performing.

The key takeaway is to not focus on a particular capability of SSE, such as protection from the Internet (SWG) or securing SaaS applications (CASB). Take a holistic approach and view SSE as a strategic investment. It’s a foundational element that you can build your zero trust business strategy on.  At the end of the day, SSE is about delivering business outcomes. Start the SSE journey with ZTNA.

