Secure Service Edge

Secure Service Edge (SSE)

SSE provides a secure way to access web, cloud and the private network. Organizations as they start using SaaS based offering, and adapting to public cloud while still having some applications on prem, have long struggled to consolidate various security products to provide visibility, data security, governance, compliance, remote connectivity, intent based access, protection against online threats and protection against infection.

Gartner coined the term SSE as a converged security service, once adapted by an enterprise, and hopefully by a single vendor, can improve the visibility, monitoring and overall security posture.

There are three fundamental pillars of SSE

CASB

The perimeter-less network, clients are often outside of the perimeter and going directly to Paas, IaaS and SaaS, it increases the footprint of where the data is used and stored.

Data loss can have serious consequences especially if it has sensitive data. There are laws and regulations being introduced to protect data, such as, GDPR , HIPAA, California Consumer Privacy Act and Australian Notifiable Data Breaches Act, there are financial penalties if the data is lost due to a breach, whether it is accidental or malicious.

CASB is designed to provide visibility to applications used in the cloud and helps an organization put the governance, secure sensitive data and offers data loss prevention.

There are four major pillars of CASB:

Secure Web Gateway

A Secure Web Gateway (SWG) based on Software-as-a-Service (SaaS) ensures the protection of an organization against web-based threats and infections while enabling compliance with regulations like the Child Internet Protection Act (CIPA). By utilizing the SaaS-based SWG, organizations can maintain a high level of security comparable to on-premises solutions, eliminating the need for managing hardware and software locally.

Zero Trust Security

Ransomware can not only cause financial damage to your company, it can also impact reputation, especially if you have Intellectual property, Protected health information, and financial data.

Spyware, ransomware and malware are not only attacked from the Internet, they can also be manifested internally by phishing attacks, your defense must encompass guards on perimeter and inside.

Each user, each client, must be treated as an island, a compromise on one client shouldn’t impact other sensitive data in the rest of your environment.

Zero trust security practices can help guard against such attacks, US DoD has recognized the importance of this architecture to help protect the country against external and internal threats:

https://www.defense.gov/News/Releases/Release/Article/3225919/department-of-defense-releases-zero-trust-strategy-and-roadmap/

Zero Trust has following building blocks

EndPoint Security

A continues device posture evaluation, authentication and authorization of users are validated before allowing access to application and data, the solution must encompass baselining, alerting and remediation

Zero Trust Network

Access Malware can easily spread in a flat network, like a wildfire, access to network must be checked against the identity and should only grant a granular access to intended application vs a traditional access to the entire corporate network

Zero Trust Identity

Identity and Access management is a key component for Zero Trust architecture, it needs to ensure MFA are checked for critical and sensitive application, this adapted practice should also account for sudden change for user behavior, a user logged in from Network York shouldn’t appear from China at the same time.