SASE adoption has been skyrocketing since the start of the pandemic. Secure access service edge, a term Gartner coined in 2019, combines security and networking in a single, scalable, cloud-based platform that fits well in a world in which employees work from home and mostly access cloud-based apps and services.
Now Gartner is pushing a new acronym. Turns out, companies might prefer to get their SASE without the “A” — just security service edge, or SSE. Gartner this month published a Magic Quadrant for SSE (something the company never did for SASE); it’s available from vendors listed in the report (here and here, for example).
How’s SSE different from SASE?
SASE combines five major technologies: cloud-access security broker, secure web gateway, zero-trust network access, integrated SD-WAN, and firewall as a service. Few vendors offer all five, and few enterprises are looking to buy all five at the same time in the same package.
As a result, the SSE offering, which includes the first three technologies — CASB, SWG, and ZTNA — might make better sense, especially in the short term, experts say.
Gartner introduced SSE in its 2021 Strategic Roadmap for SASE Convergence, and it’s predicting IT buyers will gravitate to this bundling option over the next few years. By 2025, 70% of organizations that implement agent-based ZTNA will choose an SSE provider rather than a stand-alone offering, up from 20% in 2021, Gartner predicts. And, by 2025, 80% of organizations buying SSE-related security services will purchase a consolidated SSE solution, rather than stand-alone cloud access security broker, secure web gateway and ZTNA offerings, up from 15% in 2021.
Eventually, however, companies should migrate to the full SASE stack, says John Watts, senior research director at Gartner. “Gartner recommends long-term to consolidate SASE offerings to a single vendor or two explicitly partnered vendors,” he says.
SSE is particularly important for enterprises today, since they have figure out how to securely connect work-from-home employees to enterprise services.
SSE’s three main components target different areas of exposure:
- Secure web gateways help connect employees to the public Internet, such as websites that they might be using for research or cloud apps that are not part of a company’s official SaaS roster.
- Cloud-access security brokers connect employees to SaaS applications like Office 365 and Salesforce.
- Zero-trust network access connects employees to private corporate applications that run in on-prem data centers or in the cloud.
By having all three in a single platform, it becomes easier for enterprises to manage and scale security services. Companies can set universal security policies that apply everywhere their employees go and can track user behaviors and traffic across all three channels.
“Integration is a natural migration and natural evolution of things, and it made sense to converge all those things together,” says Mike Wood, CMO at SASE provider Versa.
The issue of the past is that companies were buying different tech for different flavors of the same problem, says Jason Clark, chief strategy officer at Netskope. “All of our senses to do security have been separate, and what I see SSE doing is taking this collection of senses and merging them together into one nervous system, into one brain,” says Clark.
Brink’s moves from VPNs to SSE
Companies were trying to get off VPNs even before Gartner came up with the term SASE and before the pandemic created a major shift to a remote workforce.
“The problem with VPNs is that everyone needs to connect to the VPN gateway,” says Mustapha Kebbeh, CISO at Brink’s, the global security company best known for their armored trucks.
When employee traffic is backhauled to the data center, it creates unnecessary congestion, he says.
Often, what employees are accessing are cloud-based apps and SaaS platforms, and adding a hop to the data center is an unnecessary step. “And if you’re bringing everyone back to the home office then you bring in additional security risks,” he says.
Brink’s started to look at other options in 2017 for its global workforce of 75,000 employees. The company began working with a couple of vendors, including Zscaler and what was then called the Zscaler Private Access service. “We wanted ease of access, applications, and to isolate the uses, with better authentication, and a better user experience,” Kebbeh says.
Brink’s started with secure web gateway functionality and zero-trust network access, and added the cloud-access security broker later.
“Prior to the pandemic, we were not a fully remote workforce,” Kebbeh says. But when the company was forced to switch to mostly remote, the technology was in place to support them, and 70% of the workforce has already moved over.
“By the time the pandemic hit, we had a fully fledged product – not yet fully integrated for everyone, but we knew what it looked like,” he says.
Usage continued to expand since then, he says. “By the end of [February] we’re shutting down the remaining VPNs at our enterprises.”
The moment Brink’s started moving their users from traditional VPNs, the company could see what people were accessing, what applications they were using, and could add additional security capabilities.
VPNs might have made sense a few years ago, when the majority of applications used by employees were run by enterprises in their data centers. But over the past few years, companies have been rapidly migrating from on-premises platforms to cloud-based ones.
As a result, the use of SaaS apps has exploded, says Netskope’s Clark. A company that had 300 SaaS apps three years ago might have 3,000 today, he says.
According to a July 2021 Netscope report, in the first six months of 2021 alone, cloud app adoption increased 22% — and concerningly, a majority of those apps are shadow IT, unmanaged and often freely adopted by business units and users.
According to data Netscope released last month, the average enterprise has around 1,000 SaaS applications.
“Traditional cybersecurity strategies and tools cannot adequately protect the distributed, application-centric enterprise,” says John Grady, senior analyst for cybersecurity at Enterprise Strategy Group.
Security needs to be able to follow people and data, and that’s really the big outcome of SSE, says Jim Fulton, VP of product marketing at cybersecurity company Forcepoint.
“SSE grew up around the fact that SASE security took off, was amazingly successful and was already taking off faster than Gartner expected before the pandemic, and it started accelerating even faster after the pandemic,” he says.
The internet is becoming the new corporate network, says Amit Bareket, cofounder and CEO of cybersecurity company Perimeter 81.
“What we’re going to see now is that security services are moving from on-premise appliances to cloud-based solutions, like SASE and SSE,” he says.
SSE and SD-WAN have different buyers and value propositions
When Brink’s was looking for a security solution for its remote workforce, SD-WAN wasn’t a consideration — they already had SD-WAN from Velo Networks, it worked well, and it combined easily with Zscaler’s SSE offering.
The important thing is to have seamless integration, Kebbeh says. Having everything in one product would be a harder sell. So it makes sense, he says, for SSE to be a separate technology category.
Kebbeh is one of the founding members of the SSE Forum, an industry group whose other members include executives from GlaxoSmithKline, Coca-Cola, DocuSign and Kayak. It’s organized by cybersecurity vendor Axis Security.
The SSE Forum was launched last month, says Chris Hines, Axis Security’s VP of product marketing, with 15 founding members. The idea is to create a consortium of thought leaders to drive the development of an SSE roadmap, he says.
“Security is starting to drive IT,” Hines says. As companies are migrating more resources to AWS or Azure, SD-WANs are becoming less relevant. “If 90% of your traffic is to SaaS, then do you need the SD-WAN at all?” Hines says.
When a company does have an SD-WAN, that buying decision often comes from a different side of the company than the security team enabling a remote workforce, says Sanjit Ganguli, vice president for transformation strategy at Zscaler, one of the top three Gartner Magic Quadrant leaders for SSE. “A lot of the networking teams are making different buying decisions than those that are making security buying decisions,” Ganguli says
Top SSE vendors
The three leaders in Gartner’s Magic Quadrant for SSE – Zscaler, Netskope, and McAfee Enterprise – have full SSE capabilities and strong market positioning.
Zscaler was one of the early leaders in this space, and it has recently consolidated its position with acquisitions and support for more API integrations with SaaS applications. It’s known for ease of use and a large market share, Gartner says, as well as strong partnerships with SD-WAN vendors and tighter integrations.
Relying on SD-WAN partners fits in with the SSE philosophy, says Zscaler’s Ganguli.
“SSE takes a very network-agnostic approach,” he says. “We don’t care how you connect — we care about the security. The SSE part, where we focus, is on all the security controls. One fo the benefits of Zscaler is that because we’re creating that secure tunnel, it actually abstracts the network entirely. We provide a secure overlay.”
Netskope’s total private funding of an estimated $1 billion makes it one of the best-funded private companies in the SSE market, Gartner says. Like Zscaler, Netskope has been acquiring other companies to consolidate its position,
According to Netskope’s Clark, 60% of the questions he gets from customers are about the company’s CASB offerings, 30% about the secure web gateway, 9% about ZTNA and the final 1% about the egress firewall which allows users to connect to legacy systems like mainframes.
But it’s all the same problem, he says, how to connect users to their applications securely.
“Previously, all this security has been separate,” he says. “Now, I’m securing them with the same technology, it’s just that my controls are going to be different.”
McAfee isn’t often thought of as an SSE company, and its ZTNA offerings are more recent. Plus, it’s gone through some ownership changes. The fact that the company name is associated with an anti-virus product doesn’t help.
But the company does now offer a complete and tightly integrated suite of SSE services, Gartner says, including SWG, CASB and ZTNA. McAfee calls its SSE product the MVISION Unified Cloud Edge.
Other players in Gartner’s Magic Quadrant for SSE
Cisco and Palo Alto Networks are deemed challengers in Gartner’s SSE Magic Quadrant. Niche players are Broadcom, Forcepoint, Iboss, and Versa. Bitglass (acquired by Forcepoint in October 2021 but listed separately in the MQ) and Lookout are dubbed visionaries.
For honorable mentions, Gartner lists: Akamai, Cato Networks, Cloudflare, Menlo Security, Microsoft, and Proofpoint.
Copyright © 2022 IDG Communications, Inc.