Americas

  • United States
Neal Weinberg
Contributing writer, Foundry

10 questions to ask about secure service edge (SSE)

Feature
Sep 06, 202311 mins
Enterprise Buyer’s GuidesNetwork SecurityNetworking

IDC and Gartner have identified a broad range of vendors that provide converged security services. Here's what to ask before choosing a platform.

questions to ask a vendor curious hand with question mark tablet ipad by stevanovicigor getty
Credit: Getty Images

In 2019, Gartner created the term secure access service edge (SASE) to describe a cloud-based service that combines networking and security in order to give remote workers safe access to internet-based resources.

Gartner had put its finger on a new set of challenges that enterprise IT faced as employees shifted to remote work during Covid and applications migrated to the cloud. But Gartner overshot the runway a bit; vendors were caught flatfooted and scrambled to cobble together full suites of SASE features.

[ Download our editors’ PDF SASE and SSE enterprise buyer’s guide today! ]

On the customer side, a recent Gartner survey of CISOs revealed that “a majority of buyers are planning for a two-vendor strategy for SASE,” with security and networking teams making separate buying decisions rather than opting for single-vendor SASE. In response to these realities, Gartner coined a new term, secure service edge (SSE), which is essentially SASE minus SD-WAN, the network access part of the equation.

In Gartner parlance, SSE includes, at a minimum, secure web gateway (SWG), cloud access security broker (CASB) and zero trust network access (ZTNA). It can also encompass a constantly growing laundry list of additional features such as firewall-as-a-service (FWaaS), browser isolation, sandboxing, data leak prevention (DLP), and web application firewall (WAF).

IDC splits the difference between SASE and SSE. It uses the term network edge security as a service (NESaaS) to describe a converged approach that includes SWG, CASB and ZTNA as prerequisites, but treats networking capabilities like SD-WAN or digital experience monitoring (DEM) as “optional points of integration.”

“SSE is but one side of the coin. The other side is networking, which, unfortunately, still tends to be overlooked too often. An SSE vendor should have a strategy for taking their customers on the complete SASE journey.”

Mauricio Sanchez, research director at Dell’Oro Group

Dueling definitions aside, both IDC and Gartner have identified a broad range of vendors who provide these services, giving enterprise IT leaders lots of choices.

SSE vendor landscape

Most enterprises have longstanding relationships with a group of established vendors that turn up regularly on any short list of prospective candidates for new products and services. But SSE is different; some of the top players might not be familiar to IT leaders, which makes it even more important to ask their right questions when evaluating vendors.

For example, the latest Gartner Magic Quadrant for SSE puts Netskope in a leadership position, along with Zscaler and Palo Alto Networks. In the visionary category, there’s Skyhigh Security, Forcepoint and Lookout. Cisco, probably an automatic on everybody’s list of potential vendors, is described as a challenger by Gartner because it lacks integration of the many SSE components and doesn’t offer a full-featured zero trust solution.

IDC has slightly different criteria (SSE vs. NESaaS), but a similar assessment. IDC’s Marketscape lists Netskope, Zscaler, and Palo Alto Networks as the Big 3, but adds Cloudflare and Akamai to the leadership category. IDC says Skyhigh, Fortinet, Cisco, Checkpoint, Forcepoint, Lookout, and Broadcom are major players, while Gartner puts Cloudflare, Broadcom and iBoss in the niche category.

When it comes to Cisco, IDC agrees with Gartner, noting that Cisco “currently lacks a traditional ZTNA product” and “still has significant progress to make in integrating its vast portfolio into a single, consolidated product.”

Here are snapshots of some of the major players in SSE:

Netskope: IDC says, “Netskope is a natural short-list option for organizations that prioritize data protection and cloud capabilities based on the company’s expertise and strength in CASB and inline proxy controls. Enterprises looking for digital transformation may well be served by the performance and reliability of the Netskope NewEdge private cloud network.” On the other hand, Gartner clients report that Netskope is “usually one of the most expensive options in a competitive pricing situation.”

Palo Alto Networks: Palo Alto Networks has a large installed base of customers who use its on-premises security tools. The company has put together a compelling SSE/NESaaS offering that provides customers with the opportunity to manage both environments from a single console. Palo Alto has a strong ZTNA offering, and can provide SD-WAN for organizations that want to take the single-vendor SASE route.

Zscaler: With its vast global cloud network, Zscaler’s strength is the ability to pass all traffic through its platform, where all manner of security processes can be applied. Zscaler offers ZTNA, CASB, SWG, firewall-as-a-service, and DLP at its core. Sandboxing analysis, remote browser isolation, WAF, deception, and user experience monitoring are also on the menu.

Akamai: Akamai has the global cloud platform required to deliver SSE, and a strong track record; it offers SWG, CASB and ZTNA, but might not have the broadest suite of add-ons, and in some cases requires integration with third-parties, rather than offering a full-blown single-vendor integrated approach. Its strong points are performance and ZTNA.

Cloudflare: Cloudflare is trying to expand beyond the SMB market and attack the enterprise with an offering that includes ZTNA, CASB, SWG, DLP, firewall-as-a-service, browser isolation, WAF, DDoS mitigation, and bot management. On the plus side, Gartner says Cloudflare offers the largest number of PoPs, a 100% SLA for uptime, and its geographic coverage means “there is rarely significant latency to reach a Cloudflare PoP.” Gartner cautions that Cloudflare lacks some features, such as file malware sandboxing, DEM and full-featured built-in reporting and analytics.

How to approach SSE vendor selection

Before engaging with potential SSE vendors, organizations need to get their own ducks in a row. “I think it’s critical to focus on outcomes that you are able to execute and drive in a reasonable time frame,” says Gartner analyst Charlie Winckless. “What do I need to deliver? What are my priorities?”

All of the vendors have strengths and weaknesses, particularly when it comes to SSE, which is an amalgam of multiple technologies. Winckless cautions that going with the vendor who offers the longest list of features might end up being too expensive and might not address the organization’s most pressing needs. The key question to ask is: Which vendor best fulfills the capabilities that are most important to me?

Other considerations are how well the SSE service coincides with existing refresh cycles, and integrates with the organization’s IT stack. Winckless says organizations also need to investigate the financial stability of the vendor and their track record of innovation.

Pablo Riboldi, CISO at BairesDev, a global provider of software development services to enterprises, said his main driver for adopting Zscaler’s SSE was ZTNA. He said the company had been using AWS VPN and Open VPN for remote access, but he wanted to integrate the VPN with advanced security features, as well as implement two-factor authentication in the VPN associated with users’ Google Workspace accounts.

After trying out several different vendors, Riboldi says his security team recommended Zscaler. They liked the performance features of the Zscaler cloud, which enables users to connect from anywhere “at a great speed,” as well as the fact that the Zscaler agent has a monitoring feature for bandwidth, and enforces device security postures.

Riboldi says, “We have many initiatives in our roadmap. We need to focus on the ones that provide more business value for each dollar to keep our company a secure environment while threats grow.” He adds, “Securing client IP is a great concern. We can achieve that thanks to DLP and CASB.”

10 questions to ask prospective SSE vendors

  1. What is your SASE strategy?
  2. What integration points do you support?
  3. What is your track record for scalability, reliability and performance?
  4. Does your delivery network align with my business needs?
  5. How many agents do I need to install on end user devices?
  6. What are your strength and weaknesses?
  7. Drill down into ZTNA: What can you do?
  8. What is the management setup?
  9. How easy is it to apply security policies?
  10. What is the customer experience?

1. What is your SASE strategy?

“SSE is but one side of the coin,” says Mauricio Sanchez, research director for networking, security and SASE/SD-WAN, at Dell’Oro Group. “The other side is networking, which, unfortunately, still tends to be overlooked too often. An SSE vendor should have a strategy for taking their customers on the complete SASE journey.”

2. What integration points do you support into the larger third-party technology ecosystem?

SSE is a small part of a larger technology landscape, so an SSE vendor should be able to show integrations with client security (EPP/EDR), identity and access management (IAM), security management (SIEM/SOAR/XDR), as well as integration with the hyperscalers, says Sanchez.

3. What is your track record for scalability, reliability and performance?

Sanchez points out that SSE vendors are responsible for keeping the network running smoothly, while processing encrypted traffic at scale for threat detection purposes, which he describes as “a computationally intensive process.” He adds, “I’ve heard horror stories of enterprises burnt by SSE clouds that underperform and generate more headaches than they solve.”

4. Does your global delivery network align with my business needs?

Multinational companies need to make sure that the SSE vendor has points of presence that correspond to their locations. Be sure to ask where the PoPs are, what the roadmap is for adding more, what the plan is for covering gaps, and what the plan is for surviving an outage, says David Holmes, a senior analyst at Forrester.

5. How many agents do I need to install on end user devices and what is the cost per device?

Holmes recommends that prospective buyers pin vendors down on whether a single agent can handle VPN, ZTNA, SWG, etc., or whether more than one agent is required. And in today’s BYOD world, with end users connecting to the network on multiple devices, what operating systems and mobile devices are covered? Is there an extra charge per device, or is the service per user?

6. What are your strength and weaknesses?

Ask the vendor for an honest assessment of which technology in the SSE smorgasbord is their strongest, and make sure that aligns with your requirements. If they say it’s SWB, but your main driver is CASB, then Holmes says it might make sense to “continue your search.”

7. Drill down into ZTNA: What can you do?

Holmes recommends that prospective buyers ask the vendor what ports and protocols they cover; how they handle VoIP/SIP and UDP protocols. Can they integrate with multiple identity providers concurrently? “Not all can,” says Holmes, “and this is an important management feature for larger organizations that want to give partners zero trust access to their applications.”

8. What is the management setup?

Winckless says organizations need to implement SSE in a way that is seamless for administrators to configure and monitor. Will I have fewer consoles? Or more?

9. How easy is it to apply security policies?

Organizations need to make sure that they retain the ability to apply the same rules across multiple channels, says Winckless.

10. What is the customer experience?

All of that backend technology is great, but organizations need to make sure that the SSE delivers a smooth and seamless user experience. That last thing you want, says Winckless, is to disrupt the way the company does business.