Tech Blog | March 17, 2026 | Jina Yoon

SASE vs SSE: A Complete Analysis – Which Security Model Is Right for Your Organization?

SASE and SSE are core concepts in modern network security. This practical guide provides a clear understanding of the differences between these two models and helps you choose the optimal security strategy tailored to your organization's characteristics and requirements.

Tags: SASE, SSE, Zero Trust, Cloud Security, Network Security, Security Architecture, ZTNA, SWG, CASB, FWaaS

Hello! In today's world, with the widespread adoption of cloud computing and remote work, you've likely realized that traditional perimeter security models are no longer sufficient to safely protect your organization's assets. It's like having a big lock on your house, but people are working outside the home, sometimes even from coffee shops. Amidst these changes, two important security concepts have emerged: SASE (Secure Access Service Edge) and SSE (Security Service Edge). Today, we'll delve deep into what these two models are, how they differ, and which one might be more suitable for your organization.

Interestingly, many people confuse SASE and SSE or even consider them the same thing. In reality, while closely related, they have distinct differences. This is a crucial distinction that shouldn't be overlooked by simply thinking, 'Aren't they just different names?' From an attacker's perspective, such conceptual ambiguity often creates vulnerable gaps for infiltration. Security teams must clearly understand and properly implement these concepts to minimize potential 'gaps' that attackers could exploit, right?

Technical Overview: What Exactly Are SASE and SSE?

First, let's clearly define what SASE and SSE are. SASE is a concept defined by Gartner in 2019, referring to an architecture that integrates network and security services in a cloud-native manner to provide security at all connection points—users, devices, and applications. Simply put, it offers network functions like SD-WAN (Software-Defined Wide Area Network) alongside security functions such as ZTNA (Zero Trust Network Access), SWG (Secure Web Gateway), CASB (Cloud Access Security Broker), and FWaaS (Firewall as a Service) within a single, integrated cloud platform.

The core value of this concept lies in moving beyond complex legacy security stacks, applying consistent security policies, and ensuring optimal network performance no matter where users are or what applications they access. As remote work and cloud migration accelerate, it became increasingly difficult to efficiently handle user traffic or protect it securely with data center-centric security. SASE emerged as a solution to address these challenges.

So, what is SSE? SSE is a concept Gartner defined in 2021 by separating out only the 'security services' portion of SASE. In other words, it delivers only the security functions among SASE's components (ZTNA, SWG, CASB, FWaaS, etc.) from the cloud. While SSE provides SASE's core security capabilities, it does not focus on network optimization or network infrastructure integration like SD-WAN. It might be more suitable for organizations that have already built network infrastructure like SD-WAN or prefer to manage networking and security separately. You can think of it as similar to installing only security apps on a smartphone.

Architecture Analysis: Integration or Specialization?

Looking at the architectures of SASE and SSE, their differences become even clearer. SASE emphasizes 'integration' of network and security, whereas SSE focuses on 'specialized security functions.' It's like building a house: SASE is an 'all-in-one' construction method that integrates all infrastructure and security systems from the design phase, while SSE can be seen as closer to adding only the latest security systems to an existing house.

SASE architecture is primarily served through globally distributed points of presence (PoPs). No matter where a user connects from, they are routed to the nearest PoP, which then performs network routing, optimization, and various security inspections. Users can access corporate resources securely without a VPN. The data flow typically involves traffic moving from the user's device to the nearest SASE PoP, where necessary security policies (authentication, threat prevention, data loss prevention, etc.) are applied, before being forwarded to the destination cloud application or data center.

Conversely, SSE focuses more on the security service layer provided by these SASE PoPs. Network optimization and SD-WAN functions are not included in SSE's direct scope. Therefore, organizations can 'layer' the SSE security stack on top of their existing network infrastructure or SD-WAN solutions. In the data flow, traffic goes from the user's device to the internet, is sent to the SSE service for security inspection, and then proceeds to its final destination. Along the way, security functions such as ZTNA, SWG, CASB, and FWaaS work together.

An important point here is that both architectures share the characteristic of being 'cloud-native.' This means that all security functions are delivered as services from the cloud, eliminating the need to build and manage separate hardware or software. This significantly contributes to reducing the complexity of security operations and enhancing scalability. Especially when integrated with unified threat detection and response platforms like SeekersLab's Seekurity SIEM/SOAR, all security events and logs generated by SASE or SSE can be collected and analyzed in one place, enabling a faster response to threats through automated response playbooks.

Key Mechanisms: Understanding the Layers of Security

Let's take a deeper look at the main security features provided by SASE and SSE. Each function is powerful on its own, but when integrated they reinforce one another and help defend against attackers' attempts.

Zero Trust Network Access (ZTNA)

ZTNA is a technology that applies the 'never trust, always verify' Zero Trust principle to network access. Unlike traditional VPNs, which grant broad access privileges to users within the network perimeter, ZTNA applies the 'least privilege' principle to all requests from users, devices, applications, and more. Even if an attacker succeeds in initial penetration, ZTNA makes it much more difficult to perform lateral movement within the internal network. This is because it thoroughly verifies user authentication, device status, and application-specific permissions every time access is requested. For example, you can grant granular permissions so that a specific user can only access a particular application. This makes it difficult for an attacker to proceed to the next stage even if they compromise an account.

Secure Web Gateway (SWG)

SWG inspects and filters web traffic to protect users from malware, phishing attacks, and harmful content. It's like having a security guard watching over you while you browse the web. SWG provides URL filtering, antivirus/anti-malware scanning, and data loss prevention (DLP) capabilities, preventing users from accessing malicious websites or downloading malicious files. Especially when combined with AI-based sandbox technologies like KYRA AI Sandbox, you can establish a robust defense system capable of detecting and analyzing even unknown threats like zero-day attacks or Advanced Persistent Threats (APTs).

Cloud Access Security Broker (CASB)

CASB is an essential solution for managing security risks that arise when using cloud applications. It allows organizations to control not only approved cloud apps but also 'Shadow IT' that the organization may not be aware of. CASB prevents data exfiltration within the cloud, ensures compliance, and provides visibility into cloud usage. For example, it can detect and block in real-time if files containing sensitive information are uploaded to unauthorized cloud storage. When used with FRIIM CNAPP/CSPM solutions, you can achieve comprehensive cloud security, from the security settings of the cloud infrastructure itself to cloud app usage patterns.

Firewall as a Service (FWaaS)

FWaaS delivers the functions of a traditional physical firewall as a cloud service. This firewall sits at the internet edge, inspecting all inbound and outbound traffic and allowing or blocking it according to policy. It solves the previously difficult problem of applying firewall policies consistently to every point in a distributed environment. It's like always passing through a powerful central firewall inspection, no matter where you connect from. This makes it difficult for attackers to find network entry points, and even if they do penetrate, they can be immediately detected.

Feature Comparison: SASE vs SSE, What Are the Differences?

Since SASE and SSE differ in their purpose and scope, it's difficult to definitively say which model is 'better.' The optimal choice varies depending on each organization's circumstances and requirements. Here, we'll compare their key characteristics to help you decide which model is more suitable for your organization.

| Feature | SASE (Secure Access Service Edge) | SSE (Security Service Edge) |
|---|---|---|
| Primary Goal | Integration and optimization of network and security functions | Specialization in cloud-based security services |
| Included Functions | ZTNA, SWG, CASB, FWaaS, SD-WAN, WAN optimization | ZTNA, SWG, CASB, FWaaS (security functions only) |
| Suitable for Organizations | Seeking simultaneous network infrastructure modernization and security integration (new deployment or large-scale transformation) | Wishing to enhance security capabilities while maintaining existing network infrastructure (e.g., SD-WAN) |
| Implementation Complexity | High (network and security integration) | Relatively Low (focus on security functions only) |
| Cost Efficiency | High potential for long-term integrated management and operational cost savings | Recoup existing infrastructure investment, efficient for initial security enhancement |
| Vendor Integration | Ideal with a single vendor or integrated solutions from a few vendors | Flexible integration with various security vendor solutions |

As you can see, SASE is more suitable for large-scale projects involving a complete overhaul of network and security, while SSE can be a good choice when prioritizing security enhancement first while valuing compatibility with existing network infrastructure.

Practical Implementation: How Can We Apply It to Our Organization?

When introducing SASE or SSE into your organization, several important implementation steps must be followed. Beyond simply purchasing a solution, a strategic approach that considers the organization's unique characteristics is essential.

1. Current Environment Analysis and Requirements Definition: First and foremost, you must thoroughly analyze your organization's current network environment, security posture, user distribution, and cloud usage. This means identifying which applications are frequently used, what data is sensitive, and how many remote workers there are. You then need to define specific requirements, such as which security problems you want to solve and how urgent network performance improvement is. At this stage, utilizing SeekersLab's FRIIM CNAPP/CSPM will be of great help in accurately identifying the asset status and security vulnerabilities in your cloud environment.

2. Solution Selection and PoC (Proof of Concept) Execution: Select a SASE or SSE solution vendor that meets your requirements and conduct a PoC under conditions similar to your actual environment. During this process, you need to thoroughly test how flexibly the solution integrates with existing systems, its ease of management, and whether its actual performance is satisfactory. Let's consider a simple example of configuring and testing a ZTNA policy for specific cloud application access.

# ZTNA Policy Example (Conceptual)
policy_name: "Access to Internal HR Portal"
description: "Allow access to HR portal only for HR team from corporate devices"
users:
  groups:
    - "HR_Team"
devices:
  os_type:
    - "Windows"
    - "macOS"
  security_posture:
    enabled:
      - "Endpoint_DLP_Agent"
      - "Antivirus_Active"
    version_min:
      "Antivirus_Active": "1.2.3"
applications:
  url:
    - "https://hr.internal.example.com/*"
  protocol:
    - "HTTPS"
action: "Allow"
# Logging and Alerting
logging:
  enabled: true
alert_on_denial: true

This policy allows HR team members to access the internal HR portal over HTTPS only from corporate devices (Windows or macOS) that have the DLP agent running and an active antivirus at or above the configured minimum version (1.2.3). It also raises an alert if access is denied. Such granular policies make it difficult for an attacker to reach internal systems even if they compromise a specific account.
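How a policy engine might evaluate the conceptual policy above, as an added example (not code from the article or from any vendor product). The request shape (`groups`, `os`, `agents`, `url`), the default-deny behaviour, and the exact-hostname matching are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# The article's conceptual policy as a dict (same keys as the YAML above).
POLICY = {
    "users": {"groups": ["HR_Team"]},
    "devices": {
        "os_type": ["Windows", "macOS"],
        "security_posture": {
            "enabled": ["Endpoint_DLP_Agent", "Antivirus_Active"],
            "version_min": {"Antivirus_Active": "1.2.3"},
        },
    },
    "applications": {"url": ["https://hr.internal.example.com/*"],
                     "protocol": ["HTTPS"]},
    "action": "Allow",
}

def _ver(v):
    # Numeric compare: as strings, "1.10.0" would sort below "1.2.3".
    try:
        return tuple(int(p) for p in str(v).split("."))
    except ValueError:
        return ()  # unparsable version sorts below any minimum (fail closed)

def _url_ok(url, app):
    u = urlsplit(url)
    if u.scheme.upper() not in app["protocol"]:
        return False
    # Match scheme and exact hostname, then glob only the path.
    return any((u.scheme, u.hostname) == (p.scheme, p.hostname)
               and fnmatchcase(u.path or "/", p.path)
               for p in map(urlsplit, app["url"]))

def evaluate(policy, req):
    """Return ("Allow" | "Deny", reasons). The req keys are assumed, not a real API."""
    dev, reasons = policy["devices"], []
    if not set(req.get("groups", ())) & set(policy["users"]["groups"]):
        reasons.append("user not in an allowed group")
    if req.get("os") not in dev["os_type"]:
        reasons.append("device OS not allowed")
    agents = req.get("agents", {})  # {posture check name: reported version}
    for name in dev["security_posture"]["enabled"]:
        if name not in agents:
            reasons.append(f"{name} not reported")
    for name, minimum in dev["security_posture"]["version_min"].items():
        if name in agents and _ver(agents[name]) < _ver(minimum):
            reasons.append(f"{name} below {minimum}")
    if not _url_ok(req.get("url", ""), policy["applications"]):
        reasons.append("application not covered by policy")
    allowed = not reasons and policy["action"] == "Allow"
    return ("Allow" if allowed else "Deny"), reasons
```

The returned reasons are what `alert_on_denial` would carry to the SIEM: a request with valid HR credentials but no posture agents is denied with every unmet condition listed.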

3. Phased Deployment and Integration: It's common to deploy SASE or SSE incrementally rather than implementing everything at once. For example, you can start by applying ZTNA for remote workers, and then expand SWG for web traffic security. During this process, it's crucial to adopt an integrated strategy of managing all security event logs centrally by integrating with Seekurity SIEM/SOAR and continuously monitoring the security status of your cloud infrastructure with FRIIM CNAPP/CSPM.

Monitoring and Operations: Continuous Vigilance is Required

Implementing SASE or SSE doesn't mean all security concerns are over. Rather, continuous monitoring and operation after deployment determine the success of the security framework. Attackers constantly try to breach our defenses with new methods. It's in the same vein as installing a smart home security system but still needing to check alerts regularly and perform periodic inspections.

Key Monitoring Metrics:

  • Access Control Logs: Closely analyze allow/deny logs based on ZTNA policies to identify any abnormal access attempts.
  • Web Traffic Activity: Monitor web-related threats detected by SWG, such as access to malicious websites, attempts to download malware, or access to harmful content.
  • Cloud Application Usage: Monitor for Shadow IT usage, data exfiltration attempts within the cloud, and abnormal cloud app usage patterns via CASB.
  • Network Performance Metrics: For SASE, network latency, throughput, and other metrics must be continuously checked as they directly impact user experience.

These metrics can be integrated into Seekurity SIEM to be monitored in real-time on dashboards, and it's advisable to configure automatic alerts when specific thresholds are exceeded or patterns are detected. Seekurity SIEM specializes in efficiently collecting, analyzing, and correlating vast amounts of log data generated by SASE/SSE solutions to uncover hidden threats.
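The access-control log metric above, as an added example (not from the article or any vendor product): a sliding-window check that flags a user who is denied on several distinct applications within a short time, while ignoring a single mistyped request or repeated retries against one application. The log field names, thresholds, and sample events are constructed assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; field names are assumed, not a vendor log schema.
SAMPLE_LOG = """\
{"ts": "2026-03-17T09:00:05", "user": "alice", "app": "hr-portal", "decision": "allow"}
{"ts": "2026-03-17T09:01:10", "user": "bob", "app": "hr-portal", "decision": "deny"}
{"ts": "2026-03-17T09:02:00", "user": "carol", "app": "hr-portal", "decision": "deny"}
{"ts": "2026-03-17T09:02:45", "user": "carol", "app": "finance-db", "decision": "deny"}
{"ts": "2026-03-17T09:03:40", "user": "carol", "app": "git-server", "decision": "deny"}
{"ts": "2026-03-17T09:04:00", "user": "dave", "app": "wiki", "decision": "deny"}
{"ts": "2026-03-17T09:04:05", "user": "dave", "app": "wiki", "decision": "deny"}
{"ts": "2026-03-17T09:04:09", "user": "dave", "app": "wiki", "decision": "deny"}
{"ts": "2026-03-17T09:10:00", "user": "erin", "app": "hr-portal", "decision": "deny"}
{"ts": "2026-03-17T09:40:00", "user": "erin", "app": "finance-db", "decision": "deny"}
{"ts": "2026-03-17T10:10:00", "user": "erin", "app": "git-server", "decision": "deny"}
"""

def flag_denial_sweeps(lines, min_apps=3, window=timedelta(minutes=5)):
    """Return [(user, timestamp, apps)] for users denied on at least
    min_apps distinct applications within the window (one alert per user)."""
    recent = defaultdict(deque)  # user -> (ts, app) denials still inside the window
    alerts, alerted = [], set()
    events = sorted((json.loads(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])  # ISO timestamps sort as strings
    for e in events:
        if e["decision"] != "deny":
            continue
        ts = datetime.fromisoformat(e["ts"])
        q = recent[e["user"]]
        q.append((ts, e["app"]))
        while q and ts - q[0][0] > window:  # drop denials older than the window
            q.popleft()
        apps = {app for _, app in q}
        if len(apps) >= min_apps and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append((e["user"], e["ts"], sorted(apps)))
    return alerts

if __name__ == "__main__":
    for alert in flag_denial_sweeps(SAMPLE_LOG.splitlines()):
        print(alert)
```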

Operational Considerations:

  • Regular Policy Review: As business environments and user requirements constantly change, ZTNA, SWG, and CASB policies must be regularly reviewed and updated.
  • User Training: User education on new security models is essential. Especially in a ZTNA environment, device security status is crucial, so users should be guided to adhere to basic security protocols.
  • Threat Intelligence Updates: Continuously updating threat intelligence feeds is also important to reflect the latest threat trends.
  • Incident Response Scenarios: Incident response scenarios must be established and practiced in advance to ensure rapid response in case of service disruption or security incidents. Utilizing Seekurity SOAR allows for the automation of initial responses based on playbooks—such as isolation, blocking, and patch recommendations—upon threat detection, thereby reducing manual effort and shortening response times.

Conclusion: The Choice for Your Organization's Future

So far, we have thoroughly examined SASE and SSE, from their concepts and architecture to their core mechanisms, and practical implementation and operational strategies. Ultimately, SASE aims for 'complete integration' of network and security, while SSE can be described as a model that focuses on 'specialized security functions'.

Which model to choose depends heavily on your organization's current situation, future strategy, budget, and existing infrastructure. If you are simultaneously pursuing modernization and security integration across your entire network infrastructure, SASE will be a more robust choice. However, if you already have well-established network infrastructure like SD-WAN and primarily want to enhance security capabilities, you can quickly do so through SSE.

The important thing is that no matter which choice you make, a cloud-based, integrated security approach is no longer an option but a necessity. Attackers always target the weakest link. To safely protect your organization's assets and ensure business continuity, we must not let our guard down regarding modern security models like SASE or SSE. SeekersLab's integrated security solutions—FRIIM CNAPP/CSPM, KYRA AI Sandbox, and Seekurity SIEM/SOAR—can be reliable partners on your SASE/SSE journey. Based on the information provided today, we encourage you to consider the most suitable security strategy for your organization.
