Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

The Secure Service Edge (SSE) is Broken: Here’s the Fix

service mesh
(Source: Pixabay)

Digital transformation is accelerating faster than ever before challenging the status quo of rigid IT practices and the underlying infrastructure. Today, applications are shifting to the cloud, accessed by mobile phone and other connected devices. Complicating matters, “hybrid” workforces are increasingly distributed across a mix of home, office, and mobile locations. This is forcing enterprise companies to evaluate solutions that can atone for cloud application performance, pervasive security, network connection, and ease of use. But one of the growing problems we’re seeing is that IT departments are under-staffed and under-skilled, using limited bandwidth just to “keep the lights on” versus fully enabling digital transformation.

At the same time, the security landscape is changing rapidly with the introduction of new attack surfaces. Users and applications are no longer in the confined perimeters, devices or fixed locations, which is causing perennial security problems with regards to access control, availability, compliance, authorization, fraud mitigation, and visibility/observability.

Hybrid workplace employees expect a seamless experience that embraces flexibility without compromising quality of connection or application performance. And because applications are anywhere and users are anywhere, we need to see a paradigm shift where security is everywhere and wherever it’s needed.

The problems with Secure Service Edge (SSE)

The main problem with SSE, which separates the network component from secure access service edge (SASE), is that it defeats the core premise of the integrated application-centric approach to serve applications anywhere from users anywhere.

As it stands, SSE completely ignores/underestimates the complexity of traffic aggregation and management from multiple sources such as branch offices and remote/mobile users. While we have solved connectivity problems to a very large extent, as the traffic patterns change for users anywhere to apps anywhere, there is an exacerbated problem of bad user experience due to packet loss impacting most commonly used video and voice-based applications. The biggest challenge here is the rapidly changing WAN/5G accessibility which does not guarantee application (and network) performance and availability. 

SSE also does not solve the practical security services insertion decisions that a customer needs to architect the network for. A holistic approach to security requires multiple security enforcement points between users and the application. For example, an egress firewall handles user and application access control, and then the certain types of traffic, such as http/https, are then forwarded to secure web gateways with another for domain name system (DNS)/email and so on. Then comes content filtering for data loss prevention (DLP), which needs to be done for all traffic and not just specific protocols. This decision making and network architecture with fragmented solutions along with lack of skilled resources puts a tremendous burden that often leads to misconfiguration and exposures.

What’s more, SSE does not account for unique needs of application security for software-as-a-service (SAAS) vs. infrastructure-as-a-service (IaaS) or the public cloud. For example, when the traffic goes to SaaS applications, a cloud access security broker (CASB) is relevant but when the user is accessing IaaS or a public cloud, the biggest challenge customers have is compliance and data protection. The million-dollar question is how do you protect the workloads in a public cloud or IaaS if you don’t even know about their existence? Even if you know of the existence, how do you do traffic redirection via SSE and ensure acceptable performance and a good user experience? For instance, workloads in Amazon US-West will be very slow for users coming from EMEA or APAC unless you “replicate” same regionally inside each Amazon availability zone. This essentially doubles or triples the public cloud cost.

The reality is that SSE stretches the fixed location based, network-centric approach of point security solutions to now move the finite capabilities of their box into edge/cloud. It is not the modern application first-centric thinking and hence it’s really DOA.

SSE further fragments the accountability of ensuring security posture because any traffic that can directly go to the IaaS/public cloud OR on the intranet is a cesspool of attack traffic that does not even traverse the SSE. With these two attack surfaces wide open, what good is the security for a portion of traffic alone?

The fix

Integrated networking and security with end-to-end (user to application) visibility and control is what is needed.

Enterprises in the past were conditioned to think in a very network-centric way that assumes a rigid and static, location-based approach with applications and workloads protected inside the confines of their own data center while users were typically in the offices. 

With applications anywhere and users anywhere, the constructs of network-centric thinking of perimeter security has become irrelevant. More and more customers are transitioning from, “How do I solve WAN connectivity?” to asking, “How do I deliver applications securely with best user experience?”

As customers embark on this journey from being network-centric to application-centric, they need fast and agile network provisioning to meet the speed of business while ensuring security and compliance. Ultimately, what customers seek is end-to-end observability of the entire user experience accessing the business applications.

Following the customer journey of digital transformation absolutely requires integrated networking, security and observability.

SASE was a promise to fulfill that vision by integrating SD-WAN and security. However, it fell short due to the technology dependencies across the organization’s boundaries from practical implementation, management to end-to-end operationalizing of workflows. For instance, when the connectivity is provisioned by the networking team, does the security team have all necessary controls and audits for compliance? Does the application owner have a sign off from the networking team to confirm the availability as well as the security team? These answers are impossible to get from fragmented technological approaches.

One way to practically solve for the technology fragmentation problem and operationalizing across different organizations is to:

  • Ensure security enforcement closest to the secured asset, aka the distributed data plane. In the case of user-generated traffic for outbound, this could be at the branch customer premise equipment (CPE) or as a client on the remote user laptop. For application inbound traffic, this would mean closer to the datacenter (DC) or x-cloud boundary.
  • Ensure consistent security policies across all the enforcement points, aka the unified control plane. This is particularly important when it involves handling encrypted traffic and sensitive data analysis within to avoid multiple hops and encrypt/decrypt.
  • Ensure role-based access controls and accountability, aka observability. Provide relevant data, alerts, and access mechanisms for different teams in the organization to perform their roles for smooth operations and hand offs between the teams.  

When evaluating solutions for the best application performance and security, think about the “life of a packet” all the way from the user to the application. Minimize handoffs across multiple vendor solutions and reduce misconfigurations due to those from last mile, middle mile to the far mile. In the current state of technology, a tightly integrated dual-vendor SASE solution may be a better fit for many enterprises. Make sure the solution you’re evaluating stitches the data plane between networking and security controls with security where needed. Make sure it supports fully automated onboarding of new sites, users, locations with preconfigured security. And finally, if evaluating a fully managed service, make sure that it supports visibility of ALL sites, CPEs and traffic patterns across all your networks.

Renuka Nadkarni is Chief Product Officer at Aryaka.

Related articles: