If you’re involved in network security or thinking about taking on a network modernization initiative, you’ve likely heard some new terms from IT industry analysts and vendors in the last few years. Secure Access Service Edge (SASE) and Security Service Edge (SSE) were both introduced by Gartner®. SASE focuses on joining networking and security, while SSE converges only security functions into a single cloud service.
But do you really need one of these solutions? What could it do for you? What are the risks and consequences of not having one? In this blog post, we’ll take a quick look at the differences between SASE and SSE and then offer four key questions to consider as you’re contemplating what SASE and SSE might mean for your organization.
No matter what cloud networking and security solution you choose, you need to be intentional about charting your path. If you’re not deliberate about familiarizing yourself with the range of options out there, you might find yourself saddled with superfluous costs or disappointed by a solution that doesn’t fulfill its promise.
You have lots of choices on how to address cloud networking and security. You can adopt packaged SASE and SSE solutions or purposefully design a solution with building blocks that fit the precise needs of your organization. But you need to do the upfront work to understand your options and their implications for your organization’s future.
What’s the difference between SASE and SSE?
Before we dive into the most important questions to think about as you plan your next steps, let’s look at the differences and similarities between SASE and SSE.
SASE—a term coined by Gartner[i]—delivers converged network and security as a service capabilities, including SD-WAN, SWG, CASB, NGFW and zero trust network access (ZTNA). SASE supports branch office, remote worker and on-premises secure access use cases. SASE is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.
In case you’re not familiar with all the abbreviations, SD-WAN is software-defined wide area network, SWG stands for secure web gateway, CASB is cloud access security broker and NGFW stands for next-generation firewall.
SSE—also coined by Gartner[ii]—secures access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring and acceptable-use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components.
As you can see, SASE is broader since it incorporates networking and security services, while SSE is more narrowly focused on security.
4 essential questions as you consider your SASE and SSE options
We can’t emphasize enough the importance of thinking through IT buying decisions carefully. The choices you make—not only around networking and security but also around where you put your infrastructure—will help decide the future of your business, for better or worse. As you start to weigh your options, you should think about both technical and business priorities.
Do you want to take on networking and security transformation together or focus on just one area for now? Likewise, what have you already invested in? Does your organization already have SD-WAN? Are you ready to optimize and extend your SD-WAN or find ways to get more value from it? Or do you want to change your course?
Here are some important considerations to think through so you can be intentional and clear as you move forward with either SASE or SSE:
1. What are the costs, now and in the future?
No matter which converged cloud security solution you choose, you’ll have costs, direct or indirect. But where does SASE or SSE hit your budget? What will the upfront, ongoing and long-term costs be? Are you spending your money on cloud egress fees or putting yourself into a vendor lock-in situation? Are you making a long-term commitment through hardware investments or moving to an OPEX-based as-a-service model? In addition, you have to think about staffing. Do you have the expertise in-house or is this a case where you need additional talent?
These cost considerations are where your FinOps team can provide insight and governance. When cloud-enabled networks shift away from circuits toward internet transport, they become subject to the most expensive method of public cloud consumption—and it can start faster than you realize. Many organizations begin migrating services and workloads to public cloud providers via internet connectivity and suddenly realize that the costs for data egress have exceeded their forecasts. Device sprawl is another area for exponential spend increases. Having edge devices located with public cloud providers can resemble development, test and production instances, sometimes for just a single application. Scale this across multiple applications, multiple regions and multiple cloud providers—and you end up with a sprawl of instances. Understanding your options for a cloud-optimized architecture is critical as you think about your choices for SASE and SSE.
2. When would I feel comfortable getting started?
Both SASE and SSE are relatively new on the market, and it can take time for solutions to mature. Do you tend to be an early adopter, or would you rather wait for others to go first? This question probably speaks to your company’s risk tolerance and inclination to be the first off the starting line. Since SASE has been around longer and uses well-established components like SD-WAN, it may include fewer unknowns.
3. How customizable is a given SASE or SSE solution, and should I do it myself or have it managed?
Some vendors now provide packaged SASE and SSE solutions, so one option is to deploy a new out-of-the-box offering. However, you might pay a premium and be among the first to try the solution. Alternatively, you may prefer a more customizable solution that keeps your options open for the future. The last several years have shown how important flexibility and agility are in IT.
Relatedly, to what extent are you willing to put together SASE or SSE components yourself using a DIY approach as opposed to having someone manage it for you?
4. How will the choice I make now impact my organization’s future?
We recommend thinking of an IT investment as a commitment to go on a journey. Once you start down the path of SASE or SSE, it may not be easy to change direction anytime soon. For example, if you only have internet-enabled locations, will this meet the requirements of your organization? If you’re certain that your locations are sufficient with internet connectivity, and egress fees are not of concern, SSE might be a good fit. If you want to have flexibility to accommodate latency-sensitive traffic or can’t rely on the internet as your transit network, then SASE would seem appropriate.
Whatever you invest in will likely be part of your IT landscape for a long time, so it’s important to think about the long-term impact of today’s decisions. Are the services available in all the markets you’re interested in today? What about future expansions? Is the approach “portable” enough to mix different deployment options based on scale, timelines or your own local capabilities? Is the direction you’re taking in line with your organization’s broader goals when it comes to assets, sustainability and organizational changes?
Giving yourself optimal flexibility and choice
We know you have a lot to think about regarding how to design your infrastructure for digital transformation. Equinix is a place where you can gather the building blocks for SASE or SSE and design a custom solution that’s the right fit for your organization. If flexibility and choice are a high priority—now and for the future—Equinix can maximize your options through private access to components of SASE and SSE. And we make it as easy on you as possible with on-demand digital infrastructure and easy access to industry-leading vendors.
At Equinix, we offer a VNF automation environment—Network Edge—that allows you to deploy networking and security services flexibly and easily. We also have a rich ecosystem of industry-leading cloud and network service providers, as well as security services vendors—all on a vendor-neutral platform, giving you the ultimate in possible choices for your future.
In fact, services like Network Edge, Equinix Fabric® software-defined interconnection services and Equinix Metal® Bare Metal as a Service (BMaaS) have been shown to deliver tangible cost benefits as well as flexibility. Data from the Total Economic Impact (TEI) study by Forrester Consulting, commissioned by Equinix—based on a composite organization comprised of interviewees with experience using Equinix Digital Services—shows that digital infrastructure and interconnection services on Platform Equinix® delivered a 142% ROI. The composite organization in the TEI study reduced internally managed infrastructure costs by 60% and decreased the cost of connections by 30% over a three-year period, while also increasing productivity and cutting operational downtime.
As organizations transition from a traditional, centralized network to a distributed one, they’re often looking to identify next steps. If you’re in this position, SASE and SSE could come into play for you. If you’re considering one of these converged cloud security solutions, think carefully about the pros and cons, and the implications for the future of your business. And let us know if you want to learn more about how Equinix can help.
Read the Forrester TEI study to learn more about the benefits realized from using Equinix Digital Services.
[ii] Gartner IT Glossary, Security Service Edge (SSE).
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.