SSE: Security Service Edge

What is Security Service Edge?

In 2021, Gartner introduced a new category, the Security Service Edge (SSE), to describe the convergence of certain network security functions in the cloud. SSE converged SWG, CASB/DLP, and ZTNA, into a single cloud service. SSE is a subset of the security layer of SASE that can be deployed as a standalone capability or as a step in a full SASE transformation journey.

Security Service Edge provides secure access to internet- and cloud-based applications without directly addressing global application access optimization and east-west WAN traffic security. Extended visibility and control to all traffic is a key feature in competing SSE architectures.

Check Out Cato SSE 360

Security Service Edge (SSE)

What is Driving Adoption of SSE?

Legacy networks built around physical datacenters

The move to the cloud forces a re-architecture of networking and security to support users access to internal applications in physical and cloud datacenters, and public cloud applications, anytime and anywhere.

Backhauled Internet traffic slows secure cloud access

As the volume of Internet and cloud-bound traffic increases, it doesn’t make sense to send all traffic through the datacenter firewalls. Direct secure internet access must be enabled at every location and down to every remote user to enforce full visibility and control in a way that doesn’t impact the user experience.

Enterprise IT Goes Hybrid

With the shift to a hybrid work model, enterprise IT security must also adapt. Work from anywhere requires a platform with the agility and scalability to ensure full security and policy enforcement across all edges (users, locations, applications, application, clouds), wherever they are located.

Legacy Security Appliances Can’t Scale

Legacy security appliances are incompatible with today’s enterprise requirements: they’re location-bound, require constant maintenance, and cannot scale with increased load. Supporting a hybrid workforce requires a flexible, and scalable security architecture that can secure the entire workforce at any location: in the office, at home, or on the road.

Disjointed solutions introduce complex management

Point solutions increase the manual work IT needs to perform in patching and upgrading, and the potential for errors and oversights. As-a-service delivery model can eliminate the need to update security infrastructure and maintain security posture.

What are the Benefits of Security Service Edge?

Consistent Policy Enforcement

SSE establishes a global fabric that connects all edges into a common security platform. All traffic between any two edges is inspected, and corporate policies are enforced for threat prevention and data protection.

Reduced Attack Surface

SSE implements zero trust access, ensuring users only have access to authorized applications via least privilege access. Application traffic is continuously monitored for anomalies, threats, attacks, and sensitive data loss.

High-performance Security Inspection

SSE is a cloud-native solution, delivered through a global backbone of PoPs. Security Service Edge seamlessly inspects all traffic, scales vertically and horizontally with traffic growth and minimize latency with each PoP residing within 25 ms of every user and location.

Improved Security Posture

SSE offloads IT of the burden of manually deploying mitigations for emerging threats. The expertise of the Security Service Edge provider’s SOC ensures that end-users are always protected, and the enterprise attack surface is minimized.

Reduced IT Workload

The SSE provider continuously enhances all cloud-delivered capabilities as part of a self-maintaining service. This reduces IT workload and shifts focus to business-critical activities, rather than having to focus on “keeping the lights on.”

Introducing Cato SSE 360: Total Visibility and Control for All WAN, Cloud and Internet

Cato SSE 360 goes beyond the convergence scope of SSE to provide total visibility, optimization, and security for all traffic, users, devices, and applications everywhere.

Most traditional Security Service Edge solutions provide secure access to the internet and cloud applications, as well selected internal applications. But enterprises need to optimize and secure all traffic, to all WAN, cloud and internet applications and resources, and across all ports and protocols. This requires additional point solutions like firewalls and global backbones to fill these security gaps.
And, when combined with Cato Edge SD-WAN, Cato SSE 360 offers a clear path to SASE convergence.

“Security at the core of the infrastructure helps us meet our audit and business requirements and maintain standards without having to maintain and manage a lot of security appliances.”

“We can gather information about circuit quality at each branch and get security alerts for quick remediation of attacks or malware infection.”

Dave Oliver,
IT Manager, Grant and Stone

Challenge

Securing and Optimizing All Traffic Everywhere is Costly and Complex

Disjointed security point solutions overload resource-constrained IT teams, impacting security posture, and increasing overall risk due to configuration errors.

Traditional SSE convergence mitigates these challenges but offer limited visibility and control that only extends to the Internet, public cloud applications, and select internal applications. Thus, leaving WAN traffic uninspected and unoptimized.

And, Security Service Edge platform that isn’t part of single-vendor SASE can’t extend convergence to SD-WAN to complete the SASE transformation journey.

Disjointed security point solutions overload resource-constrained IT teams, impacting security posture, and increasing overall risk due to configuration errors.

Traditional SSE convergence mitigates these challenges but offer limited visibility and control that only extends to the Internet, public cloud applications, and select internal applications. Thus, leaving WAN traffic uninspected and unoptimized.

And, Security Service Edge platform that isn’t part of single-vendor SASE can’t extend convergence to SD-WAN to complete the SASE transformation journey.

Cato Solution

Cato SSE 360 Offers Total Visibility, Optimization, and Control over All Traffic Everywhere

Cato SSE 360 provides the only complete SSE platform with full visibility, optimization, and control over all enterprise traffic, including SaaS, web applications and WAN.

Cato SSE 360 provides a smooth and seamless transition to a full SASE deployment, by opting to converge all physical locations’ connectivity with Cato SD-WAN, if required.

Cato SSE 360 provides the only complete SSE platform with full visibility, optimization, and control over all enterprise traffic, including SaaS, web applications and WAN.

Cato SSE 360 provides a smooth and seamless transition to a full SASE deployment, by opting to converge all physical locations’ connectivity with Cato SD-WAN, if required.

SSE vs. Cato SSE 360

Traditional SSE Solutions

Traditional SSE Solutions

Cato SSE 360

Cato SSE 360

Visibility and Control

Traditional SSE Solutions

Limited Visibility And Control

Traditional SSE address point solutions fragmentation through convergence. But, by design they inspect only SaaS and web traffic and specific internal applications. This creates a blind spot in securing and optimizing east-west WAN traffic.

Cato SSE 360

Total Visibility, Optimization, and Control

Cato SSE 360 is built on the Cato Single Pass Cloud Engine architecture to provide total visibility, optimization, and control of all traffic (WAN, Internet, and Cloud) across all edges (users, locations, applications and clouds).

Global Access Optimization

Traditional SSE Solutions

No global optimization

Traditional SSE providers drop traffic at the PoP to the public Internet and lack an optimized global private backbone with global route optimization. This results in latency, packet loss and jitter, and an inconsistent user experience.

Cato SSE 360

Optimized Global Private Backbone

Cato SSE 360 optimizes global access to all applications, WAN, Internet, and cloud using a global private backbone with built-in traffic acceleration that overcomes the unpredictability of the public Internet.

From SSE to SASE

Traditional SSE Solutions

Dead-end Point Solution

Traditional SSE providers can’t expand to a full SASE, because they lack SD-WAN convergence. IT is left to cobble together its own SASE solution from complicated point solutions and appliances.

Cato SSE 360

Seamless Path to SASE

Cato is the only SSE solution that offers a seamless path to full SASE transformation, by expanding the deployment to include Cato Socket Edge SD-WAN devices.

Traditional SSE Solutions

Cato SSE 360

Visibility and Control

Limited Visibility And Control

Traditional SSE address point solutions fragmentation through convergence. But, by design they inspect only SaaS and web traffic and specific internal applications. This creates a blind spot in securing and optimizing east-west WAN traffic.

Total Visibility, Optimization, and Control

Cato SSE 360 is built on the Cato Single Pass Cloud Engine architecture to provide total visibility, optimization, and control of all traffic (WAN, Internet, and Cloud) across all edges (users, locations, applications and clouds).

Global Access Optimization

No global optimization

Traditional SSE providers drop traffic at the PoP to the public Internet and lack an optimized global private backbone with global route optimization. This results in latency, packet loss and jitter, and an inconsistent user experience.

Optimized Global Private Backbone

Cato SSE 360 optimizes global access to all applications, WAN, Internet, and cloud using a global private backbone with built-in traffic acceleration that overcomes the unpredictability of the public Internet.

From SSE to SASE

Dead-end Point Solution

Traditional SSE providers can’t expand to a full SASE, because they lack SD-WAN convergence. IT is left to cobble together its own SASE solution from complicated point solutions and appliances.

Seamless Path to SASE

Cato is the only SSE solution that offers a seamless path to full SASE transformation, by expanding the deployment to include Cato Socket Edge SD-WAN devices.

How Does Cato SSE 360 Work?

Total Visibility, Optimization, and Control for All Traffic

SSE 360 sees traffic from all edges, across all ports and protocols, and in all directions: WAN, Internet, and Cloud. SSE 360 uniformly applies all security inspections and optimizations to all traffic across users, devices, applications, and locations.

High-Performance Security, Everywhere

SSE 360 is deployed across 75+ cloud PoPs (Points of Presence), that are built for multi-gig traffic processing, to ensure low latency (<25ms from every user and locations) and high performance over the “middle-mile” to both cloud and WAN destinations.

Converged Management Console

All SSE 360 policies, events and analytics are accessed through a single pane of glass and allow for granular policy management. All events across users, threats, data, and application access are available in a single, unified, analytics dashboard.

Future-proof, Resilient SSE Service

A converged, single-pass architecture easily allows for new security capabilities to be seamlessly added via the SSE 360 cloud service. The SSE 360 cloud is designed with high availability to ensure continued security inspection in case of a PoP or network failure.

Seamless Path to SASE

Cato SSE 360 offers a seamless path to full Cato SASE deployment by expanding the deployment to converged Cato’s SD-WAN and WAN optimization further streamlining customer’s IT infrastructure.

What Are the Components of Cato SSE 360?

Cloud-native Security Service Edge

Cato’s Single-Pass Cloud Engine (SPACE) is the foundation of Cato’s global, converged, cloud-native service that delivers multi-gig packet processing and real time policy enforcement. Current SPACE capabilities powering Cato SSE 360 include: SWG, ZTNA, CASB/DLP, RBI, FWaaS and Advanced Threat Prevention (IPS, Next Generation Anti-Malware.)

Cato Global Private Backbone

Cato’s global, geographically distributed, SLA-backed network of 75+ PoPs interconnects multiple, Tier 1 carriers. Each PoP runs the full set of SSE capabilities across multiple compute nodes and SPACEs to ensure minimal latency, deliver global routing optimization, and fully automated self-healing service.

Cato ZTNA/SDP Clients for Users

Users connect via lightweight clients to Cato. They can optimally and securely access the internet, internal applications, on-premises and in cloud datacenters, and global public cloud apps. Clientless access through an application portal is available for 3rd parties.

IPsec-enabled Devices and Cato Socket SD-WAN for Locations

Physical and cloud locations connect with an IPsec enabled third-party devices or Cato Socket SD-WAN edges. Customers can opt to use current firewalls or SD-WAN edges that reside on their networks and benefit from Cato’s deep security capabilities. The Cato Sockets provide last mile resiliency and QoS and overcome blackouts and brownouts with application-based dynamic path selection and packet loss mitigation.

Comprehensive Management Application

Our comprehensive management application provides clear security and network analytics, with full, granular policy configuration. Managed services include site deployment, intelligent last-mile monitoring, network configuration, security policy change, and Managed XDR.

  • What is Security Service Edge (SSE)?

    In 2021, Gartner introduced the Security Service Edge (SSE). SSE converges secure application access functions including SWG, ZTNA and CASB/DLP, into a single cloud service. SSE enables enterprises to move away from rigid, disjointed IT architecture to a converged security platform delivered as a cloud-native service. With SSE, enterprise IT can rapidly address new business and security requirements such as cloud migration, adoption of public cloud applications, and work from anywhere. SSE’s converged architecture reduces cost and complexity with simple management through a single pane of glass, self-healing infrastructure, and automatically evolving defenses that seamlessly mitigate emerging threats.

  • What is the difference between security point solutions and SSE?

    Traditionally, enterprise IT built a security stack featuring multiple point solutions and legacy appliances. Enterprises are increasingly slow to adapt to ever-changing business and technical requirements and the evolving threat landscape. This is compounded by scarcity of cybersecurity skills, limited resources and budgets, and the high cost of outsourced support.

  • Why is Security Service Edge important?

    SSE is a first step in achieving security-driven transformation, by converging secure, consistent access to all applications for all users. SSE, that is part of a single vendor SASE platform, keeps the path open for a full SASE transformation at a later stage, with converged SD-WAN and WAN optimization. The deeper the IT convergence, the more an enterprise enjoys the benefits of increased visibility, lower cost, greater operations savings and added business agility.

  • What is the relationship between SSE and SASE?

    Two years after introducing SASE (Secure Access Service Edge), Gartner introduced SSE (Security Service Edge.) SASE converges SD-WAN and cloud-native security (FWaaS, CASB, SWG and ZTNA,) into a single cloud service. SSE defines a more limited scope of converged network security functions, consisting of SWG, CASB / DLP and ZTNA. SSE is focused on providing secure access to applications, without addressing end-to-end optimized network connectivity and east-west WAN security.

  • What is the difference between traditional SSE providers and Cato SSE 360?

    Traditional SSE solutions are based on a web proxy architecture that supports access to web sites and SaaS applications. To enable ZTNA for all applications, transitional SSE vendors had to introduce yet another architecture of application connectors. Even with that extension traffic generated by enterprise edges like IoT, app-to-app traffic, and most WAN traffic remain outside the scope of SSE.
    Cato SSE 360 is built on the Cato Single Pass Cloud Engine architecture to provide total visibility, optimization, and control of all traffic (WAN, Internet, and Cloud) and across all edges (users, locations, applications, and clouds). Cato SSE 360 optimizes global access using a global private backbone with built-in traffic acceleration that outperforms the unpredictable public Interent. Lastly, Cato offers a seamless path to full SASE transformation by expanding the deployment to include Cato Socket Edge SD-WAN devices.