What Higher Ed Institutions Should Know About Security Service Edge

Fallacy: SSE and SASE Are Different Names for the Same Thing

It’s easy to see why people might confuse SSE and secure access service edge, or SASE. Both terms were coined by Gartner in just the past few years, and they’re closely related but definitely not synonymous. The easiest way to distinguish them is to remember that the A in SASE stands for access, and that refers to SASE’s network access capabilities, like SD-WAN. SSE is essentially a scaled-down version of SASE that doesn’t include network access.

SSE is a subset of SASE; SSE is focused on security while SASE focuses on both security and network access. SASE offers security benefits that SSE doesn’t because SASE provides a more complete picture of what’s going on.

Fact: SSE Is a Relatively New and Evolving Technology

The concept of SSE was first proposed in 2021. While the components of SSE aren’t new, unifying the particular combination of components that make up SSE is new and is still evolving. There isn’t universal agreement yet as to all the capabilities of the technology, but the fundamental pieces are generally recognized as:

• Zero-trust network architecture, which provides stringent access control
• Secure web gateway, which performs content inspection and filtering for browser-based activity
• Cloud access security brokers, which offer several security functions for Software as a Service applications.

Some consider Firewall as a Service to be a part of SSE, and others include additional security functions. At this time, different SSE solutions may have significantly different capabilities.

Fact: SSE Provides Big Benefits Over Traditional Network Security

The adoption of mobile, cloud, IoT and other technologies as well as today’s increasingly distributed working environments have made traditional network security largely ineffective. Its primary benefit today is in protecting on-premises servers and equipment. For just about everything else, SSE can provide stronger security because it can monitor and analyze network activity regardless of where the users, devices, data and applications are. This enables SSE to find threats against many, if not most, of your university’s systems.

Click the banner below for insight into this year's biggest technology trends.

Without an SSE solution (or any parts of SSE), you’re missing a lot of the security landscape. Unfortunately, that’s likely to get worse as your university increases its use of mobile, cloud, IoT and other such technologies. If you don’t have SSE in place, you’ll continue to lose control and visibility over your university’s security posture.

Fallacy: SSE Is the Only Security Solution You Need

While SSE is quickly becoming indispensable, it’s not the only security solution your university needs. For example, SSE doesn’t provide many security controls for individual devices, other than some zero-trust capabilities. You still need anti-virus services, encryption for stored data, patch and configuration management, and so on. To watch for signs of trouble and investigate incidents that occur, you will also need technologies like centralized log management; security information and event management; and security orchestration, automation and response.

And don’t forget that your users still need training, with frequent refreshers, on how to avoid social engineering attacks. Phishing is endemic, and technology can only do so much to prevent it. Educating your students, faculty and staff about social engineering and how to recognize and respond to it is a good start; conducting periodic phishing exercises is even better.

LEARN: How security maturity assessments can protect against cybercriminals.

Fact: It’s Important to Evaluate Both SSE Solutions and Providers

When you’re considering SSE for your university, be sure to evaluate both the solution — the technologies — and the provider responsible for operating and maintaining those technologies.

In evaluating providers, look for a mature company that’s been doing cloud-based security solutions for at least several years. Ask the company about its software development practices and its supply chain safeguards, because attacks are increasingly entering environments from compromised vendor software.

For evaluating the SSE solution itself, there are at least three major considerations.

The first is the quality of each component of the SSE in terms of performance, accuracy (such as false positives and false negatives) and usability.

The second is how tightly integrated all of the SSE components are. Having a piecemeal collection of tools loosely thrown together behind an interface, with no deep integration and data sharing among the tools, will dilute many of SSE’s promised benefits.

Finally, many SSE adopters are choosing to implement SSE as a step — a big step — in implementing a full-fledged SASE solution. If you think your university might want to transition to SASE in the coming years, make sure to look at the SASE products offered by SSE vendors and the migration path you’d take to move from SSE to SASE with their solutions.

UP NEXT: Use workforce training to maximize ROI on cybersecurity tools.