SSE or SASE for service providers?

The concept of SASE (Secure Access Service Edge) appeared a few years ago, and the idea of consuming network and security services from the cloud has since spread across the market. According to Gartner, at least 40% of businesses will adopt the SASE model by 2024. It’s no surprise, then, that Internet Service Providers (ISPs) have been thinking about how to offer a variety of SASE services.

Today, companies are increasingly adopting Security Service Edge (SSE), which represents the set of security tools within a SASE architecture. ISP product management teams are therefore considering the implications of SSE for their business. Is this threatening new competition from cloud service providers? Or is it an opportunity to launch a new service in the market?

SSE is half of the SASE framework. It is the brain that integrates a specific set of security services. The other half is WAN Edge services: SD-WAN, application optimization, connectivity and everything else on the network side.

ISPs are good for SASE

If an ISP offers a managed SASE, it must have SSE functionality. However, Gartner states that a future-proof SASE strategy enabled by SSE should exhibit the following properties: consistent policy enforcement regardless of location, a consolidated policy control plane, and visibility and control of sensitive data. Therefore, if a vendor already offers a managed SASE service, it should verify that its capabilities meet these criteria and then ensure that the service goes beyond simply offering specific products and meets the latest requirements.

ISPs are ideally placed to bring the SASE framework to life by providing a comprehensive service. Instead of offering a variety of different solutions tailored to specific use cases, they can use their extensive network and expertise in serving large markets to launch a cohesive service that fits the spirit of SASE; that is, connect every user to every cloud service and ensure data protection.

Integration of SSE functionalities into SASE

In an effort to reduce time to market, ISPs may consider positioning their existing WAN Edge services features as SSE. The current SD-WAN offering is probably equipped with some security elements, such as a (next-generation) firewall or a Unified Threat Management (UTM) system, but these alone do not qualify as SSE.

SSE goes far beyond the functionality of traditional firewalls, providing more security controls for a wider range of use cases. The combination of CASB (Cloud Access Security Broker) and SWG (Secure Web Gateway) allows a single policy to control cloud and web traffic for every application and every user. Remote browser isolation and zero trust network access (ZTNA) are part of this policy, leveraging the context data collected by CASB and SWG. All these services are tightly integrated within SSE and revolve around the concept of data protection.

To effectively deploy an SSE service, it is essential to analyze the end-user expectations that will influence the decision-making process:

1/ One console, one policy set, one data lake for logs. The SSE concept was born from a market consolidation of SWG, CASB and ZTNA components. The last thing users want is to manage multiple products across multiple consoles and APIs. Additionally, service providers seek to avoid operations that duplicate the same policies across multiple vehicles, increasing internal operational costs.

2/ Cloud activity visibility that is easy to understand. Customers appreciate intuitive dashboards that help them better understand areas of risk and where to focus. What applications are used? Do employees share company data using personal SaaS instances (such as Gmail or Office365)? Where is the sensitive data? Are there signs of risky behavior among users? By managing to answer these questions, it is possible to demonstrate the ability to provide very complex functions in a user-friendly way.

3/ No performance impact when all security controls are enabled. When using security services from a cloud service provider, businesses expect consistent performance, wherever they are. To deliver this, an Internet service provider must determine from which points of presence (PoPs) the security services will be provided and how the location of the PoPs affects the addressable market. At the same time, within each PoP, performance should not depend on the type of security controls that are enabled. “Single-pass” architectures should be preferred over “service chains”, where user traffic passes through a stack of multiple security functions in a serial process.

4/ Costs. To stay competitive, an Internet service provider must find the right price for its service and control its internal costs. Perhaps the most important decision is whether to build the infrastructure needed to provide SSE services or to partner with an existing cloud security provider. While building your own SSE capabilities often makes sense in the long run, it’s important to consider the unknowns that can drive up costs. Network function licensing costs are generally underestimated, as are those associated with developing network functions virtualization orchestration, not to mention potential scalability limitations and performance volatility that also cause costs to fluctuate.

SSE as a component of SASE is not a threat but an opportunity for Internet Service Providers. As organizations embark on their network and security transformation, they need a proven and mature vendor that can help and support them. In this quest, ISPs are ideally positioned to provide a high-quality SASE service.

By Julien Fournier, NW in Southern Europe at Netskope
