Defense in Depth for Cloud services Access and how SASE, SSE and Cloud Services intertwine.
One of the biggest challenges in Security is architecting Defense in Depth properly. Add Cloud to the mix and you have a recipe for failure if you don’t use the right tools.
This is where frameworks come to help. And any discussion and resources that help us improve Security strategies to Cloud services, are gold IMO!
This is what SASE (and SSE, to a degree as we’ll see) help us achieve.
./challenge
The challenge here is securing access to Cloud, but what Cloud? All models, but I want to focus on the one you cannot control, SaaS.
There are a number of technologies that can be placed between users and these services.
./definitions
Just to cover our bases, let’s remember what’s SASE and SSE.
First off let me start by defining each of them, and then we can dive into where they intertwine.
Secure Access Services Edge
This is a framework and term defined by Gartner, so essentially a buzzword 😅, it represents technologies that secure users, systems and endpoints located anywhere, to cloud, instead of to Data Centers.
SASE gained industry notoriety back in 2019 when vendors started realizing what to do with their SD-WAN solutions: It’s your road to SASE, they all claimed.
According to a SASE provider:
The secure access service edge (SASE), pronounced like “sassy”) is a framework identified by Gartner as a means to securely connect entities such as users, systems, and endpoint devices to applications and services that may be located anywhere. Crucially, SASE is not one technology. In its 2019 report “The Future of Network Security is in the Cloud,” Gartner defined the SASE framework as a cloud-based cybersecurity solution that offers “comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises.”
Looking back at our diagram to SaaS, with SASE it looks someothing like this, bear in mind that there can be even more layers and services securing this access.
Security Services Edge
Yet another term coined by Gartner. It was first mentioned in a Gartner document mapping out a roadmap to SASE, so you can tell that SSE is a by-product or is somewhat connected to SASE framework.
In their own words:
Security service edge (SSE) secures access to the web, cloud services, and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components.
Palo Alto also explained this, in a slight different manner:
According to Gartner, SSE is a collection of integrated, cloud-centric security capabilities that facilitates safe access to websites, software-as-a-service (SaaS) applications and private applications. Specifically, SSE-related security capabilities include Zero Trust Network Access (ZTNA), cloud secure web gateway (SWG), cloud access security broker (CASB), and firewall-as-a-service (FWaaS) technologies.
SSE being then, a subset of SASE, without the Access component, it would look something like this in our diagram:
SASE vs SSE
There are a few differences betwheen them, essentially SSE focueses on the services part of Security to Cloud. Now, I do understand vendors can be biased in their own definitions, but this is Zscaler’s definition of SSE:
SSE can be considered a subset of the secure access service edge (SASE) framework with its architecture squarely focused on security services. The secure service edge comprises three core services:
Secure access to the internet and web by way of a secure web gateway (SWG)
Secure access to SaaS and cloud apps via a cloud access security broker (CASB)
Secure remote access to private apps through zero trust network access (ZTNA)
./cloudServices?
What Cloud services can be protected by these frameworks? Well, they are fit for any Cloud model: IaaS, Paas or SaaS services.
Whilst controls such as CASB, and SWG are especially concerned with SaaS or Internet traffic inspection. And this is really relevant to user access to cloud.
SD-WAN services also benefit user experience to cloud services, and not the infrastructure itself, although, of course the infra can benefit from WAN optimization and SaaS accelerated content.
Notice how some contols mentioned by SASE such as ZTNA, for example, are extremely relevant to any cloud model, including IaaS and PaaS, on top of SaaS, of course. However, SASE leaves out some noticeable IaaS and PaaS — these platforms require other set of controls, as I’ve discussed before. Additional controls to IaaS and PaaS are CSPM, Information Management, Archiving, CWPP and possibly others too.
Microsoft, a heavy hitter when it comes to Cloud Security, has several controls for Information security, Compliance, Data classification, Labeling and more for SaaS — plus for IaaS and PaaS security their Workload protection and CSPM (Defender for Cloud) means they offer a wide and deep set of controls for these challenges.
./conclusions
SASE is an all-around framework for securing access to cloud services from ever since the access layer. SSE focuses on the services components of this security mechanims.
Both are frameworks that can guide enterprises adhere to an effective Defense in Depth strategy and to Cloud, especially to SaaS applications, IMO anyway.
They are not all that is required to secure your cloud workloads though, but part of a larger discussion to securing your environment. Let me know your thoughts/comments on the subject.
Follow me on twitter: Camillo (@iamcamillo) / Twitter
Learn more about my Cloud and Security Projects:
Web: www.cloudnsec.com
Listen: bit.ly/cloudnsecspotify
Watch: bit.ly/cloudnsecyoutube
Thank you for reading and leave your thoughts/comments!
./references
Scattered throughout the document.
