Buyer’s guide: Secure Access Service Edge (SASE) and Secure Service Edge (SSE)

The company focuses on mid-size enterprises and managed service providers.

Check Point’s Perimeter 81 unit: Perimeter 81’s SASE product, the Cybersecurity Experience Platform, was developed in-house and includes ZTNA, FWaaS, and SWG. Perimeter 81’s cloud-delivered ZTNA was recently recognized by Forrester as a Zero Trust leader. The analyst firm called it the best option for smaller enterprises that need a ZTNA service because they can sign up quickly and onboard dozens of applications in less than a month using its self-service portal.

Cloudflare: Cloudflare began as a content delivery network provider. Its Cloudflare One solution offers ZTNA, SWG, and FWaaS along with remote browser isolation, Domain Name Service (DNS) filtering, DDoS protection, and other threat and data protections using a single management interface.

Iboss: Iboss offers a containerized Zero Trust service that’s deployed in more than 100 PoPs globally. It provides SWG, CASB, ZTNA, FWaaS, remote browser isolation, antimalware, and antiphishing features. It doesn’t offer SD-WAN but says it integrates with all major SD-WAN solutions.

According to the company, its Zero Trust platform differs from that of other vendors because it covers both internet-facing and internal network edges with the same security edge, while other companies have different edges for internet and private connections, resulting in different levels of protection and visibility.

Gartner says Iboss SASE customers automatically receive a license for the ZTNA product, instead of having to pay separately for the Zero Trust feature.

Lookout: Gartner says Lookout appears less frequently on shortlists but has strong data security capabilities and a strong sales strategy for a relatively small vendor. Lookout’s SASE offering is called Lookout Security Platform, and the company partners with Broadcom VMware, HPE, and Versa for its SD-WAN.

The Lookout Security Platform has CASB, ZTNA, SWG, user and entity behavior analytics, DLP, and enterprise digital rights management. FWaaS is not offered.

Netskope: Netskope is considered a leader in Gartner’s Magic Quadrant for SSE and appears frequently on clients’ shortlists. Netskope’s SASE offering is called the Netskope Intelligent Security Service Edge.

Netskope Intelligent SSE offers security components including SWG, CASB, ZTNA, cloud security posture management (CSPM), FWaaS, DLP, and user and entity behavior analytics. SaaS security posture management and remote browser isolation were also introduced in the last year. Netskope doesn’t offer SD-WAN, but it says it can integrate with SD-WAN technologies.

Zscaler: Zscaler is a leader in Gartner’s Magic Quadrant for SSE and is frequently seen on shortlists. In 2022, it improved its CASB offering by introducing API integrations with more SaaS applications, integrating remote browser isolation, and improving data security features. Zscaler offers SWG, CASB, FWaaS, and ZTNA, and it has a global presence through more than 150 data centers. The company is missing the SD-WAN piece but offers it through partners including Silver Peak, Viptela, and VMware. According to Gartner, it has stronger partnerships with tighter integrations than other vendors.

What to ask before buying SSE and SASE

Because every enterprise is different, you need a clear grasp of your specific needs, capabilities, and resources before engaging prospective vendors and choosing specific solutions for SSE and SASE.

10 questions to ask prospective SSE vendors

  1. What is your SASE strategy? “SSE is but one side of the coin,” says Mauricio Sanchez, research director for networking, security, and SASE/SD-WAN at Dell’Oro Group. “The other side is networking, which, unfortunately, still tends to be overlooked too often. An SSE vendor should have a strategy for taking their customers on the complete SASE journey.”
  2. What integration points do you support into the larger third-party technology ecosystem? SSE is a small part of a larger technology landscape, so an SSE vendor should be able to show integrations with client security (EPP/EDR), identity and access management (IAM), and security management (SIEM/SOAR/XDR) tools, as well as integration with the cloud hyperscalers, says Sanchez.
  3. What is your track record for scalability, reliability, and performance? Sanchez points out that SSE vendors are responsible for keeping the network running smoothly, while processing encrypted traffic at scale for threat detection purposes, which he describes as “a computationally intensive process.” He adds, “I’ve heard horror stories of enterprises burned by SSE clouds that underperform and generate more headaches than they solve.”
  4. Does your global delivery network align with my business needs? Multinational companies need to make sure that the SSE vendor has points of presence that correspond to their locations. Be sure to ask where the PoPs are, what the roadmap is for adding more, what the plan is for covering gaps, and what the plan is for surviving an outage, says David Holmes, a senior analyst at Forrester.
  5. How many agents do I need to install on end user devices and what is the cost per device? Holmes recommends that prospective buyers pin vendors down on whether a single agent can handle virtual private networking (VPN), ZTNA, SWG, etc., or whether more than one agent is required. And in today’s bring-your-own-device (BYOD) world, with users connecting to the network on multiple devices, what operating systems and mobile devices are covered? Is there an extra charge per device, or is the service per user?
  6. What are your strengths and weaknesses? Ask the vendor for an honest assessment of which technology in the SSE smorgasbord is their strongest, and make sure that aligns with your requirements. If they say it’s SWG but your main driver is CASB, then Holmes says it might make sense to “continue your search.”
  7. What can you do with ZTNA? Holmes recommends that prospective buyers ask the vendor what ports and protocols they cover and how they handle VoIP/SIP and UDP protocols. Can they integrate with multiple identity providers concurrently? “Not all can,” says Holmes, “and this is an important management feature for larger organizations that want to give partners Zero Trust access to their applications.”
  8. What is the management setup? Winckless says organizations need to implement SSE in a way that is seamless for administrators to configure and monitor. Will I have fewer consoles? Or more?
  9. How easy is it to apply security policies? Organizations need to make sure that they retain the ability to apply the same rules across multiple channels, says Winckless.
  10. What is the customer experience? All that back-end technology is great, but organizations need to make sure that the SSE delivers a smooth and seamless user experience. The last thing you want, says Winckless, is to disrupt the way the company does business.

10 questions to ask prospective SASE vendors

  1. Does the vendor offer all the capabilities that are included in the definition of SASE? If not, where are the gaps? If the vendor does claim to offer all the features, what are the strengths and weaknesses? How does the maturity of the vendor offerings mesh or clash with your own strengths, weaknesses, and priorities?
  2. How well integrated are the multiple components that make up the SASE? Is the integration seamless?
  3. Assuming the vendor is still building out its SASE, what does the vendor roadmap look like? What is the vendor’s approach in terms of building capabilities internally or through acquisition? What is the vendor’s track record integrating past acquisitions? If building internally, what is the vendor’s track record of hitting its product release deadlines?
  4. Whose cloud is it anyway? Does the vendor have its own global cloud, or is it partnering with someone else? If so, how does that relationship work in terms of accountability, management, SLAs, and troubleshooting?
  5. Is there flexibility in terms of policy enforcement? In other words, can a consistent SASE security policy be applied across the entire global enterprise, and can that policy also be enforced locally depending on business policy and compliance requirements? Even if enforcement nodes are localized, is there a SASE management control plane that enables centralized administration? This administrative interface should allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application, or the data.
  6. How is sensitive data handled? What are the capabilities in terms of visibility, control and extra protection?
  7. Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting? Is policy enforced consistently for all the possible access scenarios — individual users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged?
  8. Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Because the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand.
  9. Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs.
  10. One of the key concepts of zero trust is that end-user behavior should be monitored throughout the session and actions taken to limit or deny access if the user engages in behavior that violates policy. Can the SASE enforce those types of actions in real time?
