Security Services Edge (SSE) is a powerful tool for securing application access, but it's no replacement for intrinsic network-layer security, Aruba CTO David Hughes told SDxCentral.
“What customers need is not just connectivity,” he said. “They want secure connectivity.”
This, he explains, can be broken down into two core problems. First, how do you secure access to applications spread across multiple clouds, data centers, and Software-as-a-Service applications? The second challenge is securing the growing number of IoT devices that can’t run an endpoint agent.
“Remember, for every user today, there are five IoT devices. And by 2025 there will be 10,” Hughes said.
In the past, firewalls were the anchor for secure access to corporate resources. But as enterprise apps moved to the cloud and organizations adopted SaaS apps en masse, alternatives have emerged. Two of the hottest are Gartner’s SSE and secure access service edge (SASE) product categories.
“What COVID has driven is the idea of cloud-delivered services the likes of Zscaler, Netskope and others,” Hughes said. “Gartner got really clear with SSE that SWG, Cloud Access Security Broker, and DLP are all coming together and becoming a cloud-delivered service rather than a firewall-delivered service.”
As a result, the firewall as an anchor is quickly becoming a thing of the past.
What About Everything Else?

However, SSE can only address half the network security challenge. What about all the devices out there that it's either impractical or impossible to run an SSE agent on, Hughes asks.
“IoT devices are a major point of vulnerability no matter what you do. If you’re deploying hundreds of IoT devices per location, [from] all the different vendors, eventually one of those devices is going to have a security vulnerability,” he said.
Aruba’s strategy addresses both of these demands by distributing security functionality across the entire networking stack.
“What you need is intrinsic security in the networking elements themselves,” Hughes said. “It needs to be everywhere. It needs to be in the access points. It needs to be in the switches. It needs to be in the web gateways.”
Using technologies like ClearPass or the company’s recently announced NetConductor, microsegmentation and security policies can be extended across the company's entire product stack. The ability to automatically segment user and IoT traffic helped Aruba score a massive Department of Defense contract to modernize the Pentagon’s campus network in early 2020.
“At Aruba we’ve been investing heavily in security in all our devices. So all our APs, all our switches, all our gateways have firewall and Intrusion Prevention System and IDS, layer-7 visibility, and with our NetConductor announcement, unified policy across all of that,” Hughes said.
Aruba Touts SASE Flexibility

While many SD-WAN vendors scramble to build or buy their way into the SASE space, Aruba maintains that its policy of partnering with leading SSE vendors is the superior option.
“There’s really no one-stop shop that gives you great cloud-delivered security in a comprehensive network portfolio,” Hughes said.
The company supports Netskope, Zscaler, Check Point, Palo Alto Networks, and Cloudflare for remote access.
SD-WAN remains a core piece of the puzzle as enterprises grapple with which traffic they can and can’t offload to an SSE point of presence (network PoP), Hughes adds. “A big part of what we do with our SD-WAN gateways is we let customers decide what traffic they treat which way, because for many it's not a matter of flipping a switch.”
In an ideal SASE architecture all traffic would traverse the SSE or SASE network PoP, but this isn’t always possible, let alone practical, as several SSE vendors are unable to support voice-over-IP or Office 365 traffic.
“There may be some other legacy applications that they want to bring back to the data center and send through their traditional security stack,” Hughes explained.