With so many buzzwords floating around the industry, there is a general state of confusion around acronyms like security services edge (SSE), Dell'Oro Group Research Director Mauricio Sanchez said at this week’s Security in the Cloud-First Era digital event hosted by SDxCentral in partnership with Dell'Oro.

Sanchez moderated the event's “Demystifying Security Service Edge” panel, where industry experts discussed the new set of technologies and solutions under the banner of SSE.

Matt De Vincentis, VP of marketing at Palo Alto Networks, kicked off the panel by defining SSE as the convergence of what were traditionally physical security hardware appliances into the cloud. He added that SSE consists of four elements: zero trust network access (ZTNA) – which he said is replacing legacy VPN – secure web gateways (SWG), cloud access security brokers (CASB), and Firewall-as-a-Service (FaaS).

In an ideal world, De Vincentis explained, SSE is a “massively scalable cloud services across the globe.”

Why SSE?

De Vincentis said SSE can add more capability, improve the performance and the agility of businesses, and reduce cost at the same time, calling the approach an “absolute no brainer.”

Netskope Digital and Information Officer Mike Anderson pointed out the industry has “been in an environment where mergers and acquisitions have been at an all time high,” which he said has led to tool redundancy for many organizations. “What you have is a lot of technical debt, you have a lot of complexity, and so there's a consolidation opportunity that people are looking at,” he said. 

Anderson said on the technical side of things, traditional networking security approaches won’t fly in today’s world of hybrid work. Before, applications ran in data centers and employees worked from one location, so many security controls and networking were built around that environment, he explained. 

Now, cloud has become so pervasive that it no longer makes sense for security stacks to only reside in data center environments.

Omri Guelfand, director of systems engineering at Cisco, said “protecting users both on and off the network is really key.” He added SSE functions – the security functions that run in the cloud – enable a consistent set of security policies regardless of whether users are on-prem or working remotely.

Guelfand noted as organizations start to secure endpoints, SSE should be looked at as a “fully distributed ability to enforce policies.” 

The notion of distributed enforcement, Guelfand explained, should be possible both at the endpoint and at the branch. 

But ultimately, certain functions “definitely need to be brought and consolidated in a cloud environment,” he said. “That really allows you to unlock a better experience, not only for the admins, but also for the end users.”

Does SSE + SD-WAN = SASE?

SSE is often talked about in tandem with secure access service edge (SASE), Gartner’s term for a unified infrastructure with converged networking and security.

De Vincentis said SASE can be defined as the convergence of SSE with SD-WAN delivered as scalable cloud services. “What you have is all of the connectivity and security that you need to essentially enable any user, on any device, from any location to be able to securely access any application that's hosted anywhere,” he said.

Guelfand went one step further to say that convergence is more than just running those security functions and SD-WAN together in the cloud, but on-prem devices or a physical edge can participate in SASE as well. 

He added that many of the security controls organizations have on-prem could be brought into a model in which there is centralized policy, centralized control, and centralized management, but with distributed enforcement that could be done in the cloud or on-prem.

“This is really, in my view, the true convergence of some of those functions. We've seen SSE convergence, security functions, we're now seeing SASE start to bring a lot of those elements and converge them together as well,” he said.