What is SASE, and How Does it Differ from SSE?
For remote and hybrid work-first companies, your network is where work gets done. But a growing number of devices and users spread across different locations pose a mounting security challenge for IT teams.
With an increasingly decentralized network and an expanding cloud footprint, hundreds of users to monitor, and thousands of access attempts every day, your attack surface balloons. If you don’t have the right solutions, you won’t have enough visibility into network performance and security, putting your company’s central nervous system at risk. The elegant answer to the complexity of cloud-based networking is secure access service edge, or SASE.
In this article, we’ll go beyond answering, “What is SASE?” and talk about its (less sassy, more secure) sibling, security service edge (SSE) to give you a better understanding of which solution is right for your organization.
What is SASE?
Secure access service edge (SASE) is a cloud-native networking architecture comprised of a software-defined wide area network (SD-WAN) and security functions including next-generation firewall (NGFW) and/or firewall as a service (FWaaS), secure web gateway (SWG), zero-trust network access (ZTNA), and cloud access security broker (CASB).
SASE makes it possible for users, and their devices and systems, to securely access apps and resources within your network, no matter where they are. It protects both physical and logical edges, enabling you to control who can access your cloud-based network and secure data even if it moves outside of your on-premises, physical perimeter.
SASE allows businesses to bring their networks into the cloud for faster, more reliable remote access while simultaneously levelling up their network security across an ever-expanding edge.
SD-WAN vs WAN
One of the main benefits of adopting SASE is the network upgrade that comes with migrating to SD-WAN from a traditional wide-area network (WAN).
WAN connects users at their workstations in the office to resources and apps hosted on servers which could be located in the branch office or back at the corporate data centre. WAN setups can use a variety of connectivity methods including virtual private LAN service (VPLS), ethernet virtual private line (EVPL), dedicated internet (DIA), broadband, or multiprotocol label switching (MPLS) circuits to facilitate long-range network connections. In many cases, WAN setups use virtual private networks (VPNs) to allow remote network access, but they’re neither reliable nor secure enough to handle the demands of today’s hybrid or fully-remote teams.
Rather than backhauling traffic to the data center, the SD-WAN component of SASE architecture automatically connects users to secure cloud gateways nearby. SD-WAN uses several transport options, including MPLS, LTE, and broadband, and selects the optimal paths for traffic, making connections more reliable. It can be layered on top of an existing WAN setup, but switching to an SD-WAN provider is cheaper and enables centralized, remote network management. It’s far easier to add new locations, increase bandwidth, and make changes to network configurations with SD-WAN than traditional WAN.
What is SSE?
Security service edge (SSE) is the cloud-based security component of SASE—without the SD-WAN networking capabilities—that’s made up of FWaaS, SWG, ZTNA, and CASB. In other words, when you combine SD-WAN with SSE, you get SASE architecture. You can think of it a bit like hockey equipment: if SASE is the full package that includes a jersey, shorts, socks, skates, pads and a helmet, SSE is just the protective gear—you’d need to own or buy the other clothing items separately.
In general, you can expect SSE solutions to offer similar security functions that you’d find in a SASE solution. Some vendors provide individual security components on their own so that you can completely customize the SSE functionality you need around the networking or security architecture you already have.
SASE vs SSE: Which One Should You Choose?
Rather than thinking of SASE vs SSE as an either/or decision, it’s helpful to think of these two technologies as points on the spectrum of modern network architecture adoption. Gartner (the originator of the term SASE) broke SSE out as a component of SASE because for many businesses, fully overhauling their networks and rolling out new security architecture is a mammoth task. Focusing just on SSE at first, businesses can stick with their existing network provider and implement security layers on top to create a bespoke solution on their journey towards full SASE.
Ultimately, the choice depends entirely on your organization’s existing network, maturity level, and IT roadmap.
Choose SASE if you need to modernize your entire network for cloud-based access and remote work.
Full SASE is the goal for most modern remote- or hybrid-first organizations and businesses that need to offer greater connectivity to teams in the field—like telecom, delivery, or construction companies and contractors. SASE makes it easier to manage network performance alongside security: everything is unified within a single solution, which reduces complexity and provides greater visibility. SASE takes a Zero Trust networking approach, which means you can use security functions like conditional access to control who gets into your system, no matter where they’re trying to log in from.
Choose SSE if you already have an existing SD-WAN or WAN architecture and you want to consolidate security subscriptions into a single, cloud-based solution.
SSE is a good option for businesses that use direct internet access and cloud-based apps and don’t necessarily need to upgrade to SD-WAN in the near future. It might also be the more cost-effective option for businesses that primarily employ on-site teams, like workshops or manufacturing plants and healthcare facilities. SSE gives these organizations the flexibility to allow for hybrid work when needed, without compromising on security. It can also help them keep their internet-of-things (IoT) systems secure. If you’re working with a collection of different security solutions, a single SSE solution can bring everything together so it’s easy to manage in one place.
It’s worth noting that many vendors offer solutions that can help you transition to SASE gradually, using a combination of SD-WAN and SSE products. For example, HPE offers HPE Aruba EdgeConnect SD-WAN, a secure SD-WAN solution that lays the foundation for adopting a unified single-vendor SASE solution—namely, HPE Aruba Networking SASE—down the road.
Here’s a quick comparison table that gives you a snapshot of what SASE solutions and SSE solutions provide:
| Attribute | SASE | SSE |
|---|---|---|
| Offers built-in SD-WAN networking capabilities (direct cloud access, automated traffic management, remote deployment, etc.) | ✔ | ✖️ |
| Unifies network and security management | ✔ | ✖️ |
| Offers cloud-delivered security services (including FWaaS, SWG, ZTNA, and CASB) | ✔ | ✔ |
| Secures every edge, across users, apps, and devices, no matter where they’re located | ✔ | ✔ |
| Supports a Zero Trust approach | ✔ | ✔ |
| Best for growing remote- and hybrid-first organizations | ✔ | ✖️ |
| Best for organizations making the transition to SASE | ✖️ | ✔ |
Using Microsoft SSE Solutions to Protect Your Network
Microsoft Security solutions can deliver the SSE components of your SASE architecture. Microsoft Entra Global Secure Access is the brand’s out-of-the-box SSE solution, which is made up of Microsoft Entra Internet Access and Microsoft Entra Private Access. It can be combined with Microsoft Defender for Cloud Apps to secure access to all of your apps and resources, no matter where users are located.
Microsoft Entra Internet Access protects access to the internet and your SaaS apps using an identity-based SWG. Meanwhile, Microsoft Entra Private Access provides secure, remote access to private corporate resources. Together, these solutions make it easy for team members to intuitively log in and seamlessly work across the internet, apps, and internal systems they need to do their job every day. Microsoft Defender for Cloud Apps can provide CASB capabilities so that you can identify, manage, and protect all your SaaS apps in one place, so you don’t have to assess or configure apps individually.
Global Secure Access uses Microsoft Entra ID to facilitate access. Entra ID is the foundation of the Microsoft Entra suite of identity and network access products. It provides cloud-based identity and access management services that enable organizations to establish Zero Trust access controls and deliver secure employee access. For organizations that need it, Entra ID can also be used to extend secure access to customers or partners and secure workload identities for increased automation across services.
Part of the Entra ID suite of solutions, Microsoft Entra Conditional Access is the company’s Zero Trust policy engine. It analyzes signals from various sources (like the user or group identity, IP location, and the device or app being used) to make dynamic access policy enforcement decisions. This could look like requiring MFA for users with admin roles or blocking access from specific locations.
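To make the signal-to-decision flow concrete, here is an added example (not Microsoft's implementation and not code from this article): a simplified Python model that evaluates the two policies named above against sign-in signals, where every matching policy applies and a block control overrides any grant control. The `Policy` and `SignIn` shapes, user names, and documentation-range IP addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class SignIn:                      # constructed signal set for one access attempt
    user: str
    roles: set
    source_ip: str
    mfa_done: bool = False


@dataclass
class Policy:                      # hypothetical, simplified policy shape
    name: str
    control: str                   # "mfa" or "block"
    roles: set = field(default_factory=set)        # empty = any user
    networks: list = field(default_factory=list)   # empty = any location

    def applies(self, s: SignIn) -> bool:
        role_hit = not self.roles or bool(self.roles & s.roles)
        ip = ip_address(s.source_ip)
        net_hit = not self.networks or any(ip in ip_network(n) for n in self.networks)
        return role_hit and net_hit


def evaluate(sign_in: SignIn, policies: list) -> tuple:
    """Return (decision, names of every policy that matched the sign-in)."""
    matched = [p for p in policies if p.applies(sign_in)]
    names = [p.name for p in matched]
    if any(p.control == "block" for p in matched):
        return "block", names      # block overrides any grant control
    if any(p.control == "mfa" for p in matched) and not sign_in.mfa_done:
        return "require_mfa", names
    return "allow", names


# Constructed policies: the two cases the paragraph names.
POLICIES = [
    Policy("MFA for admin roles", "mfa", roles={"Global Administrator"}),
    Policy("Block listed locations", "block", networks=["203.0.113.0/24"]),
]

if __name__ == "__main__":
    admin = {"Global Administrator"}
    for s in [SignIn("alice", admin, "198.51.100.7"),
              SignIn("alice", admin, "198.51.100.7", mfa_done=True),
              SignIn("alice", admin, "203.0.113.9", mfa_done=True),
              SignIn("bob", set(), "198.51.100.7")]:
        print(s.user, s.source_ip, evaluate(s, POLICIES))
```

The third sign-in shows why evaluation order matters to defenders: an admin who has already completed MFA is still blocked when the request comes from a listed location.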
| SASE / SSE Component | Microsoft Security Solution |
|---|---|
| Zero Trust network access (ZTNA) | Microsoft Entra / Microsoft Entra ID, Microsoft Conditional Access, Microsoft Entra Private Access |
| Cloud access security broker (CASB) | Microsoft Defender for Cloud Apps |
| Secure web gateway (SWG) | Microsoft Entra Internet Access |
| Firewall-as-a-service (FWaaS) | Not provided |
The IX Solutions team can walk you through which Microsoft SSE and access solutions are right for your business. We can work with you to determine which products address your security priorities while providing seamless remote access that feels just like being in the office.
IX Solutions also works with providers like Cisco, Palo Alto Networks, Aruba, Valtix, and Fortinet to facilitate network design and deployment for our clients. Our team can assess your environment and help build out a networking and security stack that fits your unique business needs today. If you’re ready to move toward full SASE, we can offer tailored guidance and develop a roadmap to get you there.
Get Your Network Ready for the Cloud-First Future of Remote Work
Layering security onto your existing network or migrating to an integrated SASE solution can be a challenge for lean IT teams who have to balance support tickets and routine maintenance with business-building projects. For today’s remote and hybrid companies, implementing SSE and working towards full SASE is non-negotiable and planning for change is essential. IX Solutions can help you identify gaps in your network security and performance, build a cloud security framework, and support you with deployment, monitoring, and maintenance every step of the way.
Looking for a better way to offer seamless network connectivity to your users while securing every edge? Get in touch with our team for an assessment and learn how SSE fits into your network security strategy or find the support you need to transition to full SASE.