Defense in Depth for Cloud services Access and how SASE, SSE and Cloud Services intertwine.

(Security) At the Edge of the Cloud

One of the biggest challenges in Security is architecting Defense in Depth properly. Add Cloud to the mix and you have a recipe for failure if you don’t use the right tools.

This is where frameworks come to help. And any discussion and resources that help us improve Security strategies to Cloud services, are gold IMO!

This is what SASE (and SSE, to a degree as we’ll see) help us achieve.

./challenge

The challenge here is securing access to Cloud, but what Cloud? All models, but I want to focus on the one you cannot control, SaaS.

There are a number of technologies that can be placed between users and these services.

./definitions

Just to cover our bases, let’s remember what’s SASE and SSE.

First off let me start by defining each of them, and then we can dive into where they intertwine.

Secure Access Services Edge

This is a framework and term defined by Gartner, so essentially a buzzword 😅, it represents technologies that secure users, systems and endpoints located anywhere, to cloud, instead of to Data Centers.

SASE gained industry notoriety back in 2019 when vendors started realizing what to do with their SD-WAN solutions: It’s your road to SASE, they all claimed.

According to a SASE provider:

The secure access service edge (SASE), pronounced like “sassy”) is a framework identified by Gartner as a means to securely connect entities such as users, systems, and endpoint devices to applications and services that may be located anywhere. Crucially, SASE is not one technology. In its 2019 report “The Future of Network Security is in the Cloud,” Gartner defined the SASE framework as a cloud-based cybersecurity solution that offers “comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises.”

Looking back at our diagram to SaaS, with SASE it looks someothing like this, bear in mind that there can be even more layers and services securing this access.

Security Services Edge

Yet another term coined by Gartner. It was first mentioned in a Gartner document mapping out a roadmap to SASE, so you can tell that SSE is a by-product or is somewhat connected to SASE framework.

In their own words:

Security service edge (SSE) secures access to the web, cloud services, and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components.

Palo Alto also explained this, in a slight different manner:

According to Gartner, SSE is a collection of integrated, cloud-centric security capabilities that facilitates safe access to websites, software-as-a-service (SaaS) applications and private applications. Specifically, SSE-related security capabilities include Zero Trust Network Access (ZTNA), cloud secure web gateway (SWG), cloud access security broker (CASB), and firewall-as-a-service (FWaaS) technologies.

SSE being then, a subset of SASE, without the Access component, it would look something like this in our diagram:

SASE vs SSE

There are a few differences betwheen them, essentially SSE focueses on the services part of Security to Cloud. Now, I do understand vendors can be biased in their own definitions, but this is Zscaler’s definition of SSE:

SSE can be considered a subset of the secure access service edge (SASE) framework with its architecture squarely focused on security services. The secure service edge comprises three core services:

Secure access to the internet and web by way of a secure web gateway (SWG)

Secure access to SaaS and cloud apps via a cloud access security broker (CASB)

Secure remote access to private apps through zero trust network access (ZTNA)

./cloudServices?

What Cloud services can be protected by these frameworks? Well, they are fit for any Cloud model: IaaS, Paas or SaaS services.

Whilst controls such as CASB, and SWG are especially concerned with SaaS or Internet traffic inspection. And this is really relevant to user access to cloud.

SD-WAN services also benefit user experience to cloud services, and not the infrastructure itself, although, of course the infra can benefit from WAN optimization and SaaS accelerated content.

Notice how some contols mentioned by SASE such as ZTNA, for example, are extremely relevant to any cloud model, including IaaS and PaaS, on top of SaaS, of course. However, SASE leaves out some noticeable IaaS and PaaS — these platforms require other set of controls, as I’ve discussed before. Additional controls to IaaS and PaaS are CSPM, Information Management, Archiving, CWPP and possibly others too.

Microsoft, a heavy hitter when it comes to Cloud Security, has several controls for Information security, Compliance, Data classification, Labeling and more for SaaS — plus for IaaS and PaaS security their Workload protection and CSPM (Defender for Cloud) means they offer a wide and deep set of controls for these challenges.

./conclusions

SASE is an all-around framework for securing access to cloud services from ever since the access layer. SSE focuses on the services components of this security mechanims.

Both are frameworks that can guide enterprises adhere to an effective Defense in Depth strategy and to Cloud, especially to SaaS applications, IMO anyway.

They are not all that is required to secure your cloud workloads though, but part of a larger discussion to securing your environment. Let me know your thoughts/comments on the subject.

Follow me on twitter: Camillo (@iamcamillo) / Twitter

Learn more about my Cloud and Security Projects:

Web: www.cloudnsec.com

Listen: bit.ly/cloudnsecspotify
Watch: bit.ly/cloudnsecyoutube

Thank you for reading and leave your thoughts/comments!

./references

Scattered throughout the document.

--

--

--

Cloud and Security technologies, Career, sometimes Music and Gaming easter eggs. Technical Specialist @Microsoft. Opinions are my own.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Security, Silos, and Sovereignty

Important Announcement!

The Looming Disaster Of Immunity Passports And Digital Identity

Pentesting a Crypto Exchange for fun and profit

{UPDATE} kropk'i Sudoku Hack Free Resources Generator

Mailfence with Thunderbird on Windows 10

Trade More, For More

Developers: Don’t Make These Top 10 Security Mistakes in Your Applications

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Andre Camillo

Andre Camillo

Cloud and Security technologies, Career, sometimes Music and Gaming easter eggs. Technical Specialist @Microsoft. Opinions are my own.

More from Medium

It’s the right time for you to Threat Model — here’s why and how

The untold story behind User Behavior Analytics

IBM QRadar User Behavior Analytics User Interface

How to do a free security review of AWS Cloud : PROWLER

FalconFriday — Detecting realistic AWS cloud-attacks using Azure Sentinel — 0xFF1C