Applications today run partly in the company's own data center, partly in cloud environments, while employees access them from anywhere. The classic security architecture with a central firewall at the main site fits this reality ever more poorly: traffic is rerouted through central nodes it no longer needs from a functional standpoint. This costs performance and creates blind spots. SASE/SSE answers this development with an architecture model that brings together network and security functions and provides them as a distributed cloud service. Inspection and filtering happen where users and applications actually are, instead of at a single central location.
What is SASE/SSE?
The term Secure Access Service Edge (SASE) was coined in 2019 by the market research firm Gartner. It describes the convergence of the wide area network and IT security: functions that used to sit as individual appliances in the data center migrate into a distributed cloud platform with access points close to users and sites. Two years later, Gartner added the term Security Service Edge (SSE) for the pure security layer of this model, that is, for the part without the network functions. Because both terms belong together, the notation SASE/SSE has become established in practice. The basic idea stays the same: security follows the user instead of pulling traffic back to the central site. Behind this stands a simple observation: if applications and users are distributed, control must also happen in a distributed way.
How it works
A SASE/SSE platform bundles several services that are controlled through shared policies:
- ZTNA: Zero Trust Network Access checks identity, device state and context and connects users specifically with individual applications instead of with entire networks.
- Secure Web Gateway: The web traffic of all users is filtered in the cloud, including protection against malware and control of risky destinations.
- CASB: A Cloud Access Security Broker makes the use of SaaS services visible and enforces rules for data access and sharing.
- FWaaS: Firewall as a Service shifts firewall rules into the platform, so that sites can do without their own security appliances.
- SD-WAN: On the network side, software-defined WAN manages the connection of the sites and selects the appropriate transmission path per application.
- Central policies: A management console defines rules once and applies them to all users and sites, regardless of location.
Technically, every user and every site connects to the nearest access point of the platform. There the policies take effect, and afterwards the traffic flows directly to the target. The decision about who may access what thereby moves from the site perimeter to the edge of the network, close to the user.
Why it matters
- Security rules apply uniformly at the site and in the home office.
- Traffic takes the direct path to the application; detours through the data center fall away.
- Operating individual security appliances at every site falls away, as do their update backlogs.
- Access follows the Zero Trust principle and replaces blanket network approvals.
- New sites and user groups can be connected quickly via the platform.
- Visibility over users and data flows emerges at a central point.
Typical scenarios
- A mid-sized company replaces remote access via VPN with ZTNA and thereby reduces the attack surface reachable from the internet.
- A business with twelve branches connects the sites via SD-WAN and filters all web traffic centrally in the cloud.
- After a cloud migration, the use of SaaS services is to be controlled, including the detection of unapproved services via CASB.
- A company with many external access needs grants service providers targeted access to individual applications, without setting up network access for them.
- An internationally active company manages security policies for all regions from one console and thereby simplifies audits.
SASE/SSE or SSE only: where is the difference?
The two abbreviations are often used synonymously but denote different scopes. The full framework covers security and network functions, so it explicitly includes SD-WAN. SSE is limited to the security services, at its core ZTNA, Secure Web Gateway, CASB and FWaaS. SSE is thus the security subset of the overall model. The distinction becomes practically relevant during introduction: many companies start with the SSE services, because these can be introduced independently of the existing network, and modernize the site interconnection in a second step. Anyone who already operates an SD-WAN combines it with an SSE platform and thereby reaches the full model.
KAEMI as your partner
KAEMI accompanies you from the analysis of the existing access paths to the ongoing operation of the platform. As a managed service provider for secure enterprise networks, KAEMI connects the security services with the interconnection of your sites, so that policies and support come from a single source. This includes the operation and adjustment of the policies as well as the ongoing monitoring of the platform. You will find the scope of services under SASE/SSE: Sicherer Zugriff . If the site interconnection is part of the project, SD-WAN complements the platform with the network side. For an initial assessment of your starting situation, get in touch with us .