SSE
Buyer’s
Guide
Choosing the Right Security Service Edge Soluon
March 2024
Table of Contents
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
Introducon
Understanding Security Service Edge (SSE)
Key Consideraons for an SSE Soluon
SSE Feature Evaluaon Criteria
Secure Web and Cloud Usage Requirements
Zero Trust Network Access Requirements
Plaorm Requirements
Conclusion
Appendix I – SSE Feature Evaluaon Checklist
03
03
04
06
05
09
11
14
15
2
As organizaons navigate today’s evolving digital landscape, securing their
networks and data has become an increasingly complex undertaking. Tradional
security approaches are proving themselves outdated in a new era of expanding
cloud services, IoT devices, flexible work, and sophiscated threats. To adapt
enterprise security to this new reality and address these challenges more
robustly, a new approach called Security Service Edge (SSE) has emerged that is a
logical outgrowth of recent advances in cloud and networking technologies. This
buyer's guide aims to help you choose the right SSE soluon for your
organizaon's security needs. A well-chosen SSE soluon, grounded in Zero Trust
principles, can serve as the cornerstone of your organizaon's security
architecture.
Introducon
SSE is a cloud-based soluon that delivers an integrated set of security
capabilies at the network edge, shiing security closer to users and devices
while eliminang poorly integrated products, slow user experiences, and the
management complexity of the past. SSE provides secure access to web,
cloud, and private applicaons, threat protecon against web and network
aacks, and data leak prevenon. It combines mulple point soluons into a
single converged security service delivering Secure Web Gateway (SWG),
Next-Gen Firewall (NGFW), Cloud Access Security Broker (CASB), Data Loss
Prevenon (DLP), and Zero Trust Network Access (ZTNA).
For more background, see the white paper
Understanding Security Service Edge (SSE)
3
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
SSE: A New Strategy to Secure Every Edge
4
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
Key Consideraons
for an SSE Soluon
To help you evaluate different SSE soluons, we begin
immediately below with a discussion of several “first
principles” as general guidance on what you should be
looking for, followed by discussion of specific
requirements in the ensuing SSE Feature Evaluaon
Criteria secon. We have organized these
requirements into three categories – web and cloud
security requirements, zero trust access requirements,
and plaorm requirements. You will also find a
one-page “at-a-glance” checklist of these
requirements at the end in Appendix I.
SSE should improve your security posture
Cyber threats today are faster and more sophiscated than ever. An SSE soluon
plays a crical role in enhancing your organizaon's security posture by providing
a comprehensive and adapve security framework that protects against a wide
range of cyber threats. By integrang various security funcons such as data
protecon, threat prevenon, and secure access within a unified cloud-based
plaorm, an SSE soluon ensures that security policies are consistently enforced
across all users, devices, and locaons. This is parcularly crucial in an era of
increased remote work and cloud adopon, where tradional perimeter-based
security models are no longer adequate. An SSE soluon also facilitates the
implementaon of a Zero Trust security model, which assumes that threats can
exist both inside and outside tradional network boundaries, thereby requiring
connuous verificaon of all access requests regardless of their origin. This
approach significantly reduces the aack surface and minimizes the risk of data
breaches, making it an essenal requirement for organizaons aiming to
strengthen their security posture in a dynamic threat environment.
The following are general expectaons you should have for any SSE soluon:
5
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
SSE should give you x-ray vision
If you don’t have visibility, you don’t have security. Visibility into network and
user acvies through detailed reporng and analycs is vital for informed
decision-making and compliance management, and the premise of an integrated
soluon should both simplify AND enrich your ability to understand what is
happening throughout your network.
SSE should be comprehensive
In evaluang an SSE soluon, an essenal consideraon is the
comprehensiveness of its security framework. It should include robust data
protecon measures like encrypon and malware detecon, advanced threat
prevenon tools such as sandboxing and intrusion prevenon systems, and
granular access control policies anchored in Zero Trust principles. The soluon
should offer seamless secure access to a wide range of cloud services and
applicaons, while ensuring an efficient and consistent user access experience
regardless of the user's locaon at any given me. Security measures should not
compromise the user experience, maintaining high performance and low latency
connecvity for remote users and branch offices.
SSE should work with what you have
Integraon capabilies and scalability stand out as crical consideraons. The
chosen SSE soluon should easily integrate with exisng security infrastructure,
support identy provider systems for authencaon, and be capable of scaling to
accommodate future growth in user numbers, devices, and data traffic. The
soluon should align with the organizaon's compliance requirements and data
sovereignty concerns, especially for operaons across mulple jurisdicons.
SSE should deliver on TCO
Evaluang the soluon's total cost of ownership, alongside the vendor's
reputaon, support offerings, and the richness of their ecosystem, is
fundamental. Opng for a vendor known for innovaon, reliability, and
comprehensive support can significantly enhance the value of the SSE
investment. Organizaons should engage in thorough market research, including
proof-of-concept tests and consultaons with industry peers, to ensure the
chosen SSE soluon aligns with their security needs, operaonal demands, and
business objecves, seng a solid foundaon for secure and efficient
cloud-based operaons.
6
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
SSE Feature
Evaluaon Criteria
An-malware and an-virus defenses
The soluon should scan all incoming web and cloud applicaon traffic for
malware, ransomware, and other advanced threats. By analyzing files and
executable downloads in real me, the soluon can idenfy and block threats
before they reach the user's device.
Advanced threat protecon
Effecve threat detecon and response are crucial to protect against advanced
cyber threats and maintain the integrity and availability of services. Key
requirements for advanced threat detecon within an SSE framework include the
deployment of mulple defensive layers ulizing a combinaon of signature-based,
heurisc, and behavior-based detecon methods to idenfy known and unknown
threats, coupled with AI/ML-enhanced sandboxing to detonate and analyze
suspicious files and URLs in a secure and isolated environment to idenfy paerns,
anomalies, and emerging threats based on large data sets and predicve analysis.
Securing cloud and web usage is a crical component of an
SSE soluon, focusing on protecng users, data, resources,
and IoT devices across the infrastructure. An SSE offering
should integrate various security funcons to provide
comprehensive security for cloud-based services and
internet access. This includes SWG, NGFW, CASB, and
DLP capabilies.
Secure Web and Cloud Usage Requirements
7
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
Automated threat response
Once threats are detected, automated threat response should be enacted such
as isolang infected devices, blocking malicious traffic, and/or revoking user
access in real me to prevent the spread of a potenal incident or threat.
SSL/TLS decrypon and inspecon
With the majority of web traffic being encrypted, SSE soluons must decrypt
SSL/TLS traffic to inspect the content for malicious acvity, potenal data
exfiltraon, and policy violaons. This ensures that encrypted traffic does not
serve as a blind spot for security controls. The soluon needs to deliver these
decrypon and inspecon services while liming or eliminang user experience
issues like connecvity performance — note that this decrypon and inspecon
can be a processing boleneck for many cloud-based SSE soluons due to the
stac nature of their environments, having an elasc environment allows the
soluon to adapt to the customer’s needs without noceable issues.
IoT security
Internet of Things (IoT) devices are becoming increasingly pervasive in enterprise,
medical, and industrial networks. Securing their communicaons is crical due to
their sensive data and the potenal point of entry into the overall network
they are connected to. Key capabilies to look for from an SSE soluon include:
device fingerprinng and idenficaon for OT, IoT, IIoT, and IoMT devices; the
ability to apply Zero Trust policies and appropriate segmentaon; AI/ML-based
threat detecon for these devices based on anomalous behavior; and the ability
to dynamically adjust these devices network access based on threat detecon.
Web usage policy control
The soluon should enforce organizaonal policies on internet use, ensuring
security, corporate compliance, and efficient use of resources. This includes
policy definion and management, user and group-based policies, category and
reputaon-based filtering of URLs and IP addresses (e.g., adult content, social
media, entertainment, gambling), and keyword and content filtering.
8
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
Cloud app discovery (Shadow IT)
This capability provides comprehensive visibility into all cloud services being used
within an organizaon, including sanconed, tolerated, and unsanconed
applicaons. This visibility is crucial for understanding the organizaon’s cloud
footprint and for idenfying potenal security and compliance risks.
Cloud app idenficaon and risk scoring
Once cloud applicaons are idenfied, the SSE soluon should assess each app for
potenal security, compliance, and governance risks. This involves evaluang the
security features and pracces of the cloud service providers, such as data
encrypon standards, authencaon mechanisms, and compliance with relevant
regulaons (e.g., GDPR, HIPAA). The soluon should be able to idenfy all major
cloud applicaons on the internet.
Cloud app usage management
The soluon should allow organizaons to enforce granular access control policies
for cloud applicaons. These policies can restrict access to cloud applicaons and
specific controls and funcons within cloud applicaons based on user roles,
locaons, device types, and me of access, ensuring that only authorized users
can access sensive applicaons under specified condions.
Data protecon
Data Loss Prevenon policies are central to a cloud data protecon strategy.
These policies prevent unauthorized sharing, transfer, or storage of sensive data
based on predefined rules and detecon techniques. The soluon should enforce
DLP policies across cloud applicaons, taking acons that violate these policies
such as informaon redacon or by prevenng the upload of sensive documents.
9
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
Identy-based access control
Robust Identy and Access Management (IAM) are used to verify and authencate
users before granng access to resources. This requires integrang with exisng
identy providers (IdPs) and supporng mul-factor authencaon (MFA) to
ensure that access is securely controlled and based on verified user idenes.
Device assessment and enrollment
Devices aempng to access the network need to be assessed for compliance
with the organizaon's security policies. This process involves checking the
security posture of the device, using mulple contextual controls like the
operang system version, the presence of required security soware (anvirus,
an-malware), and the absence of known vulnerabilies or compromised states.
Devices meeng these and addional criteria are only then allowed to connect.
Least privilege access
Least privilege access is applied to ensure that each user or device is only able to
access the specific applicaons, resources, or data they need to fulfill their job
responsibilies. This minimizes the potenal for lateral movement within the
environment by creang micro-segmentaon for SSE users/devices and network
resources.
ZTNA is a crical component of SSE soluons, embracing
the principle of "never trust, always verify" to provide
secure access by users and devices to private applicaons
and resources.
Zero Trust Network Access Requirements
The key requirements for ZTNA as part of an SSE soluon include:
10
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
Connuous posture assessment
Client posture monitoring provides real-me assessments of risk and compliance
by performing regular host checks to ensure that the device, while connected
without forcing any disconnects, sll complies with the assessment performed
during inial enrollment.
Dynamic policy enforcement
ZTNA soluons must enforce access policies based on the user privilege and
context of each access request based upon the criteria set during the inial
enrollment of the user/device. If a device falls out of compliance for any reason,
the system should automacally restrict access to sensive resources or
disconnect/quaranne the device from the network altogether unl the issues
are resolved.
Encrypon
All communicaons between users/devices, enterprise-owned resources either
on-premises or in a hybrid environment, and the SSE plaorm should be
encrypted, ensuring data privacy and the applicaon of consistent security
policies and access controls across a company’s enre digital estate. This applies
to data in transit and oen extends to data at rest, providing comprehensive
protecon against intercepon and eavesdropping.
11
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
Cloud-nave architecture
The soluon should be built as a cloud-nave plaorm to ensure scalability,
flexibility, and the ability to seamlessly integrate with cloud services and adapt
to evolving security needs. This architecture supports rapid deployment, easy
management, and automac updates.
Hybrid environment support
Look for an SSE soluon that supports dynamic segmentaon across hybrid
environments, including mul-cloud and on-premises setups.
Integraon with your exisng ecosystem
The soluon should integrate seamlessly with an organizaon's exisng tools
such as an endpoint protecon suite, identy provider, network monitoring
soluon, security analycs plaorm, automaon plaorm, and mobile device
management suite.
Global cloud backbone
An SSE soluon should have a globally distributed network of points of presence
(PoPs) interconnected with each other so that traffic engineered data can be
passed from PoP to PoP to ensure low-latency access for users anywhere in the
world. The soluon must also know to select and use the security policy
enforcement point that is closest to the user/device, considering not just
geographic locaon, but also interconnecon latency values for the specific
applicaon access being made. This is crical for maintaining high performance
and a posive user experience, especially for remote and mobile workers.
Characteriscs of the soluon from a
plaorm design and operaons perspecve
that bear special aenon include:
Plaorm Requirements
Scalability and reliability
The plaorm must be elasc to support peak demand bursts and the overall
growth of an organizaon’s users, devices, and data, demonstrang the ability to
acvate addional global PoPs and processing resources as needed and on
demand. It should offer high availability and reliability to ensure connuous access
to applicaons and services.
Advanced AI and ML capabilies
Arficial intelligence (AI) and machine learning (ML) can contribute advanced
capabilies for threat detecon, response, and predicve analycs. Using AI/ML
to enhance the analysis of network traffic and user behavior can uncover
Indicators of Compromise (IoC) and establish security baselines. The soluon
should perform predicve analysis for potenal threats before they materialize,
allowing automated prevenve measures to be taken through dynamic controls
based on the risk profile of a user or device.
Visibility, analycs, and real-me reporng
The soluon should provide deep visibility into threats and vulnerabilies and
collect a wide range of data types from various sources, including network traffic,
user acvies, applicaon usage, security events, and threat events, and process
data in real me as a foundaon for comprehensive analycs and reporng.
Employing AI/ML to enhance analycs can help in idenfying paerns,
anomalies, and trends in the data. An effecve real-me reporng system must
include an alerng mechanism that nofies relevant personnel of crical events
or indicators of compromise (IoCs).
Unified management and operaons
A unified approach to SSE should mean a single management console. This
simplificaon reduces the complexity of managing disparate security tools,
enabling more efficient policy configuraon, enforcement and updang across the
enre security infrastructure. Note that some vendors have acquired and “bolted
together” disparate security tools to try to create this unified approach – make
sure to evaluate the ease of administraon, policy management, analycs, and
troubleshoong across all SSE funconal capabilies.
12
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
Cost efficiency
Consolidang security services into a unified plaorm will result in significant
cost savings. Organizaons can reduce the overhead associated with licensing,
integrang, and managing mulple standalone security products. Addionally,
operaonal efficiencies gained through centralized management can further
reduce total cost of ownership.
User experience
A unified SSE plaorm should deliver a seamless and consistent user experience,
regardless of where users are located or what resources they are accessing.
Security measures should not impede performance or usability, which is
parcularly important for supporng flexible workforces – who may be working
from home, an office, and on the road in a given week or even day – using
cloud-based applicaons.
Compliance
The SSE soluon should meet major compliance standards (SOC type 2, ISO
27001, GDPR, HIPPA, PCI, etc.), taking into account that your data is being
transported by and residing in hosted infrastructure. By centralizing the oversight
of data protecon and access controls, organizaons can easily generate reports
to streamline and validate compliance during yearly audits.
13
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
14
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
Conclusion
Selecng the most suitable SSE soluon is a pivotal step for organizaons
aiming to bolster their cybersecurity in an era marked by complex digital
threats and distributed work environments. It will enable you to maintain
the strongest possible security posture across all cloud services, web
access, and private applicaons, irrespecve of where your users are
located or what devices they are using, and without compromising their
producvity.
A comprehensive SSE soluon should not only address immediate security
challenges, but also be capable of adapng to the evolving landscape and
scaling with the organizaon's growth. It must deliver robust threat
protecon, vigilant data protecon, granular access control, and
connuous monitoring while ensuring a seamless user experience.
As you embark on the journey to secure your digital perimeters, consider
not just the technical capabilies, but also the vendor's reputaon, the
soluon's integraon ease, and the overall value it brings to your
organizaon. A trusted vendor with a proven track record, robust support
structure, and a clear vision for the future of cybersecurity will be a
valuable partner in safeguarding your enterprise's assets. Remember, the
right SSE soluon is more than just a tool — it is an investment in the
resilience and sustainability of your business operaons in an
interconnected digital world.
Appendix I
SSE Feature Evaluaon Checklist
15
SSE Buyer’s Guide
Choosing the Right Zero Trust Soluon
Plaorm Requirements
Cloud-nave architecture
Hybrid environment support
Integraon with your exisng ecosystem
Global cloud backbone
Scalability and reliability
Visibility, analycs and real-me reporng
Unified management and operaons
Advanced AI and ML capabilies
Cost efficiency
Seamless user experience
Simplified compliance management
Zero Trust Network Access Requirements
Identy-based access control
Device assessment and enrollment
Least privilege access and microsegmentaon
Connuous posture monitoring
Dynamic policy enforcement
Encrypon
Secure Cloud and Web Usage Requirements
An-malware and an-virus defenses
Advanced Threat Protecon
Automated threat response
SSL/TLS descripon and inspecon
IoT security
Web usage policy control
Cloud app discovery (Shadow IT)
Cloud app idenficaon and risk scoring
Cloud app usage management
Data protecon
Versa Networks, the leader in single-vendor Unified SASE plaorms, delivers
AI/ML-powered SASE, SSE and SD-WAN soluons. The plaorm provides
networking and security with true multenancy, and sophiscated analycs via
the cloud, on-premises, or as a blended combinaon of both to meet SASE
requirements for small to extremely large enterprises and service providers.
Thousands of customer’s globally with hundreds of thousands of sites and
millions of users trust Versa with their mission crical networks and security.
Versa Networks is privately held and funded by Sequoia Capital, Mayfield, Ars
Ventures, Verizon Ventures, Comcast Ventures, BlackRock Inc., Liberty Global
Ventures, Princeville Capital, RPS Ventures and Triangle Peak Partners.
About Versa Networks
SSE Buyer’s Guide
Choosing the Right Security Service Edge Soluon
For more informaon, visit www.versa-networks.com
Follow us on @versanetworks
Securely connect any user, device or locaon to any workload or app
Versa Unified SASE Plaorm
SD-WAN
NGFW
NaaS
CASB
SWG
FWaaS
ZTNA
N
e
t
w
o
r
k
i
n
g
S
e
c
u
r
i
t
y
Versa
Unified
SASE
Versa
Unified
SASE
Any Locaon
Any User
Any Device
Any IoT
SaaS
Applicaons
Internet
Private
Applicaons
