Most organizations struggling with technical debt realize that much of it is due to the procurement of vendor technologies over the years that fail to interoperate.
Worse is the so-called “platform” offered by a single vendor that is not really integrated, but a collection of acquired point products with no real integration beyond a dashboard. These vendor technologies often require specialized skills to operate and maintain a fragile coexistence with accompanying technologies. Security service edge can eliminate much of this technical debt with a unified security platform in the cloud supplied by a single vendor. Even so, SSE still lives within an ecosystem of complementary technologies, and vendors must treat interoperability with this ecosystem as a primary objective. That ecosystem consists broadly of other security, network, and cloud solutions.
To ensure fast, easy, and secure deployment and integration, the SSE vendor must provide integrations with leaders in:
- Cloud service providers (CSPs), both IaaS/PaaS and SaaS
- Endpoint detection and response (EDR)
- Identity and access management (IAM)
- Security information and event management (SIEM)/security orchestration, automation, and response (SOAR)
- Orchestration tools
These integrations must allow for orchestration between the SSE vendor and adjacent vendors to reduce complexity and TCO and to improve security posture.
Cloud Service Providers (IaaS/PaaS and SaaS)
For internal applications shifting to the cloud or being built natively in the cloud, the SSE vendor must integrate with leading IaaS/PaaS providers like AWS, GCP, and Azure to provide zero trust secure remote access to those applications. Doing so ensures that these applications are never exposed to the Internet, making them invisible to unauthorized users: connections are brokered inside-out, by policy, rather than by extending the network to the applications.
This approach ensures direct-to-cloud access without connecting through a remote access VPN, with the ability to leverage the scale advantages of the cloud provider without adding any network segmentation complexity. It doesn’t rely on any virtual or physical appliances and brings the advantages of zero trust to eliminate the attack surface.
For popular SaaS applications, SSE vendors should provide one-click integrations. In the case of Microsoft 365, the SSE vendor’s integration should map all Microsoft IP ranges and domains for the listed M365 apps, enabling transparent forwarding of end-user traffic to Microsoft’s cloud. In addition, peering with Microsoft 365 reduces round trip time, improves scale, and allows for faster file downloads and DNS resolution.
SSE integration with other SaaS vendors like ServiceNow can improve data protection. By scanning new and existing ServiceNow data, the SSE vendor should identify sensitive data based on DLP policies and block outbound upload of sensitive data files. Integration with ServiceNow Security Incident Response can orchestrate response actions, including updating custom blocklists. Risky IPs, domains, and URLs can be blocked without manual intervention, while cloud misconfigurations can be closed to help reduce the risk of a breach.
Endpoint Detection and Response
The SSE vendor should integrate with various endpoint security partners to share telemetry, enhance mutual visibility, and orchestrate responses. Such integration allows for defense-in-depth to implement zero trust effectively and efficiently. This integration should provide the ability to assess the user’s identity, location, and device posture to implement appropriate conditional access policies automatically. In addition, cross-platform correlation and workflow can accelerate investigation and response. This entails:
- Assessing device health and automatically implementing appropriate access policies.
- Identifying zero-day threats, and correlating with endpoint telemetry to identify impacted devices to enact rapid responses with a cross-platform quarantine workflow.
- Investigating threats with endpoint and network context for effective detection and decision making.
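The three bullets above describe a conditional access decision that combines identity, location, and EDR-reported device posture. The following is an added example, not code from the article or from any SSE or EDR vendor: a small policy function of that shape. The application policy table, the posture fields (including the `edr_risk_score` scale), and the sample requests are all constructed for illustration.

```python
"""Conditional access from identity + location + device posture (added example).

All field names, thresholds and the per-app policy table are constructed
assumptions; a real SSE/EDR integration exposes its own attribute names.
"""
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    edr_agent_running: bool
    disk_encrypted: bool
    os_patch_age_days: int
    edr_risk_score: int  # assumed scale: 0 (clean) .. 100 (confirmed compromise)


@dataclass
class AccessRequest:
    user: str
    groups: set
    mfa_verified: bool
    country: str
    posture: DevicePosture
    app: str


@dataclass
class Verdict:
    action: str  # "allow", "allow_isolated" or "deny"
    reasons: list = field(default_factory=list)


# Constructed per-application policy: who may connect, from where, on how stale a device.
APP_POLICY = {
    "hr-portal": {"groups": {"hr", "it-admins"}, "countries": {"US", "DE"}, "max_patch_age": 30},
    "wiki": {"groups": {"employees"}, "countries": None, "max_patch_age": 90},
}


def evaluate(req: AccessRequest) -> Verdict:
    """Return an access verdict; every denial carries the reasons for the audit log."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return Verdict("deny", ["unknown application: default deny"])

    p = req.posture
    # An active EDR incident denies outright, whatever the identity checks say:
    # this is the cross-platform quarantine step from the text.
    if p.edr_risk_score >= 80:
        return Verdict("deny", ["EDR reports active compromise; cross-platform quarantine"])

    reasons = []
    # Identity: group membership and MFA are hard requirements.
    if not (req.groups & policy["groups"]):
        reasons.append("user not in an authorized group")
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    # Location: optional per-application country allowlist.
    if policy["countries"] is not None and req.country not in policy["countries"]:
        reasons.append(f"country {req.country} not permitted for {req.app}")
    # Device health as reported by the EDR integration.
    if not p.edr_agent_running:
        reasons.append("EDR agent not running")
    if not p.disk_encrypted:
        reasons.append("disk not encrypted")
    if p.os_patch_age_days > policy["max_patch_age"]:
        reasons.append(f"OS patches {p.os_patch_age_days}d old (limit {policy['max_patch_age']}d)")
    if reasons:
        return Verdict("deny", reasons)

    # Elevated but not critical risk: allow, but through an isolated session.
    if p.edr_risk_score >= 40:
        return Verdict("allow_isolated", ["elevated EDR risk score; isolate session"])
    return Verdict("allow", [])


if __name__ == "__main__":
    healthy = DevicePosture(True, True, 5, 0)
    print(evaluate(AccessRequest("alice", {"hr"}, True, "US", healthy, "hr-portal")))
```

The ordering matters: the EDR compromise signal is checked before any identity attribute, so a valid SSO session on a compromised device still gets the quarantine outcome, and the middle "allow_isolated" tier gives the SOC time to investigate without cutting the user off entirely.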
SD-WAN
The SSE vendor should integrate with SD-WAN vendors to simplify traffic routing from the branch and make it easy to establish secure local Internet breakouts.
A joint SSE/SD-WAN solution can enable secure, policy-based access to the Internet and business-critical applications, and provide identical protection for all users, wherever and whenever they connect to cloud applications and the open Internet. SD-WAN solutions can be integrated with SSE through API integration. With this combined solution, enterprise branch offices can manage the surge of cloud and Internet traffic without backhauling to the centralized DMZ in the data center, using a hybrid WAN architecture for network transformation along with robust security.
It should be noted that any SSE vendor should be network-agnostic, and not exclusively tied to any network underlay solution. In fact, many of the benefits of SD-WAN come from its “software-defined” capabilities, not necessarily from the WAN itself, which inherently extends the corporate network and allows for lateral movement of threats. SSE decision makers should evaluate carefully the reasons for continuing to extend the corporate network to the branch and consider alternative approaches (like Internet-only) that are more secure.
Identity and Access Management
SSE vendors should provide integrations with IAMs to enforce device posture-driven zero trust access and more effective enterprise-wide threat protection.
Using standards like Security Assertion Markup Language (SAML), deploying the integration should be straightforward. Users should be able to authenticate and secure Internet and internal application access. The IAM manages end-user access to applications through a combination of SSO and MFA while the SSE vendor secures the connection. Support for the System for Cross-domain Identity Management (SCIM) protocol keeps all user information in sync between the two systems, including user group or job role changes and account deletions when users leave the company.
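What SCIM sync means on the SSE side is shown in the following added example, which is not code from the article or from any IAM or SSE vendor. It applies SCIM 2.0 `PatchOp` messages (the `urn:ietf:params:scim:api:messages:2.0:PatchOp` schema, with both the `{"op":"replace","value":{"active":false}}` and the `{"op":"replace","path":"active","value":false}` forms that identity providers emit) to a toy user store, and revokes live sessions whenever an account is deactivated or its entitlements change. The store, session table and sample messages are constructed; as a simplification, group changes are accepted on the user resource, whereas SCIM proper manages them on the `Group` resource.

```python
"""Applying SCIM 2.0 PatchOp messages to an SSE-side user store (added example).

The UserStore class, its session handling and the audit format are constructed
for illustration; only the SCIM schema URN and message shapes are standard.
"""
import json

SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class UserStore:
    def __init__(self):
        self.users = {}     # user id -> {"userName", "active", "groups"}
        self.sessions = {}  # user id -> set of live session tokens
        self.audit = []     # (user id, reason, sessions revoked)

    def provision(self, user_id, user_name, groups):
        """SCIM POST /Users equivalent: create an active user."""
        self.users[user_id] = {"userName": user_name, "active": True, "groups": set(groups)}
        self.sessions.setdefault(user_id, set())

    def login(self, user_id, token):
        """Only active, provisioned users may start a session."""
        if not self.users.get(user_id, {}).get("active"):
            raise PermissionError("inactive or unknown user")
        self.sessions[user_id].add(token)

    def apply_patch(self, user_id, message):
        """SCIM PATCH /Users/{id} equivalent: apply each operation in order."""
        msg = json.loads(message)
        if SCIM_PATCH not in msg.get("schemas", []):
            raise ValueError("not a SCIM PatchOp message")
        user = self.users[user_id]
        for op in msg["Operations"]:
            kind = op["op"].lower()
            path = op.get("path")
            value = op.get("value")
            # Without a path, "value" is a dict of attributes; with a path, it is one value.
            attrs = value if (path is None and isinstance(value, dict)) else {path: value}
            for attr, val in attrs.items():
                if attr == "active":
                    user["active"] = bool(val)
                    if not val:
                        self._revoke(user_id, "deactivated by IAM")
                elif attr == "groups":
                    # Group values may arrive as plain strings or {"value": ...} objects.
                    new = {g["value"] if isinstance(g, dict) else g for g in val}
                    if kind == "add":
                        user["groups"] |= new
                    elif kind == "remove":
                        user["groups"] -= new
                    else:
                        user["groups"] = new
                    # Entitlements changed: end sessions so policy is re-evaluated at next login.
                    self._revoke(user_id, "group membership changed")
                else:
                    user[attr] = val

    def delete(self, user_id):
        """SCIM DELETE /Users/{id} equivalent: drop the user and every session."""
        self._revoke(user_id, "deleted by IAM")
        self.users.pop(user_id, None)
        self.sessions.pop(user_id, None)

    def _revoke(self, user_id, reason):
        revoked = len(self.sessions.get(user_id, ()))
        self.sessions[user_id] = set()
        self.audit.append((user_id, reason, revoked))
```

The point of the `_revoke` calls is that SCIM makes deprovisioning effective at the SSE within seconds of the HR or IAM change; without it, a departed user's existing session would persist until its token expired.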
SIEM and SOAR
SSE vendors should include integrations with SIEM and SOAR vendors in order to enable efficient and effective risk and compliance management with information enrichment and automation.
SSE vendors must have the ability to send log data in near real-time to both on-prem and cloud-based SIEM/SOAR solutions to facilitate log correlation from multiple sources, allowing organizations to analyze traffic patterns across their entire networks. Additionally, organizations must be able to use the log data in the SIEM to conduct extended historical analyses (longer than 6 months). Doing this ensures compliance with regulatory mandates through local log archival.
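The value of streaming SSE logs into the same SIEM as EDR telemetry is that a rule can join the two sources. The following is an added example, not code from the article or from any SIEM, SSE or EDR product: a correlation pass that flags a large outbound transfer through the SSE when the same device raised a high-severity EDR signal shortly before. The JSON log shapes, hostnames, domains and thresholds are constructed for illustration.

```python
"""Cross-source correlation of SSE proxy logs and EDR alerts (added example).

Both log formats are constructed stand-ins for what a SIEM would receive;
real products use their own field names.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSE web-proxy records (one JSON object per line).
SSE_LOGS = """\
{"ts":"2024-03-01T10:00:05Z","src":"sse","user":"alice","device":"LT-0142","dst":"files.example-cdn.net","action":"allow","bytes_out":120}
{"ts":"2024-03-01T10:02:10Z","src":"sse","user":"alice","device":"LT-0142","dst":"update.example-vendor.com","action":"allow","bytes_out":900}
{"ts":"2024-03-01T10:07:40Z","src":"sse","user":"alice","device":"LT-0142","dst":"paste.example-unknown.org","action":"allow","bytes_out":48000000}
{"ts":"2024-03-01T10:09:00Z","src":"sse","user":"bob","device":"LT-0201","dst":"mail.example.com","action":"allow","bytes_out":2000}
"""

# Constructed EDR alert records from the same SIEM.
EDR_LOGS = """\
{"ts":"2024-03-01T10:05:30Z","src":"edr","device":"LT-0142","severity":"high","signal":"credential-dumping-tool"}
{"ts":"2024-03-01T09:10:00Z","src":"edr","device":"LT-0201","severity":"low","signal":"usb-device-inserted"}
"""


def parse(lines):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def ts(rec):
    """Timestamps are ISO 8601 with a Z suffix; make them timezone-aware datetimes."""
    return datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))


def correlate(sse_lines, edr_lines, window=timedelta(minutes=15), egress_threshold=10_000_000):
    """Return one alert per large SSE egress that follows a high-severity EDR
    signal on the same device within `window`."""
    edr_by_device = defaultdict(list)
    for rec in parse(edr_lines):
        if rec["severity"] == "high":
            edr_by_device[rec["device"]].append(rec)

    alerts = []
    for web in parse(sse_lines):
        if web["bytes_out"] < egress_threshold:
            continue
        for sig in edr_by_device.get(web["device"], []):
            delta = ts(web) - ts(sig)
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "device": web["device"],
                    "user": web["user"],
                    "edr_signal": sig["signal"],
                    "dst": web["dst"],
                    "bytes_out": web["bytes_out"],
                    "minutes_after_signal": delta.total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SSE_LOGS, EDR_LOGS):
        print(json.dumps(alert))
```

The join key is the device identifier, which is only usable because both integrations report it consistently; this is the kind of shared telemetry the EDR section above asks SSE vendors to provide. The low-severity USB event on the second device is deliberately not promoted, so the rule stays quiet on routine noise.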
Orchestration Tools
As infrastructure as code (IaC) and DevSecOps force security teams to “shift left,” SSE vendors must provide the APIs for orchestration. Here, the focus is on internal applications where the instantiation of zero trust access is part of the application delivery lifecycle, enabled by orchestration tools (such as Ansible or Terraform), particularly for user-to-application or workload-to-workload segmentation settings. Such orchestration allows zero trust capabilities to align with the agile methods used by software developers.
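Once application segments are declared in code, the same pipeline can lint them before Terraform or Ansible pushes them to the SSE API. The following is an added example of such a shift-left gate, not code from the article or from any SSE vendor's provider or module. The segment schema (`domains`, `cidrs`, `tcp_ports`, `access_groups`, `owner`) and the two sample definitions are constructed; a real vendor's resource fields will differ.

```python
"""Pre-deployment lint of zero trust application segments (added example).

The segment fields and the thresholds are constructed assumptions used to
illustrate a CI gate; adapt them to the vendor's real resource schema.
"""
import ipaddress
import json

# Constructed segment definitions as a pipeline might render them from Terraform/Ansible variables.
SEGMENTS = json.loads("""
[
  {"name": "payroll-api", "domains": ["payroll.internal.example"], "cidrs": ["10.20.30.0/28"],
   "tcp_ports": ["8443"], "access_groups": ["finance"], "owner": "fin-platform@example.com"},
  {"name": "legacy-share", "domains": ["*.internal.example"], "cidrs": ["10.0.0.0/8"],
   "tcp_ports": ["1-65535"], "access_groups": ["any"], "owner": ""}
]
""")


def lint_segment(seg):
    """Return a list of findings; an empty list means the segment is acceptable."""
    findings = []
    if not seg.get("owner"):
        findings.append("missing owner")
    for d in seg.get("domains", []):
        if d.startswith("*"):
            findings.append(f"wildcard domain {d} widens the segment beyond one application")
    for c in seg.get("cidrs", []):
        # Broad prefixes turn an application segment back into a network segment.
        if ipaddress.ip_network(c, strict=False).prefixlen < 24:
            findings.append(f"prefix {c} is broader than a /24")
    for p in seg.get("tcp_ports", []):
        lo, _, hi = p.partition("-")
        if hi and int(hi) - int(lo) > 100:
            findings.append(f"port range {p} is broader than an application needs")
    groups = seg.get("access_groups", [])
    if not groups or "any" in groups:
        findings.append("access not scoped to a named group")
    return findings


def lint(segments):
    """Map each segment name to its findings."""
    return {s["name"]: lint_segment(s) for s in segments}


def ci_gate(segments):
    """True when no segment has findings; a CI job fails the build otherwise."""
    return all(not f for f in lint(segments).values())


if __name__ == "__main__":
    for name, findings in lint(SEGMENTS).items():
        print(name, "OK" if not findings else findings)
    raise SystemExit(0 if ci_gate(SEGMENTS) else 1)
```

Each finding corresponds to a way a segment definition quietly drifts from per-application, least-privilege access back toward the flat network the text warns about; catching it at commit time is cheaper than discovering it in a SIEM later.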
SSE vendors offering rich, API-based third-party integrations provide operational efficiencies stemming from the ability to orchestrate best-of-breed solutions and reduce chances of vendor lock-in:
- SSE vendors that integrate with leading ecosystem players (like CSPs, SD-WAN, IAM, SOAR/SIEM, EDR, etc.) future-proof their technology and reduce technical debt.
- An orchestrated ecosystem of integrated vendors reduces operational complexity, overhead, and can decrease operator errors.
- SSE vendors that cobble together a solution portfolio through acquisition tend to fall behind in product innovation and often lack interoperability with third parties.
Part 1: SSE solution series: why a global, scalable cloud platform matters
Part 2: SSE solution series: the criticality of a zero trust architecture foundation
Part 3: SSE solution series: choose SSL/TLS inspection of traffic at production scale
Part 4: SSE solution series: virtues of broad blanket protection
Part 5: SSE solution series: the user experience imperative
Editor's note: This content is adapted from The 7 Pitfalls to Avoid when Selecting an SSE Solution