SSE
What is SSE?
SSESSE is the security half of SASE — a cloud-delivered bundle of SWG, CASB, ZTNA, and often DLP and FWaaS that protects user traffic to internet, SaaS, and private apps.
Security Service Edge (SSE) is a Gartner-defined subset of SASE that focuses exclusively on the security services, leaving SD-WAN out of scope. A typical SSE platform inspects encrypted user traffic in cloud points of presence and applies a unified policy across three control planes: secure web gateway for internet, cloud access security broker for sanctioned and shadow SaaS, and zero trust network access for private applications. DLP, RBI, and FWaaS are commonly included. Organizations adopt SSE when they want to consolidate VPN, proxy, and CASB tools and apply identity-aware controls to a remote and hybrid workforce without re-architecting their WAN.
● Examples
- 01
Replacing a legacy VPN and on-prem proxy with one SSE vendor covering SWG, CASB, and ZTNA.
- 02
Enforcing DLP rules on user uploads to unsanctioned SaaS through an SSE platform.
● Frequently asked questions
What is SSE?
SSE is the security half of SASE — a cloud-delivered bundle of SWG, CASB, ZTNA, and often DLP and FWaaS that protects user traffic to internet, SaaS, and private apps. It belongs to the Network Security category of cybersecurity.
What does SSE mean?
SSE is the security half of SASE — a cloud-delivered bundle of SWG, CASB, ZTNA, and often DLP and FWaaS that protects user traffic to internet, SaaS, and private apps.
How does SSE work?
Security Service Edge (SSE) is a Gartner-defined subset of SASE that focuses exclusively on the security services, leaving SD-WAN out of scope. A typical SSE platform inspects encrypted user traffic in cloud points of presence and applies a unified policy across three control planes: secure web gateway for internet, cloud access security broker for sanctioned and shadow SaaS, and zero trust network access for private applications. DLP, RBI, and FWaaS are commonly included. Organizations adopt SSE when they want to consolidate VPN, proxy, and CASB tools and apply identity-aware controls to a remote and hybrid workforce without re-architecting their WAN.
How do you defend against SSE?
Defences for SSE typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for SSE?
Common alternative names include: Security Service Edge.
● Related terms
- network-security№ 969
SASE
SASE is a cloud-delivered architecture, coined by Gartner in 2019, that converges SD-WAN with security services like SWG, CASB, ZTNA, and FWaaS at the network edge.
- network-security№ 1272
ZTNA
ZTNA is a model that grants users access to specific private applications only after continuous identity, device, and context checks — never network-level access by default.
- network-security№ 1119
SWG
A Secure Web Gateway (SWG) is a proxy — on-prem or cloud — that inspects user web traffic, enforces acceptable-use policy, and blocks malware, phishing, and data exfiltration.
- cloud-security№ 148
CASB (Cloud Access Security Broker)
A policy enforcement point that sits between users and cloud/SaaS applications to enforce visibility, data protection, and threat controls.
- privacy№ 278
Data Loss Prevention (DLP)
A set of technologies and policies that detect and block unauthorized exfiltration of sensitive data across endpoints, networks, email, and cloud services.