What is the difference between SASE and SSE?


What are the differences between SASE and SSE? A fair SASE vs SSE comparison starts with the use cases you’re seeking to solve. This will give you a great overview of how Secure Access Service Edge (SASE) and Security Service Edge (SSE) can be utilized in your organization.

In 2010, the world was a different place. Most applications lived in a data center, and the concept of Cloud and SaaS was new and thus a curiosity. But today, revenue-generating applications are built on Cloud giants such as AWS and Azure, and SaaS has taken off like a rocket ship. The drastic change created new challenges, in both networking and security, for solution providers as well as their customers.

Rather than designing a networking system to route to a “default data center,” networking engineers had to figure out how to “route to all points of the globe” and the internal data center. 

The original intent of networking was to connect all the devices (PCs, printers, and laptops) back to a central data center. This is where all the applications lived. Cloud and SaaS flipped the script. Now applications lived outside the traditional data center, residing at virtually all points across the globe. The result? Traditional networking became very complex.

Software-defined networking (SDN) and software-defined wide area networking (SDWAN) both provided a software-based approach to address the challenges of the Cloud and SaaS, but security was a concern. SDN and SDWAN were optimized to deliver network traffic to a destination over the best path available at scale; security was secondary, which resulted in less-than-optimal results. SASE and SSE solved this issue.

The difference between SASE and SSE

The difference between SASE and SSE comes down to the diversity of access points. SASE is best for companies that have centralized hubs, whereas SSE is best for distributed networks and the remote office.

The Secure Access Service Edge, or SASE, acronym was coined in 2019 by the analyst firm Gartner. The model would create a security “fabric” to address both the network and security concerns Cloud and SaaS created. SASE overcomes the challenge of having to choose between security and networking by distributing both networking and security processing at the edge.

What is SASE?

Instead of forcing traffic back to a regional hub, traffic can be scrubbed for security at what are called Points of Presence (PoPs) and then accelerated by SDWAN to its ultimate destination. The brains of the operation, known as the “control plane,” is centralized via a controller to allow the system to operate at scale and minimize operational overhead. Then 2020 changed everything.

What is SSE?

The world’s response to COVID-19 negatively impacted the traditional office, which in turn negatively impacted the SASE model. The gravity of the network moved outside the campus and the office, and the focus became the remote worker. Enter the Security Service Edge, or SSE. Similarly designed to address the security challenges faced by Cloud and SaaS, SSE focused on four main pillars:

  1. Zero Trust Network Access (ZTNA) or private application access
  2. Secure Web Gateway (SWG) for Internet access
  3. Cloud Access Security Broker (CASB) for managing access to cloud and SaaS services
  4. Data Leakage Protection (DLP) to secure access to critical data


SASE vs SSE: While SASE is great for a distributed network with well-defined access points or PoPs, SSE is ideal for a hybrid workforce where the office is essentially everywhere. It seems like a solution without a problem, correct? After all, aren’t VPNs designed to protect the network?

SSE vs SASE: what’s best for my network?

Deciding what is best for your network is important to get right. The SASE vs SSE issue comes down to a single question: what problem are you looking to solve? This is the best place to start with our SSE and SASE comparison.

Choose SASE if you have branches or offices

If connectivity to a traditional branch or campus office is the greatest concern, SASE might be the best option. Because SASE includes SDWAN, this solution will address traffic optimization challenges associated with accessing applications in the Cloud, on SaaS, and finally in the traditional data center. Security is included through services like Firewall as a Service (FWaaS).

Choose SSE for hybrid

If securing the hybrid workforce and “everywhere office” is your need, SSE is likely the best option. SSE addresses remote access, but also up-levels security through zero trust networking. This is a critical difference from SASE. Zero trust is about delivering an application to an employee, and only the applications the employee requires to perform their job. It “cloaks” the rest of the corporate network so the employee cannot gain access to systems they do not require.

SSE also layers on services like SWG, CASB and DLP. Some offerings include additional services like Digital Experience Monitoring (DEM), which provides insight into how an employee is experiencing the application, with data such as how fast their service is, what may be inhibiting speed, network status, and even the remote worker’s Wi-Fi status. Similar to the SASE crowd, if you start with SSE, make sure to consider integrations with SDWAN services.

What is Unified SASE?

It’s also important to briefly touch on Unified SASE. The objective of Unified SASE is to provide a fully integrated solution, including a single unified management plane, a single policy for both network and security services, a single data lake for analysis and, most importantly, a single-pass security service. Presently, this approach is a bit of a unicorn, and it sounds exciting, but it has some kinks to work out.

Many traditional vendors are touting Unified SASE, but when you pull back the covers, it’s a horse with a horn glued on the head. This option is a simple combination of traditional vertical technologies like SDWAN, CASB, SWG, and DLP. In some cases, the vendor has acquired brownfield solutions and glued them with their existing portfolios. 

If your strategic plans are to move to a unified SASE solution, due diligence is a must. 

SSE and SASE Vendors

Many of the traditional players in the networking and security space are making the move to both SASE and SSE. For SASE vendors, Palo Alto Networks, Versa, and Cisco are all quickly converging on SASE. For SSE, the primary players are Zscaler, Netskope, and Axis Security, 3 Tree Tech’s preferred partner.

All have strong ZTNA solutions matched with SWG and CASB capabilities. Many of the SSE vendors also partner with strong SDWAN vendors like Aruba Networks and VMware VeloCloud to bring together a best-of-breed SASE (SDWAN+SSE).  If you are currently an Aruba customer, it’s worth your time to investigate integrations between SDWAN and SSE.

In the end, it’s not really a debate of SASE vs SSE; it’s more about understanding your network’s unique needs.


John Spiegel. Director of Strategy, Axis Security.

Spiegel is an industry pioneer in software-defined networking (SDN) and software-defined WANs (SD-WAN). He’s a frequent speaker at conferences produced by Gartner, InterOp, VMWorld, Palo Alto Networks Ignite, and others. He has advised VMware, Palo Alto Networks, Cisco Systems, and disruptive startups to bring products to market, resulting in successful exits.
