Full Report
KuppingerCole has the go-to guide on what to look for, how to evaluate platforms, and an expert POV on Symantec Security Service Edge (SSE)
Analysis Summary
# Best Practices: Selecting and Implementing a Security Service Edge (SSE) Platform
## Overview
These practices, drawn from KuppingerCole's Buyer's Compass, provide a framework for evaluating, selecting, and implementing a Security Service Edge (SSE) platform. The goal is to replace fragmented, siloed security tools with a unified, cloud-delivered service that strengthens protection, simplifies operations, and enforces the same policy across distributed users, data, and applications.
## Key Recommendations
### Immediate Actions (Establish Foundation)
1. **Identify Primary Use Cases:** Immediately document your current operational reality by defining *how* and *where* your organization works today (remote, cloud-centric, hybrid) to determine which specific security challenges (e.g., securing remote work, cloud access control) must be solved first by the SSE.
2. **Define Required Core Capabilities:** Compile a definitive list of the SSE functions the new platform must consolidate, for example secure web gateway (SWG), cloud access security broker (CASB), data loss prevention (DLP), and zero trust network access (ZTNA).
3. **Mandate Consistent Policy Enforcement:** Establish the requirement that any evaluated platform must support policy enforcement that applies *uniformly* across all access vectors (web, cloud services, private applications), regardless of user location or access method.
### Short-term Improvements (1-3 months)
1. **Assess Endpoint Coverage:** Evaluate how consistently the platform can enforce policy across the full range of endpoints in use (managed and unmanaged, desktop and mobile); any device class that neither the agent nor an agentless path can cover becomes a policy gap.
2. **Verify Zero Trust Alignment:** Require that the proposed SSE architecture operates on Zero Trust principles: every access request is continuously authenticated and authorized on the basis of identity, device posture, and context rather than network location.
3. **Validate Threat Intelligence Integration:** Prioritize platforms that integrate with robust, large-scale global threat intelligence networks (e.g., Symantec Global Intelligence Network) for multi-layered threat analysis.
### Long-term Strategy (3+ months)
1. **Plan for Full Traffic Visibility:** Strategically plan the rollout to ensure complete visibility into all traffic, including the capability for necessary SSL/TLS decryption where security policies require it.
2. **Establish Integration Roadmap:** Verify that the chosen platform possesses modern APIs and partner connectors that align with future goals for modernization, scaling, and integration with existing critical third-party security tools.
3. **Support Hybrid Architecture:** Ensure the platform supports a full hybrid model, allowing secure enforcement for both cloud-native access and traffic destined for existing on-premises resources during migration phases.
## Implementation Guidance
### For Small Organizations
- **Focus on Consolidation Wins:** Prioritize SSE offerings that offer the simplest deployment model (e.g., single agent for core capabilities) to rapidly achieve operational simplification and reduce management overhead associated with multiple siloed tools.
- **Lean on Cloud-Native Performance:** Select a cloud-native solution leveraging high-performance backbones to ensure optimal user experience without requiring significant local infrastructure investment.
### For Medium Organizations
- **Phased Rollout by Use Case:** Implement the SSE platform by first addressing the most urgent functional gap (e.g., rolling out SWG/web protection first, followed by CASB integration).
- **Enforce Uniform Policy Testing:** Test policy consistency across access scenarios (for example a mobile user reaching SaaS through the CASB versus an office user reaching a private application through ZTNA) before general deployment, so that the unification objective is validated rather than assumed.
### For Large Enterprises
- **Leverage Hybrid Support for Transition:** Utilize the platform's full hybrid support feature to maintain security continuity and apply consistent policies while gradually migrating legacy application access from on-premises proxies to cloud enforcement points.
- **Mandate Architectural Deep Dive:** Insist on detailed evaluation of the underlying architecture (e.g., proxy-based SWG architecture) to ensure it supports complex enforcement actions and deep content inspection at scale without introducing unacceptable latency.
- **Develop API Dependency Map:** Create a formal map detailing planned API integrations with existing SIEM, orchestration, and identity management systems to ensure seamless data flow and operational consistency.
## Configuration Examples
*(Note: The source text focuses on evaluation criteria rather than specific configuration instructions for a singular product. The following recommendations are based on the required features.)*
1. **Deep Content Inspection Enablement:** Configure all relevant traffic inspection profiles (web, email, file uploads) to employ multi-layered threat analysis, ensuring suspicious files and content undergo thorough sandboxing or advanced malware analysis before being delivered to the endpoint or allowed to transit.
2. **Policy Engine Standardization:** In the central management console, create standardized policy object groups (User Groups, Data Classifications, Application Tags) that are universally referenced by SWG, DLP, and ZTNA rules to guarantee policy equivalence across the SSE stack.
3. **SSL/TLS Inspection Thresholds:** Define and document clear organizational standards for when and where SSL/TLS decryption must occur to gain full visibility (e.g., inspection required for all internal traffic and untrusted external sites; exemption lists for financial and health portals). Keep the exemption list explicit and reviewed, and expect to extend it for applications that break under interception, such as those that pin certificates or authenticate with client certificates, so that each bypass is a documented decision rather than a silent blind spot.
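The policy-standardization item above (shared object groups referenced by SWG, DLP and ZTNA rules), the SSL/TLS exemption standard, and the uniform-policy testing step recommended for medium organizations can all be exercised with a small harness. The following Python block is an added example written for this summary; it is not from the KuppingerCole report and is not any vendor's configuration or API. Every user, group, host, tag, and function name in it is a constructed assumption: shared policy objects are defined once, hypothetical `swg_decide`, `casb_decide` and `ztna_decide` enforcement points all reference them, `must_decrypt` applies the documented exemption tags, and `check_consistency` enumerates identity, device posture, destination and data-class combinations and reports any request on which the access vectors disagree. The deliberately drifted `drifted_casb_decide` shows what the harness catches when one control keeps its own stale copy of a group after consolidation.

```python
"""Added example: shared policy objects, per-vector enforcement points that all
reference them, a TLS inspection rule with documented exemptions, and a harness
that checks equivalent requests get the same decision over every access vector.
All names and sample data below are constructed for illustration."""
from dataclasses import dataclass
from itertools import product
from typing import Optional

# --- Shared policy objects: defined once, referenced by every control --------
USER_GROUPS = {"finance": {"alice"}, "engineering": {"bob"}}   # hypothetical groups
RESTRICTED_DATA = {"PAN", "PHI"}              # data classifications under DLP control
APP_TAGS = {                                  # application tags by destination host
    "crm.example.com": "sanctioned_saas",
    "erp.corp.internal": "private_app",
    "bank.example.net": "finance_portal",
    "clinic.example.org": "health_portal",
}
TLS_EXEMPT_TAGS = {"finance_portal", "health_portal"}  # documented decryption exemptions


@dataclass(frozen=True)
class Request:
    user: str
    device_managed: bool
    host: str
    data_tag: Optional[str] = None  # classification of content being uploaded, if any


def group_of(user: str) -> Optional[str]:
    return next((g for g, members in USER_GROUPS.items() if user in members), None)


def app_tag(host: str) -> str:
    return APP_TAGS.get(host, "uncategorized")


def must_decrypt(host: str) -> bool:
    """TLS inspection standard: decrypt everything except destinations carrying an
    exempt tag. Uncategorized hosts are inspected, never silently exempted."""
    return app_tag(host) not in TLS_EXEMPT_TAGS


def shared_rule(req: Request) -> str:
    """The vector-independent decision every enforcement point must reproduce."""
    grp = group_of(req.user)
    if grp is None:
        return "deny:unknown-identity"
    if not req.device_managed and app_tag(req.host) == "private_app":
        return "deny:device-posture"          # ZTNA posture requirement
    if req.data_tag in RESTRICTED_DATA and grp != "finance":
        return "deny:dlp-restricted"          # DLP rule keyed on the shared data class
    return "allow"


# Each enforcement point references the shared objects rather than its own copy.
def swg_decide(req: Request) -> str:   # web vector
    return shared_rule(req)


def casb_decide(req: Request) -> str:  # cloud (SaaS) vector
    return shared_rule(req)


def ztna_decide(req: Request) -> str:  # private application vector
    return shared_rule(req)


def drifted_casb_decide(req: Request) -> str:
    """Consolidation pitfall: a migrated rule that kept its own stale copy of a
    group instead of referencing USER_GROUPS, so 'finance' no longer includes alice."""
    legacy_finance = {"carol"}
    verdict = shared_rule(req)
    if verdict == "allow" and req.data_tag in RESTRICTED_DATA and req.user not in legacy_finance:
        return "deny:dlp-restricted"
    return verdict


def scenarios():
    """Enumerate identity x device posture x destination x uploaded data class."""
    users = ["alice", "bob", "mallory"]        # mallory is in no group (unknown identity)
    for user, managed, host, tag in product(users, (True, False), APP_TAGS, (None, "PAN", "DESIGN_DOC")):
        yield Request(user, managed, host, tag)


def check_consistency(controls: dict) -> list:
    """Return every (request, {vector: verdict}) on which the enforcement points disagree.

    `controls` maps an access vector to the function that decides it. A non-empty
    result means the same user, device and destination are treated differently
    depending on how they connect, which is exactly what unification must rule out.
    """
    mismatches = []
    for req in scenarios():
        verdicts = {vector: decide(req) for vector, decide in controls.items()}
        if len(set(verdicts.values())) > 1:
            mismatches.append((req, verdicts))
    return mismatches


CONSISTENT = {"web": swg_decide, "cloud": casb_decide, "private": ztna_decide}
DRIFTED = {"web": swg_decide, "cloud": drifted_casb_decide, "private": ztna_decide}

if __name__ == "__main__":
    print("consistent stack mismatches:", len(check_consistency(CONSISTENT)))
    for req, verdicts in check_consistency(DRIFTED):
        print(f"{req.user}@{req.host} managed={req.device_managed} data={req.data_tag}: {verdicts}")
```

Run stand-alone, the consistent stack reports zero mismatches, while the drifted stack lists the seven cases in which a finance user's restricted upload is allowed over the web and private vectors but denied over the cloud vector. In a real evaluation the same idea applies with the product's policy export or API in place of the hand-written evaluators: enumerate the scenarios, drive each vector, and treat any disagreement as a consolidation defect to fix before general rollout.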
## Compliance Alignment
- **Zero Trust Architecture (NIST SP 800-207):** The platform must inherently support NIST Zero Trust principles by requiring continuous verification of identity and context for every access request.
- **Data Protection (ISO 27002):** Configuration must align with ISO 27002 controls via the integrated Data Loss Prevention (DLP) capabilities to safeguard sensitive information discovered during content inspection.
- **Secure Web Gateway Mandates (CIS Controls v8):** The integrated SWG component directly supports CIS Control 9 (Email and Web Browser Protections) and Control 10 (Malware Defenses) by providing web threat protection and content inspection.
- **Cloud Security Foundations (CSA CCM):** The CASB functionality inherently supports controls related to visibility and governance over cloud application usage as defined by the Cloud Security Alliance.
## Common Pitfalls to Avoid
- **Ignoring Use Cases:** Selecting a platform based solely on feature checklists without first understanding organizational workflows, leading to a powerful tool that doesn't solve real-world, distributed access problems.
- **Assuming Seamless Consolidation:** Assuming that integrating disparate legacy tools into a new SSE platform will automatically create consistent policies—enforcement must be explicitly verified across all consolidated controls.
- **Underestimating Visibility Gaps:** Choosing a solution that cannot decrypt and inspect SSL/TLS traffic, resulting in significant blind spots that attackers can exploit.
- **Neglecting Integration Future State:** Selecting a platform lacking modern, open APIs, hindering future integration efforts required for orchestration, automation, and scaling beyond the initial rollout phase.
## Resources
- **KuppingerCole Buyer’s Compass for Security Service Edge:** Use as the structured framework for technical and functional evaluation.
- **Forrester Total Economic Impact™ Study:** Review documented customer experiences and measurable outcomes to support the business justification for SSE adoption.
- **Documentation on Zero Trust Principles:** Reference [NIST SP 800-207] for architectural guidance on identity-centric access control.