Security Service Edge (SSE) are security solutions that aim to protect endpoints, users, and data that lie on the “edge” of a network – essentially any device that operates outside of a centralized data center. These devices, and their associated information and data, are often the most at risk from malware, security breaches, and data loss, making implementing SSE for enterprises a smart solution to prevent risk.
The solutions on this list often compromise of a range of security technologies and features, such as Cloud-Access Security Broker (CASB), Firewall-as-a-Service (FWaaS), Zero-Trust Network Access (ZTNA), and Secure Web Gateway (SWG). DLP is also often included. SSE aims to secure access to applications and servers, provide secure internet access, and secure remote access to private applications.
With the unprecedented rise in employees working from home, and more and more devices being connected to work servers, protecting your data when it rests and travels outside of your company’s centralized data center is crucial. Read on for a list of leading figures in edge security solutions to find a product that suits your business needs.
NordLayer is a remote access solution offered by Nord Security, a leading security and privacy provider based in Lithuania. The cloud-based solution provides zero trust access to all areas of a network, with user authentication, network segmentation, and traffic encryption, to help prevent threat actors gaining access to corporate data and applications.
NordLayer Features:
- The NordLynx VPN protocol provides a constant, immediate connection between the user and the network, which is protected with AES 256-bit encryption
- Robust cloud firewall, combining packet inspection with stateful network traffic analysis, intrusion prevention, and threat intelligence
- Device posture security feature monitors all devices connected to your network and prevents non-compliant device access
- The Kill Switch feature automatically cuts off internet traffic if the connection to the server breaks
- Network segmentation ensures users can only access the areas of the network they need to do their jobs, in line with the principles of zero trust and least privilege
- Automatic restriction of access to untrusted or potentially malicious websites prevents users from accidentally downloading malware onto their devices, or visiting phishing pages
- Intuitive, streamlined management via a centralized console, from which admins can manage user accounts, permissions, and gateways
- Support for third-party MFA and single sign-on via Azure AD, Google Workspace, Okta and OneLogin
Plans And Pricing: NordLayer is available via four plans: Lite, Core, Premium and Custom. Pricing starts at $8 per user, per month for the Lite plan.
Expert Insights’ Comments: NordLayer is a powerful zero trust network access solution that enables businesses to secure user access to all areas of the network. Delivered as-a-Service, NordLayer is highly scalable and is easy to deploy and integrate alongside other third-party security tools. This makes it suitable to larger enterprises. However, the platform’s extensive technical support options and inclusion of a dedicated account manager for ongoing support also make NordLayer accessible for, and well suited to, SMBs.
Twingate, based in Redwood City, CA, has developed a secure network access platform that unifies access, authentication, and controls in a single streamlined solution. Rather than using a VPN to ensure secure access, Twingate establishes direct peer-to-peer connections between devices, ensuring that data is protected before it is shared. The platform ensures compliance with CPRA, GDPR, PCI DSS, and SOC 2 regulations.
Twingate Features:
- Enforce security and privacy standards across BYOD policies
- Gain visibility and control over network traffic
- Rapid connection – lower latency than a VPN
- Lightweight deployment – the solution does not demand much space on endpoints
- Use Admin API, Terraform, and Pulumi to automate access controls
- Set granular permissions for specific groups
- Ability to access multiple clouds or other environments simultaneously
Plans And Pricing: In addition to a Free plan, Twingate offers two subscription plans: $5/user/month and $10/user/month. The $5 plan is designed for up to 100 users with up to 3 admins, working across 20 remote networks. The $10 plan is for up to 500 users with 10 admins and up to 100 remote networks.
Expert Insights’ Comments: Twingate is a robust and powerful zero trust network access solution. The platform is easy to deploy and integrates well within your existing technology stack. Admins and providers can configure specific policies with granular controls to be deployed across specific network areas, ensuring that your organization is protected as necessary. We would recommend Twingate for small- to medium-sized organizations that require an effective, robust, and secure network access solution.
Cisco Umbrella is a unified, cloud-based security solution from San Jose-based Cisco. It offers threat intelligence solutions, Firewall, Secure Web Gateway, DNS-layer security, and CASB in a single platform. It can be deployed alongside Cisco SD-WAN, offering a fully integratable SASE framework.
Cisco Umbrella Cloud Security Features
- User logs and emerging threats immediate accessible via the dashboard
- Cisco Umbrella Investigate tool which provides insights on relationships and changes of internet domains files, and IPs which helps teams detect anomalies and predict future threats
- DNS layer security
- 80 content categories that covers billions of web pages
- CAn block malicious domain, IP addresses, and cloud applications before a connection can be established
Pricing: Pricing for Cisco Umbrella’s SSE solution is available upon request and is tailored to business needs and size. A 14 day free trial is also available.
Expert Insights Comments: Cisco Umbrella offers admins insights on relationships and changes of internet domains, files, and IPs, allowing for admins to detect anomalies and predict future threats. It provides reliable, effective threat scoring and DNS request views in real-time to particular domains, so if there’s a spike in traffic admins are notified, and back-dated lists of key events and tagged security categories in the form of historical data that can be useful for those new to the network. Cisco Umbrella has four service versions: Guest WiFi, Professional (for small companies), Insights, (for mid-sized companies), and Platform (for enterprises). The range of service versions makes it suitable for a range of organizations.
Forcepoint ONE is a cloud-native consolidated SSE solution. Features include SWG, CASB, ZTNA, RBI, CDR, and Sandbox within a zero trust framework. With granular access controls, users can only have access to the apps that they need for their work rather than the whole network. Strong customization policies also extend to risk assessment, with actionable advice offered. A flexible policy builder adapts and learns from various sources, ensuring policies stay up-to-date on potential threats as much as possible.
Forcepoint ONE Features
- Cloud native SSE solution with SWG, CASB, ZTNA, RBI, CDR, and Sandbox features within a zero trust framework.
- Secure web gateway that monitors and controls all interactions with every website interacted with in the network, with blocking access to websites automatically based on website category and risk score, blocking of malware downloads, blocking of sensitive data uploads to non-authorized accounts and networks, and shadow IT control.
- Granular access controls and provides unified access to business apps managed in one place for SWG, CASB, and ZTNA.
- Strong customization policies which include risk assessment.
- Flexible policy builder that aggregates intel from numerous sources, meaning that policies remain up to date on latest threat development.
Pricing: Pricing is available upon request.
Expert Insights Comments: What sets Forcepoint ONE apart from other SSE solutions on the market is its Seamless Handoff feature, which allows for easy automatic switching between the default proxy enforcement mode and local enforcement mode through Direct Connect. The Unified Endpoint tool enables admins to secure users to a single endpoint for DLP, CASB, and NGFW features. This also includes traffic redirection capabilities when needed. With robust security measures and continuous threat detection, we would recommend this product for enterprise level organizations.
Cloud-native, Skyhigh Security Service Edge secures web, cloud (SaaS, PaaS, and IaaS), and private apps to offer air-tight security. UCE is a consolidation of SWG, CASB, ZTNA, DLP, RBI, FWaaS products, implemented alongside SD-WAN to deliver a full SASE network. The product has one management console to deliver a unified admin and user experience.
Skyhigh Security Service Edge Features
- Provides wide and granular coverage of cloud security, with real-time protection on collaboration and strong visibility on events
- Policy enforcement, DLKP delivered incident management across all endpoints, and consolidated data classification
- Advanced threat protection with user and entity behavior analytics (UEBA)
- Data classifications can be set once and applied comprehensively and consistently across all policies, protecting all endpoints, the network, and cloud
- Unified incident management between all control points
- Data loss prevention policies enforced throughout the cloud
Pricing: Pricing is supplied via a quotation request.
Expert Insights Comments: Skyhigh is a globally recognise and respected vendor in the edge security spaces. Their SSE contribution is a cloud-native, for-the-cloud solution that is fully featured with full visibility and control. Their ZTNA feature is data-aware, meaning that it can provide in-depth data inspection by utilizing DLP and classification. Private applications can be protected from potentially risky devices via remote browser isolation web sessions. With complete visibility into all usage, data, devices, users, and services with extensive security coverage, we would recommend Skyhigh Security Service Edge for governmental, financial, and healthcare organizations.
Netskope Security Service Edge is an SSE solution from Santa Clara, California-based software company Netskope. It provides admins with in-depth visibility with real-time granular controls across the entire network. Main tools included are a Cloud Firewall, NG SWG, RBI, CASB-API and SSPM, public cloud security, and ZTNA.
Netskope Security Service Edge Features
- Cloud data loss prevention capabilities
- Capable of setting granular policies and automated workflows for investigations, these policies and workflows are based on AI/ML-enabled app discovery, trust scores for apps and users, and categorization
- Data awareness and real-time enforcement capabilities
- Insight into inline traffic analysis and cloud API interaction
- Uses Closed loop analytics to constantly detect for user behavior anomalies, app risks, and unknown or unverified data movement
- Advanced threat protection across all web and SaaS applications, as well as cloud services
Pricing: Pricing is supplied via a quotation request. Demos can be scheduled before purchase.
Expert Insights Comments: What sets Netskope apart from competitors is its enhanced security policies when it comes to data protection. Netskope’s solution can detect when sensitive data may be at risk through screenshot and image identification detection. They also provide granular control of data movement between personal and corporate apps, making sure nothing goes to where it shouldn’t. We would recommend Netskope for governmental, financial, healthcare, and education organizations.
Prisma Access is a comprehensive SSE solution from Palo Alto Networks, headquartered in Santa Clara, CA, USA. Prisma Access is a comprehensive SSE solution that includes Firewall-as-a-Service, DNS security, threat prevention, Secure Web Gateway, Data Loss Prevention, and Cloud Access Security Broker capabilities. In addition to Prisma Access, Palo Alto also offers a compatible SD-WAN framework that can be deployed alongside, offering full SASE protection.
Palo Alto Networks Prisma Access Features
- A cloud-native SWG prevents web-borne threats through static analysis and machine learning
- DeliverspPatch preparation and deployment, whilst protecting all web and non-web-based traffic
- The platform offers comprehensive protection delivered through a single unified dashboard that offers a single pane of glass view into the entire network and solution, allowing for targeted management, consistent policy application, and shared data between users
- Advanced threat protection delivers security against malware exploits, and command-and-control (C2) traffic through the leveraging of threat intelligence. Additional artificial intelligence and machine learning powered scanning can protect against previously unseen threats.
- FWaaS, sandboxing, DNS security, IoT security, and VPN features available
Pricing: Pricing is supplied via a quotation request.
Expert Insights Comments: Prisma SASE offers a zero-trust approach that safeguards your data, whether it’s in rest or being transported through your network. What sets Prisma apart from its competitors is its SASE framework, which includes Autonomous Digital Experience Management (ADEM) to provide end-to-end visibility, with in depth insights for admins. It monitors the entire network, from endpoint to apps, highlighting any problems that may negatively impact user experience, helping admins quickly isolate and remediate any issues. We would recommend this product for mid-sized to large companies.
Based in Sunnyvale, CA, USA, Proofpoint is a market leader in computer and network security. They offer Proofpoint Information and Cloud Security, a cloud-native SSE platform that provides comprehensive, unified administration capabilities and strong responsive security measures. Admins are granted full visibility and control across web, cloud, email, and endpoint servers.
Proofpoint Cloud Security Features
- Inline access controls, pervasive and adaptive data loss prevention (DLP), and advanced threat protection for all cloud apps in your network
- Granular controls with step-up authentication
- Browser isolation capabilities that can provide read-only access to web pages, ensuring your users can still access things they need to safely
- User and entity behavior analytics that constantly search and detect any risky or anomalous activity within the network
- Advanced threat protection and data loss prevention capabilities
Pricing: Pricing is supplied during a quotation request and consultation.
Expert Insights Comments: The platform includes: Enterprise DLP, CASB, Email DLP and encryption, Insider Threat Management (ITM) with Endpoint DLP, and Web Security with Browser Isolation. Despite being a global, cloud-native platform, Proofpoint’s SSE solution can also store data locally – handy for companies that need to meet location-specific data compliance regulations regardless of where their headquarters are based. We would recommend it for financial, healthcare, and legal organizations.
San Jose, CA native Zscaler is a leading figure when it comes to edge security solutions. They offer a scalable SaaS platform that incorporates Cloud SWG, CASB, DLP, Cloud Firewall and IPS, Cloud Sandbox, Cloud Browser Isolation, Digital Experience Monitoring, and ZTNA in the Zscaler SASE solution. Their ZTNA feature does not trust any IP addresses, instead identifying the user and device with an identity provider first. Admins can tailor access policies to a user, which is enforced by the cloud. Admins are also presented with user logs which give detailed accounts of what is being accessed and by who. It also offers DEM capabilities which collects and analyzes end-user experiences.
Zscaler SASE Features
- The cloud sandboxing feature is an AI-driven malware prevention engine that can enable inline quarantine that prevents emerging threats from becoming fully realized; it operates entirely automatically, with continuous scanning, preventing, and quarantining
- Zero trust is applied consistently through the platform; it connects users, workloads, and devices through the cloud native platform without connecting to the network, thereby reducing the attack surface area which in turn prevent lateral threat movement and data loss
- Access and authentication policies are continually enforced, with user and device verification or workload authorized before access, validation of the context of the connection request, and confirms that the destination is known, confirmed, and contextually categorized
- Every connection is inspected regardless of user, endpoint, app, or encryption
- Proxy-based architecture delivers full inspection of encrypted traffic across SWG, CASB and other tools in your security stack, which can be performed at scale
Pricing: Pricing is supplied via a quotation request.
Expert Insights Comments: Zscaler SASE is a powerful solution that delivers high performance and is designed to be deployed at scale. It is a solution that works well for organizations experiencing rapid growth, due to its flexible nature. A cloud native platform, it excels in delivering SSE to all users and devices. It reduces security risks and complex issues that arise from expanded network surface areas and porous networks. We would recommend it for mid-sized to large organizations.
FAQs
What Are Edge Security Solutions?
Secure service edge solutions (SSE solutions) fall under the category of edge security. Edge security solutions are essentially security tools that protect data that sits on the “edge” of your network–i.e., the furthest away possible from your data center while still being in your network. These devices or edges sit outside of the centralized data center and are transported outside of it also. In reality, these edges can take on various forms, from a remote worker’s laptop that only sees use outside of an office or computers and devices used in flagship offices and stores (such as the smart till for a store that’s part of a wider company).
It’s clear that the edge isn’t strictly definable, and is flexible and porous. While this is great for ease of use and practicality reasons, the edge is often a wealth of attack vectors for threat actors, meaning appropriate use and security must be adhered to to avoid breaches and attacks.
For more on edge security and SSE, check out our blog here:
What Are Edge Security Solutions?
How Does SSE Work?
SSE solutions are effectively a subset of Secure Access Service Edge, which is a conglomerate of cloud-based security tools and SD-WAN capabilities, which is delivered to all users in a network no matter how close to the edge of the network they may be. SSE is SASE without the SD-WAN capabilities, meaning it is a combined solution with CASB, FWaaS, SWG, and ZTNA features. These individual tools can act independently and independently of each other to offer pervasive and adaptive cloud security.
-
Secure Web Gateway (SWG): A SWG acts as a barrier that prevents unauthorized traffic from accessing a network and only allows users to access secure, pre-approved websites.
-
Zero-Trust Network Access (ZTNA): This is a framework that determines how users log-in and when they need to manually login. It is there to restrict access and ensure applications are removed from public view, as well as enforce identity-based authentication.
-
Firewall-as-a-service (FWaaS): Essentially, a cloud or software-based firewall that is managed by a third party to offer robust yet flexible protection.
-
Cloud-Access Security Broker (CASB): A CASB protects the connection between users and their devices to cloud applications. Acting as a security checkpoint between users and cloud service providers, a CASB will secure data, information, and systems through predetermined security policies, malware prevention, and strong encryption capabilities.