SSPM vs SASE
SaaS security posture management (SSPM) and the secure access service edge (SASE) don’t have a lot in common, but they do overlap. Hype about SASE has led to many organizations “doing SASE,” which can mean a lot of different things. There can be confusion about why an organization might need SSPM if it’s implementing SASE. As a result, it’s worth taking a moment to understand what each technology is about, how they are similar, and where they differ.
What is SASE?
The “E” in SASE is the key to understanding what it’s all about. E is for edge. SASE enables endpoints, such as mobile devices or Internet of Things (IoT) sensors to connect securely to applications and data at the edge. The user does not have to connect through a data center, which adds latency and creates network congestion.
SASE is not a product, at least not at this point. As defined by the Gartner analyst firm, SASE is an architecture that combines a software-defined wide area network (SD-WAN), zero trust network architecture (ZTNA), secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS) and centralized management. That’s a lot of technology to implement, integrate, and manage. Even if the components are all from the same vendor, it’s still a big job.
SASE, or something just like it, has become a necessity, however. Enterprises need it to support modern work scenarios—where users are accessing cloud and on-premises assets from pretty much anywhere. Allowing users to connect at the edge, via a cloud-based service, is an effective solution.
What is SSPM?
SSPM concerns itself with the collective security posture of an organization’s software-as-a-service (SaaS) ecosystem. This can be a sprawling, complicated environment, with the average organization using 130 SaaS apps as of 2022, up from 110 in 2021. To protect those SaaS apps, and the data they contain, SSPM combines tools, people, processes, and policies to reduce SaaS apps’ inherent cyber risks.
For example, SSPM might monitor SaaS apps for insecure configurations—and remediate configuration problems when they are discovered. Other SSPM tasks include monitoring user sessions for anomalies, examining data access rules to prevent data breaches, tracking third party integrations between SaaS apps, and so forth.
SSPM is a unique, coherent solution, in contrast to SASE, which is basically an architectural pattern. It is comparatively easy to implement. (Realistically, at this point, almost anything is easier to implement than SASE, which requires installing six different products and making them work together…)
Where SSPM and SASE overlap?
SSPM and SASE overlap with a common goal of protecting SaaS apps from malicious users. SASE does provide a number of defenses for SaaS. With SASE, for example, the CASB serves as a policy enforcement point that sits between users and cloud service providers, including SaaS apps. It can handle tasks like authentication, encryption, and threat detection. ZTNA helps ensure that only authorized, verified users, can access SaaS apps. The SWG component of SASE also offers some protections for SaaS apps. For example, an SWG can execute data loss prevention (DLP), by detecting and blocking unusual data transfers out of SaaS apps.
Do you need SSPM if you’re implementing SASE?
On the surface, it seems like SASE mitigates SaaS risk for the enterprise. Going a little deeper, however, a number of significant gaps emerge. Unlike SSPM, SASE does not inspect SaaS configurations, for instance. Its components do not monitor SaaS security settings and flag insecure situations. SASE does not track the use of third-party plugins that integrate one SaaS app with another. Nor does SASE monitor SaaS user sessions with the goal of detecting anomalous behavior.
Without SSPM, SASE leaves SaaS apps exposed to risks related to configuration and third-party integration, among others. And, SSPM solutions, such as Suridata, offer risk prioritization and automated remediation. SASE is a connection paradigm. It’s not a cybersecurity toolset. It does not have built-in SaaS risk remediation capabilities.
Now, it may not be entirely fair to say that SASE can’t perform these tasks. Some SASE components are highly customizable and come with advanced developer kits. It’s probably possible to program a SASE solution to perform most SSPM processes. That would be a huge, unnecessary investment of time, however.
Making SSPM part of SASE
There is a way to resolve SASE’s gaps in SaaS security: make SSPM part of a SASE architecture. SASE already involves acquiring and integrating six or more technologies. Adding SSPM to the mix is not a huge extra step. One reason is that SSPM could operate independently from SASE, though an SSPM platform could feed data into a centralized SASE management tool, as well as related security operations (SecOps) solutions.
Conclusion
SASE and SSPM cover different aspects of SaaS security. SASE protects SaaS apps from unauthorized access and enforces security policies related to data loss, and so forth. Any organization that has people and IoT devices operating remotely is going to need some sort of SASE solution. SASE does not provide complete SaaS security, however. It doesn’t track SaaS configurations and third-party integrations. Nor does it manage SaaS risk remediations. For optimal SaaS defense, the two technologies should ideally be deployed together.
Co-Founder & COO