Critical Capabilities for Security Service Edge [Gartner Reprint]

Updated: Apr 13, 2022

Licensed for Distribution

Published 16 February 2022 - ID G00757039

By Craig Lawson, Charlie Winckless, John Watts, Aaron McQuaid

 

SSE solutions provide a broad set of features to secure access to, and usage of, the web, cloud services and private applications. Security and risk management leaders should evaluate them in relation to four key use cases and 10 critical capabilities to find the one best suited to their needs.


Overview


Key Findings

  • Security service edge (SSE) solutions enable organizations to secure access to the internet and usage of cloud services and private applications. The market for these solutions is emerging rapidly.

  • Vendors have primarily improved their secure web gateway (SWG) and/or cloud access security broker (CASB) offerings, while adding zero trust network access (ZTNA) capabilities, to compete in this converging market. Their backgrounds in SWGs and CASBs often define some of their core strengths.

  • The SSE market is prompting significant architectural changes by security and risk management (SRM) leaders who want to secure users regardless of location, the types of applications they are using, or where their data is accessed and stored.


Recommendations

As an SRM leader responsible for infrastructure security and enabling a secure workplace, you should:

  • Approach the convergence of CASB, SWG and ZTNA differently, depending on your starting point and which elements you already have in place, and keep the focus on your own use cases.

  • Start by gaining a detailed understanding of the use cases applicable to your end-user computing environment, the cloud services you use and the data you need to protect.

  • Consolidate your CASB, SWG and ZTNA capabilities by using a single SSE vendor. This will create an opportunity to improve your organization’s agility and ability to prevent, detect, and respond to cyberthreats.

  • If your organization already has an SSE solution, reevaluate the vendor landscape on no more than a two-year cadence, as vendors’ features and pricing are evolving rapidly.

  • If your organization is undertaking a larger secure access service edge (SASE) transformation with a software-defined wide-area network (SD-WAN) as its driver, assess SSE SD-WAN providers with credible SSE capabilities against best-of-breed SSE vendors. This will help you determine whether a dedicated SSE solution is required to meet more granular security requirements.


Strategic Planning Assumptions

By 2025, 70% of organizations that implement agent-based zero trust network access (ZTNA) will choose a security service edge (SSE) provider for ZTNA, rather than a stand-alone offering, up from 20% in 2021.


By 2025, 80% of organizations seeking to procure SSE-related security services will purchase a consolidated SSE solution, rather than stand-alone cloud access security broker, secure web gateway and ZTNA offerings, up from 15% in 2021.


By 2026, 50% of organizations will prioritize advanced data security features for inspection of data at rest and in motion as a selection criterion for SSE, up from 15% in 2021.

What You Need to Know

Security service edge (SSE) secures access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components.

Analysis


Critical Capabilities Use-Case Graphics

Vendors' Product Scores for Secure Web and Cloud Usage Use Case (graphic not reproduced in this reprint). Source: Gartner (February 2022)

Vendors' Product Scores for Detect and Mitigate Threats Use Case (graphic not reproduced in this reprint). Source: Gartner (February 2022)

Vendors' Product Scores for Connect and Secure Remote Workers Use Case (graphic not reproduced in this reprint). Source: Gartner (February 2022)

Vendors' Product Scores for Identify and Protect Sensitive Information Use Case (graphic not reproduced in this reprint). Source: Gartner (February 2022)


Vendors


Broadcom

When Broadcom acquired Symantec’s enterprise security business in 2019, it obtained all the associated components, primarily the CloudSOC CASB, Symantec Data Loss Prevention and the Blue Coat SWG. CloudSOC remains the key cloud service usage component in Broadcom’s portfolio. A range of policies can be built using a combination of “securlets” for connecting CloudSOC to SaaS APIs and “gatelets” to configure forward-proxy inspection. Webhooks are available for some cloud services. Broadcom has stopped further development of reverse-proxy functionality, which will be replaced by remote browser isolation (RBI) features.


Broadcom’s catalog of discoverable cloud services is good, as is the depth of attributes tracked for services. Additionally, the ability to adjust scores that contribute to the dynamic risk score is more advanced than that of most competitors. This, however, mainly applies to “cloud service usage,” and does not apply to general internet usage.


Despite owning its product suite for a significant time, Broadcom has done little integration work to build a coherent SSE solution. The suite has separate agents, separate consoles, separate configurations (though the UI is mostly similar) and different reporting consoles. This lack of consolidation significantly compromises the operational efficiencies offered by an SSE solution.


Broadcom is one of only a few vendors in this report also to offer a data loss prevention (DLP) solution. This can be an advantage for organizations that have invested in Symantec’s DLP, as they can reuse complex rules to enforce behavior on traffic destined for the cloud, private applications, email and the web.


Use-case score summary: Broadcom scores just over three (the score equating to “good”) for two use cases, namely “detect and mitigate threats” and “identify and protect sensitive information,” and slightly less than three for “secure web and cloud usage” and “connect and secure remote workers.”


Organizations with investments in other Broadcom security products, particularly Symantec DLP, should evaluate Broadcom for SSE technology.


Cisco

Cisco Umbrella provides acceptable web-filtering capabilities, with the ability to use both DNS and proxy technologies to control access, or to redirect users to an RBI solution. Malware protection is achieved via native integrations with Cisco’s Secure Malware Analytics (formerly Threat Grid), an in-line identity proofing service and Cisco’s Advanced Malware Protection (AMP); together these provide competent scanning and protection against threats. Basic DLP capabilities (including prepopulated dictionaries and custom regular expressions [regex]) are available for in-line inspection via Umbrella and via API in Cloudlock. However, if content is deemed unacceptable, the only option is to block it entirely; actions like redaction and tombstoning are not fully supported at this time.


Cisco has a collection of tools to address this market, but there is limited integration between them. Policies for DLP, malware and isolation must be configured in separate consoles, and cloud security posture management (CSPM) requires the purchase of a separate solution that has limited CSPM functionality. Cisco’s ZTNA uses a separate platform and is clientless only, with no DLP or anti-malware integration. Additionally, Cisco lacks a reverse proxy or RBI SAML integration, which severely limits its utility for unmanaged-device use cases.


Use-case score summary: Cisco scores less than three (the score equating to “good”) for all four use cases.


Organizations seeking a single-vendor approach across security and networking, with global support, should consider Cisco.


Forcepoint

In October 2021, Forcepoint finalized its acquisition of Bitglass, which has a more sophisticated SSE offering that is evaluated separately in the next section of this Critical Capabilities.


Forcepoint’s other SSE solution, which is evaluated in this section, comprises its Cloud Security Gateway, Cloud Access Security Broker and Private Access products. It offers a robust enterprise DLP capability that can be used across endpoints, clouds, email systems and the web. A flexible reporting engine also includes features such as user-centric reporting on risks and behaviors in order to identify high-risk users. The cloud service risk rating capability is good; it includes seven different categories and lets users adjust attribute weightings in order to easily change risk- and policy-related decisions across all cloud applications.


Although this solution provides capabilities to assess user risk and behavior, it lacks a robust approach to assess user context from a variety of data sources in order to dynamically adjust permissions if the user context changes.


At the time of writing, Forcepoint lacks a CSPM capability to integrate with infrastructure as a service (IaaS) and other cloud services.


Unlike other vendors evaluated in this Critical Capabilities, Forcepoint lacks a mobile agent for iOS and Android. It also lacks the capability to provide a cloud-based firewall as a service (FWaaS) to control all ports and protocols.


Use-case score summary: Forcepoint scores less than three (the score equating to “good”) for all use cases except “identify and protect sensitive information.”


Gartner recommends that clients evaluate Forcepoint’s Bitglass solution and that existing Forcepoint clients investigate the likely nature of the transition from Forcepoint’s current SSE offering to the recently acquired Bitglass solution.


Forcepoint (Bitglass)

Forcepoint acquired Bitglass in October 2021.


Bitglass originally favored deployment scenarios best satisfied by reverse-proxy and API inspection of data in SaaS applications. Forcepoint (Bitglass) now also supplies users with its SmartEdge agent, which enables forward-proxy inspection, native endpoint SWG enforcement and ZTNA to internal applications. It can also deliver this functionality from the cloud and is not tied solely to the endpoint agent. There is, however, no mobile agent, and only unified endpoint management (UEM) pushed configurations are supported for iOS and Android. Combined with the AJAX Virtual Machine (a small bit of code injected into a browser’s document object model), Forcepoint (Bitglass)’s solution provides comprehensive visibility and control for almost all forms of access to, and interactions with, cloud services. In particular, the reverse proxy works extremely well across a broad range of use cases and “bring your own” scenarios.


Forcepoint (Bitglass)’s catalog of discoverable SaaS applications is large and, with approximately 60 attributes tracked, supports cloud discovery and control use cases well. Users can customize cloud attributes to suit their priorities and risk appetite. Forcepoint (Bitglass)’s connected app control includes a history of all activities permitted by an OAuth token. Its access and control policy builder, although fairly straightforward, takes an application-centric approach, in addition to having a global policy capability. RBI is available as an action for most proxy-based policies, and does not require a separate product.


Forcepoint (Bitglass) has strong DLP capabilities as a result of continued refinement. In addition to exact data matching (EDM), its DLP offers many more predefined patterns than most competitors. It can also learn positive and negative matches (via an on-site downloadable tool to ingest an organization’s corpus of content) and automatic optical character recognition (OCR) capabilities. An automated learning capability simplifies the task of teaching the SSE solution to govern an application it has not previously seen and that is not in its catalog. This solution, along with OEM-based malware and threat intelligence integrations, also extends seamlessly to private applications via Forcepoint (Bitglass)’s ZTNA technology.


CSPM and SaaS security posture management (SSPM) features are available and fully integrated, but their capabilities remain basic in comparison to those of competitors. Most Gartner clients have not identified Forcepoint (Bitglass) as a suitable vendor to supply a replacement for a stand-alone tool.


Use-case score summary: Forcepoint (Bitglass) scores more than three (the score equating to “good”) for all use cases, but requires better execution in subcategories like threat defense, enterprise integration and CSPM/SSPM.


Users looking for a complete SSE solution should consider Forcepoint (Bitglass).


iboss

Iboss offers a good SWG and acceptable threat defense, with a single console that controls all functions. Although this leads to a busy and complicated interface by default, it does offer the ability to delegate administrative privilege and to reduce this complexity for less privileged users. Iboss also supports a single unified agent, which can perform (limited) posture checking but has limited SD-WAN integration.

Iboss has a small catalog of API-enabled SaaS applications, and many of the applications it can enforce policy on in-line are consumer applications; it has fewer controls that apply to business applications than its competitors have. It does, however, have an RBI solution integrated with SAML redirects, in place of a reverse proxy. RBI sessions can have DLP and malware rules enforced, and this technology is also used for iboss’ clientless ZTNA function. Iboss’ DLP is not as strong as that of the leaders in this market, as it lacks OCR and machine learning capabilities (though it does include EDM functionality).


Iboss has limited ability to inform a user about the risk of applications: risk ratings are assigned by its team without clear metrics or inputs, and adjustments by an end user are simple overrides of the risk score. The risk score cannot be easily used in rules, and this shortcoming is compounded by the user’s inability to adjust the scoring. This combination, together with an inability to push authentication changes during a session, limits the adaptive capabilities of the platform.


Use-case score summary: Iboss scores below three (the score equating to “good”) for all use cases.


Users needing an SSE solution with a heavy focus on SWG features should consider iboss.


Lookout

In March 2021, Lookout acquired CipherCloud, a vendor best known for its CASB. As a result, Lookout now has an SSE offering to add to its background in mobile security.


Lookout’s policy engine and UI is unified and easy to use across SWG, CASB and ZTNA features. Reporting is included, and day-to-day operations are easy using this platform. The console includes the Lookout mobile threat defense (MTD) product set, and the agent is fully integrated. Malware and threat detection are weaker areas for Lookout, but it uses capable OEM solutions and seamless integrations for antivirus and sandboxing. These integrate well into the platform and are able to inform user risk scoring.


Lookout has a tightly integrated DLP and RBI capability that applies advanced data security controls. These include endpoint coverage and detection of sensitive data moving between Common Internet File System (CIFS) shares and private, cloud and web channels, without requiring a separate DLP module. Lookout’s DLP can tokenize data, add watermarks, and apply classification labels ingested from Azure Information Protection (AIP) and Titus.

Lookout has an excellent ability to discover and report on all forms of devices (PCs and mobile devices, managed and unmanaged) for all access to the general internet, cloud service usage and access to private applications. Additionally, the interface for investigations and other general operations tasks is well laid out and very practical.


Lookout’s support for CSPM and SSPM is well integrated and needs no other management interface. Its ability to govern IaaS is functional and one of the best in this market.


Use-case score summary: Lookout scores more than three (the score equating to “good”) for all four use cases.


Clients looking for a comprehensive SSE solution should consider Lookout.


McAfee Enterprise

In July 2021, Symphony Technology Group (STG) purchased McAfee’s enterprise business and formed McAfee Enterprise as a private company. In October 2021, STG completed the acquisition of FireEye and merged the two acquisitions into a single company. In January 2022, STG launched a new business unit, Trellix, for its extended detection and response (XDR) products, which are separate from its McAfee Enterprise SSE portfolio.


McAfee Enterprise offers a comprehensive, unified and flexible SSE solution called MVISION Unified Cloud Edge (UCE). It controls and monitors all features from a “single pane of glass,” and makes interesting use of the MITRE ATT&CK framework. It supports excellent SecOps views for security analysts using the console from day to day. MVISION UCE also enables users to understand and manage their attack surface, which in turn helps organizations surface security issues preemptively and apply remedial changes in policy to address risks proactively.


McAfee has a long history in the field of DLP, and its DLP engine is integrated across McAfee Enterprise’s SSE offering. This includes traffic traversing web, cloud services and private applications, regardless of location, and additionally utilizes the company’s single agent for endpoint DLP as well.


McAfee Enterprise also has an effective endpoint protection platform (EPP)/endpoint detection and response (EDR) solution — not evaluated in this research — which is evolving into a competitive XDR capability.


McAfee Enterprise has strong CSPM and SSPM capabilities. These enable customers not only to view compliance issues with IaaS and SaaS, but also to permit automated remediation actions for compliance issues.


Although functional, McAfee Enterprise’s offering lacks the deep integration with SD-WAN vendors needed to provide orchestration between partner SD-WAN devices and its SSE service. The management console exposes an extensive range of features and options, but these require deep understanding to fully utilize. The offering is therefore not ideal for less sophisticated customers looking for an SSE solution that is simple and easy to set up and use.


McAfee Enterprise provides good user and entity behavior analytics (UEBA), but there is scope for improvement in terms of how its analytics are used for user monitoring and content detection.


Use-case score summary: McAfee Enterprise is the highest-scoring vendor across all four use cases.


End users looking for a comprehensive SSE solution should consider McAfee Enterprise.


Netskope

Netskope’s SSE offering has advanced data security capabilities that are well integrated with web, cloud and email channels. Techniques like machine learning are used to reduce overall false-positive and false-negative rates for the detection of sensitive content in motion and at rest. Netskope’s advanced analytics module is primarily a chargeable add-on used for reporting; users should evaluate whether it is worth the additional cost.


Netskope’s catalog of discoverable SaaS applications is one of the best examples in the SSE market in terms of size and depth of attributes. The methods used to calculate the risk scores of SaaS applications and of connected applications are similar. Additionally, applications can be grouped for policy simplification — for example, to block contractors from using poor-scoring third-party applications to log into governed SaaS applications. The recent addition of digital experience monitoring (DEM) — following other vendors in this market — adds operational value for heavy users of cloud services.


Data security and DLP capabilities in general include an extensive catalog of predefined data types with frequent updates. These serve as leading examples of how to protect enterprise data that is on the web, stored in cloud services, or in on-premises applications.


Netskope offers a very flexible set of adaptive controls, with broad methods of discovering managed devices and dynamic changes of posture, and the ability to enforce optional controls. For instance, it can enforce multifactor authentication (MFA) on a per-application, per-user or per-device basis to provide additional identity assurance, regardless of an application’s configuration. This flexibility extends to a wide range of data controls, which are tied to Netskope’s excellent data security capabilities. However, Netskope’s SD-WAN integrations are more limited than those of other leading vendors.


Use-case score summary: Netskope scores highly for all four use cases.


Users looking for a comprehensive SSE solution should consider Netskope.


Palo Alto Networks

Palo Alto Networks is a large, high-profile security vendor with a big client base. Its clients value the ability to reduce the number of vendors they use for network security, remote access and threat prevention.


Palo Alto Networks’ DLP capabilities are lacking compared with those of other leading vendors in the SSE market. Furthermore, there are still two different UIs used in the overall SSE offering, one for Prisma Access and one for the product formerly called Prisma SaaS. Prisma Cloud is additionally used for CSPM use cases. Coverage deficiencies include a lack of, or only partial support for, Salesforce, Microsoft Teams and GitHub. Palo Alto Networks does, however, support content tagging with AIP, Boldon James and Titus.


Palo Alto Networks has a smaller discovery database and supports fewer attributes than most vendors in this market. Additionally, it lacks native RBI functionality. It relies on third-party integration partners to improve its threat detection and to provide some core support for “bring your own device” and CASB use cases.


Palo Alto Networks’ SSPM capability is basic, compared with that of other vendors’ solutions. Users require different products (SaaS Security and Prisma Cloud) to achieve some kind of unified cloud management policy covering SaaS and IaaS. Palo Alto Networks’ IaaS product and core posture assessment capability remains with Prisma Cloud. Prisma Cloud cannot remove public links for services like Yammer, GitHub, the Amazon Web Services (AWS) console and Amazon S3, and Salesforce. Prisma Cloud is, however, a competitive CSPM offering, and the Prisma Cloud Resource Query Language (RQL) remains a good way for mature teams to address IaaS control plane security requirements.


To have full SSE functionality, multiple consoles are needed. The Panorama console can manage Prisma Access. Alternatively, Prisma Access can be managed as a SaaS application (SaaS Security is now part of Prisma Access). For IaaS, there is Prisma Cloud. Additionally, for some analytics use cases, Cortex is required, which comes at additional cost.


The recent addition of DEM to the overall solution improves its overall utility in production situations.


Prisma Access primarily appeals to existing Palo Alto Networks customers who either value a hybrid SSE integration with network firewalls acting as a “local edge” or are looking to adopt Palo Alto Networks as their sole SASE provider.


Use-case score summary: Palo Alto Networks scores slightly above three (the score equating to “good”) for all use cases except “identify and protect sensitive information,” for which it scores less than three.


Organizations committed to a consolidated vendor strategy that supports a hybrid model, and that require only relatively basic CASB and data security capabilities, should evaluate Palo Alto Networks.


Versa

Versa’s SSE offering is called Versa SASE. Its highest score is for the “identify and protect sensitive information” use case, as it has advanced data security capabilities, such as encryption, fingerprinting, DEM, watermarking and redaction. These can be applied to data in motion across web, cloud and private application access. They provide basic UEBA functionality, such as impossible-travel (“superman”) detection, and can trigger actions such as moving a user to a watchlist where additional restrictions can be applied via policies.


Versa’s general web and cloud usage capabilities are functional for basic use cases. However, the interface is often hard to operate and would be difficult to troubleshoot operationally.

At this stage, Versa has no CSPM or SSPM functionality, so the ability to secure the configuration of cloud services is absent.


Versa is not as strong as some other vendors in relation to the “detect and mitigate threats” use case. Adaptive access controls are available, however, and can use several contextual attributes to change access rules. For example, a user who accesses a risky website can have their session terminated and be forced to reauthenticate as a result. Blocking of JavaScript threats and malicious files does not come with user-friendly notifications. At the time of writing, Versa does not provide a generally available RBI function as part of its advanced threat defense capabilities, but the preview version of this capability appears functional.

Use-case score summary: Versa scores below three (the score equating to “good”) for all use cases.


Clients looking for a strong SD-WAN offering with security features exceeding those of most SD-WAN solutions should consider Versa.


Zscaler

Zscaler is a long-standing vendor of cloud-delivered security with a background in SWGs, and this platform remains at the core of its SSE solution. Zscaler’s cloud-delivered security fabric remains one of the largest in this market and, despite some outages and performance issues, has a sustained track record for performance and availability.


Zscaler’s DLP capability has improved in the past year and is functional, but still more basic than that of other competitors. Additionally, Zscaler’s ZTNA capability is less advanced than that of leading competitors in this market.


Zscaler’s integration with third parties is very strong. It supports deep integrations with SIEM, security orchestration, automation and response (SOAR), EDR and other third parties that enable telemetry data to be shared and signals to be received. This improves the overall capability of Zscaler’s SSE solution.


Zscaler innovates well in terms of remote working, as shown by its early development of DEM, which enables administrators to diagnose issues easily and provide good support to remote workers. The same focus is evident in the multiple ways Zscaler offers to deliver traffic to its platform, including LAN-to-LAN VPN, Generic Routing Encapsulation (GRE), SD-WAN and more. However, Zscaler cannot yet perform malware scanning with its ZTNA solution. Furthermore, RBI is not enabled by default and there are charges for selective isolation.


Zscaler’s catalog of discoverable SaaS applications is below average in breadth and depth. Additionally, the number of customizable attributes constituting a risk score is below that of most competitors, as is the number of controllable connected-app permissions.


Use-case score summary: Zscaler scores more than three (the score equating to “good”) for all the use cases except “identify and protect sensitive information,” for which it scores less than three.


Organizations looking for a capable SSE solution with global coverage should evaluate Zscaler.



Context

In 2019, Gartner defined secure access service edge (SASE) as an emerging offering that combined comprehensive network as a service (most notably, SD-WAN) capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure-access needs of digital enterprises.


In today’s market, a set of security-focused vendors offers the SSE portion of a SASE architecture for purchase and use by security buyers. At the same time, vendors in the WAN edge infrastructure market cover the networking portion of the SASE framework considered by networking buyers.


SSE customers are comparing vendors that offer security capabilities, and may pair these with existing edge networking components such as SD-WAN equipment, firewalls and other networking equipment (perhaps in the process of being replaced). SSE customers may also be looking to secure remote users when the organization is virtual, is a heavy cloud consumer, or has no complex networking requirements for satellite locations.


Most large organizations have separate networking and security teams that make independent purchasing decisions or have yet to integrate their SASE planning efforts.


Buyers of SSE services often ask where they should begin, as many organizations already have some components in place. Organizations looking to purchase SSE services should approach the market differently, depending on their starting point. Gartner recommends that:

  • Appliance-heavy organizations align their SSE initiative with business-led SaaS and IaaS adoption efforts, or make it part of the effort to enable a hybrid-working or remote-workforce initiative.

  • Organizations that have already implemented discrete SSE components from more than one vendor consolidate on one vendor.

  • Organizations that already have a fully implemented SSE solution, reevaluate the market landscape on no more than a two-year cadence, as vendors’ features and pricing are evolving rapidly.

  • Organizations undertaking a larger SASE transformation with SD-WAN as the driver can evaluate SSE capabilities from SD-WAN providers against those of best-of-breed SSE vendors. This will help them determine whether they need a separate SSE solution.

  • Organizations do not start with ZTNA when evaluating SSE offerings, particularly if clientless ZTNA is desired. The primary benefit of SSE for ZTNA is that it offers a converged solution and an integrated agent for securing internet usage, cloud usage and access to applications.


Product/Service Class Definition

Security service edge (SSE) secures access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring and acceptable use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service, and may include on-premises or agent-based components.


Critical Capabilities Definition


Secure Admin of Cloud and Web

The SSE solution applies policy and governance across web (via URL filtering) and cloud services, and provides granular visibility and control over user activities and sensitive data.


Advanced Threat Defense

The SSE solution provides both static and dynamic analysis and threat intelligence to defend against advanced threats across web, cloud and private applications.


Enabling Remote Working

The SSE solution enables remote workers and branches to connect to the SSE service via agents, identity integrations and other methods, and applies zero trust principles for accessing private applications and cloud services from managed and unmanaged devices.


Cloud Application Discovery

The SSE solution discovers all cloud services, assigns risk and eases the onboarding of new cloud services.


Visibility and Control of Activity

The SSE solution offers in-line inspection of the web, cloud services and private applications in real time, as well as API integrations with SaaS applications for data at rest, telemetry, and cloud service policy and configuration.


Data Security

The SSE solution applies advanced data security controls, such as tokenization, encryption, machine learning, and exact data matching across web, cloud and private applications.
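The distinction this capability draws, between the regex and dictionary matching that the Cisco evaluation above calls basic DLP and the exact data matching (EDM) it counts as advanced, is easiest to see side by side. The following is an added illustration, not code from Gartner or from any vendor evaluated in this report: a constructed customer table is fingerprinted with a keyed hash so that only hashes (never the plaintext) would be uploaded to an SSE service, and a document is flagged only when two or more fields of the same record co-occur. The tenant key, the sample records and the sample documents are all hypothetical.

```python
"""Added example: exact data matching (EDM) versus regex/dictionary DLP.

Constructed sample data; not code from Gartner or any SSE vendor.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample of a structured sensitive dataset (e.g. a customer export).
# In a real EDM deployment this table stays on-premises; only the keyed
# fingerprints built from it are uploaded to the cloud service.
SENSITIVE_RECORDS = [
    {"name": "Alice Chen", "account": "4417123456789113", "ssn": "123-45-6789"},
    {"name": "Bob Okafor", "account": "4417123456789121", "ssn": "987-65-4321"},
]

# Hypothetical per-tenant secret. A keyed hash (HMAC) means the uploaded index
# cannot be brute-forced offline by anyone who obtains it but not the key.
INDEX_KEY = b"tenant-edm-secret-key"

# Basic DLP: generic patterns that fire on anything shaped like an SSN or PAN.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pan": re.compile(r"\b\d{16}\b"),
}

WORD_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9\-]*")


def normalize(value: str) -> str:
    """Canonicalise a cell or token: lower-case, drop spaces, dashes, dots."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def fingerprint(value: str) -> str:
    """Keyed hash of the normalised value; this is what the index stores."""
    return hmac.new(INDEX_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_edm_index(records):
    """Map fingerprint -> set of (record_id, column) it was derived from."""
    index = defaultdict(set)
    for rid, rec in enumerate(records):
        for col, val in rec.items():
            index[fingerprint(val)].add((rid, col))
    return index


EDM_INDEX = build_edm_index(SENSITIVE_RECORDS)


def regex_scan(text):
    """Dictionary/regex DLP: returns (kind, match) for every pattern hit."""
    return [(kind, m) for kind, pat in PATTERNS.items() for m in pat.findall(text)]


def candidate_tokens(text):
    """Single words plus adjacent-word bigrams, so two-word names can match."""
    words = WORD_RE.findall(text)
    return words + [f"{a} {b}" for a, b in zip(words, words[1:])]


def edm_scan(text, index=EDM_INDEX, min_fields=2):
    """EDM DLP: flag a record only if >= min_fields of its columns appear.

    Returns {record_id: sorted column names matched}. Requiring several
    columns from the same row is what keeps EDM from firing on a random
    nine-digit number that merely looks like an SSN.
    """
    hits = defaultdict(set)
    for token in candidate_tokens(text):
        for rid, col in index.get(fingerprint(token), ()):
            hits[rid].add(col)
    return {rid: sorted(cols) for rid, cols in hits.items() if len(cols) >= min_fields}


# Constructed sample documents "in motion".
DOC_CUSTOMER = "Please update Alice Chen, SSN 123-45-6789, new address on file."
DOC_FIXTURE = "Test fixture SSN 111-22-3333 is used by the unit tests only."
DOC_SINGLE = "Card 4417123456789121 was declined at checkout."

if __name__ == "__main__":
    for doc in (DOC_CUSTOMER, DOC_FIXTURE, DOC_SINGLE):
        print(doc)
        print("  regex:", regex_scan(doc))
        print("  edm:  ", edm_scan(doc))
```

The regex scanner flags all three documents, including the test fixture that contains no real customer data; the EDM scanner flags only the customer document, and only because a name and an SSN from the same row co-occur. Lowering `min_fields` to 1 trades that precision for recall, which is the tuning decision a practitioner makes when deploying EDM.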


Adaptive Access Control

The SSE solution uses contextual information, such as device posture, user data and the sensitivity of the resources being accessed, to change access rights to cloud services and private applications, as appropriate for the risk.


User Entity Behavior Analytics

The SSE solution applies advanced analytics to establish normal usage patterns across SaaS and private applications, and then notifies administrators and changes policy when activity deviates from those patterns.


CSPM

The SSE solution integrates with IaaS, platform as a service (PaaS), and SaaS to assess and manage the security posture of customer tenants.


Enterprise App/Service Integration

The SSE solution integrates with UEM, EDR, SIEM, and other technologies to provide broader telemetry data to detect, prevent, investigate, and respond to security events across an increasingly remote workforce.



Use Cases


Secure Web and Cloud Usage

Compliance is a driver for SSE that extends to IaaS, PaaS, SaaS, and enforcement of corporate policies.


An SSE solution enables organizations to view cloud usage and track the compliance and security of web and cloud services across workers, wherever they are working.


CSPM is a key capability for this use case because it enables organizations to track the compliance and usage of IaaS and SaaS services. Securing access to the web, usage of cloud services, and management of cloud service tenancy also enables compliance with, for example, acceptable use policies and the governance of cloud services capabilities.


Detect and Mitigate Threats

SSE provides a central service to detect and prevent threats emanating to and from the web and cloud services for any user accessing services from any device.


Fundamental to SSE is its role as an added layer of defense against malware, phishing, account takeovers and other threats that traverse an SSE product’s plane of control.


This use case focuses on advanced threat defense capabilities to detect and prevent malware from infecting endpoints and networks as a result of web and cloud service usage.


Adaptive access control plays a key role by enabling organizations to detect when security posture is insufficient or when contextual changes dictate that a session must be terminated in order to protect SaaS and private applications from compromise.


Connect and Secure Remote Workers

SSE connects and secures remote users when accessing the web, cloud applications and private applications.


Strong SSE vendors offer the most flexibility in terms of how users can connect to the service and access applications. Enterprise application and service integration plays a key role, as log and telemetry data from the SSE solution must feed into a broader threat-centric view of users and devices that are not connected to corporate networks for extended periods. The SSE solution becomes a key source of data for broader security-monitoring capabilities.


Identify and Protect Sensitive Information

SSE enables organizations to detect and control sensitive information across web, cloud, and private applications.


Many organizations prioritize this capability to control sensitive data loss across multiple vectors. By adding protections across the integrated SSE service, organizations benefit from a single DLP or data protection rule to apply across multiple vectors, access methods and device types.


This use case emphasizes cloud application discovery in order to prevent accidental or intentional loss of data to unapproved SaaS applications; data security; and UEBA to detect unusual behaviors and prevent insider threats.



Vendors Added and Dropped


Added

Not applicable, as this is a new Critical Capabilities report.


Dropped

Not applicable, as this is a new Critical Capabilities report.



Inclusion Criteria

Table 1: Weighting for Critical Capabilities in Use Cases

Critical Capabilities               | Secure Web and Cloud Usage | Detect and Mitigate Threats | Connect and Secure Remote Workers | Identify and Protect Sensitive Information
Secure Admin of Cloud and Web       | 25% |  5% |  5% |  5%
Advanced Threat Defense             |  3% | 30% | 10% |  2%
Enabling Remote Working             |  2% |  2% | 30% |  3%
Cloud Application Discovery         | 10% |  3% |  2% | 20%
Visibility and Control of Activity  | 25% |  5% |  3% |  5%
Data Security                       |  5% |  5% |  5% | 30%
Adaptive Access Control             |  5% | 30% | 15% | 10%
User Entity Behavior Analytics      |  5% | 10% | 15% | 20%
CSPM                                | 15% |  5% |  5% |  2%
Enterprise App/Service Integration  |  5% |  5% | 10% |  3%

(As of 1 February 2022)

Source: Gartner (February 2022)


This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.


Each of the products/services that meet our inclusion criteria has been evaluated on the critical capabilities on a scale from 1.0 to 5.0.

Critical Capabilities Rating

Table 2a: Product/Service Rating on Critical Capabilities

Critical Capabilities               | Broadcom | Cisco | Forcepoint | Forcepoint (Bitglass) | iboss
Secure Admin of Cloud and Web       | 2.5 | 2.0 | 3.5 | 3.7 | 2.8
Advanced Threat Defense             | 3.9 | 3.0 | 3.0 | 3.0 | 3.7
Enabling Remote Working             | 2.3 | 2.5 | 2.0 | 3.7 | 3.0
Cloud Application Discovery         | 3.5 | 2.3 | 3.5 | 4.5 | 2.0
Visibility and Control of Activity  | 2.3 | 2.5 | 2.5 | 3.5 | 3.3
Data Security                       | 4.0 | 1.5 | 4.0 | 4.0 | 2.8
Adaptive Access Control             | 2.5 | 2.5 | 2.5 | 3.5 | 2.5
User Entity Behavior Analytics      | 3.0 | 1.5 | 2.5 | 2.5 | 1.8
CSPM                                | 3.0 | 2.0 | 1.0 | 3.3 | 1.0
Enterprise App/Service Integration  | 3.0 | 3.0 | 2.5 | 2.5 | 3.0

(As of 1 February 2022)

Source: Gartner (February 2022)


Table 2b: Product/Service Rating on Critical Capabilities

Critical Capabilities               | Lookout | McAfee Enterprise | Netskope | Palo Alto Networks | Versa | Zscaler
Secure Admin of Cloud and Web       | 4.0 | 4.5 | 4.5 | 3.0 | 2.0 | 4.5
Advanced Threat Defense             | 3.0 | 4.6 | 4.0 | 4.0 | 2.5 | 4.5
Enabling Remote Working             | 4.0 | 4.0 | 3.5 | 3.5 | 3.0 | 4.0
Cloud Application Discovery         | 4.2 | 4.8 | 4.5 | 2.5 | 1.8 | 2.5
Visibility and Control of Activity  | 4.5 | 4.5 | 4.2 | 3.5 | 2.2 | 3.5
Data Security                       | 4.5 | 4.5 | 4.7 | 2.5 | 4.0 | 3.0
Adaptive Access Control             | 4.5 | 4.5 | 4.5 | 3.0 | 3.1 | 2.5
User Entity Behavior Analytics      | 3.5 | 3.5 | 3.5 | 2.5 | 2.5 | 2.5
CSPM                                | 4.2 | 4.5 | 3.5 | 4.0 | 1.0 | 3.0
Enterprise App/Service Integration  | 3.0 | 4.0 | 3.8 | 3.5 | 2.5 | 4.5

(As of 1 February 2022)

Source: Gartner (February 2022)


Table 3 (a and b) shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.


Table 3a: Product Score in Use Cases

Use Cases                                   | Broadcom | Cisco | Forcepoint | Forcepoint (Bitglass) | iboss
Secure Web and Cloud Usage                  | 2.79 | 2.22 | 2.71 | 3.53 | 2.55
Detect and Mitigate Threats                 | 3.11 | 2.47 | 2.72 | 3.26 | 2.81
Connect and Secure Remote Workers           | 2.82 | 2.35 | 2.47 | 3.31 | 2.68
Identify and Protect Sensitive Information  | 3.29 | 1.95 | 3.17 | 3.62 | 2.43

(As of 1 February 2022)

Source: Gartner (February 2022)


Table 3b: Product Score in Use Cases

Use Cases                                   | Lookout | McAfee Enterprise | Netskope | Palo Alto Networks | Versa | Zscaler
Secure Web and Cloud Usage                  | 4.12 | 4.45 | 4.17 | 3.24 | 2.12 | 3.54
Detect and Mitigate Threats                 | 3.82 | 4.40 | 4.14 | 3.32 | 2.63 | 3.43
Connect and Secure Remote Workers           | 3.85 | 4.17 | 3.88 | 3.26 | 2.69 | 3.53
Identify and Protect Sensitive Information  | 4.12 | 4.33 | 4.26 | 2.75 | 2.82 | 2.96

(As of 1 February 2022)

Source: Gartner (February 2022)



To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.


Critical Capabilities Methodology

This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.


"Critical capabilities" are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.


In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.


The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.


Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.


Ratings and summary scores range from 1.0 to 5.0:

1 = Poor or Absent: most or all defined requirements for a capability are not achieved

2 = Fair: some requirements are not achieved

3 = Good: meets requirements

4 = Excellent: meets or exceeds some requirements

5 = Outstanding: significantly exceeds requirements


To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
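The weighted-sum scoring described above, worked as an added Python example (not Gartner's code or tooling): it recomputes the "Detect and Mitigate Threats" scores for Lookout and Netskope from the Table 1 weights and Table 2b ratings, checks that a weighting column sums to 100%, and shows how a buyer can substitute their own weights while keeping the column normalized. The function names are this example's own.

```python
import math

# Capability order shared by the weighting table (Table 1) and the rating tables (Table 2).
CAPABILITIES = [
    "Secure Admin of Cloud and Web", "Advanced Threat Defense",
    "Enabling Remote Working", "Cloud Application Discovery",
    "Visibility and Control of Activity", "Data Security",
    "Adaptive Access Control", "User Entity Behavior Analytics",
    "CSPM", "Enterprise App/Service Integration",
]

# Table 1, "Detect and Mitigate Threats" column, as fractions rather than percentages.
DETECT_WEIGHTS = dict(zip(CAPABILITIES,
                          [0.05, 0.30, 0.02, 0.03, 0.05, 0.05, 0.30, 0.10, 0.05, 0.05]))

# Table 2b ratings (1.0 to 5.0) for two of the vendors, in CAPABILITIES order.
RATINGS = {
    "Lookout":  dict(zip(CAPABILITIES, [4.0, 3.0, 4.0, 4.2, 4.5, 4.5, 4.5, 3.5, 4.2, 3.0])),
    "Netskope": dict(zip(CAPABILITIES, [4.5, 4.0, 3.5, 4.5, 4.2, 4.7, 4.5, 3.5, 3.5, 3.8])),
}

def weights_are_valid(weights):
    """A use-case column must cover every capability and sum to 100%."""
    return set(weights) == set(CAPABILITIES) and math.isclose(sum(weights.values()), 1.0)

def use_case_score(weights, ratings):
    """Table 3 value for one vendor and one use case: sum of weight x rating,
    rounded to two decimals as the report prints it."""
    if not weights_are_valid(weights):
        raise ValueError("weights must cover all capabilities and sum to 1.0")
    return round(sum(weights[c] * ratings[c] for c in CAPABILITIES), 2)

def reweight(weights, overrides):
    """Apply a buyer's own emphasis (the report notes its weights may not fit every
    situation) and renormalize so the column still sums to 100%."""
    raw = {c: overrides.get(c, weights[c]) for c in CAPABILITIES}
    total = sum(raw.values())
    return {c: v / total for c, v in raw.items()}

def rank(weights, vendors=RATINGS):
    """Vendors ordered by use-case score, highest first."""
    return sorted(((use_case_score(weights, r), v) for v, r in vendors.items()), reverse=True)

if __name__ == "__main__":
    for score, vendor in rank(DETECT_WEIGHTS):
        print(f"{vendor}: {score}")  # Netskope: 4.14, Lookout: 3.82 (matches Table 3b)
    # A buyer who weights UEBA at 30% instead of 10%; the other weights scale down to fit.
    print(rank(reweight(DETECT_WEIGHTS, {"User Entity Behavior Analytics": 0.30})))
```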


The critical capabilities Gartner has selected do not represent all capabilities for any product, and therefore may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.


© 2022 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates.



© 2018-2023 By Kristen Swearingen - swearingen.me | MiddleChild Tech | eruditeMETA. All rights reserved.
