Right now, the hottest ticket in town might be “Dune: Part Two,” but running a close second is SSE — security service edge — which is a fancy acronym for cloud-delivered, user-focused security capabilities that protect the remote workforce. Today, we published our first-ever The Forrester Wave™: Security Service Edge Solutions, Q1 2024, which is an evaluative look at the 11 most important vendors in this space: Broadcom, Cisco, Cloudflare, Forcepoint, Fortinet, iboss, Lookout, Netskope, Palo Alto Networks, Skyhigh Security, and Zscaler.

The Wave evaluation is an assessment of vendors, identifying Leaders, Strong Performers, Contenders, and Challengers. This research also surfaces some major technology themes, which I cover below.


Data Protection: Would You Like A Side Of DLP With That?

One of the trends that became apparent early on into the evaluation was that data protection played a major supporting role, adding a whole other dimension to the solution landscape. Roughly half of the vendors have some sort of data protection heritage, and they uplift their SSE solutions because of it.

Imagine that you are trying to replace VPNs and on-premises secure web gateways (SWGs) with something more granular and modern. At the same time, you find out that you can also replace your aging data loss prevention (DLP)? Mind blown, right?

Many of these solutions can do things that once seemed impossible, like allowing users to use a corporate OneDrive but preventing them from copying sensitive files to their personal OneDrive, or allowing them to use corporate Gmail but preventing sensitive messages from being forwarded to personal or insecure third-party Gmail accounts. For contractors and other third parties, imagine offering an agentless solution that uses remote browsing in reverse to provide a watermarked view of the data, with no ability for it to be filched, printed, or saved to disk.

These capabilities might have seemed like magic just a few years ago (or would have required five separate products). You can now reasonably expect your vendor to provide that level of protection all in one cloud-delivered solution.

Network Infrastructure: Who’s Flinging The Packets?

A major point of SSE is to deliver all these security capabilities from scalable, distributed points of presence near your employees. Obviously, public cloud hyperscalers provide this infrastructure, but many of the vendors in this Wave have their own networks that they’ve built and are quite proud to tout their benefits. Making the call about who is doing this properly, with or without hyperscaler networks, is a huge part of this Wave, and I won’t spoil the surprise in this blog.

That said, there are three features reference customers called out that might be relatable to your organization:

  1. Data residency is still a thing, especially outside the US. Some vendors have more ability to keep your data in a specific country than others.
  2. Many large organizations want dedicated egress IP addresses as they can use these to lock their users to specific third-party services like SaaS. Not every vendor can offer these. The better ones will let you bring your own IP addresses, but this is tricky.
  3. For large multinationals, getting packets into and out of China can be tricky. Not every vendor has a solution that does this, and most charge for it.

Honorable Mentions

SSE is a very competitive market, and we chose the most significant vendors to evaluate based on a set of inclusion criteria. Several vendors did not make the cutoff but deserve an honorable mention, as they are sometimes brought up during client inquiry or have a differentiating aspect to their solution.

  • Microsoft announced an SSE offering in July of 2023, with Microsoft Internet Access (MIA) and Microsoft Private Access (MPA) being the SWG and Zero Trust network access (ZTNA) components to complement its cloud access security broker (CASB) functionality. But MIA and MPA are in “early availability” until mid-2024; therefore, the vendor did not meet the “generally available” inclusion requirement of this Wave.
  • Absolute Software comes to the SSE space after the acquisition of NetMotion. Thus, the vendor brings a uniquely resilient network, optimized for availability and noninterruptability.
  • Blackberry’s SSE offering was too new to be included in this report. The vendor puts forward a CASB and its own Chromium-based browser. Like a handful of other vendors in this report, Blackberry can pair its SSE with its endpoint protection (Cylance).
  • Ericsson/Cradlepoint’s SSE offering was too new to be included in this report. The vendor comes to the SSE space largely through the acquisition of the Ericom remote browser interface and its associated cloud infrastructure.
  • HPE was a Contender in our Wave covering Zero Trust Edge (ZTE). HPE/Aruba comes to the SSE space through its acquisition of Axis Security, which included a unique ZTNA offering and cloud delivery infrastructure.

Ask Me About SSE

The Forrester Wave™: Security Service Edge Solutions, Q1 2024 evaluation will answer many questions that clients have about which vendors to put on their shortlists. Forrester clients who want to pick my brain directly should set up an inquiry or guidance session with yours truly, and we can talk about SSE, secure access service edge, ZTE, or anything else in my coverage areas.