Security

SSE Capabilities: What Healthcare Organizations Need to Know

A security service edge framework delivers security using cloud-based services, which can benefit any organization looking for consistent access management and governance across many locations, users and devices.

Brian Eastwood

Twitter

Brian Eastwood is a freelance writer with more than 15 years of experience covering healthcare IT, healthcare delivery, enterprise IT, consumer technology, IT leadership and higher education.

As both workers and the technology tools they access increasingly move off-premises, enterprises have had to rethink their approaches to security.

“Having security in a data center when users and applications aren’t there any more doesn’t make any sense. It hurts performance and compromises security,” says Robert Arandjelovic, senior director and head of global product and solutions marketing at Netskope.

Increasingly, the answer for healthcare organizations has been the security service edge (SSE) framework that delivers security directly from the cloud. Doing this eliminates the need to define multiple policies for on-premises and cloud-based access. That in turn makes life easier for end users and IT professionals alike, Arandjelovic says.

Click the banner below to read the recent CDW Cybersecurity Research Report.

x_security_q325_animated_click_desktop_03

x_security_q325_animated_click_mobile_03

What Is SSE? Key SSE Capabilities Explained

Gartner’s definition of SSE notes the framework is composed of capabilities that together offer secure access to the web, cloud services and private applications. While distinct capabilities vary, most vendor and consultant definitions mention four key components.

ZTNA

The principle of zero-trust network access grants access to specific applications, users or devices. This addresses the main deficiency of VPNs, which grant access to the entire enterprise network; once an attacker gets in, lateral movement is all too easy.

SWG

A secure web gateway monitors and filters web traffic to ensure compliance with enterprise security policies. Users cannot access risky sites, and malicious files cannot be downloaded to devices.

CASB

A cloud access security broker enforces the same security policies and access controls for all cloud services. This may include features such as multifactor authentication, single sign-on and encryption.

FWaaS

Firewall as a Service provides the familiar functionality of an on-premises firewall at remote sites, through the cloud. To provide the consistent enforcement that’s the hallmark of SSE, FWaaS typically integrates with a software-defined WAN.

Other capabilities may include:

DLP

Data loss prevention services monitor data in motion, at rest and in use — a critical aspect of HIPAA compliance.

IAM

Identity and access management governs role-based access controls and identity authentication.

RBI

Remote browser isolation separates web browsing from user devices, protecting the latter from online threats.

User/Behavior Analysis

These services powered by artificial intelligence help identify suspicious user activity. The analysis is especially nuanced in healthcare, where users’ after-hours access requests for electronic health records very well may be legitimate.

Whatever capabilities are offered, the key theme is that they’re included in one package, says Aaron Rose, security architect manager for vertical solutions in the Office of the CTO at Check Point. “It’s unified. It’s not disparate solutions plugged into different spots,” Rose says. This matters, as users and their applications are no longer restricted to defined spaces in physical buildings.

SSE vs. SASE: Understanding the Difference

SSE is typically regarded as a subset of secure access service edge. In general terms, SSE focuses exclusively on security, while SASE couples security and network management services. Check Point notes that SASE works better for organizations that need access to on-premises and cloud-based resources, while SSE serves organizations working largely, if not entirely, with cloud and Software as a Service resources.

“SSE is a central mechanism to connect users and provide a safe, secure, fast and reliable way to get to any application or website that’s somewhere else,” Arandjelovic says. “SASE offers optimized and high-performance connectivity to branch networks, making sure the whole infrastructure works together.”

As SSE is part of SASE, there tends to be overlap between their core capabilities. SD-WAN, for example, is necessary for network management and performance in the SASE framework and supports FWaaS under SSE. In addition, both depend on the least-privileged access principles that are the cornerstone of ZTNA.

Having security in a data center when users and applications aren’t there any more doesn’t make any sense. It hurts performance and compromises security.”

Robert Arandjelovic Senior Director and Head of Global Product and Solutions Marketing, Netskope

How SSE Supports Healthcare Cybersecurity Needs

On-premises, appliance-based security is difficult to scale and manage in an organic way, Arandjelovic notes. On the other hand, the distributed nature of SSE makes it easier to support multiple hospitals in a network with the same level of access and security controls. “If a hospital expands, there’s no need to buy another box. The ability to manage security per user, and to turn security functions off and on, is really valuable,” says Arandjelovic.

Rose points to two additional benefits of SSE. One is the ability to layer strong security controls onto legacy technology. IT teams cannot change the underlying code base of MRI machines or remote monitoring devices to deploy security updates like they can for other business applications. Access controls, web gateways and other capabilities can keep mission-critical systems secure regardless of where they’ve located.

Another advantage is the potential to define reusable rules and policies. This is helpful in cases such as device management, where the exact number of devices in use each day varies, and user management, where role-based access privileges vary significantly. Provisioning devices and onboarding users is time-consuming and error-prone, but setting rules that automatically apply based on identity improves efficiency and “gives you a lot of flexibility and adaptability,” Rose says.

Meanwhile, Arandjelovic indicates that SSE vendors are exploring how they can support healthcare organizations using increasingly popular generative artificial intelligence tools for documentation and transcription. In this case, the SSE provider could ingest the GenAI application, examine its characteristics and decide whether the app meets enterprise policies for sharing or processing sensitive data.

EXPLORE: Here are four benefits of consolidating with secure access service edge.

Integrating SSE Security into Healthcare Architectures

Rose recommends a gentle approach to adopting SSE. The first step is taking an inventory of the security tools in place, especially those that manage and govern identity, and seeing where they’re being used. If any gaps are in place — for example, those legacy applications that cannot support MFA — then organizations need to determine how to integrate them with their SSE framework.

From there, organizations should apply SSE to a subset of applications, or even to a single app. “You’ll need to fine-tune things as you go,” Rose says, adding that enlisting the help of test groups can cover more bases in identifying issues that need to be addressed.

At a broader level, security teams would also be wise to ensure that SSE capabilities are more than items on a checklist, Rose says: “A vendor can say it follows a certain approach, but if its catch rate for potential threats is low, it’s compliant but not effective. You need to fully assess what the vendor does. A data breach or a hit to your brand isn’t something you get over overnight.”

FatCamera/Getty Images