什么是安全服务边缘 (SSE)？

文章摘要：

• SSE（安全服务边缘）是更大的 SASE 框架的安全组件，专门用于保护远程员工对云的访问。
• 安全服务边缘架构围绕三个核心组件构建：Zero Trust 网络访问 (ZTNA)、安全 Web Gateway (SWG) 和云访问安全代理 (CASB)。
• SSE 通过应用一致的安全策略（如基于身份和上下文的访问控制）来实现强大的 Zero Trust 安全模型，无论用户身在何处。

什么是安全服务边缘 (SSE)？

安全服务边缘 (SSE) 是安全访问服务边缘 (SASE) 的安全方面。SASE 是一个云原生的 IT 模型，它结合了广域网 (WAN) 边缘网络和安全服务，与传统的网络架构相比，它更适合现代企业的运作方式。

SASE 可以分为两组紧密结合的功能：网络服务和安全服务。

SASE 的网络方面：WAN 边缘服务

Gartner 是最早提出“SASE”一词的研究和咨询公司，它认为广域网 (WAN) 边缘服务（包括软件定义广域网 (SD-WAN)）是构建 SASE 所依赖的网络能力。WAN 连接远距离的本地网络。将这些功能转移到边缘可以更好地为分支机构、移动用户和云基础设施提供服务。边缘交付的 WAN 服务也比基于 MPLS 的传统 WAN 更具可扩展性和灵活性。

SASE 的安全方面：SSE

SSE 包括三个核心组件，以及一些额外功能：

1. 零信任网络访问 (ZTNA)：根据 Gartner 的定义，ZTNA 会“在一个应用程序或一组应用程序周围创建一个基于身份和上下文的逻辑访问边界”。
2. 云访问安全代理 (CASB)：包括一些不同的云安全技术，以保护软件即服务 (SaaS) 应用程序。
3. 安全 Web 网关 (SWG)：位于远程和办公室用户与互联网之间，应用可接受的使用和安全政策以防御威胁和保护数据。

这些领域共同构成了 SSE，防火墙即服务 (FWaaS) 和远程浏览器隔离 (RBI) 等其他安全功能通常也包括在内。当从同一网络架构交付以云为中心的边缘 WAN 服务和 SSE 时，组织可以完全部署 SASE 模型。

Cloudflare 如何帮助企业采用 SSE？

Cloudflare 网络遍布全球超过 330 个地点，而且 Cloudflare 长期以来一直是安全、网络性能和边缘计算领域的领军企业。Cloudflare One 平台涵盖了上述 SSE 的所有功能，并且它将 SSE 与网络即服务相结合，实现完整的 SASE 部署。

详细了解 Cloudflare One。

常见问题解答

什么是安全服务边缘 (SSE)？

SSE is the specialized security component of the larger secure access service edge (SASE) framework. It is a cloud-based architecture designed to protect remote workers and branch offices. While SASE as a whole includes networking services, SSE focuses specifically on the security tools required to maintain a safe and reliable digital environment.

What are the three core components of SSE?

A standard SSE architecture is built on three primary pillars: Zero Trust Network Access (ZTNA), secure web gateway (SWG), and cloud access security broker (CASB).

How does SSE relate to the SASE model?

Think of SASE as a complete toolkit for modern business connectivity. It is divided into two halves: the networking side (often involving SD-WAN or WAN edge services) and the security side (SSE). When an organization combines these edge-delivered networking capabilities with the security protections of SSE within a single network architecture, they have achieved a full SASE deployment.

Why is SSE considered more effective than traditional network security?

Traditional security models often rely on a "castle-and-moat" approach that assumes anyone inside the office network is trustworthy. SSE is better suited for modern work because it is cloud-native and delivered at the edge, closer to where users actually are. This allows for more scalable, flexible protection that follows the user regardless of whether they are in a central office, at home, or traveling.

What is the role of Zero Trust within an SSE framework?

SSE is the primary vehicle for implementing a Zero Trust security model. SSE ensures that no user or device is trusted by default. Instead, access is strictly controlled through identity- and context-based policies, meaning a user only gets access to the specific applications they need to do their job, and only after their identity has been thoroughly verified.

In addition to the core components, what other features are often included in SSE?

Beyond the three main pillars, many SSE solutions include advanced security features such as firewall-as-a-service (FWaaS) and remote browser isolation (RBI). These tools provide additional layers of defense by filtering network traffic and executing web browsing in a contained cloud environment to prevent malware from reaching a user’s local device.

How does Cloudflare assist businesses with SSE adoption?

Cloudflare offers a comprehensive platform that delivers all the essential elements of SSE through a global network. By integrating these security services with its existing network-as-a-service capabilities, Cloudflare allows organizations to fully deploy a SASE model that optimizes both security and performance.