
SSE: What They Won’t Tell You (But I Will)

Part 2 of 3: You’ll need SSE to deliver more than security

Hey, I’m back! Here we go for Round 2 to expand on the topic I started unpacking in the first blog of this real talk series, Part 1: You haven't identified all your requirements. This second installment is all about the data path, so let’s get into it.

Listening to customers pays off big time

Symantec and Carbon Black get hundreds of stellar new feature requests every year (our customers are the best, after all). These great ideas help drive our customer-centric innovation, and also underscore one of the hardest parts about being a product manager: When all the ideas are great, how do you decide what to build? 

The good news is that we’ve gotten pretty good at picking the right new features and building a lot of them into releases. (Hey, it’s not bragging if it’s true.) When SGOS 7 for Edge SWG shipped, we closed over 100 customer feature requests. On the cloud side, we recently launched Agent Traffic Manager (ATM), addressing 20 unique feature requests in one fell swoop. I recently dropped a post on LinkedIn (where our marketing overlords can’t control me) showing the pace of Network Security feature request delivery over the past year. Spoiler alert: That team alone delivered 129.

But the pace of delivery only tells half the story. The real test is whether your features get adopted, and I’m happy to say that ours usually get adopted by customers in production even before we remove the “Preview” badge. When we say we listen to our customers, we mean it.

And this is paramount to uncovering less apparent (but still important) pain points. 

What may surprise you is that these feature requests are not always as traditionally security-focused as you might think. If you talk to an analyst about SSE or zero trust platforms, they will spend 95% of the time talking about the security capabilities of the various vendors. And that’s not necessarily a bad thing; security is why we’re here after all. 

But what we’ve seen over the last 10 years of fielding customer-generated ideas and building Cloud SWG is that the highest concentration of customer SSE pain doesn’t stem from security efficacy—it’s from the data path. If you’ve deployed SSE, you know exactly what I’m talking about.

Data paths: IYKYK

Analysts dislike talking about the data path. It’s very messy. It’s much easier for them to point out some new “shiny security object” that you don’t have, and help you find where to purchase it (they undoubtedly have a very nice chart for that). You also think the chart is very nice and decide to purchase. Fast forward a few months and multiple attempts later: you still haven’t hit your deployment targets, you’re unhappy with your vendor, and you’re left wondering how such a fantastic chart could have steered you wrong.

Unfortunately, this is all too common. The data says a pretty large percentage of customers fail to adopt the vendor’s solution from the chart. Why? My hypothesis: Customers don’t account for challenges in the data path, the topic the analyst conveniently left out of their presentation and off their chart.

Data path, connectivity … tomato, tomahto

Outside the vendor sphere, the more common term for “data path” is “connectivity.” Way back in the olden times, when network security all lived within the confines of the corporate network, connectivity to the security stack was easy. 

But this is not the case with SSE. With SSE, you have to move all the flows that previously terminated in your data center to the SSE stack (someone else’s data center). And depending on exactly how your network is built and how much traffic you have, the job of moving that data can be the single most important challenge of the SSE adoption journey (hence the demand for features that improve the ease of implementing the SSE data path—and our obsession with making it happen). 

Features that make your SSE journey easy (well, easier)

Thanks to our customers' brilliance, our Cloud SWG roadmap has focused primarily on three key features. Simply knowing about these can help you understand more about your own environment, and will hopefully help you avoid the pain of selecting a vendor with more regard for their location on "the chart" than for your SSE connectivity needs.

  1. Premium Routing. Thousands of content providers wall their apps off to certain source IPs or geolocations (or both). Odds are, your users have already registered your corporate IPs with SaaS apps for this reason. You also probably have unhappy line-of-business teams that struggle to gain access to business-critical applications hosted in other countries, thanks to geofencing. Moving to SSE can break access to these apps if you don’t have something like Premium Routing in place to compensate.
  2. Agent Traffic Manager. Before the pandemic, 75% of SSE connections came from site-to-site tunnels. During the pandemic, those numbers flipped and 75% of SSE traffic was redirected to the cloud using an agent. With so many hybrid work scenarios, customers needed more granular and flexible agent traffic intercept policies. Luckily, with ATM, even the most complex hybrid work scenario can be accommodated by our agent.
  3. Cloud SWG Express Connect. Connecting large, multi-gigabit workloads to SSE is extremely difficult using traditional site-to-site tunnels. A 10 Gbps workload connected via IPsec or GRE would require 5-10 tunnels with a load balancer to evenly distribute the traffic across the tunnels. It’s very complicated to build, very fragile and very static. But with this new high bandwidth connectivity capability (realized through a partnership with Google and currently in preview, so stay tuned), customers can connect massive workloads (100 Gbps or faster) securely to our SSE without the need for a single tunnel.

Here’s your homework assignment 

If these feature concepts are not familiar to you, spend some time with your team digging a layer deeper into your data path needs. Make sure you're taking into account the inconvenient but very real corner cases that could derail your SSE adoption.

And pro tip: If you operate virtual desktop infrastructure (VDI), make sure you've completely worked out how you will connect those systems to your SSE vendor before signing. 

The fun’s not over yet! Look for the third (and final) installment of this real talk SSE series coming soon.


About the Author

Nate Fitzgerald

Head of Product Management, Enterprise Security Group, Broadcom

Nate has been a cloud security product leader for over 20 years.
