SSE: What They Won’t Tell You (But I Will)

• Cloud network security hype is over and we can take an honest look back to see how the move to cloud has gone.
• The emerging global political scene is making big cloud bets an increasingly risky choice for the large enterprise.
• CISOs should maintain an on-premises capability as a hedge to cloud for a variety of practical and strategic reasons.
• Looking for more SSE insights? Part 1 and Part 2 have you covered.

I’m a pragmatic product leader. Pragmatism explains why we continued to invest in our on-premises proxy technology even while competitors were smashing appliances at trade shows. Even so, I’ve championed network security cloud transformations for nine years at Symantec, so I’m no Luddite. There are things you can do with advanced cloud offerings, like on-demand Remote Browser Isolation and policy-based traffic routing, that you simply can’t do with an appliance.

Still, proxy appliances play a vital role in thousands of corporate networks, particularly in the large, heavily regulated enterprise. So why do these organizations continue to operate appliances?

There are three reasons:

1. Control. Cloud offerings have come a long way in their ability to execute complex policy, but the most granular policy capabilities are still available in an appliance.
2. Risk mitigation. Regulated enterprises are risk assessment experts. They meticulously identify risk, classify it and then work to mitigate those risks with an appropriate level of spend and urgency. The model isn’t perfect but it has served them well for decades. In their assessments, many have found that categorically eliminating appliances from the network security discussion introduces a good deal of exposure to geopolitical and regulatory risk. The perception—and I think the reality—is that cloud systems could at some point be used as political leverage with potentially disastrous consequences. Imagine if access to cloud resources were suddenly geofenced by legislative or executive branch fiat? This might have sounded impossible a few years ago, but now it seems a bit too plausible to ignore.
3. Cost. A lot of organizations learned the hard way when signing big contracts with SSE market leaders that their spend only covered authenticated user traffic. Covering server workloads meant additional costs, they found out after the fact. In many enterprises, the server workload is as large, or larger, than the end user workload. So this hidden cost was not insignificant and resulted in a lot of server workloads remaining with on-premises proxies.

Geopolitics, regulations and other risks

On the geopolitical risk side: Wars are increasingly fought, not with kinetic weapons, but with politics. The weapons: Tariffs, data sovereignty legislation and isolationist policy. For decades, we saw both real and metaphorical walls between nations get torn down, ushering in the Global Economy. While that genie will probably never be put back into the bottle, it’s safe to say that the world’s most powerful nations are second guessing their dependence on foreign trade for critical infrastructure. In short: The walls of the cold war era are being reconstructed at least partially and the economic impact to multinational enterprises is only beginning to ramp up.

As you can imagine, data sovereignty laws tend to increase the cost of many goods and services in an economy, not just the obvious cloud IT services prices. One clear example is that every time an SSE vendor has to add a new data center to the map, costs go up. And data center locations are just one of many possible side effects. Are data sovereignty laws increasing? Yes.

Still, we have this long-standing trend where certain vendors and analysts push the “Pure Cloud or nothing” narrative, which can be paraphrased: “If you’re not placing all your bets in someone else’s data center, the problem isn’t the cloud. It’s you.”

Of course, that’s ridiculous. Based on our internal data, I estimate that about 50% of our network security customers operate a hybrid network security environment. So you might be surprised to hear that we generally don’t lean into the hybrid story for marketing reasons. In fact, I’ve instructed account directors at Symantec for years not to lead with a hybrid sales motion for enterprise customers. Not because I didn’t believe that it’s a good idea; it’s a really good idea. I gave this instruction simply because the market didn’t want to hear it. From my real-world experience working with hundreds of the world’s largest enterprises, this point isn’t debatable. What should be discussed is whether or not the market is ready to hear a more balanced and realistic message. 

Says Timothy E. Bates, former CTO for Lenovo and General Motors, in a recent ZDNet article:

"I remember talking to CIOs and DevOps personnel in 2017—several of them had been assigned, to their dismay, to do whatever was needed to move their technology into the cloud. Most felt overwhelmed with the assignment and pushed back. That was during the cloud rush, when having apps hosted in the cloud was a status symbol and a marketing flex." 

The “pure cloud or nothing” narrative is tech monoculture at its worst. We re-learned the dangers of monoculture about a year ago when another vendor’s glitchy software update infamously triggered the IT version of “The Blip.” The reasons for retaining on-premises infrastructure, even with a strong cloud strategy, are entirely reasonable. And I’m not the only one reading the tea leaves. Hybrid architectures have begun to creep back into the cyber zeitgeist as a desirable end state.

Bates continues:

"Large enterprises are increasingly reevaluating the risks and limitations of relying solely on the cloud for critical workloads and intellectual property."

Hybrid: It’s wiser than you think

Hybrid network security is a much wiser play than you think. Not only that, but I’ll even go a step further and officially recommend, especially if you are a multinational enterprise, that you hedge your cloud bet by strategically integrating hybrid elements. Why? Enterprise pure cloud transformations have always been difficult and risky. The way things are shaping up, the risks of a pure cloud strategy are starting to outweigh the potential benefits. It’s time to seriously reevaluate those aspirations.

This brings me to my final thought on the topic: A hybrid environment is also wise for business continuity planning. If you are relying on cloud today to secure mission critical workloads, like your end-user internet traffic, I recommend you look at budgeting and formalizing a continuity plan for 2026. 

There are many good reasons to do this. You might be forced to do it by the Digital Operational Resilience Act (DORA), or you might just be exercising common sense. Either way, I invite you to perform your own risk assessment of your SSE solution. Ask questions like: What stops my SSE solution from going down for a week? What would happen to my business if this happened? How would I protect my company from threats during this outage? How would I respond? Do I feel comfortable using the cloud to back up the cloud? Could a “run on the bank” scenario occur?

When it comes time to think about how you execute a continuity plan, keep us in mind. We have maintained a very high level of investment in all our network security products, introduced many leading innovations, along with flexible programs and technologies that make it easier to implement our solutions in a backup scenario. And then obviously, we have physical and virtual appliances for those that aren’t comfortable backing up the cloud with more cloud. Best of all, we will engage you through one of our excellent local Catalyst partners to create long-term price stability for you and your procurement people (I know, crazy right?). Just let us know when it’s time to talk.