Solution Overview
HPE Aruba Networking Security Service Edge (SSE) securely connects any user to any business application or resource at any location in minutes using a single, centrally managed service. HPE Aruba Networking SSE provides continuous, application-centric visibility and Zero Trust controls to enable and secure organizations in today’s age of digital transformation, work-from-anywhere, and integrated employee/contractor/third-party business models.
Zero Trust Network Access
Zero Trust Network Access (ZTNA) is an approach to network security that shifts away from the traditional perimeter-based security model that assumes that everything inside the network is trusted and everything outside is untrusted. ZTNA, also known as the “Zero Trust” model, operates under the principle of “never trust, always verify.”
In a ZTNA model, access to applications and resources is granted based on strict verification of identity, device posture, and other contextual factors, regardless of the user’s location or network connection.
Secure Web Gateway
A Secure Web Gateway (SWG) controls and monitors inbound and outbound web traffic to protect organizations from web-based threats and enforce security policies. It acts as a gatekeeper between users and the Internet, inspecting all web traffic in real time and applying security controls to prevent malicious activities and enforce corporate policies.
Cloud Access Security Broker
A Cloud Access Security Broker (CASB) is an enforcement point between users and cloud applications. Using the CASB features, a network operator can define specific behavior that is or is not acceptable within the SaaS application.
HPE Aruba Networking SSE in-line CASB capabilities provide easy control of SaaS app traffic, including accessed, uploaded, or downloaded data, and give IT the power to apply policy easily, in seconds.
Architecture
The following diagram describes the HPE Aruba Networking SSE architecture. Each component is reviewed in more detail below.
The HPE Aruba Networking SSE Platform is the Application Access Broker that serves as the central control point for managing access to corporate applications and resources. It handles authentication, authorization, and session management, ensuring that users can access the applications they need securely, based on their individual permissions and policies. The platform dynamically brokers connections between users and applications, enforcing access controls and security policies in real time.
The platform is cloud native and is hosted across many cloud providers. The resulting distribution of service locations, often referred to as points of presence (POPs), places users close to the platform, which provides an optimal user experience and maximizes uptime. Because of the Atmos cloud architecture, traffic is never backhauled: Atmos automatically chooses the best connectivity path using its smart routing capabilities.
The Atmos Security Client is a lightweight software component installed on users’ devices to facilitate secure communication with the platform. It provides endpoint visibility and security posture assessment, ensuring that only trusted devices are allowed to access corporate resources. The client also enables seamless integration with existing security infrastructure, such as endpoint protection platforms and identity providers.
The HPE Aruba Networking SSE Security Portal is a web-based management interface that enables administrators to configure and manage access policies, user profiles, and application resources. It provides a centralized view of user activity, application usage, and security events, so administrators can monitor and analyze access patterns and potential security threats. The portal also offers reporting and compliance features, enabling administrators to generate audit logs, compliance reports, and usage statistics.
HPE Aruba Networking SSE integrates with various identity providers and identity protocols, including Active Directory, LDAP, SAML, and OAuth, to authenticate users and enforce access controls. By integrating with established identity providers, organizations can use existing user directories and authentication mechanisms, streamlining the user provisioning process and ensuring consistency across authentication methods. Determining which identity providers will be used is an important step in the design.
Application Connectors are preconfigured connectors that facilitate seamless integration with a wide range of corporate applications and resources. These connectors support various protocols and authentication mechanisms, allowing users to securely access applications such as web-based portals, remote desktops, SSH servers, and virtualized environments. The connector is deployed in a network segment near the application and is a required component for providing remote access to applications.
HPE Aruba Networking SSE provides APIs and software development kits (SDKs) for integrating the platform with third-party security tools, identity providers, and custom applications. APIs help automate deployment and management tasks, customize access workflows, and extend the functionality of the platform to meet specific business requirements.