The dialogue around secure access service edge (SASE) and its core component, security service edge (SSE), has been pervasive. Born from earlier concepts like software-defined perimeter (SDP) and significantly accelerated by the widespread shift to remote work, SSE initially promised a unified platform for all secure access needs. However, many organizations now find that the vision of a single, all-encompassing platform often feels more like chasing a "mythological unicorn." At Appgate, we believe it's crucial to look beyond broad marketing terms and focus on pragmatic, impactful solutions.
For CISOs and security leaders, the appeal of a single platform can quickly diminish when confronted with a collection of disparate products—SD-WANs, Secure Web Gateways (SWGs), and more—that don't always integrate into a seamless whole. The experience can be likened to an outdated cable TV subscription: a vast array of channels when only a select few are truly needed. This often leads to a preference for best-of-breed solutions, meticulously chosen to address specific challenges effectively, without the burden and complexity of superfluous features.
A foundational understanding in today's security landscape is that controlling access to the public internet and securing private applications are fundamentally distinct challenges. These resources reside in different environments, demand different protection strategies, and cater to varied user requirements. It's unrealistic to expect a single vendor to optimally address both. This inherent distinction means most organizations are, by default, operating in multi-vendor environments. Recognizing and embracing this reality allows for the development of more tailored, robust, and effective security postures by strategically separating approaches for public and private application access.
The User Experience Dilemma in Modern Application Access
The ideal scenario for application access is one of elegant simplicity: a user, their familiar browser, and the application—all seamlessly and securely connected. Yet, the journey to achieve this seemingly straightforward goal is often fraught with complexities that can significantly impact user productivity and satisfaction. Consider the common hurdles:
- Costly and time-consuming processes for provisioning and shipping devices.
- A considerable learning curve for users who must adapt to various VPN clients or VDI infrastructures, often different from their previous experiences or personal tools.
- The inconvenience of launching separate, distinct clients for on-premises resources versus cloud-based services.
- The widespread practice of backhauling traffic to an SSE provider's cloud, a method that frequently mandates SSL break-and-inspect for visibility, DLP, and malware detection. This reliance on a global network of Points of Presence (PoPs) can, ironically, introduce latency and degrade performance.
- In some intricate scenarios, traffic is even routed back to on-premises infrastructure to access internal applications, adding further convoluted steps to the access chain.
This intricate and often cumbersome setup not only creates friction for end-users but also introduces operational inefficiencies and, critically, potential security gaps.
A Streamlined Future: The Enterprise Browser Meets Direct-Routed ZTNA
We advocate for a more streamlined, user-centric, and inherently secure approach by combining the strengths of two best-of-breed technologies: Island’s Enterprise Browser for SaaS and general web application access, and Appgate ZTNA, a direct-routed universal Zero Trust Network Access (ZTNA) solution for securing private applications.
The Enterprise Browser: Familiarity, Intrinsic Control, and Enhanced Productivity
The concept of the Enterprise Browser, as pioneered by our partners at Island, masterfully leverages the universal familiarity users have with standard web browsers. Built on the Chromium open-source project, it provides an identical look, feel, and functionality, thereby eliminating the retraining often associated with the deployment of new security tools. More than just a modified browser, it evolves into a comprehensive application delivery platform with natively integrated governance and security capabilities. Policy, intelligently driven by rich contextual information – such as user identity, device posture, geolocation, and application tenancy – dynamically follows the user. This allows for fine-grained control over the application's presentation layer, enabling sophisticated actions like selective data redaction, precise copy-paste restrictions, and secure file interaction management, all while actively enhancing user productivity through workflow automation and seamless resource access.
Appgate ZTNA: Direct, Invisible, and Secure Access to Private Applications
For private applications residing within an organization's data centers or private cloud environments, Appgate offers a universal ZTNA solution designed to secure access not only for human users but also for IoT devices, servers, and third-party contractors, ensuring comprehensive protection. Appgate ZTNA’s architecture is distinguished by its elegant simplicity, primarily comprising just two core components: a lightweight client on the user's endpoint device and a secure gateway deployed within the data center.
A critical differentiator of Appgate ZTNA is its direct-routed architecture. This means that user traffic to private applications is not redirected through an intermediary third-party cloud service. This direct connection yields significant advantages:
- Enhanced Scalability and Performance: Direct routing inherently minimizes latency and ensures more predictable, high-performance user interactions with critical applications.
- Inherent Resilience: Appgate ZTNA’s distributed architecture supports self-healing capabilities, ensuring continuous availability.
- Data Center Cloaking through Single Packet Authorization (SPA): A cornerstone of Appgate's security model is SPA. This patented technology evaluates a cryptographically secure key exchange before any connection is established. If the exchange is successful, access is granted based on precise entitlements; if not, the data center edge presents no open ports, effectively rendering it invisible to unauthorized entities. This dramatically reduces the attack surface and provides robust protection against zero-day threats and reconnaissance attempts.
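To make the SPA idea above concrete, here is an added, generic sketch of the gateway-side check: authenticate one packet, reject stale or replayed ones, and stay silent otherwise. It is not Appgate's patented implementation or wire format; the packet layout, the pre-shared HMAC key, the client ID and the 30-second window are all assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

MAX_SKEW = 30  # seconds a packet stays valid (assumed value)
# Constructed per-client secret; real deployments provision keys out of band.
CLIENT_KEYS = {b"laptop-0001": b"k" * 32}
_seen_nonces = set()  # replay cache (bounded and expired in a real gateway)


def build_spa_packet(client_id, key, now=None):
    """Client side: id_len | client_id | timestamp | nonce | HMAC-SHA256 tag."""
    ts = struct.pack(">Q", int(now if now is not None else time.time()))
    nonce = os.urandom(16)
    body = bytes([len(client_id)]) + client_id + ts + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_spa_packet(packet, now=None):
    """Gateway side: return the client_id to admit, or None to stay silent."""
    now = int(now if now is not None else time.time())
    if len(packet) < 1 + 8 + 16 + 32:
        return None
    id_len = packet[0]
    if len(packet) != 1 + id_len + 8 + 16 + 32:
        return None  # malformed length: drop
    body, tag = packet[:-32], packet[-32:]
    client_id = body[1:1 + id_len]
    ts = struct.unpack(">Q", body[1 + id_len:1 + id_len + 8])[0]
    nonce = body[-16:]
    key = CLIENT_KEYS.get(client_id)
    if key is None:
        return None  # unknown client: no reply, no open port
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    if abs(now - ts) > MAX_SKEW or nonce in _seen_nonces:
        return None  # stale or replayed packet: drop without replying
    _seen_nonces.add(nonce)
    return client_id
```

Every failure path returns None without sending a response, which is what keeps the edge indistinguishable from a closed host to a scanner.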
The Power of Synergy: Unified Policy, Seamless Experience
The true transformative power of this best-of-breed approach emerges when these two leading solutions—Island’s Enterprise Browser and Appgate’s direct-routed ZTNA—work in concert.
Users benefit immensely from a simplified and unified experience. Whether on corporate-managed or personal BYOD devices, deployment is straightforward. Upon launching the Enterprise Browser, users are presented with a single, seamless homepage displaying both their SaaS applications and internal private applications, all governed by a centrally managed and dynamically applied policy.
SaaS application access becomes direct and secure. The Enterprise Browser, by its very nature, terminates SSL traffic locally on the endpoint. This allows security policies, such as DLP or content filtering, to be applied effectively before data is rendered on the screen, without requiring cumbersome, performance-degrading external break-and-inspect processes.
Internal, browser-based applications are accessed with the same ease and consistency. The Enterprise Browser manages the necessary name resolution, and the local device routing table intelligently directs traffic through the secure, encrypted tunnel established by the Appgate client directly to the Appgate gateway protecting that specific application.
This deep integration facilitates unified policy enforcement. The same granular governance rules and security controls apply consistently across both public SaaS applications and private internal resources. This streamlines security management, enhances compliance, and ensures a consistent, predictable, and secure experience for all users, regardless of application location or access method.
Strategic Value for the Modern, Agile Enterprise
This combined strategy offers compelling and practical solutions for several critical enterprise use cases:
- Securing access to vital SaaS and internal applications with consistent, dynamic, and unified policies that adapt to risk and context.
- Effectively managing secure access for contractors, third parties, and BYOD users, ensuring that appropriate security measures are applied regardless of the device or user type.
- Reducing dependency on traditional, often cumbersome and costly, VDI solutions for application delivery.
- Streamlining and accelerating IT integration during mergers and acquisitions by enabling rapid, on-demand, and secure access provisioning to acquired resources.
From a CISO's perspective, this modern, integrated model adeptly balances non-negotiable security control with the flexibility required by today's dynamic business environment. It delivers robust access without compromising usability and provides clear, auditable visibility into "who has access to what," all while empowering business agility and innovation. The solution is designed for scalability, ensuring it can support organizational growth and adapt to evolving compliance landscapes.
By moving beyond the often-limiting constructs of monolithic SASE platforms and embracing a strategic, best-of-breed approach that leverages the strengths of technologies like Island’s Enterprise Browser and Appgate ZTNA, organizations can achieve a more secure, efficient, and user-friendly access model. This isn't merely a theoretical advantage; it's a practical and proven pathway to a stronger security posture and enhanced enterprise productivity, which we at Appgate are committed to delivering.