HPE Aruba Networking Secure Service Edge (SSE)

  • 1. Service Overview

    HPE Aruba Networking Secure Service Edge (SSE) (the “Service”) is a Software-as-a-Service that provides a comprehensive cloud-based solution that ensures secure access, visibility, and governance across all business applications. It represents a unified security model that integrates core security components such as: Zero Trust Network Access (ZTNA) for safeguarding private applications, Secure Web Gateway (SWG) for managing web access, Cloud Access Security Broker (CASB) for securing SaaS applications, and Digital Experience Monitoring (DEM) for ensuring an optimized digital experience across all access needs.


    SSE offers a simplified and flexible enterprise licensing model based on End Customer’s security features (multiple user-based subscriptions available), users (three tiers available), Customer Success Packages (three tiers available) and site-based (Bandwidth) requirements.


    In addition to user and/or site-based subscriptions, different feature add-on subscriptions can be purchased separately.

  • 2. Service Structure

    The service can be purchased using any of the following user-based or site-based subscription tiers and feature add-ons. The End Customer purchases any of the user-based subscriptions based on the total number of users and Customer Success Package requirements. For a site-based subscription, the End Customer purchases the subscription based on the total anticipated bandwidth requirements per site.


    Below is a quick overview of the Service structure across user/site-based subscriptions and feature add-ons:

Fig. 1

  • 3. Core service features

Feature

Details

Common Features across SSE subscription tiers

HPE Aruba Networking SSE delivers the following common features across all subscription tiers:

  • Multi-cloud Architecture - Access to 500+ global edge locations across the most reliable cloud providers – AWS, Azure, GCP
  • Admin Portal - Centralized access management for admins through a unified UI to enforce zero trust policies across all business resources. (Admin RBAC controls available)
  • User Portal - Secure, single access point for users to easily access all their authorized applications in one place
  • SSE Policy Tags - Smart tagging allows admins to set up granular zero trust policies with just a handful of rules, versus hundreds
  • SSE Agent - Lightweight endpoint agent compatible with laptops, phones, and tablets, and with operating systems including Windows, Mac, Linux, Android, and iOS
  • SSE Connectors - Lightweight VM that front-ends apps to provide a secure, outbound-only, zero trust connection from authorized app to the SSE cloud. (Up to 1,000 connectors)
  • Universal SSL Inspection - Enforce SSL Inspection at scale across all forms of traffic – private, SaaS, internet
  • Analytics and reporting - Real-time analytics of all traffic and user behavior within the SSE dashboard. Gain insights from high-level SSE dashboards down to granular individual session logs
  • Branch connectivity - Secure branch connectivity for Internet and Internal traffic with IPSec support and easy integration with SD-WAN services
  • Smart routing - Optimize user connectivity through automatic routing across the fastest access path via 500+ edge locations
  • Partner Integration - Integrate with additional services within your Cybersecurity Mesh, such as SIEM, Identity, MDM, Endpoint, and various APIs
  • Built-in Identity - Leverage our native HPE Aruba Networking IdP service within SSE – Great for third-party access
  • Multiple IDP support - Effortless integration with one or more IdP providers of your choice and enable SAML/SCIM support
  • Device posture - Understand the security posture of end-point devices and enforce security based on their changing context
  • Log streaming - Easily integrate SSE with the SIEM provider of your choice and get even more out of your data with Syslog and API integrations
  • Custom block pages and user alerts - Help users understand why access is denied with customized block pages and posture block notifications via the agent and minimize IT Tickets in the process

Foundation (ZTNA Only)

In addition to common features, this user-based subscription includes HPE Aruba Networking Zero Trust Network Access (ZTNA), a modern solution designed to provide secure access to private applications. As part of the broader SSE framework, HPE Aruba Networking ZTNA ensures that only authorized users can access authorized private applications, thereby reducing the attack surface and enhancing security. This subscription includes the following features:

  • All ports and protocols - Secure access to all private applications with support of all ports and protocols
  • Robust agentless access - Delivers agentless access to private apps for employees, third parties and BYOD users with a simple web browser. Supported agentless apps: MS SQL, GIT, SSH, RDP, VNC, Web apps
  • Server-initiated flow - Enable the support of legacy thick-client apps like VOIP and AS400 with Server-Initiated Flow
  • Multi-regional app support - Apps in multiple regions are supported across multiple connector zones allowing the best access path to be selected based on latency
  • DLP for private apps - Enable session control and visibility for private applications. Apply DLP policies to scan traffic for malware, run sandbox, and control upload/download actions
  • Simplified domain setup - Deploying apps with ZTNA is easy with both CNAME and DNS Rewrite. DNS Rewrite eliminates the need for DNS changes, allowing for faster application rollout

Foundation SWG

In addition to the common features of the HPE Aruba Networking SSE solution, this user-based subscription delivers the HPE Aruba Networking Secure Web Gateway (SWG) feature set, making access to the internet effortless and safe for all work locations. The cloud service acts as a security broker between an organization’s mobile users, offices, branches, and the open Internet. HPE Aruba Networking SSE inspects internet traffic and brokers the fastest connection possible via cloud, allowing companies to replace various network-centric outbound gateway appliances as part of a larger SSE platform. This subscription includes the following features and functions:

  • DNS/URL filtering - All 8 BW Tier licenses allowed (purchased separately) – 20Mbps/50Mbps/100Mbps/200Mbps/500Mbps/1Gbps/2Gbps and Unlimited.
  • Threat intelligence protection - Use smart algorithms and real-time data to block risky URLs and domains based on their content, domain details, and reputation
  • Data loss prevention (DLP) - Prevent data leakage with use of Data Security Profiles, Regex Pattern Matching, and action enforcement for more control, and less risk
  • Malware and anti-virus scanning - Protect against known viruses and malware through repeatable hash and AV scanning – Database signatures

Foundation Plus (ZTNA and SWG)

This subscription delivers the combination of the feature set and functions of Foundation (ZTNA) and Foundation SWG subscription tier capabilities stated above.

Advanced

In addition to the common features and the ZTNA and SWG feature sets and functions, this user-based subscription delivers the HPE Aruba Networking SSE platform’s Cloud Access Security Broker (CASB) solution, which provides end-to-end visibility, allowing centralized management of user access, downloads, and sharing permissions. HPE Aruba Networking CASB’s operation is straightforward: it proxies traffic to avoid risky passthrough connections, validates identities, applies policies, and securely connects users to resources while inspecting traffic and monitoring user experience. The features and functions include:

  • In-Line CASB - Track and control activity for over 10,000 SaaS applications with no limit on SSL inspection
  • Compliance and regulations - Predefined Dictionaries and Custom Dictionaries help meet compliance standards (i.e., HIPAA, PCI-DSS, GDPR, NIST)
  • Multi-Regional topologies – max available allowed
  • Orchestrator statistics retention period – custom depending on the customer’s data storage allocation in their private server

Advanced Plus

This user-based subscription includes all features and functionality of the Advanced subscription tier and the following:

  • Cloud firewall (FWaaS) filters network traffic in the SSE cloud and supports all ports and protocols and allows/denies access
  • Advanced DLP - Adding to DLP functionality, advanced DLP includes Optical Character Recognition (OCR)
  • Sandbox - Test files with real-time sandbox scanning, offering both Fast and Deep Scanning options, while ensuring 99% of files are analyzed in under a minute with no downtime
  • Local Edge - Deploy your own software-based SSE Local Edge and bring access even closer to your users and devices at the network’s edge (Unlimited number of local edges)

SASE SWG BW

This is a site-based subscription that protects unmanaged devices at any network site from web-based threat vectors using HPE Aruba Networking SSE’s cloud-delivered SWG features and functions.

Each subscription license entitles the customer to 10 Mbps of bandwidth from a network site to the Service for SWG inspection. These licenses can be stacked based on the network site requirements.

This offering can be used in conjunction with the HPE Aruba Networking EdgeConnect SD-WAN solution to deliver Unified SASE capabilities, or it can protect devices of organizations with third-party SD-WANs by establishing an IPsec bandwidth-licensed tunnel from the SD-WAN solution to HPE Aruba Networking SWG.

The features and functions included in this subscription are the same as the Foundation SWG subscription tier mentioned above.

  • 4. Optional Service Features

    4.1. Sandbox - Test files with real-time sandbox scanning, offering both Fast and Deep Scanning options, while ensuring 99% of files are analyzed in under a minute with no downtime. This feature is included in the Advanced Plus subscription and can be purchased separately with the Foundation SWG, Foundation Plus, and Advanced subscription tiers only.


    4.2. Local Edge - Deploy your own software-based SSE Local Edge and bring access even closer to your users and devices at the network’s edge. This feature is included with the Advanced Plus subscription and can be purchased separately with the Foundation, Foundation Plus, and Advanced subscription tiers only. It is recommended to deploy this in pairs per site.


    4.3. Cloud Managed Connector - The Managed Connectors service deploys dedicated connectors (in pairs) for organizations, providing them with a Static IP for streamlined access. This is available


    4.4. SASE SWG BW - This is a site-based subscription that protects unmanaged devices at any network site from web-based threat vectors using HPE Aruba Networking SSE’s cloud-delivered SWG features and functions. This can be purchased separately as an add-on if the customer already has any of these user-based subscription tiers - Foundation SWG, Foundation Plus, Advanced and Advanced Plus subscription tiers.

  • 5. Support

    5.1. User or site-based subscriptions offered by this Service are packaged and offered with three different tiers of Customer Success Packages (CSP), each of which offers different Service Level Objectives (SLOs) and support coverage to the end customer. See the table below.

| Features | Basic | Select | Premier |
|---|---|---|---|
| Support Coverage | 9x5x365 | 24x7x365 | 24x7x365 |
| SSE Support Portal | 24x7x365 | 24x7x365 | 24x7x365 |
| Service Level Agreement | Standard Per Terms (S1: 1hr, S2: 2hr, S3: 8hr, S4: NBD) | Standard Per Terms (S1: 1hr, S2: 2hr, S3: 8hr, S4: NBD) | Enhanced (S1: 30min, S2: 1hr, S3: 4hr, S4: 8hr) |
| Architecture and Deployment Services | N/A | Add-on | Included |
| Designated Customer Success Manager | N/A | Automated Self Service CSM | Included |
| Deployment Health Checks | N/A | Add-on | Bi-annual - Included |

5.2. Optional Professional Services


Health Checks - The Axis Security Health Check service reviews the configuration of the Axis Security Connectors, usage, application, policies and overall utilization with the outcome of providing recommendations for improvement. The Premier Package includes these checks, which are scheduled every six months.


Architecture and Deployment Services - For the duration of a customer’s implementation, and post-deployment as users and applications or services are added, Axis Security’s Architects will provide design and product configuration guidance, ensuring that customer outcomes are optimized for user performance, manageability, and security. Included as a Premier Package benefit.


5.3. Response Times

| Severity | Basic | Select | Premier |
|---|---|---|---|
| Critical (P1) | 1 Hour | 1 Hour | 30min |
| High (P2) | 2 Hours | 2 Hours | 1 Hour |
| Medium (P3) | 8 Hours | 8 Hours | 4 Hours |
| Low (P4) | Next Business Day | Next Business Day | 8 Hours |

5.4. Support Priority Definitions:

| Priority | Definition |
|---|---|
| P1 | System is inoperable |
| P2 | System is operable but major product features and functions are not operable |
| P3 | System is operable but major product features and functions are not performing properly |
| P4 | System is experiencing minor operational problem or general questions on the operational aspects of the product. |

  • 6. Exclusions

    6.1. Pre-Release Materials

    HPE may make available to Customer certain software, features, functionality, improvements, and/or enhancements in advance of their general availability (Pre-Release Materials). Customer agrees the Pre-Release Materials: (i) are not to be used in a production environment; (ii) may or may not ever be made generally available by HPE as part of an update or otherwise; (iii) are not under warranty or support; (iv) are not at the level of compatibility, performance and/or scalability of the Service as the case may be; (v) may not operate correctly; and, (vi) may be subject to additional terms and conditions that are specific to such Pre-Release Materials. Customer agrees to notify HPE of any bugs, errors or problems with respect to Pre-Release Materials.


    6.2. Unless explicitly mentioned, Professional Service(s) is not included with purchase of any product subscription tier.


    6.3. Unless explicitly mentioned in the description of the purchased subscription, Feature add-ons must be purchased separately.

  • 7. Customer responsibilities

    7.1. All access codes and passwords are personal to the individual to whom they are issued. The customer and its Personnel are responsible for maintaining the confidentiality and security of all access codes and passwords issued and ensuring that each access code and password is only used by the individual authorized. To the extent HPE assigned Customer with administrative rights to create access codes and passwords for its Personnel, Customer shall be responsible for issuing such passwords.


    7.2. Customer is responsible for all access, activities, and charges associated with Customer's Account, whether or not authorized by Customer, except for unauthorized access, activities, and charges that can reasonably be determined to be the result of Company's mistake, omission or negligence in providing sufficient safeguards against unauthorized third-party access to Customer's Account. Customer must promptly notify Company of any unauthorized use of Customer’s Account.


    7.3. Fair Use Policy - Ensure that you order a correct number of user or site-based licenses. If additional user or site-based licenses are needed during the subscription term, contact the HPE Aruba Networking Sales team to identify the next steps and order additional licenses accordingly. HPE Aruba Networking periodically reviews the usage (total number of users and/or aggregated data transfer) to ensure compliance with the purchased licensing terms.


    7.4. Subscription term expiration policy – HPE Aruba Networking may disable the access to the Service at the end of Evaluation (“Proof of Concept”) or subscription term. Customer is responsible to contact HPE Aruba Networking Sales team prior to the end of Evaluation or subscription term to obtain an extension agreed by both parties.

  • 8. Service level objectives (SLO) commitments

    8.1. HPE will use commercially reasonable efforts to ensure that the SaaS (hosted in HPE’s cloud) Services will be available 24 hours per day, 7 days per week, with monthly uptime of 99.9%, excluding any Scheduled Downtime.


    8.1.1. A minimum of seven (7) days advance notice will be provided for all scheduled downtime to perform system maintenance, backup and upgrade functions for the SaaS Services (the “Scheduled Downtime”). Daily system logs will be used to track Scheduled Downtime and any other SaaS Service outages.


    8.2. As a part of the SaaS Services, HPE shall maintain a backup of all Customer Data that HPE is required to retain as a part of the SaaS Services, as described in a particular Order. In the event the Customer Data becomes corrupt, HPE shall use commercially reasonable efforts to remediate and recover such corrupt data from any backup that has been agreed upon in a particular Order.

  • 9. Applicable Terms

Applicable terms

URL

Data Privacy and Security Agreement

List of sub-processors

Data processing & security measures

HPE aaS Terms for Customers (unless otherwise stated in the Change Order Form.)
