SD-WAN Is Made SASE-Ready with the Right Security Private Cloud

What is the ideal role of SD-WAN in a SASE architecture?

Both SD-WAN and SASE hold great promise, sharing the common goal of securely connecting users to the data and applications critical to doing their jobs and demonstrating the tightening linkage between networking and security investments. Without the right security private cloud, however, SD-WAN lacks the necessary complement that will help organizations fully realize a SASE architecture, especially for addressing remote workers.

SD-WAN’s Role

Leveraging the concept of a virtualized network overlay to connect branch offices, SD-WAN allows organizations to better tap the public Internet and low-cost broadband to save on expensive, legacy MPLS connections. Various analysts estimate SD-WAN can help enterprises cut costs by as much as 65% compared to traditional alternatives. SD-WAN benefits run deeper than just infrastructure savings, also including increased network availability, better traffic prioritization, and more intelligent path selection.

SD-WAN is sometimes perceived as lacking the cloud-native mindset that’s going to be increasingly necessary for building networks and security as the world aggressively adopts cloud services. That is true, to an extent. SD-WAN is a great enabler for organizations to get traffic to and from the cloud in a more efficient and cost-effective way, but it was designed to address the challenges of managing connectivity between hundreds or thousands of enterprise branches, not necessarily an enterprise where the majority of employees are now remote workers. Even when the COVID-19 pandemic is finally over, organizations will have their old ways of doing business upended.

So how should SD-WAN evolve to support this new normal?

The Intersection of SD-WAN and SASE

Using SASE, the concept of the perimeter and branch changes—or you could say “moves”—with the user. This connection from a single device or endpoint to the service edge or new WAN edge is at the heart of SASE, combined (most importantly!) with the critical security delivered as a cloud service necessary to protect the user and their traffic while in motion.

Security considerations have always been imperative to SD-WAN architectures, including creating secure tunnels to protect critical application traffic in-transit while also guarding against the risks and data protection challenges associated with going direct-to-net. In the past few years, this created natural advantages for cloud security and SASE-focused vendors because traditional approaches that steer traffic to a few security control points are costly and inefficient (i.e., why would you backhaul traffic to remote locations if you didn’t have to?).

With the pivot to cloud and SASE, however—whether it’s users safely browsing the web, accessing their SaaS apps and workloads in the public cloud, or even remotely connecting to their private apps—significant gaps exist for optimizing connectivity between these destinations and the new WAN edge. For example, it’s not just safe to say it’s all HTTP and HTTP-based protocol traffic bound for the Internet, and performance can simply be addressed by adding more bandwidth or relying on an antiquated backhaul architecture.

While some of the SD-WAN vendors have attempted to layer security capabilities into their SD-WAN offerings, claiming they are SASE-ready, many of them are using bolt-on, poorly integrated acquisitions or a slimmed-down, incomplete set of security features. Fundamentally, SD-WAN is the domain of networking experts working in the world of routing traffic, enhancing network reliability, and exploiting optimization techniques for an improved application experience. Security technologists, however, address challenges using critical knowledge of the threat landscape, and are able to identify users, threats, data, and application instances, and stitch these contexts together to improve security posture. The right SD-WAN isn’t some hastily assembled combination of networking smarts with security parts; it’s a robust, best-of-breed pairing of SD-WAN combined with a cloud-native security stack.

SD-WAN allowed for a near-total transformation of the WAN back when security could be centralized. But security is no longer centralized. The role of SASE is to deliver the right security where and when it’s needed—ideally at the Internet edge, which is also where most SaaS apps and websites live. That leaves only one connection left for SD-WAN to optimize in most scenarios—the one from the users to the security stack at the Internet edge.

The number one concern of networking professionals is whether their network is up and running. Then they focus on its performance, wanting to ensure it is fast, responsive, and able to handle their critical business traffic. But what good is the very best SD-WAN solution paired with cloud security if this new SASE-ready WAN edge doesn’t perform? What if it slows down business processes, impacts user productivity, or (in a worst-case scenario) drives users to exploit workarounds to get the speed and experience they demand? And even worse, what if this cloud security approach then fails to adequately protect valuable data, achieve compliance objectives, or guard against threats?

Performance, Coverage, and Connectedness Matter

Many vendors in cloud security focus on features, overlooking or underinvesting in the network, especially when delivering security as a service. Or, in some instances, vendors talk about checkbox integrations with networking investments, like SD-WAN or peering, and meet only the minimum level of acceptable capabilities.

Those approaches won’t help an organization fully embrace SASE, and neither will relying on security solutions built on public clouds, with their inherently unpredictable performance. The right support for SD-WAN is a security private cloud that can apply Zero Trust Network Access to data and resources, provide seamless and direct access to public clouds, provide protection for private applications, and simplify IT operations overall. Plus, with users off-net, working remotely, the traditional network perimeter has dissolved and Zero Trust Network Access provides a more secure, targeted way to provide app access without the performance and backhaul issues of legacy VPN architectures, while de-risking against threats from lateral movement. This makes Zero Trust Network Access a perfect complement to SD-WAN at the branch, extending fast, secure access for users connecting from anywhere.

Forward-thinking organizations have already cast aside the idea that SD-WAN alone will be enough for SASE, or that SD-WAN with security bolted-on will get there. They’re finding the right combination is choosing best-of-breed, bringing together robust SD-WAN capabilities and then using a security private cloud to make those even better.

With the NewEdge network from Netskope, we’re not taking any shortcuts – like trading off performance for robust security – to deliver the modern cloud security services most needed for a SASE architecture. Learn more about Netskope and NewEdge.