A Secure SD-WAN is More than Just “Nice to Have”
The trend towards increasingly distributed organizations has only been possible due to the availability of business-critical, cloud-based applications and tools. But many cloud-based applications and services place a great deal of demand on legacy WAN infrastructures, especially as expectations for a high-quality user experience continue to increase. To meet these demands, many organizations—especially those with multiple remote offices—have begun switching from performance-inhibited wide-area networks (WANs) to software-defined WAN (SD-WAN) architectures.
Before the recent pandemic, many enterprises had already begun adopting SD-WAN to cloud-enable their businesses, close skill gaps in the IT organization, increase network agility, and improve visibility into networks and applications. But the need for reliable access to critical resources became even more pronounced over this past year to support organizations looking to quickly adopt a work-from-anywhere business strategy. Solutions like SD-WAN and ZTNA have played a critical role in lessening the impact of a global quarantine by ensuring business continuity, maintaining user productivity, and helping businesses thrive. The fact is if recent events had occurred even just a few years earlier, a lot of companies open for business today would have had to close operations permanently.
Like many keystone technologies, SD-WAN was the right solution in the right place at the right time. Modern business runs on applications, so maintaining user experience for all users everywhere is a top priority. SD-WAN enhances branch networking with significant simplification, improved application performance, and faster cloud on-ramp for optimal access to SaaS and UCaaS applications. It can also monitor and modify connections to maintain bandwidth and prevent latency, jitter, and packet loss that can impact bandwidth-hungry applications and services like digital voice and video. Branch simplification, reliable performance, and optimal user experience are why the global SD-WAN market size is expected to grow to $8.4 billion by 2025, a CAGR of 34.5%.
Security Limitations of Traditional SD-WAN
While SD-WAN has revolutionized branch connectivity and user experience, it also has some shortcomings—especially when it comes to security. These include:
- Siloed Visibility: By its nature, an SD-WAN installation is highly dynamic. It is constantly monitoring, correcting, replacing, and restoring connections to maintain optimal application performance. Security solutions that are added on top of an SD-WAN solution struggle to keep up with these changes. And if these solutions are not part of a fully integrated security strategy, it becomes impossible to track applications and workflows end to end. These and similar challenges resulting from a non-integrated SD-WAN security overlay approach can leave temporary gaps in protection that can be targeted and exploited.
- Complexity: SD-WAN architectures can be difficult to manage and harder to troubleshoot across all your branches without the right solution and capabilities. This becomes even more challenging when you extend SD-WAN to additional use cases, such as cloud-to-cloud and cloud-to-datacenter, or to remote workers who need a more robust connectivity solution. In addition to looking for an SD-WAN that can support the widest array of use cases, it should also integrate networking, connectivity, and security functions into a single, centralized management console. Without that, efforts to ensure consistent security policies and enforcement across all use cases and maintain centralized control of your SD-WAN infrastructure add to the burden on limited IT staff and often create defensive gaps for threat actors to exploit.
- Over-Reliance on VPN: Over the past year, millions of companies replaced their expensive, enterprise-grade security solutions with VPN technology that is decades old. They did that because workers were no longer inside the perimeter. Cybercriminals exploited this by targeting and compromising the older, unpatched, consumer-grade devices located in home networks and then hijacking VPN connections back into the corporate network. SD-WAN involves much the same trade-off. While branch offices receive flexible and reliable access to applications, they are no longer protected by the security deployed in the corporate data center. Far too many organizations are now protecting their branch offices with little more than VPN, and because a chain is only as strong as its weakest link, they have exposed their entire enterprise to an unacceptable level of risk.
- Minimal Security: Branch offices require a full suite of enterprise-grade protection that can adapt to the dynamic nature of SD-WAN. Organizations are encouraged to look for SD-WAN solutions that include a full range of proven and validated security tools. But that is only half of the challenge. Effective SD-WAN implementation will also require additional security across the enterprise infrastructure to secure the multiplicity of connections a meshed SD-WAN implementation can create while inspecting high traffic volumes at application speeds—all without inhibiting network performance.
- Can’t Inspect Encrypted Traffic: Most SD-WAN solutions cannot inspect secure sockets layer (SSL)/transport layer security (TLS) encrypted traffic, which now comprises about 85% of network traffic. Specifically, as cybercriminals leverage encryption to infiltrate networks and exfiltrate data, organizations either put themselves at risk by letting it pass uninspected, or they must purchase additional appliances to inspect encrypted traffic at the edge of the network. And as a note of caution, inspecting encrypted traffic is a weak spot for most firewalls, causing even the most robust system to drop to its knees—and undermining your
The Answer is Secure SD-WAN with built-in ZTNA support
The challenge is that for most SD-WAN solutions, security is not integrated into the solution. And if security is not integrated, direct internet access opens the door to all kinds of new threats. Not only should SD-WAN contain a full suite of enterprise-grade security solutions, but security and networking functions must also operate as a unified system. This is crucial. This approach, known as security-driven networking, allows security to seamlessly adapt and scale with SD-WAN connectivity, preventing security gaps that can occur with an overlay security solution.
Likewise, upgrading traditional VPN with zero trust network access (ZTNA) not only provides encrypted access to applications, but also ensures that no user or device can access any application until they have been verified. It can also hide applications from the internet to reduce the potential attack surface. And when critical security functions are enhanced with AI and custom-built processors to accelerate things like inspecting encrypted traffic, performance never has to be sacrificed for protection.
Secure SD-WAN that consolidates SD-WAN, NGFW, advanced routing, and an access proxy for ZTNA support plays a critical role in enabling a distributed digital business model. Enabling employees to work from anywhere, on any device, with seamless security in tow, means you can maintain productivity and continuity, attract and retain top talent, and exceed customer demands. But that requires seeing SD-WAN security as more than just something nice to have. To compete effectively in today’s digital marketplace, it’s a necessity.
Take a security-driven networking approach to improve user experience and simplify operations at the WAN edge with Fortinet Secure SD-WAN.
Copyright © 2021 IDG Communications, Inc.