Written by Alain Penel, Regional Vice President – Middle East, Fortinet
The one common drawback to most SD-WAN solutions is that they address your WAN connectivity needs as if they exist in isolation. This is not unique to SD-WAN. One of the biggest challenges facing organizations undergoing rapid digital transformation is that each new network element tends to be designed and implemented in isolation. While this approach has several significant flaws, none is more serious than the impact it has on security.
One of the most critical functions required by security is expansive visibility across the entire distributed network. Deploying separate security solutions in different parts of the network isolates resources and makes it impossible to see, correlate, and respond to systemic threats.
While traditional hub-and-spoke WAN connection models certainly have their shortcomings, they do enable all traffic to be scanned and secured by the centrally deployed security. Once you replace static MPLS connections with flexible connectivity that leverages a public network and begin to support direct links to the internet and SaaS applications, you shift the burden of security to the SD-WAN device.
The Limits of Traditional SD-WAN Solutions
The problem is, most SD-WAN devices offer little more than extremely basic firewall functionality. This means that your critical data is no longer being protected by your full stack of security services, such as IPS, web filtering, anti-virus and anti-malware, and sandboxing. If you want those services, you have to add them as an overlay.
This can add significant overhead to your IT team due to the heavy lifting of designing and deploying a solution, additional maintenance, and the use of separate management consoles. And if not done properly, it can also isolate your WAN security from the rest of your security architecture, both at your core and out in your multi-cloud presence. But that’s only part of the challenge.
Security Needs to Consistently Span the Entire Network
Managing an SD-WAN connection over a platform as unreliable as the public internet requires a significant amount of delicate connection management. Redundant systems need to be in place for immediate failover. Links with deteriorating reliability need to be hot-swapped out, even during live connections. And traffic management tools need to be constantly aware of application bandwidth requirements and prioritization of different connections to continually make micro-adjustments to support latency-sensitive applications like unified communications.
SD-WAN connections require end-to-end security that goes beyond simply encrypting data. Communications between a branch office and a cloud-based application require data inspection at both ends of the connection. To avoid gaps in policy implementation and enforcement, security solutions in the cloud need to be fully compatible with those running at the branch.
Applications not only need to be identified and managed to optimize their performance, but security also needs to see and understand those applications so appropriate levels of security can be applied. In addition, a cloud access security broker (CASB) solution should be positioned between the user and the cloud to secure access to cloud applications and resources and provide ubiquitous visibility and control. Finally, cloud security solutions also need to be positioned in the internet itself to provide real-time scalability for applications.
SD-WAN Needs to Integrate Network and Security Functionality
But perhaps the most essential element required is the deep integration between SD-WAN network functionality and security. Unfortunately, when security is deployed as an overlay, the best it can do is react to changes in network connections.
This might be good enough for basic connections to the core data center, but securing things like SaaS applications or access to sensitive data is another matter. The lag time between a network change and the remapping of security to match that new configuration can create security gaps that can be predicted and exploited. This problem is significantly compounded when such changes can happen on a second-by-second basis.
Rather than deploying security as an overlay, it instead needs to be fully integrated into the networking functionality of the SD-WAN solution itself. When new connections are created, security policies are built and deployed as part of the process. When network connectivity changes, security adapts automatically as part of the protocol. And, should a new connection or adjustment potentially compromise security policy, the integrated security element can prevent that change before it is even made.
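The lag-versus-veto argument above, as an added illustration in Python (not Fortinet's code; the path names, policy fields, lag and flow-rate values are constructed assumptions): an overlay layer re-maps security some time after the SD-WAN device has already moved traffic, while an integrated control plane evaluates policy inside the change itself and can refuse it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    name: str
    inspected: bool  # True if traffic on this path traverses the full security stack


@dataclass(frozen=True)
class Policy:
    app: str
    requires_inspection: bool  # e.g. sensitive SaaS data: IPS, AV, sandboxing required


def overlay_switch(policy: Policy, new_path: Path,
                   remap_lag_s: float, flows_per_s: float) -> dict:
    """Overlay model: the SD-WAN device moves traffic at t=0; the separate
    security layer only learns of the change and re-maps at t=remap_lag_s.
    Flows sent on an uninspected path during that window are the gap."""
    exposed = policy.requires_inspection and not new_path.inspected
    gap_s = remap_lag_s if exposed else 0.0
    return {"path": new_path.name, "gap_s": gap_s,
            "exposed_flows": int(gap_s * flows_per_s)}


def integrated_switch(policy: Policy, new_path: Path) -> tuple[str, str]:
    """Integrated model: policy is evaluated inside the path-change
    transaction, so a non-compliant change is vetoed before it happens."""
    if policy.requires_inspection and not new_path.inspected:
        return "vetoed", f"{new_path.name} bypasses inspection required for {policy.app}"
    return "committed", f"{policy.app} moved to {new_path.name} with policy attached"


def compare(policy: Policy, events: list, remap_lag_s: float, flows_per_s: float) -> dict:
    """Run one sequence of link changes through both models and total the
    exposed flows (overlay) versus refused changes (integrated)."""
    overlay_exposed = sum(overlay_switch(policy, p, remap_lag_s, flows_per_s)["exposed_flows"]
                          for p in events)
    vetoed = sum(1 for p in events if integrated_switch(policy, p)[0] == "vetoed")
    return {"overlay_exposed_flows": overlay_exposed, "integrated_vetoed": vetoed}


if __name__ == "__main__":
    # Constructed sample: an ERP app that must be inspected, and a failover
    # sequence that flips it between an inspected hub path and direct internet.
    erp = Policy("erp", requires_inspection=True)
    hub = Path("mpls-hub", inspected=True)
    direct = Path("direct-internet", inspected=False)
    print(compare(erp, [direct, hub, direct, hub], remap_lag_s=2.0, flows_per_s=50))
```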
The Future Requires Security-Driven Networking
This deep interoperability between security and network functions is the hallmark of the next generation of security known as Security-Driven Networking. By weaving these traditionally separate systems into a single solution, organizations can achieve the visibility and control necessary to truly secure their entire infrastructure. And as machine learning and AI become part of the solution, we will finally realize the sort of self-defending, self-healing network we have been waiting for.
New Secure SD-WAN solutions are the perfect place for this to begin. Deep integration between connectivity and security allows for the seamless and straightforward deployment of a complete solution, while networking and security functions can be managed simultaneously through a single-pane-of-glass management system, reducing overhead, increasing performance and protection, and paving the way for the next generation of security.