Securing enterprise data and business applications is undoubtedly at the forefront of every IT professional’s mind. However, efforts to secure data and applications competes with the priority to open up resources for a distributed workforce by moving applications and data to multiple cloud and SaaS platforms. It’s the task of the Wide Area Network (WAN) to securely connect cloud apps to the workforce on campus and branch sites. Unfortunately, by circumventing the security layers of the enterprise data center and using direct internet connections, data and devices can be exposed to a host of threats.
Secure, cloud-scale Software-Defined Wide Area Networks (SD-WAN) address these challenges with a designed-in set of features that combines security at scale with implementation flexibility. SD-WAN addresses flexibility with transport independence, enabling connections over direct internet broadband, MPLS circuits, and LTE/5G. Multiple connection types can carry traffic simultaneously so that the best path is automatically selected for optimal application experience, as well as for instant failover protection.
In addition to flexibility, I believe organizations need to address security holistically, with end-to-end networking approach that embeds security layers directly into the SD-WAN fabric along with intelligent analytics to measure and maintain application quality of experience (QoE). Let’s look at three capabilities that SD-WAN needs to have to successfully provide security along with ubiquitous connectivity and high levels of application experience for distributed enterprises.
1. SD-WAN provides security without compromising flexibility, simplicity, and application experience.
By unifying security and networking, enterprises get the flexibility they need with the application experience they want. IT gets simplicity of centralized administration to manage distributed resources. Integrating flexible, transport-independent WAN capabilities with full stack security, all managed from one cloud portal, reduces the inevitable complexities that result from installing, configuring, and managing products from multiple vendors with multiple interfaces. Branch sites gain direct internet access to cloud applications with protection against threats originating from the internet.
SD-WAN flexibility and security can be extended to colocation facilities and cloud platforms to provide connectivity to regional branch sites and minimize the attack surface without deploying edge hardware to each site. Applying unified security and segmentation policies through SD-WAN through a cloud colocation platform keeps personal data regional to help meet regulatory and privacy requirements.
With the ability to centrally manage both the SD-WAN fabric and integrated security stack from a central cloud portal, IT can focus on providing the best application experience for the workforce. SD-WAN Cloud OnRamps for SaaS platforms, for example, provide performance specifically tuned for cloud applications such as Office 365, directing traffic from branches to the closest cloud gateways to meet pre-defined SLAs, and simplifying both connection management and access security.
2. Security is an embedded full-stack solution, not an add-on.
As data leaves the control of tightly-managed data centers and spreads to multiple cloud and SaaS platforms, security controls have to be at the forefront of the network design. When considering the capabilities of an SD-WAN solution, look for a fully-integrated security stack that includes an application-aware enterprise firewall, intrusion prevention, advanced malware protection, and URL filtering operating at the edge or the cloud.
Be aware that when similar security layers are implemented as bolt-on sets of third-party point solutions, they must be individually integrated and managed, requiring additional IT training and time to unify them.
3. Protect data and applications with on-premise or cloud-based security
Where a SD-WAN security stack is deployed is less about the efficacy of protecting data than providing flexibility to adapt to changes in an organization’s operations. A holistic end-to-end solution that encompasses on-premise as well as cloud security—including integration with third-party security vendors—provides maximum flexibility.
- On-box security at each branch edge router, for example, provides flexibility to tailor each instance to branch-specific security, routing, and access policies—guest access, direct internet permissions, VPN tunnels—to meet business requirements.
- Easy-to-implement cloud-delivered security gateways, such as Cisco Umbrella, monitor traffic and apply security policies to guard against accessing known malicious sites, phishing attacks, and ransomware infections.
- SD-WAN with security as Virtual Network Functions (VNFs) hosted in colocation facilities provide connectivity for many regional branch sites with the same capabilities as on-premise branch implementation, along with unified security and segmentation policies to protect and keep data regional to meet regulatory and privacy requirements.
- SD-WAN built-in security is enhanced with knowledge derived from Cisco Talos, the leading cyber threat intelligence team, that constantly monitors emerging threats worldwide and automatically updates SD-WAN security solutions with proactive and actionable resolutions.
Security without Compromise
These three capabilities provide a foundation for evaluating an SD-WAN’s fit in an enterprise’s secure WAN architecture. Since security is a must-have to protect sensitive business data, and application performance is equally important to keep a workforce productive and meet customer experience levels, the two cannot be exclusive—there can be no compromise.
While implementing a flexible, high-performing SD-WAN solution solves a myriad of challenges, without built-in security, every connected resource is at risk. Likewise, installing the best security solutions without a flexible, dependable SD-WAN fabric to optimize application performance doesn’t provide the enterprise workforce with the information they need at the right place at the right time.
To successfully transition enterprise resources to cloud and SaaS computing, an SD-WAN architecture must encompass the best of both security and application performance. An end-to-end software-defined networking architecture embeds security directly into the SD-WAN fabric to provide the optimal solution for IT and a distributed workforce.
By Muninder Sambi
Published with permission from blogs.cisco.com.