Why both WAN and Security transformation are critical to architecting a secure access service edge (SASE)
Many enterprises have already made significant investments in their shift to the cloud, so the ultimate challenge now is how to realize the full transformational promise of the cloud while achieving a multiplier effect from those investments. Many are quickly coming to the realization that their traditional router-centric enterprise WANs and perimeter-based security approaches were never designed for today’s cloud-first world.
Today, more applications are hosted in the cloud than in traditional enterprise data centers, and the majority of these applications are being consumed as software-as-a-service (SaaS). Moreover, an increasing number of employees work outside of the corporate network and connect directly to cloud applications. Both of these dynamics render traditional perimeter-based security ineffective. Finally, the explosion of mobile and IoT devices across the enterprise has dramatically increased the attack surface, exposing enterprises to security breaches that can compromise data and result in network downtime.
To achieve the full promise of cloud and digital transformation, enterprises must transform both their WAN and security architectures — not just one or the other. An enterprise may start with modernizing its WAN or security, but to realize the true value of cloud investments, both aspects must be addressed. By transforming both their WAN and security architectures, enterprises can ensure direct, secure access to applications and services across multi-cloud environments regardless of location or the devices used to access them.
Leveraging advanced SD-WAN to adopt a cloud-first security architecture
An advanced SD-WAN platform automatically identifies and classifies application traffic on the first packet, intercepting it at the network edge and assigning it to an appropriate segment, securing it from other traffic on the network. As shown in Figure 1 below, enterprises can connect directly to the cloud via secure, adaptive internet breakout using an advanced SD-WAN platform. The intelligence to recognize trusted applications enables local breakout from the branch office to the nearest point of presence (PoP), eliminating latency and delivering the highest quality of experience for trusted SaaS and cloud applications such as Microsoft Office 365, 8x8, and RingCentral.
Application awareness also provides the ability to send other internet-bound traffic first to a cloud-delivered security vendor for advanced inspection before forwarding it along to a SaaS or IaaS provider. An advanced SD-WAN platform uses a virtual WAN overlay model and enforces end-to-end micro-segmentation to enable differentiated treatment for different applications, including security policies and controls. For instance, a security policy may be defined to:
- Send all known “trusted business SaaS” traffic directly to the internet
- Send “work from home” recreational applications to a cloud-delivered security vendor such as Zscaler, Netskope, Check Point, McAfee, or Palo Alto Networks for additional inspection, and
- Backhaul all other “untrusted, suspicious, and unknown traffic” to a data center or headquarters-based next-generation firewall from Palo Alto, Fortinet or Check Point
Advanced SD-WAN capabilities orchestrated with modern cloud-delivered security services ensures consistent policy enforcement and access control for users, devices, applications, and IoT.
Figure 1: With an advanced SD-WAN platform, branch office sites can use broadband connections and adaptive internet breakout to directly connect to the cloud, optimizing application performance and user experience.
Best of breed solutions enable enterprise agility
Enterprises need agility to spin up new branches and dynamically adjust QoS and security policy and rules. The ability to propagate policy context is a critical requirement for branch automation. This makes the concept of an advanced SD-WAN solution desirable and can help enterprises eliminate the need for multiple appliances to perform dedicated security functions and simplify and consolidate — or “thin” — their branch WAN edge architecture. An advanced SD-WAN edge platform enables enterprises to transform their WAN by unifying SD-WAN, routing, WAN optimization, segmentation, application visibility and control, and branch security in a single centrally managed unified platform.
As modern cloud-first enterprises continue to migrate applications from the data center to the cloud, they must embrace WAN and security transformation to realize the maximum return from their cloud investments. Gartner coined the term SASE, or Secure Access Service Edge that moves the industry in this new direction. It is important that enterprises consider both WAN and security transformation as they architect a secure access service edge to deliver a seamless experience. Automated orchestration that seamlessly integrates best-of-breed SASE components without compromising networking capabilities or security enforcement capabilities is a foundational requirement.
Ultimately, no single vendor will have the breadth and depth of features and capabilities required to deliver best-in-class network and security technologies across a single platform. With a continuously evolving threat landscape, enterprises must also retain the agility to quickly and cost-effectively adopt new security solutions as they come to market. Enterprises are well-served to evaluate platforms that offer the freedom to integrate best-of-breed network and security solutions. By doing so, enterprises can avoid being locked-in to proprietary single-vendor solutions or settle for basic features and functionality.
To learn more about WAN and Security Transformation, read our latest white paper.
