SD-WAN is an exciting new technology that allows your organization to harness the speed, availability, and comparatively low costs of the internet to manage the lion’s share of your enterprise traffic. As covered in an earlier blog by Alex Teteris, SD-WAN (software-defined wide area network) enables you to route enterprise traffic through the public internet without sacrificing the performance of more traditional MPLS-based routing, which pushes all traffic through a central data center. SD-WAN is more dynamic and flexible than solely using MPLS, as it allows global organizations to route traffic from branch locations through localized internet connections rather than dealing with the latency and expense of routing all of that traffic through a central data center that could be thousands of miles or even a continent away.
But the security of SD-WAN connections needs to be carefully considered, and many companies are understandably wary that using SD-WAN could compromise their ability to protect the enterprise against cyberthreats. To thrive, you need to rebalance your cybersecurity portfolio so that all of the security capabilities in your data centers are available through every portal that your employees may use to connect to the internet via SD-WAN.
This blog describes how to make that possible.
Replicating the data center security stack
One of the prime benefits with the data center model was having a powerful cybersecurity stack with all the desired capabilities in a single place. This was part of the allure of the hub-and-spoke model that leveraged MPLS. While it was expensive, and it might have slowed traffic from branch locations, it made sense to centralize security in the data center when all applications resided there. But, as applications move to the cloud and organizations turn to solutions like SD-WAN, there’s still a need for these capabilities, but it no longer makes sense to centralize them in the data center. What’s needed is a way to have the cybersecurity stack for SD-WAN in each location that they’ve had in the data center. Of course, the next logical question is: how can this become possible?
SD-WAN routes traffic via the optimal path based on the user and metadata about what the user is accessing. In many cases, this may mean enterprises have multiple networks—some using internet connections from local ISPs and others relying on traditional MPLS connections. It is not feasible to replicate the security of the data center stack, building out similar stacks for each localized breakout at each branch location. That would involve buying and installing appliances at each location, negating the benefits of faster speeds, reduced complexity, increased agility, and lower costs you hope to achieve by using SD-WAN in the first place. Instead, companies will need to use cloud providers that offer up the security stack wherever and whenever it is needed.
A cloud-based approach
Your oganization can use a cloud-based security platform to achieve the same level of cybersecurity you've had in the past. With this approach, you're sending traffic through the cloud security provider, rather than through your own legacy data center. Your business is empowered to protect all users consistently because all your security capabilities are in one place.
For instance, one company might be engaged in SSL inspection and have different boxes that handle data loss prevention, sandboxing, and firewalls in its legacy data center. Without a cloud-based security platform, the company would face a complicated configuration process where SD-WAN traffic was sent through a series of different virtual appliances all based in various locations. Such complexity is totally avoided with integrated, cloud-delivered security.
A cloud-based approach has a number of tangible benefits. For one, it helps you overcome the understandable fear that using cloud and SD-WAN will lead to a loss of control and visibility into your network. In fact, a cloud-based security provider actually enhances visibility and control because your centralized policies and security capabilities follow your end users wherever they go.
Cloud-delivered security also allows you to provide identical protections for all users and all locations, with everything from data loss prevention to sandboxing to cloud firewalls and to SSL inspection. Cloud-based security providers like Zscaler offer you the opportunity to deliver the entire stack of security solutions in a single cloud security platform, all without the cost and complexity of physical or virtual security appliances.
You can also enact policies that strictly control where specific forms of traffic are routed, and therefore define what type of security is enforced on that traffic.
But selecting the right type of cloud-based cybersecurity is crucial. Providers must offer multitenancy and scalability through a service-edge cloud, and they must offer a complete set of integrated security services to enable you to leverage the full power of SD-WAN and the cloud. With the right provider, security across your enterprise will be faster, simpler, and more scalable.
Thus, the biggest change you are likely to see in your cybersecurity portfolio as a result of using SD-WAN lies in how security capabilities are delivered. Delivery will not happen through a box or virtualized infrastructure, but rather through the cloud.
Want to learn more? Watch this webinar on what you really need to know about SD-WAN security.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dhawal Sharma is Senior Director of Product Management at Zscaler