Zero trust illustrated: WAN transformation

Mar 08, 2023

Editor’s note: This is the second in a three-part series on the most popular use cases for zero trust transformations.

As mentioned in part one of this series, zero trust transformations are not led by a desire to adopt some shiny new solution, but by business cases. Often, that business case comes from the head of infrastructure and networking looking to modernize through WAN connectivity. 

WAN transformation allows organizations to convert unsecured, routable, hub-and-spoke networks to true zero trust connectivity, while also improving the user experience. Zero trust architecture (hosted as part of the security service edge (SSE) in points of presence (PoPs) close to population centers) allows direct access to cloud applications via the internet, without the need for MPLS circuits back to the data center. This replaces much of the hardware-based security stack and eliminates the “hairpinning” of traffic that adds unnecessary latency.

Zero trust enforcement for users, sites, and workloads
Zero trust enforcement nodes act as a switchboard, creating connections based on business policy. Apps are destinations, not network resources, and users and applications are never on the same network.

In addition to direct application access and local internet breakouts, WAN transformation also includes zero trust software-defined wide area networks (SD-WAN) and digital experience monitoring (DEM).

Zero trust SD-WAN

SD-WAN has emerged as a technology that aids in WAN transformation by bringing software-defined edge networking and path selection that reduces reliance on MPLS networks. 

While SD-WAN and zero trust can coexist, SD-WAN is not in itself zero trust, as it still relies on an underlying WAN. By definition, ZTA should be network-agnostic and not exclusively tied to any network underlay solution. In fact, many of the benefits of SD-WAN come from its “software-defined” capabilities, not from the WAN, which inherently extends the corporate network and allows for lateral movement. Decision makers should carefully evaluate extending the corporate network to the branch and consider alternative approaches.

To secure connectivity for large branches or campuses, an SD-WAN solution can forward internet/SaaS traffic through the zero trust service edge to establish secure local internet breakouts. This can be accomplished through API integration, so that SD-WAN vendors automatically create tunnels to the zero trust service edge. If SD-WAN is required for path selection or centralized management, it should only be considered for large branches, campuses, or factories. In some cases, for traditional applications, some private application traffic may still need to be sent via a site-to-site VPN.

There are alternatives that better conform to zero trust standards for small and medium-sized branches. For example, zero trust SD-WAN replaces traditional WAN connectivity solutions in-branch by applying zero trust principles to user, server, and IoT/OT device connectivity. Zero trust SD-WAN provides branches and data centers fast and reliable access to the internet and private applications with a direct-to-cloud architecture, offering strong security and operational simplicity. It eliminates the network attack surface by establishing direct branch-to-internet and branch-to-private app connections using a full proxy architecture.

Zero trust SD-WAN schematic diagram
Zero trust SD-WAN provides secure access for users and services in branches.

For small branches where there are fewer users, going fully zero trust with no SD-WAN and no routable network is the preferred approach. This basically treats everyone in that small branch as a remote user. An agent installed on the user’s endpoint forwards traffic to the zero trust service edge for secure connectivity to public and private applications.

Digital experience monitoring

An important element of zero trust architecture is the integration of digital experience monitoring (DEM) capabilities. DEM uses telemetry data, collected from the zero trust architecture, to monitor and diagnose end user experience and application performance issues.

Digital experience monitoring data feeds
Visibility from the endpoint to the application is needed to troubleshoot and resolve performance issues.

DEM uses machine learning (ML) to identify performance anomalies and send actionable alerts based on application, endpoint, and network analytics. This includes hop-by-hop network analysis that identifies network issues between the user endpoint and their Wi-Fi, ISP, backbone, and the zero trust service edge; resource issues on an endpoint; or problems with the application provider.

Sample digital experience monitoring workflow diagram
Sample workflow of using ZTA’s DEM telemetry to identify and diagnose a performance issue.

DEM can also prove useful for ensuring network resilience. As opposed to total service failures, brownouts, like those experienced during service degradations, can be difficult to attribute. DEM helps identify the root cause of performance issues, leading to faster remediation. Simply put, the zero trust philosophy requires parties to be transparent about their identities, intentions, and activities. DEM strengthens a zero trust environment by granting superior visibility into system performance and by discovering where problems are occurring.
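As an added example (not code from the original post or any vendor product), here is a hop-by-hop attribution routine in the spirit of the DEM workflow above: given cumulative per-hop round-trip times from the endpoint to the zero trust service edge, it distinguishes a total failure from a brownout and names the segment (Wi-Fi, ISP, backbone, or service edge) that degraded. Segment names, thresholds, and all telemetry values are constructed assumptions.

```python
from statistics import median
from typing import Dict, List, Optional

# Ordered hops between the user endpoint and the zero trust service edge,
# following the hop-by-hop analysis described above. Names are assumptions.
SEGMENTS = ["wifi", "isp", "backbone", "service_edge"]

# Constructed sample telemetry: cumulative round-trip time in ms measured at
# each hop, one list per probe. None means the probe got no reply from that hop.
HEALTHY_PROBES = [
    [3, 15, 30, 38], [4, 16, 31, 40], [3, 14, 29, 37],
    [4, 17, 32, 41], [3, 15, 30, 39],
]

def per_segment(rtts: List[Optional[float]]) -> Dict[str, float]:
    """Turn cumulative per-hop RTTs into the latency added by each segment."""
    out, prev = {}, 0.0
    for name, rtt in zip(SEGMENTS, rtts):
        if rtt is None:
            break  # hop unreachable; later segments cannot be measured
        out[name] = max(0.0, rtt - prev)  # clamp jitter-induced negatives
        prev = rtt
    return out

def baseline(probes: List[List[float]]) -> Dict[str, float]:
    """Median per-segment latency over a set of healthy probes."""
    cols = {s: [] for s in SEGMENTS}
    for p in probes:
        for name, ms in per_segment(p).items():
            cols[name].append(ms)
    return {s: median(v) for s, v in cols.items()}

def attribute(probe, base, ratio=2.5, min_delta_ms=20.0) -> Optional[str]:
    """Name the segment responsible for a degradation, or None if healthy.

    A total failure is reported as 'outage@<segment>' at the first hop that
    stopped answering; a brownout is the segment whose added latency grew the
    most relative to its baseline, subject to an absolute and a relative floor
    so that normal jitter on a fast segment is not flagged.
    """
    seg = per_segment(probe)
    if len(seg) < len(SEGMENTS):
        return "outage@" + SEGMENTS[len(seg)]
    worst, worst_ratio = None, 0.0
    for name in SEGMENTS:
        delta = seg[name] - base[name]
        r = seg[name] / base[name] if base[name] else float("inf")
        if delta >= min_delta_ms and r >= ratio and r > worst_ratio:
            worst, worst_ratio = name, r
    return worst

BASE = baseline(HEALTHY_PROBES)
```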
