Why security should be the first step on your SD-WAN journey

31st October 2019

Dave McGrail, Principal Consultant, Xalient

One of the compelling reasons to switch from an MPLS network to a Software-Defined WAN (SD-WAN) is the affordability of access circuits. Typically, internet access circuits can be more cost effective, allowing some organisations to achieve notable savings, increase performance by making more effective use of bandwidth and improving business continuity.

SD-WAN is also a game-changer for digital transformation and an enabler for using cloud services.

It changes the way you deliver internet breakout to your organisation. With a conventional WAN, internet breakout is typically centralised at a hub site, where a traditionally-monolithic security stack protects the organisation against cyber threats.

In contrast, SD-WAN can provide local internet breakout for each branch site. Users can enjoy a greatly improved experience when accessing cloud services, with none of the latency associated with backhauling to the hub.

Consequently, you cannot count on the centralised security stack for protection. You need to secure each local internet breakout point.

Historically, that would have demanded investment in security appliances at every site — for many organisations, especially those with large numbers of branch sites this is not an economical option. Neither does this scale effectively with the increased uptake in cloud services and web traffic.

Better protection with Cloud Security

Fortunately, there’s an alternative way to secure local internet breakout at the branch: shift to cloud-based security.

Advanced Cloud Security solutions tend to be those that were purpose-built as cloud platforms, rather than adapted from on-premises offerings. They leverage elastic scalability and benefit from utility-based consumption models that do away with capital investment.

Compared with onsite firewalls and security appliances, Cloud Security also offers additional benefits:

With a predominantly desk-based workforce, access to resources was typically controlled based on IP address or LAN segment. However, as mobility increasingly becomes the norm — especially with BYOD — this approach is no longer sufficient.

The protection provided by on-premise security doesn’t extend beyond the enterprise perimeter. Cloud Security solutions, however, deliver security policy where access to resources can be driven by not only network location, but also a user’s identity and device posture.

The policy follows the user, and provides protection that’s appropriate to the environment they’re in:

• Logging on from the office means less rigorous challenges for access and inspection.
• Logging on from a coffee shop means more access challenges (eg Multi-factor authentication) and more restricted access to sensitive data.

Cloud Security solutions can also offer secure alternatives to traditional VPN-based remote access solutions. Access is governed by a ‘cloud broker’ that allows connectivity between the end user’s device and the corporate resource. All traffic is outbound, and is securely tunnelled via a secure cloud, which prevents the end-resource from being exposed to inbound threats from the internet.

On top of that, sophisticated Cloud Security solutions are starting to use AI and machine learning to protect organisations against zero-day threats.

Back to SD-WAN and why it pays to think about security first

Organisations adopting SD-WAN often begin their transformation with a gradual switch to internet access circuits, typically as their MPLS circuits contracts expire. But here’s the thing: as soon as you implement the first internet access circuit at one of your sites, your organisation’s security posture changes. The site is no longer reaching cloud resources via the central hub and security stack, but via local internet breakout.
Our recommendations are:

1. Think bigger picture – Plan for both network and security transformation as part of the process. Consider what other projects could be delivered through the adoption of SD-WAN and Cloud Security – eg UC and other cloud-migration initiatives.

2. Consider making security the starting point of your SD-WAN journey. Shift your security stack to the cloud and nail down identity and access management.

With Cloud Security and a solid Identity and Access Management platform/strategy, and the confidence that your organisation is protected by a robust and scalable security platform, you should be able to capitalise on all the benefits of SD-WAN — including reduced connectivity and cloud costs, higher quality collaboration and improved network performance/visibility.