Today’s distributed enterprises use many kinds of applications, from basic collaboration tools to complex enterprise applications and everything in between. Users rely on multiple SaaS, infrastructure-as-a-service, and platform-as-a-service solutions in some way to perform their day-to-day tasks. Users also access arbitrary resources on the internet, from social media to news streaming. And attackers are probing every possible path to gain access to the enterprise.
On the other hand, although SD-WANs addressed the challenge of backhauling enterprise traffic to the data center and significantly reduced the cost of MPLS, they were never as secure as traditional MPLS. The simple reason is that SD-WAN uses numerous different transport mechanisms, including LTE, MPLS, and broadband Internet connections, as opposed to the traditional secure MPLS tunnels.
So now is the time for SD-WAN vendors to take a serious look at the security functions of their SD-WAN solutions.
Every SD-WAN vendor has tried to address security in its own way. SD-WAN players started adding security features to come up with a “secure” SD-WAN offering, and even the pure-play security vendors created secure SD-WAN solutions by adding networking capabilities to their security products. The result is that almost the entire market offers at least one component of the networking and security mix in which it has little expertise. Broadly, there are four types of SD-WAN solutions in the market, depending on their security and networking features: SD-WAN appliances with basic firewalling, SD-WAN appliances with an advanced firewall, firewall appliances with SD-WAN, and secure SD-WAN as a service. The fourth, secure SD-WAN as a service, offers the characteristics of the much-discussed SASE architecture. In the first three types of offerings (SD-WAN appliances with basic firewalling, SD-WAN appliances with an advanced firewall, and firewall appliances with SD-WAN), IT teams are left managing separate security and networking domains, whereas a secure SD-WAN as a service provider offers a fully integrated security and SD-WAN service.
The challenge with today’s SD-WAN+security solutions is that they have not been developed from the ground up according to the SASE framework. And as SASE is only a few months old as a concept, it cannot yet be expected that all vendors have built solutions on this architecture. The reality is that these solutions are either not a great SD-WAN solution or do not offer comprehensive best-of-breed security features. Some SD-WAN solutions are good at Data Loss Prevention (DLP), while others are more capable of protecting against ransomware and other malware, and some offer only some good email security tools. Most, if not all, lack best-of-breed functions that are seamlessly integrated and offer smooth manageability. For example, some firewall appliances with SD-WAN features, developed by vendors that originally offered security solutions, take up to 30 to 40 seconds to converge on an alternate IP connection. This is in contrast to good SD-WAN solutions, which are able to switch to a secondary connection in seconds and, ideally, sub-second, which is what is required to maintain session state. Similarly, SD-WANs that claim to offer advanced firewall protection are not sufficient to prevent sophisticated attacks. An enterprise always needs best-of-breed functions for both security and networking in its secure SD-WAN solution, because an organization needs robust protection against all kinds of threats.
The inability to keep security at the heart of SD-WAN deployments has been one of the key reasons for security breaches across the globe. Security is essential because most of SD-WAN’s benefits (cost optimization, improved cloud performance, and agility) rely largely on secure direct Internet access, and the internet is not as secure as other transport mechanisms. The SASE architecture enables SD-WAN vendors as well as security vendors to offer a comprehensive security solution in their SD-WAN offering. This is possible by architecting a solution with best-of-breed security functions. A robust security offering in an SD-WAN solution must take into account the following:
And for each of the potential security threat touchpoints, there must be at least one best-of-breed security function in place. These security functions include, but are certainly not limited to, next-generation firewalling, malware protection, and advanced threat protection.
To make the most of cloud-native security functions, enterprises are increasingly looking at moving security inspection into the cloud as security-as-a-service. Instead of deploying multiple security appliances, security-as-a-service providers converge the functionality of those appliances into a cloud-native software stack. Sites send traffic to the provider’s nearest point of presence (PoP) for inspection and from there directly onto the Internet. Some SDN vendors use AWS, Azure, and Google Cloud Platform, whereas other vendors are investing heavily in their own points of presence around the world without depending on what AWS, Azure, and GCP are doing. Here’s a representation of how network as a service and network security as a service converge in a SASE architecture.
In this new architecture, both Network as a Service (NaaS) and Security as a Service (SECaaS) converge to create a seamlessly integrated solution that can be managed through a single console. All the best-of-breed network services (such as SD-WAN, carriers, CDN, WAN optimization, etc.) and the best-of-breed security services (such as CASB, cloud SWG, ZTNA/VPN, WAAPaaS, FWaaS, DNS, RBI, etc.) converge to offer a truly secure SD-WAN architecture. The best part is that NaaS and SECaaS platforms always offer the flexibility to choose from a range of network and security functions and to keep updating the stack as new services are developed. The SASE architecture allows a simple plug-and-play model for selecting best-of-breed services based on the specific requirements of an organization.
Secure access is a key element of SASE architecture. Access privileges are enforced by policies based on user identities. Other pieces of information that inform policies include the location the user or group’s traffic is coming from, the time of day, the risk/trust assessment of the user’s device, and the sensitivity of the application or data being accessed. The network security functions used in access management are secure web gateways (SWGs), cloud access security brokers (CASBs), firewalls, and zero-trust network access.
Similarly, the Data Loss Prevention (DLP) network security function is used to make sure that end users do not send sensitive or critical information outside the corporate network. A Web Application Firewall (WAF) helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. A remote browser isolates the user’s Internet browsing activity from the end user’s device and from the rest of the enterprise’s networks and systems.
Hence, one or more security functions work in tandem to deliver a security feature.
This is what the entire converged platform, centered on user identity, looks like.
The above image shows how identities are at the center of access decisions. The context that users, devices, and applications carry determines their level of access to the different clouds on the left.
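To make the identity-centered access decision concrete, here is an added example (not code from the original article or from any SASE vendor) of a small policy evaluator that combines the inputs listed above: user identity and group, source location, time of day, device risk/trust, and the sensitivity of the resource. The country list, risk scale, business hours and sensitivity thresholds are constructed for the example and are not standards.

```python
"""Context-aware access decision in the style of a SASE policy engine.
Example code; scales and thresholds below are constructed, not a standard."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class AccessContext:
    user: str
    groups: frozenset        # identity groups the user belongs to
    country: str             # source country of the traffic (assumed ISO code)
    local_time: time         # time of day at the user's location
    device_risk: float       # 0.0 = fully trusted ... 1.0 = compromised (assumed scale)
    managed_device: bool     # device enrolled in corporate management


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: int         # 0 = public ... 3 = restricted (assumed scale)
    allowed_groups: frozenset


# The more sensitive the data, the lower the device risk that is tolerated.
MAX_RISK_BY_SENSITIVITY = {0: 1.0, 1: 0.7, 2: 0.4, 3: 0.2}
ALLOWED_COUNTRIES = frozenset({"US", "GB", "DE"})
BUSINESS_HOURS = (time(7, 0), time(20, 0))


def decide(ctx: AccessContext, res: Resource) -> tuple:
    """Return (decision, reason). Decision is 'allow', 'isolate' (hand the
    session to remote browser isolation) or 'deny'. Checks run in order of
    identity, location, time, device trust; the first failing check wins."""
    if not ctx.groups & res.allowed_groups:
        return "deny", "identity: user is not in an allowed group"
    if ctx.country not in ALLOWED_COUNTRIES and res.sensitivity >= 2:
        return "deny", "location: sensitive resource requested from an unapproved country"
    start, end = BUSINESS_HOURS
    if res.sensitivity == 3 and not (start <= ctx.local_time <= end):
        return "deny", "time: restricted data requested outside business hours"
    if ctx.device_risk > MAX_RISK_BY_SENSITIVITY[res.sensitivity]:
        return "deny", "device: risk score too high for this data sensitivity"
    if not ctx.managed_device and res.sensitivity >= 1:
        # An unmanaged device never touches internal data directly; the
        # session is routed through remote browser isolation instead.
        return "isolate", "device: unmanaged device, isolating the session"
    return "allow", "all policy checks passed"
```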
A SASE architecture enables end-to-end security for everyone across the organization, whether the source is a remote worker, a branch location, the headquarters, or even a customer interacting with the organization’s networks and applications. Threat prevention capabilities inherent to SASE include encryption of all communications, firewalls, URL filtering, anti-malware, and intrusion prevention systems (IPS). These capabilities are available to all connected network edges across the globe. SASE combines an SD-WAN approach and security functionality into one cloud-based service. The WAN in a SASE service is not the same as in an SD-WAN: a SASE vendor has a globally distributed network fabric made up of its own points of presence (PoPs). And as mentioned above, an alternative to the vendor’s own network fabric is to use a public cloud provider’s PoPs.
To sum up, every organization needs an SD-WAN solution that lets it select from an always-updated stack of networking and security functions and build a cloud-native capability to completely secure its WAN.