Zero-Trust Network Access

Why SD-WAN Needs a Software-Defined Perimeter (SDP)


The 2018 Guide to WAN Architecture and Design revealed that increasing security is one of the primary benefits that organizations are looking for when they adopt a Software Defined WAN (SD-WAN). But in fact, most SD-WAN solutions don’t inherently increase security and have a limited, site-centric scope. To significantly increase security, IT organizations that are evaluating SD-WAN solutions must simultaneously evaluate Software Defined Perimeter (SDP) solutions.

Inadequate SD-WAN Security

SD-WAN solutions typically incorporate one or more of the following three approaches to security:

  • Do nothing and rely on the existing security functionality
  • Rely on traditional security functionality that is virtualized and hosted at each branch office
  • Leverage cloud-based security functionality, such as cloud-based firewalls, secure Web gateways and Cloud Access Security Brokers (CASBs)

Except for some of the cloud-based security functionality, none of the above approaches provides any new security functionality. As a result, if network organizations adopt an SD-WAN solution that relies on these approaches they will not achieve their goal of providing increased security.

Requirement to Support Remote Workers

Another significant limitation of SD-WAN solutions is their limited scope. Currently 70% of people work remotely for at least one day a week. As a result, any major upgrade that an organization makes to its WAN must address this large and growing population. However, most SD-WAN solutions don’t provide either connectivity or security to remote workers.

Evaluating Security Solutions

When evaluating solutions to enhance the security of SD-WANs, there are two critical objectives to consider. One objective is adding functionality that eliminates the deficiencies of the current WAN. The other objective is minimizing the complexity of the security solution, because complexity results in gaps in security and new attack vectors.

The Lack of a Well-Defined Perimeter

One of the major deficiencies of the current approach to security is that it assumes that the enterprise has a well-defined perimeter. The fact that most enterprises' employees are remote, combined with the overwhelming use of cloud computing, means that this assumption is no longer valid. To overcome this deficiency, network organizations must adopt a Software-Defined Perimeter that follows the user's device, regardless of location.

The Failure of Trust

Another major deficiency of the current approach to security is that it assumes that everything inside of an organization's network can be trusted. One implication of this assumption is that once threats get inside the network they are left unseen, uninspected and free to morph and move wherever they choose to attack the organization.

To overcome this deficiency, network organizations must adopt a zero trust security model whereby all access is denied unless it is explicitly granted and the right to have access is continuously verified. An effective zero trust model also must support a range of access functionality including single sign-on, multifactor authentication and correlation between access and users.
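The zero trust model described above, as an added illustration that is not code from the original article or any vendor product: a hypothetical policy engine that denies by default, allows only explicit grants, re-verifies the SSO session, device posture and MFA freshness on every request, and records each decision against the requesting user so access can be correlated back to identities. All names, thresholds and sample requests are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical zero-trust policy engine (not a product API): default deny,
# explicit grants, and continuous verification on every single request.

@dataclass
class AccessRequest:
    user: str
    device_id: str
    app: str
    sso_token_valid: bool     # single sign-on session still valid right now
    mfa_age_seconds: int      # seconds since the last multifactor challenge
    device_compliant: bool    # posture check (patched, encrypted, managed)

@dataclass
class ZeroTrustPolicy:
    grants: Dict[str, Set[str]]          # user -> apps explicitly granted
    mfa_max_age: int = 3600              # force a fresh MFA challenge hourly
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        decision, reason = False, "default deny"   # nothing is trusted implicitly
        if not req.sso_token_valid:
            reason = "sso session invalid"
        elif not req.device_compliant:
            reason = "device non-compliant"
        elif req.mfa_age_seconds > self.mfa_max_age:
            reason = "mfa re-verification required"
        elif req.app not in self.grants.get(req.user, set()):
            reason = "no explicit grant for app"
        else:
            decision, reason = True, "explicit grant, identity and device verified"
        # Correlate every decision with the user and device behind it
        self.audit.append((req.user, req.device_id, req.app, reason))
        return decision, reason

def demo() -> List[Tuple[bool, str]]:
    # Constructed sample requests: one valid, four that must each be denied
    policy = ZeroTrustPolicy(grants={"alice": {"crm", "wiki"}})
    requests = [
        AccessRequest("alice", "laptop-1", "crm", True, 120, True),
        AccessRequest("alice", "laptop-1", "crm", True, 7200, True),    # stale MFA
        AccessRequest("alice", "laptop-1", "payroll", True, 120, True),  # no grant
        AccessRequest("bob", "laptop-2", "crm", True, 60, True),         # unknown user
        AccessRequest("alice", "laptop-1", "wiki", True, 60, False),     # bad posture
    ]
    return [policy.evaluate(r) for r in requests]
```

Note that a user who was allowed a moment ago is denied as soon as any one check lapses; access is never carried over from an earlier decision.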

The Advantage of a Software-Defined Perimeter Delivered as a Service

Some Software-Defined Perimeter solutions leverage the cloud to deliver secure access to applications and network resources. This approach leverages the huge operational and technological advantages that are associated with the movement to provide all forms of IT functionality as a service. Since it is provided by a third party, part of the value of using a Network-as-a-Service (NaaS) solution is that it frees network organizations from the complexity of configuring and managing the enabling infrastructure.

There are several reasons to implement a cloud-delivered SDP. A couple of the reasons were previously mentioned: It provides critical security functionality that SD-WANs don’t provide, and it reduces complexity. Another reason is that in addition to providing enhanced security functionality to an organization’s branch office employees, a cloud-delivered SDP solution can provide both security and connectivity to an organization’s remote workers. In addition, over time such a solution can mitigate the need for a separate SD-WAN solution.

Last but not Least

One of the most important goals that IT organizations are looking to achieve when they upgrade their WAN is increased security. Unfortunately, SD-WAN solutions on their own don’t enable IT organizations to achieve this goal in part because they don’t increase security and in part because their scope is typically focused just on providing connectivity to branch offices. As a result, organizations that are evaluating SD-WAN offerings need to also evaluate additional solutions that provide enhanced security functionality to all users, whether they reside in a branch office or work remotely.

When they evaluate security solutions, IT organizations should look for three key characteristics. First, to respond effectively to their lack of a well-defined perimeter, the security solution that IT organizations adopt must feature an SDP. Second, to eliminate the vulnerabilities that are created by a security model that is based on trust, the security solution must be based on a zero-trust security model. Third, to minimize complexity and the associated security vulnerabilities, IT organizations should look closely at acquiring this functionality as part of a NaaS-based solution, particularly if, over time, that solution can negate the need for a separate SD-WAN solution.
