Improved network security is a top business driver of SD-WAN adoption, as a previous blog in this series revealed. However, SD-WAN isn’t necessarily an off-the-shelf panacea for all your network security challenges. While the typical SD-WAN products include some native security capabilities, an enterprise must take an approach that combines native SD-WAN security with integrated, on-premises, and cloud-based security solutions.
Some early adopters of SD-WAN have failed to take this comprehensive approach. For instance, EMA’s WAN Transformation research found that enterprises that have completed a production deployment of an SD-WAN solution are 1.3 times more likely than the average enterprise to have experienced a security breach in a remote site over the last year. EMA suspects that these particular enterprises have been oversold on the native security capabilities of their chosen vendors.
Nearly every SD-WAN solution offers some baseline network security capabilities, including a zone-based, stateful branch firewall, end-to-end network segmentation, and the equivalent of a site-to-site VPN. However, these should be considered only the first line of defense. Because SD-WAN enables decentralized connectivity, with direct connections from branch offices to the internet and the cloud, enterprises must take a defense-in-depth approach. In other words, SD-WAN should integrate with other security solutions to create a more complete security architecture.
This security architecture starts with the native SD-WAN security capabilities and continues with a next-generation firewall (NGFW). Few SD-WAN vendors offer these application-aware network security appliances, but enterprises are increasingly deploying them in data centers and regional hubs. SD-WAN solutions can integrate with NGFW technology, service-chaining traffic between an SD-WAN gateway and the nearest NGFW installation for application-layer security inspection. Some SD-WAN vendors also integrate with NGFW management so that the security and networking teams can manage security policy in one place. Advanced SD-WAN solutions can leverage their native application identification and classification features to identify trusted applications that are safe for direct internet connectivity, and send less trusted or unidentified applications to the NGFW.
Secure SD-WAN doesn’t end with NGFW integration. EMA research found growing interest in integrating SD-WAN with many other security technologies, including intrusion prevention, data loss prevention, sandboxing, and cloud application security brokers. Again, few SD-WAN vendors will offer these security solutions natively, but some of them will integrate with third-party offerings.
As enterprises add new security services to the SD-WAN puzzle, things can quickly become costly and complex. One must ask how many discrete security solutions one wants to deploy at each SD-WAN site. Even if these solutions are deployed as software only, the administrative overhead can be overwhelming.
Thus, EMA has observed growing interest in integrating SD-WAN with cloud-based security services, especially for security functions that aren’t sensitive to latency. When SD-WAN is integrated with a cloud-based security service, a network operator can subscribe to that service and direct traffic from hundreds of sites to the closest cloud-based service point of presence with a few mouse clicks.
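To make the steering logic of the two preceding paragraphs concrete, here is an added illustration in Python; it is not Silver Peak, Zscaler or EMA code. It models an SD-WAN edge that classifies each flow by application, lets trusted applications break out directly to the internet, and service-chains everything else (including traffic the edge cannot identify) to the nearest inspection point, which may be an on-premises NGFW hub or a cloud security PoP. Latency-sensitive traffic is kept on an NGFW hub where one is reachable, matching the point that cloud services suit functions that tolerate latency. The application tiers, sites, hubs, PoPs and round-trip times are all constructed sample data, and the `steer` and `nearest_inspection` functions are hypothetical.

```python
"""Toy SD-WAN traffic-steering policy (added illustration, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed application trust tiers. Anything not listed is treated as
# unidentified, so the default outcome is inspection, never direct breakout.
APP_POLICY: Dict[str, str] = {
    "office365": "trusted",
    "salesforce": "trusted",
    "dropbox": "untrusted",     # file sharing: route through DLP-capable inspection
    "bittorrent": "blocked",
}


@dataclass(frozen=True)
class InspectionPoint:
    name: str
    kind: str                    # "ngfw" (on-prem hub) or "cloud" (security PoP)
    rtt_ms: Dict[str, int]       # constructed site -> round-trip time in ms


@dataclass(frozen=True)
class Flow:
    site: str
    app: Optional[str]           # None: the SD-WAN edge could not identify the app
    dest_zone: str               # "internet" or "datacenter" (the internal segment)
    latency_sensitive: bool = False


@dataclass(frozen=True)
class Decision:
    action: str                  # "direct", "inspect" or "drop"
    via: Optional[str] = None    # inspection point used, if any
    reason: str = ""


# Constructed topology: two NGFW hubs plus two cloud security PoPs.
INSPECTION_POINTS: List[InspectionPoint] = [
    InspectionPoint("hub-east-ngfw", "ngfw", {"branch-nyc": 8, "branch-sfo": 70, "branch-ldn": 80}),
    InspectionPoint("hub-west-ngfw", "ngfw", {"branch-nyc": 72, "branch-sfo": 6}),
    InspectionPoint("cloud-pop-chi", "cloud", {"branch-nyc": 20, "branch-sfo": 45}),
    InspectionPoint("cloud-pop-lon", "cloud", {"branch-ldn": 5}),
]


def classify(app: Optional[str]) -> str:
    """Map an identified application (or None) to a trust tier."""
    if app is None:
        return "unidentified"
    return APP_POLICY.get(app, "unidentified")


def nearest_inspection(site: str, points: List[InspectionPoint],
                       latency_sensitive: bool) -> InspectionPoint:
    """Pick the lowest-RTT inspection point reachable from the site.

    Latency-sensitive traffic prefers an on-prem NGFW hub; if no hub is
    reachable from the site, the nearest cloud PoP is used instead.
    """
    reachable = [p for p in points if site in p.rtt_ms]
    if not reachable:
        raise ValueError(f"no inspection point reachable from {site}")
    if latency_sensitive:
        reachable = [p for p in reachable if p.kind == "ngfw"] or reachable
    return min(reachable, key=lambda p: p.rtt_ms[site])


def steer(flow: Flow, points: List[InspectionPoint] = INSPECTION_POINTS) -> Decision:
    """Decide how the SD-WAN edge forwards one flow."""
    tier = classify(flow.app)
    if tier == "blocked":
        return Decision("drop", reason=f"{flow.app} is blocked by policy")
    # Direct internet breakout only for trusted, identified apps bound for the internet.
    if tier == "trusted" and flow.dest_zone == "internet":
        return Decision("direct", reason="trusted app allowed direct internet breakout")
    # Untrusted, unidentified, or datacenter-bound traffic is service-chained
    # to the nearest inspection point.
    point = nearest_inspection(flow.site, points, flow.latency_sensitive)
    return Decision("inspect", via=point.name,
                    reason=f"{tier} traffic to {flow.dest_zone} service-chained via {point.kind}")


if __name__ == "__main__":
    sample = [
        Flow("branch-nyc", "office365", "internet"),
        Flow("branch-nyc", None, "internet"),
        Flow("branch-sfo", "dropbox", "internet"),
        Flow("branch-ldn", "dropbox", "internet", latency_sensitive=True),
        Flow("branch-sfo", "bittorrent", "internet"),
    ]
    for f in sample:
        d = steer(f)
        print(f"{f.site:11} {str(f.app):11} -> {d.action:8} {d.via or '-':14} {d.reason}")
```

The design choice worth noting is the default: an application the edge cannot classify is never granted direct breakout, so a misclassification or an unknown protocol degrades to inspection rather than to an uninspected path. Unidentified traffic from the NYC branch therefore lands on the nearest NGFW hub, while the London branch, which has no nearby hub, falls back to its cloud PoP unless the flow is flagged latency-sensitive.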
One of the leading providers of cloud-based security is Zscaler, and unlike some other leading security vendors, Zscaler has no SD-WAN solution. Thus, it’s neutral toward most SD-WAN vendors. SD-WAN vendors like Silver Peak are deepening their integration with Zscaler and other cloud-based security providers to deliver more value to enterprises and to protect against the breaches that some early adopters of SD-WAN experienced with other vendors. Silver Peak, for instance, can automate the configuration of IPsec tunnels from branch sites to Zscaler ZEN points of presence, vastly simplifying security operations. Deep integration with a security provider like Zscaler can dramatically simplify security architecture while reducing security risk, thus delivering on a key business driver for SD-WAN adoption. To learn more about the Silver Peak Unity EdgeConnect™ SD-WAN edge platform and its integration with Zscaler, click here.