Digital Transformation: Can SD-WAN Help Strengthen Application Security in a Cloud-First World?

The majority of enterprise CIOs are of in the midst of a digital transformation journey, migrating more of their business applications and infrastructure from their own data centers to the cloud. These applications include real-time voice calling, video conferencing, email, storage, CRM, and many other software applications now delivered as a service – “SaaS.” To support digital transformation initiatives and shifting traffic patterns as more applications move to the cloud, 94 percent1 of enterprises are considering, evaluating or have already deployed1 SD-WAN solutions to address evolving WAN requirements. Enterprises are rethinking their WAN approach to better support multi-cloud infrastructures and to actively leverage higher bandwidth (and often lower cost) broadband services to augment existing MPLS transport networks.

In a rapidly evolving cloud-first environment, backhauling cloud-destined traffic to centralized or regional data centers to apply security policies and controls only to send it out to the internet impairs application performance,  adds extra connectivity cost and compromises security models. Backhauling traffic also impacts IT budgets and increases application latency, which can result in a less-than-exceptional user experience.

So, let’s examine the network security implications of migrating applications from the data center to a cloud-hosted model. The use of internet services increases the attack surface and because traffic patterns have changed, the security model needs to be re-architected for cloud-hosted applications. Enterprises should also examine the role that SD-WAN can play in securing applications from branch and remote office sites.

Can an SD-WAN platform augment an IT security strategy when it comes to addressing the following network security challenges?

  • Enforcement of  granular application security policies, regardless of where that application is hosted
    • Directly connecting users in branch offices to applications using the internet (“Local Internet Breakout”)
    • Overcoming a lack of visibility into dynamic application environments
    • Complying with requirements for network and application segmentation
    • Interoperating with existing network security technology vendors

The Silver Peak Unity EdgeConnect SD-WAN edge platform with unified security capabilities addresses these challenges:

  • EdgeConnect software with its application-driven data plane inherently protects application data in flight across public clouds (when EdgeConnect is deployed in public clouds) with IPSec tunnels and by using AES 256-bit encryption to maintain application and data confidentiality. Encryption keys are never repeated and are directionally unique. Silver Peak Unity Orchestrator™ manages the encryption keys and rotations automatically, which reduces tunnel setup time without a loss of service.
  • The Silver Peak First-packet iQTM application identification and classification capability enables intelligent, granular traffic steering. EdgeConnect adaptive, local internet breakout enables users to securely connect to applications and automatically steers trusted SaaS traffic to a local SaaS service PoP without backhauling. This limits outbound destinations, blocks unwanted/unsolicited inbound traffic and filters expected traffic for threats.
  • End-to-end network and application segmentation is extended from the LAN, across the WAN, and to data centers and cloud platforms. Traffic within each segment or “zone” is isolated from traffic in other segments, reducing unauthorized access and limiting the scope of incidents. High-priority applications enjoy faster, more reliable performance across the WAN, increasing application availability and improving the experience and productivity of end users.
  • Control plane security capabilities include a two-step authentication process, enforced by the Silver Peak Cloud portal. A new EdgeConnect appliance must be “approved” by an IT administrator from the enterprise Unity Orchestrator instance. All communication sessions between EdgeConnect appliances, Orchestrator, the Silver Peak Cloud Portal, and administrators’ web browsers are protected with TLS 1.2. In addition, role-based access control and whitelisting specific applications reduces the risk of security breaches.
  • Security certification and compliance with industry regulations, including HIPAA, PCI DSS, SOX and GDPR and FIPS 140-2            

EdgeConnect automates the integration of SD-WAN and security appliances with drag-and-drop service chaining. The unified solution may be either co-located at branch offices, or larger hubs/data centers, or if  all applications are internet-bound traffic, for example, through a cloud-based security service, such as Z-Scaler for layer 7 access control and threat filtering. EdgeConnect can also auto-discover the closest Z-Scaler ZEN PoP and automatically configure secure tunnels for any application within Orchestrator.

These capabilities enable enterprises to easily orchestrate appropriate security policies, from any branch location for more than 13,000 SaaS applications. So choosing the right SD-WAN platform that takes a holistic approach to security, can strengthen enterprise WAN security in a cloud-first environment and pave the way for advancing digital transformation initiatives.

Do you want to take the next step in your SD-WAN journey and become the SD-WAN expert on your team? Silver Peak is hitting the road with a series of COMPLIMENTARY half-day workshops, featuring a hands-on guided lab experience and deep dive into the Silver Peak Unity EdgeConnect™ SD-WAN edge platform. Register here to save your seat!

1 Frost & Sullivan global enterprise SD-WAN survey, 2018