Choose Your Optics: Security Through the SD-WAN Lens in a Hybrid IT World

istock 487774834

When we gaze at the crowded eye-chart of technologies commonly associated with digital transformation, few of the markets we follow have been frothier over the last two years than SD-WAN and cybersecurity.

The rate of change is remarkable by any long-range indicator: revenue growth rates, investment, acquisition and consolidation activity, and innovation speed. Clearly the essential elements of an extended software-defined network deployment and its critical security posture are inexorably intertwined in the future fabric of a cloud-native, Hybrid IT application delivery world.

Unfortunately, many business technologists have a problem of mismatched optics when considering these two arenas. SD-WAN is still too often thought of as an extension of legacy router-based networks and Telco engineering stacks, and cybersecurity often lacks the needed segmentation to support a hybrid architecture beyond the network perimeter or app login.

Just like modern optometry, businesses now have a much greater array of innovative options for viewing security through SD-WAN lenses in today’s hybrid IT environments, where applications and their network definitions are in a state of constant flux.

How can we make the right choices here to see a clearer future state?

Security stretched thin with more open contact points

No illusion: Vulnerabilities across the enterprise WAN keep becoming more difficult to spot, as cybersecurity zooms out to take in the view of today’s hybrid IT environments, which often span multiple historic and acquired generations of applications.

Increasingly, enterprises are replacing monolithic data center-based applications with Saas-based services and cloud-native instances such as Kubernetes, running containers and microservices in ephemeral software-defined infrastructure that can appear and disappear rapidly in on-premises bare metal, in a cloud IaaS or over broadband on remote edge devices.

While all of these dynamically changing elements increase the agility of the business to connect and tailor technology services for customers, they also greatly open up the attack surface. Faulty code and exploitable components await hackers conducting automated scans, looking for their next beachhead.

The landscape is moving so fast now that incumbent security vendors can’t keep up. Startup companies are addressing new threat vectors in databases, containers and devices, but getting acquired as fast as they come out, as larger platform players fill use cases at the edge of their own technology stacks.

This is natural in an arena under constant pressure to innovate ahead of attackers. The average enterprise CISO already has 47 different security tools — and it can be frustrating to bring such a mixed arsenal to bear exactly where and when it is needed most.

Fortunately, we can draw on the benefits of an open source and industry community that is also tackling security as a global problem, rather than a solely proprietary problem.

Walk the floor of an RSA or Black Hat conference, or sift through the MITRE ATT&CK framework, and you find thousands of talented contributors working to document and circumvent the attack playbook, from intrusion detection, to API protocols, data protection and mobile device management.

That’s great news for identifying attack vectors, but it doesn’t solve the management problem of so many security tools at the network edge.

Clearing the fog with the right tools for the application

As we shift applications away from server racks running in data centers, it’s tempting to take a nostalgic view of the days and weeks required to set up and secure hardware-centric environments back in the day — with physical isolation, firewalls and network fencing.

Today’s network and security setups are now far faster, but these complex deployments only improve business agility if they are secure by design.

One key success factor of this migration is the SD-WAN’s ability to provision the best security for the job as part of each new service or network extension, as conventional network and application security installations can now seamlessly co-exist with cloud security service providers such as Zscaler, Check Point Software and Palo Alto Networks that are commonly found in cloud migration scenarios.

Freedom of choice also includes supporting leading authorization and identity services, which may or may not manage access to leading SaaS business suites, for instance Salesforce, Google Apps or Microsoft Office365.

One regional branch office may be best served by a direct connect to O365 applications, and also a secure tunnel to the nearest proximity remote container deployment of a customer data service application on the network edge. The SD-WAN solution should be able to flexibly serve up the best performing application instance for the job, with the most appropriate security orchestration.

SD-WAN orchestrating secure policies with POP

The paradigm of centrally managed software, with locally installed server and device-level security is fading away. The best practice for SD-WAN today supports a business value-driven application availability proposition that works hand-in-hand with secure policies, at the ideal POP (point of presence) to protect all entities on the extended network.

Routing and security policies should be centrally orchestrated by the network, while allowing cloud-based and privately hosted application instances to keep their appropriate security policies and countermeasures intact.

An SD-WAN like the Silver Peak Unity EdgeConnect™ edge platform can centrally automate application functionality, with application requests and workloads dynamically micro-segmented, and securely tunneled to the POP that is prioritized as the closest, most cost efficient, highest performance AND highly secure service instance. Dynamically updating changes across the network assures that users can always connect to applications without manual IT intervention.

From the first introduction of any given network request, user session, data ingress or egress, the SD-WAN is making instant decisions on security, routing work to flow freely through its point of least resistance while directing suspicious or malicious traffic by policy to the security jurisdiction most suited to detect and remediate any impact.

The Intellyx Take

With so many security tools and options in play for cloud-native and Hybrid IT environments, enterprises are starting to lean on the inherent capabilities of advanced SD-WAN solutions as a lens for defining and orchestrating secure policies that touch all branches of a heterogeneous, distributed application suite.

The most sustainable approach to security will not just depend on technology selections but cultivating employee expertise and an ecosystem of partners with the vision to provide clearly defined and auditable security controls to the business-driven network, with actionable results.


Copyright © 2020 IDG Communications, Inc.