SD-WAN products have been available for the better part of five years. Early adopters of the technology focused primarily on transport-related issues such as replacing or augmenting MPLS with broadband. As any technology matures and moves out of the early adopter phase, the buying criteria changes \u2014 and SD-WAN is no different.\nIn 2018, a ZK Research survey asked respondents to rank SD-WAN buying criteria, and security came out as the top response, well ahead of technology innovation and price. (Note: I am employee of ZK Research.) To better understand this trend and what it means to network professionals, I sat down with Fortinet\u2019s executive vice president of products and solutions, John Maddison, who sets the company\u2019s product strategy, making him well versed in both SD-WAN and security.\n\nZeus Kerravala: What is the current state of SD-WAN?\nJohn Maddison: As digital transformation took hold, it became clear that traditional links to branch offices could not support the complex connections required by today's businesses. Something as simple as a split tunnel, where a branch office has a dedicated link back to the corporate headquarters, and a live connection to the internet could undermine the security of the entire organization.\nSD-WAN provides things like support for advanced business applications, the ability to move latency-sensitive data such as voice or video over to reliable, high-speed links, and bonding multiple connections together \u2014 such as links to the core network, connections to multi-cloud networks and services, and live connections to the Internet and mobile devices \u2014 into a single, integrated package.\n Fortinet\n\nJohn Maddison, executive vice president, Fortinet\n\n\nThe biggest challenge we see organizations facing is the result of trying to apply a consistent security framework to this new environment. It needs to not only secure the primary SD-WAN connection, but also be integrated into whatever security solutions that have been deployed elsewhere, such as in the cloud or at the remote network. This allows organizations to implement a single security strategy that includes application protection, web filtering, sandboxing, network access control, SSL inspection, and solutions such as NGFW, IPS, and VPN to protect applications, workflows, and data in motion.\nAs the shift from early adopter to mainstream happens, how does the market change?\nThe\u00a0initial wave of SD-WAN was very transport-centric.\u00a0It was primarily driven by a desire to shift away from MPLS to a combination of MPLS and broadband for more flexibility regarding adopting new applications and services to support digital business requirements.\u00a0Now that businesses are using SD-WAN in production, however, there is more focus on security.\u00a0The branch office cannot become the new weak link in today\u2019s interconnected and distributed networking model.\u00a0There is also a growing interest to extend SD-WAN to LAN and redefine the entire branch with SD-Branch, which provides consistent security, unified policy and\u00a0unified management.\u00a0\nNow that security is a core requirement for SD-WAN, what kind of new challenges have been created?\u00a0\nThe biggest challenge is that traditional security solutions are no longer enough. Legacy security solutions just do not have the performance, flexibility, or interconnectivity that SD-WAN connections require. And to make it more challenging, they very often can't see past the edge connection. It's why we have been developing intent-based segmentation. This strategy can isolate a user, application, workflow, or data based on a number of parameters to provide security along its entire transaction path. Traffic can be forced to conform to specific behaviors, or be isolated to specific users or destinations, to ensure consistent policy application and enforcement from beginning to end.\nThe biggest challenge [for SD-WANs] is that traditional security solutions are no longer enough."\nCan you please expand on user- and intent-based segmentation: what it is, and the benefits it provides?\nWhen a user initiates or receives a transaction, it needs to travel across the public network. Traditional security tools can harden a connection, inspect traffic, and identify and prevent malware or traffic hijacking, but that\u2019s often not enough. Given the growing volume of traffic and the density of other devices traveling through those same connections, it can be easy to lose track of traffic.\nIsolating a user, application, or workflow allows organizations to see and control the devices that can interact with that connection, makes it harder for criminals and insiders to intercept, steal, or corrupt that data, and helps ensure that data and resources are managed and secured as they move across an increasingly expanding network of connected ecosystems. Intent-based segmentation is intelligently segmenting IT assets based on the intent of the business objectives and desired security processes with granular access control to prevent the proliferation of lateral threats spreading in the network.\nWhat kinds of threats does this protect against?\u00a0\nThere are a wide variety of security issues that intent-based segmentation can protect against, including insider threats and even spillover from malware that may have infected some other segment of the network. Intent-based segmentation ensures that cyber criminals who infiltrate the network are quickly detected to prevent the lateral spread of security threats.\u00a0 \u00a0\nOne of the challenges security teams face is that they are already overwhelmed with too many security tools. Doesn't this exacerbate the problem?\nThe real problem is trying to secure a distributed network using tools that were never designed for that. What tends to happen is that security is either applied only at the gateway, which reduces deep visibility into the network, or different tools get selected and deployed for different parts of the network. IT teams can quickly be overwhelmed by security sprawl, and as a result, tools don\u2019t get updated or optimized, or there is inconsistency in enforcement.\nWhat's needed is a single security platform that can provide the consistent enforcement of the policies, regardless of where security solutions have been deployed, and then be managed using a unified management and orchestration console. Security at the core, in the cloud, and at the branch needs to be deployed, implemented, managed and optimized like a single holistic system. Of course, this is easier said than done. Native controls in different cloud environments, for example, can vary wildly. Security solutions need to be carefully chosen based on their ability to be applied and managed consistently regardless of where they are deployed.\nAny other advice you would like to pass on to our readers about SD-WAN?\nOne of the biggest challenges facing organizations considering an SD-WAN solution is wading through all of the marketing hype. New platforms tend not to be very well defined, resulting in vendor solutions that can be very different from one another. Security is an especially challenging issue, as it has recently been identified as one of the top concerns of organizations deploying an SD-WAN strategy.\nOf the more than 60 vendors currently providing SD-WAN solutions, few of them offer any sort of integrated security strategy. While most provide basic VPN connections and some simple stateful security, they do not natively address the majority of security issues that today\u2019s digital businesses are being exposed to. Instead, they depend on other vendors to provide functions such as intrusion prevention, next-generation firewall, web filtering, malware analysis, SSL and IPSec inspection and sandboxing.\nBut given the current security skills gap, this can be a disaster waiting to happen. Deploying advanced security across public networks to next-gen branch offices is not trivial. Deployment, configuration, and optimization alone creates personnel and financial overhead that many organizations just do not have the resources to manage. But any gaps in these can make SD-WAN connections vulnerable to attack.\nInstead, organizations should look for solutions that meet their resource constraints through simple, integrated security and SD-WAN solutions tied together into a single platform.