Cloud-Based Security in the SD-WAN Era
Shamus McGillicuddy | October 22, 2019
Shamus McGillicuddy is a senior analyst for the network management practice at Enterprise Management Associates (EMA).
With SD-WAN, the days of stacking multiple security appliances at every branch office are over. SD-WAN solutions excel at orchestrating various native and third-party network and security services, and this capability is driving many enterprises to adopt cloud-based security services. In fact, EMA research found that 24% of distributed enterprises already prefer to consume security as a cloud-based service, rather than an on-premises technology.
As enterprises transform their networks with SD-WAN, they will find that remote site security is no longer about appliances. SD-WAN can integrate various security solutions onsite as a virtual network function, such as a firewall, but it can also integrate cloud-based security services.
How does this work? SD-WAN allows an IT organization to set global security policies across all sites for different classes of traffic. In many cases, the security technologies that enforce these policies can live in the cloud. For instance, SD-WAN can route basic web browsing traffic to the nearest point of presence (PoP) for a cloud-based secure web gateway. Traffic between a remote site and an enterprise application hosted in an IaaS environment can be routed to the nearest PoP for a cloud-based cloud application security broker (CASB) service. When an SD-WAN vendor partners with and integrates with cloud-based security providers, these policies are easier to implement.
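The steering decision described above, as an added sketch that is not taken from the article or from any SD-WAN product: a global policy maps each traffic class to a cloud security service, and each site sends the flow to the lowest-latency PoP offering that service. The site names, PoP names, round-trip times, the use of RTT as a stand-in for "nearest", and the fail-closed default are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Global policy, set once for all sites: traffic class -> inspecting service.
# The two classes are the article's examples; the names are hypothetical.
GLOBAL_POLICY = {"web-browsing": "swg", "iaas-app": "casb"}

@dataclass(frozen=True)
class PoP:
    name: str
    services: frozenset  # security services this PoP offers

# Constructed sample data: provider PoPs and per-site round-trip times (ms).
POPS = {p.name: p for p in (
    PoP("pop-fra", frozenset({"swg", "casb"})),
    PoP("pop-nyc", frozenset({"swg"})),
    PoP("pop-sin", frozenset({"swg", "casb"})),
)}
SITE_RTT_MS = {
    "branch-berlin": {"pop-fra": 9, "pop-nyc": 92, "pop-sin": 170},
    "branch-boston": {"pop-fra": 88, "pop-nyc": 7, "pop-sin": 230},
    "branch-lima": {"pop-nyc": 60},  # only one PoP reachable
}

def steer(site, traffic_class):
    """Return (service, pop_name), or ("block", None) if nothing can inspect the flow."""
    service = GLOBAL_POLICY.get(traffic_class)
    if service is None:
        return ("block", None)  # assumption: unclassified traffic fails closed
    reachable = [(rtt, name) for name, rtt in SITE_RTT_MS[site].items()
                 if service in POPS[name].services]
    if not reachable:
        return ("block", None)  # no PoP offers the required service
    _, nearest = min(reachable)  # lowest RTT stands in for "nearest"
    return (service, nearest)

def coverage_gaps():
    """List (site, traffic_class) pairs the global policy cannot enforce."""
    return [(site, tc) for site in SITE_RTT_MS for tc in GLOBAL_POLICY
            if steer(site, tc)[0] == "block"]

if __name__ == "__main__":
    for site in SITE_RTT_MS:
        for tc in (*GLOBAL_POLICY, "unknown"):
            print(site, tc, steer(site, tc))
    print("gaps:", coverage_gaps())
```

Running `coverage_gaps()` before rollout surfaces sites where a global policy cannot be enforced because no reachable PoP offers the required service.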
In fact, 95% of distributed enterprises expect their SD-WAN technology to integrate with third-party security solutions or offer native security technology. Many of them prefer SD-WAN technology to integrate with a cloud-based security service. This represents a significant shift from just a few years ago, when mainstream enterprises viewed cloud-based security skeptically.
EMA research found that the cloud-based security services that enterprises are most interested in integrating with their SD-WAN technology include CASBs, advanced threat protection, malware protection, secure web gateways, and intrusion detection.
The Appeal of Cloud-Based Security
There are a variety of benefits to cloud security services. First, enterprises can convert security spend from capital to operational expenses. Depending on the budget strategies of an IT organization, this can be beneficial, since enterprises can pay for what they consume rather than what they own.
Administrative overhead shrinks, too, since security teams don’t have to maintain these cloud services. The service provider handles software upgrades and patches and rolls them out to customers on a regular basis, often without downtime.
Cloud-based security also offers scalability. As global WAN traffic increases or decreases, an enterprise can grow or shrink the capacity of its cloud security service rapidly, without having to provision additional hardware resources onsite.
An enterprise can also expand its security architecture with cloud-based technology. For instance, security services are not confined to remote sites and enterprise locations. The same services can be applied to corporate-managed and unmanaged devices at the extreme edge, from users in coffee shops to sensors on vehicles. All traffic can be routed to the nearest cloud-based security PoP.
Given that cloud-based security providers deliver their service from PoPs in multiple geographies, enterprises can improve end-user experience. Rather than backhauling traffic to the nearest corporate location with on-premises security appliances, enterprises can route traffic to the nearest cloud security PoP, which will shorten the distance traffic must travel and reduce latency.
Migrating to Cloud-Based Security
There is still some heavy lifting to do. EMA does not recommend that adopters of SD-WAN rip out all their installed security solutions and replace them with cloud-based security. First, it can be difficult to manage multiple cloud-based services. If an SD-WAN provider has strong cloud security partnerships, making it easier to provision, service chain, and manage multiple security offerings, then the barrier to entry will be lower.
However, enterprises should not neglect existing on-premises security infrastructure. The SD-WAN team should take steps to make sure the technology integrates with incumbent security solutions. EMA believes that many enterprises neglect this aspect of an SD-WAN project. In fact, “integration with existing security architecture” is the most challenging aspect of an SD-WAN implementation, according to EMA research.
EMA also recommends that enterprises establish best practices and document processes for ownership of the security solutions that SD-WAN orchestrates. In many enterprises, ownership of such services may transfer from the security team to the network team, or these services may be co-managed by the two teams. A third group, such as IT service management, may be called upon to define engineering and operational responsibilities. During this transition, everyone needs to get on the same page.
Enterprises should keep in mind that not all cloud-based security services are created equal. IT leaders should interrogate providers about how their services are architected. Some providers will service chain multiple technologies in their PoPs, while others will integrate various security services together using more modern cloud architectures. These design choices can impact the performance of their services and the policy design complexity. Also, IT leaders should ask providers about their cloud footprint. Enterprises will often need a cloud security provider with PoPs that are close to the bulk of their end users.
Unfortunately, EMA sees some signs that the first wave of SD-WAN adoption failed to heed these warnings. Our research found that enterprises that have already completed an SD-WAN implementation are more likely than other enterprises to have experienced a security breach at a remote site over the last two years. This finding suggests that enterprises are stumbling as they transform security with SD-WAN. They need to take a more iterative approach, especially as they transition from installed appliances to cloud-based security.