How Security Appliances Limit Network Visibility, and the Promise of Cloud-Based SD-WAN

How Security Appliances Limit Network Visibility, and the Promise of Cloud-Based SD-WAN


Most organizations’ networks are rapidly growing in complexity. In the past, most of an organization’s network infrastructure was contained within the network boundary and operated on fairly homogeneous systems. In the modern network, internal resources can be hosted anywhere in the cloud, and the network may have computers, mobile devices, Internet of Things devices, and cloud-based applications connected to it.


Securing this new type of network is much more difficult. Many organizations have addressed this problem by deploying a range of specialized point security solutions. However, this has a significant negative impact on its network visibility.



The Race to the Cloud


One of the major driving factors for the switch to SD-WAN is the rapid adoption of cloud computing. As an organization’s infrastructure increasingly moves from on-premises data centers to cloud environments, the way that the organization’s network is used changes dramatically. In the past, routing all traffic through the headquarters office made sense since the destination of this traffic was likely servers within the headquarters network. This made it easy to secure this traffic as well since it all could be routed through security appliances deployed on the headquarters network perimeter.


In the modern world, where over 96% of organizations are using some form of cloud computing, this model no longer works. A large percentage of an organization’s traffic may originate from a location external to the headquarters network (branch locations, mobile devices, etc.) and be directed to another external location, like cloud services. Routing all traffic through the headquarters network for cyber defense and auditing purposes is no longer work due to the dramatic impact on latency.


Limitations of “Standalone” Security



In response to the growth of cloud computing and the need to secure sprawling networks, many organizations have turned to point security products. These standalone appliances are deployed throughout the network, eliminating the need to route traffic through the headquarters network for security purposes.


However, this approach to security is not scalable. The average enterprise has deployed 75 different security products to secure their network. Many of these security products, like next-generation firewalls (NGFWs) and unified threat management (UTM) security appliances have a very localized area of impact, meaning that another standalone device is needed for each network location.


Each additional security appliance deployed on an organization’s network can generate significant and long-lasting costs to the organization. Every appliance must be independently purchased, configured, and deployed to its proper position in the network. Since many of these devices are not designed to interoperate, they may also need to be individually managed and monitored. As organizations’ networks grow more complex and diverse, including cloud, mobile, and IoT devices, the number of specialized point security products needed to address specific security edge cases or operate on different platforms grows dramatically. As this patchwork network of security solutions grows, an organization’s visibility and control of its security decrease, placing it at greater risk of attack.


Achieving Security Visibility with Cloud-Based SD-WAN



The main challenge associated with deploying security appliances is that they have to run on infrastructure under the organization’s control. Since the modern organization’s network infrastructure is spread out over on-premises servers and workstations, mobile devices, cloud computing, IoT devices, and possibly other systems, it is difficult or impossible to find a single security solution that works in all environments and covers all potential security use cases.


As a result, organizations deploy a mess of specialized point security solutions. In the cloud alone, this may require multiple different solutions for different cloud platforms (AWS, Azure, etc.), which is why only 20% of organizations have full visibility into their public cloud deployments. Moving security to the networking infrastructure is one way to solve this problem. A software-defined wide-area networking (SD-WAN) solution with integrated security means that an organization can standardize their security by performing all inspection on traffic as it flows over these links rather than at the endpoints themselves. This approach is more scalable and dramatically improves security visibility.


However, this only works for traffic that is flowing over an organization’s SD-WAN. With mobile and the cloud, a user may not need to connect via the SD-WAN, and forcing them to do so can have significant performance impacts. The reach of an organization’s SD-WAN is limited by where the organization can deploy the necessary technology. Forcing a user to connect to a distant SD-WAN entry point can have similar latency impacts to routing all traffic through the headquarters network.


This is why cloud-based SD-WAN is an ideal solution to the problem of security visibility and network performance. Security integrated into the SD-WAN solution enables full visibility and consistent security policy enforcement across all environments. A cloud-based SD-WAN with points of presence (PoPs) deployed in the cloud can have wide geographic coverage, so forcing users to send traffic over SD-WAN links has minimal performance impacts.


Solving the Network Visibility Issue


As organizations’ networks become more complex, maintaining full network and security visibility becomes more complex. Different environments often require different security solutions since many products cannot operate on every device in an organization’s network. By moving security monitoring and policy enforcement to the network links, an organization can standardize their security infrastructure. However, accomplishing this without causing unacceptable degradation in network performance requires a cloud-based SD-WAN, which uses geographically distributed points of presence with integrated security to meet an organization’s networking and security needs.

...

item