The average cost of a data breach in 2018 is $3.86 million USD according to IBM & Ponemon Institute. This staggering statistic helps drill home the importance of securing IT infrastructure and the costs of not doing so. As workloads become more dispersed, with many businesses outsourcing infrastructure to the cloud by using AWS, Office 365, Azure, G-Suite, etc., the challenge of securing a WAN can become more complicated.
As the industry moves away from the old MPLS (Multiprotocol Label Switching) paradigm, and SD-WAN popularity continues to soar, it is important to understand how to best secure the data that traverses your WAN without unnecessarily sacrificing performance or adding complexity. Premium, cloud-based, SDWaaS (SD-WAN as a Service) is a holistic WAN solution that is uniquely capable of offering enterprise-grade security in a converged, scalable, and efficient manner.
To help explain the advantages of SDWaaS, we’ll first dive into the legacy, appliance-based DIY approach to SD-WAN, the associated security challenges, and then review the features of SDWaaS that help make a converged and secure SD-WAN infrastructure possible.
The appliance-based SD-WAN approach to security
The DIY approach to SD-WAN involves enterprises deploying and maintaining SD-WAN appliances to more efficiently (when compared to MPLS) route Internet-bound traffic. The old MPLS solution generally entailed organizations backhauling data through corporate datacenters or headquarters before then routing it on to the public Internet. This approach creates the “trombone routing” problem many enterprises have struggled with and is inefficient both from a cost and performance aspect.
While DIY SD-WAN solves the trombone routing problem, it generally does not come prepackaged with integrated security. What does this mean? Enterprises are left to craft their own security solutions to add security to their WAN infrastructure. Deployment of security devices in an unconverted, site-by-site manner can lead to a hodgepodge of solutions that are difficult to scale and maintain at the enterprise level. These challenges only become greater when they are compounded with the difficulties of onboarding mobile users or adding new locations (for example when mergers and acquisitions occur). At best, this approach enables enterprises to gain security while also adding complexity and a maintenance burden. At worst, this approach leads to gaps in the security plan and vulnerabilities.
The security benefits of SDWaaS
Given its position in the cloud, SDWaaS is inherently designed to enable a holistic, converged, and scalable approach to SD-WAN. The SD-WAN services (e.g. Policy-based Routing) enterprises expect from any SD-WAN solution are integrated with robust security stack creating an all-in-one, easy to manage solution. Not only does this minimize the potential for blind spots, but it also helps to make an enterprise WAN more secure than the alternatives.
For example, premium SDWaaS providers have Points of Presence (PoPs) across the globe that are connected using fully-meshed encrypted tunnels. Premium SDWaaS providers only allow authorized users to access their SLA-backed, Tier 1 ISP (Internet Service Provider) supported backbones. Further, these backbones are protected using advanced anti-DDoS (Distributed Denial of Service) and DPI (Deep Packet Inspection) technologies.
Further, premium SDWaaS is secure even at the ever-popular “Edge” of networks. Customers using premium, cloud-based SDWaaS connect using encrypted tunnels or via IPsec-enabled devices (e.g. firewalls and mobile clients). The variety of options available here ensure enterprises have the flexibility they need to implement am SDWaaS solution that meets their specific needs.
Advanced SDWaaS security features
Finally, premium SDWaaS networks come with a variety of InfoSec features baked-in. This means enterprises don’t need to allocate additional resources to source and provision them. These features include:
- Next Generation Firewalls (NGFWs)– NGFWs enable enterprises to define and isolate specific LAN segments, which can be vital when dealing with regulatory requirements or sensitive data. NGFWs also enable application and user awareness which means policies that take context into account can be created. NGFWs not only add security, but they also enable security to be implemented in a manner that allows for extensibility and contextual awareness.
- Secure Web Gateways (SWGs)– SWGs act as filters that can block access to websites based on predefined lists and/or categorizations. Users may not love this feature (Netflix is totally work related!), but admins will certainly appreciate it.
- Advanced Threat Protection- This feature refers to the various heuristics that allow SDWaaS solutions to detect and address threats to a network. Anti-malware and Intrusion Protection Systems (IPSs) fall into this category. Threats can be identified based on behavioral characteristics and then contained.
- Security Analytics– Networking and security events are logged and used by premium SDWaaS solutions for incident analysis and troubleshooting. This granular approach to capturing data coupled with advanced analytics techniques enable enhanced threat detection and root cause analysis.
The takeaway: SDWaaS enables converged, secure WAN infrastructure
By coupling the security solutions enterprises would otherwise have to source and provision on their own, with a robust and resilient cloud-based SD-WAN solution, SDWaaS enables organizations to benefit from a converged and secure WAN infrastructure without dealing with the complexity tradeoffs associated with adding security after the fact.