Zero-Trust Network Access

Why SD-WAN Needs a Software-Defined Perimeter (SDP)

Share with your network!

The 2018 Guide to WAN Architecture and Design revealed that increasing security is one of the primary benefits that organisations are looking for when they adopt a Software Defined WAN (SD-WAN). But in fact, most SD-WAN solutions don’t inherently increase security and have a limited, site-centric scope. To significantly increase security, IT organisations that are evaluating SD-WAN solutions must simultaneously evaluate Software Defined Perimeter (SDP) solutions.

Inadequate SD-WAN Security

SD-WAN solutions typically incorporate one or more of the following three approaches to security:

  • Do nothing and rely on the existing security functionality
  • Rely on traditional security functionality that is virtualised and hosted at each branch office
  • Leverage cloud-based security functionality, such as cloud-based firewalls, secure Web gateways and Cloud Access Security Brokers (CASBs)

Except for some of the cloud-based security functionality, none of the above approaches provides any new security functionality. As a result, if network organisations adopt an SD-WAN solution that relies on these approaches they will not achieve their goal of providing increased security.

Requirement to Support Remote Workers

Another significant limitation of SD-WAN solutions is their limited scope. Currently 70% of people work remotely for at least one day a week. As a result, any major upgrade that an organisation makes to its WAN must address this large and growing population. However, most SD-WAN solutions don’t provide either connectivity or security to remote workers.

Evaluating Security Solutions

When evaluating solutions to enhance the security of SD-WANs, there are two critical objectives to consider.  One objective is adding functionality that eliminates the deficiencies of the current WAN. The other objective is minimising the complexity of the security solution because complexity results in gaps in security and new attack vectors.

The Lack of a Well-Defined Perimeter

One of the major deficiencies of the current approach to security is that it assumes that the enterprise has a well-defined perimeter. The fact that most enterprise’s employees are remote combined with the overwhelming use of cloud computing means that this assumption is no longer valid.  To overcome this deficiency, network organisations must adopt a Software-defined perimeter that follows the user device, regardless of location.

The Failure of Trust

Another major deficiency of the current approach to security is that it assumes that everything inside of an organisation’s network can be trusted. One implication of this assumption is that once threats get inside the network they are left unseen, uninspected and free to morph and move wherever they choose to attack the organisation. 

To overcome this deficiency, network organisations must adopt a zero trust security model whereby all access is denied unless it is explicitly granted and the right to have access is continuously verified. An effective zero trust model also must support a range of access functionality including single sign-on, multifactor authentication and correlation between access and users.

The Advantage of a Software-Defined Perimeter, delivered As a Service

Some Software-Defined Perimeter solutions leverage the cloud to deliver secure access to applications and network resources. This approach leverages the huge operational  and technological advantages that are associated with the movement to provide all forms of IT functionality as a service. Since it is provided by a third party, part of the value of using a NaaS solution is that it frees network organisations from the complexity of configuring and managing the enabling infrastructure.

There are several reasons to implement a cloud-delivered SDP. A couple of the reasons were previously mentioned: It provides critical security functionality that SD-WANs don’t provide, and it reduces complexity. Another reason is that in addition to providing enhanced security functionality to an organisation’s branch office employees, a cloud-delivered SDP solution can provide both security and connectivity to an organisation’s remote workers. In addition, over time such a solution can mitigate the need for a separate SD-WAN solution.

Last but not Least

One of the most important goals that IT organisations are looking to achieve when they upgrade their WAN is increased security. Unfortunately, SD-WAN solutions on their own don’t enable IT organisations to achieve this goal in part because they don’t increase security and in part because their scope is typically focused just on providing connectivity to branch offices. As a result, organisations that are evaluating SD-WAN offerings need to also evaluate additional solutions that provide enhanced security functionality to all users, whether they reside in a branch office or work remotely.

When they evaluate security solutions, IT organisations should look for three key characteristics.  First, to respond effectively to their lack of a well-defined perimeter, the security solution that IT organisations adopt must feature an SDP. Second, to eliminate the vulnerabilities that are created by a security model that is based on trust, the security solution must be based on a zero-trust security model. Third, to minimise complexity and the associated security vulnerabilities, IT organisations should look closely at acquiring this functionality as part of a NaaS-based solution, particularly if over time, that solution can negate the need for a separate SD-WAN solution.