Secure, optimized connectivity has historically been a dominant concern for networking teams. Thanks to the rise of software-defined wide area networking (SD-WAN) - a technology I had a hand in shaping - this has become easier to achieve.
The enterprise is now borderless, where users, devices, sites, and clouds are all creating any-to-any connections with new access control requirements. Digital innovation has led to the proliferation of apps and IoT devices where the cloud and web have become an encyclopedia of applications, and networking teams face a new set of challenges.
SD-WAN allows for the management and optimization of a wide area network over MPLS and low cost internet links, and its evolution can be characterized in three stages:
1. The age of costly MLPS: Prior to SD-WAN, enterprise traffic was typically transferred from branch offices to data centers over a costly Multiprotocol Label Switching (MPLS) link. Increasing demand for voice, video collaboration, and cloud applications resulted in a need for increased WAN bandwidth in the branch, but MPLS became expensive, static, and lacked application level visibility and control.
2. From MPLS to SD-WAN: In response to the high cost of MPLS, SD-WAN was born. SD-WAN augmented MPLS with high-bandwidth inexpensive internet links, allowing users in branches to connect directly to distributed on-premise and SaaS applications. SD-WAN's goal was to deliver the same level of performance and security over commodity broadband links, which it efficiently achieved with application aware visibility and control.
Traditional SD-WAN supported visibility for a few thousand applications, which served well at the time, but the sheer volume of cloud applications and IoT devices has since exploded. Organizations are now experiencing immense frustration when it comes to extending the same level of security and optimization to every remote user, device, sites or multi-cloud environment.
3. Context awareness: SD-WAN architecture now needs to evolve so that zero trust security, speed, and network optimization is built-in and an essential part of connectivity, not a bolted-on afterthought. SD-WAN was not built to provide visibility and control for 10s of thousands of applications, or millions of IoT devices, or to extend high performance connectivity for mobile users. The enterprise network requires a rethinking of how we build the modern network that allows for networking and security to tightly integrate based on zero trust principles, which I will explore below.
Parag Thakore is Senior Vice President of the Borderless WAN Business Unit at Netskope.
From being app aware to Zero Trust context aware SD-WAN
You can’t prioritize or secure what you can’t discover. Teams determining network prioritization and security policies need granular insights to drive these and achieve the dual goals of security and performance without trade-offs. Zero trust-enabled, context-aware SD-WAN provides fast, reliable, and secure access to any application and device at any location, with full visibility and the right set of controls. This is possible using contextual policies that include understanding of applications, application risks, user, user risk, device, and device risk, all of which make network operations more intelligent and more secure.
To achieve the necessary visibility to underpin this next generation of SD-WAN, new integrations between networking and security are needed, allowing networking teams to tap into the security teams’ granular, context-aware insights to create adaptive policies that deliver uniform security and improved quality of experience. Despite historic disagreements, networking and security teams are surprisingly united on this as the future.
What does this evolution look like in practice?
Picture a large bank with more than 25,000 remote contact center agents. With customer experience riding on the agents’ network performance, the company deploys old school SD-WAN into everyone’s homes, sending each employee a physical SD-WAN device. IT admins are now maintaining VPN clients, SSE clients and SD-WAN appliances. These disparate technologies are complicated and costly, and the architecture lacks end-to-end visibility. It is also inefficient in identifying and resolving cybersecurity and performance-related incidents.
When users work from home or from a cafe, they should have the same level of high performance connectivity and security as they’d receive in the branch office. Switching to a single software-based SASE agent that includes all the benefits of SD-WAN, SSE and at the same time replaces VPN on the employee’s laptop, provides consistent high performance connectivity, security and access policy, reduces administration burden and remote hardware management logistics.
Brighter days are ahead
Securing and optimizing connectivity for users, sites, and devices to enterprise and cloud resources doesn’t have to be difficult. If enterprises converge their security and networking capabilities through SASE with granular contextual awareness, SD-WAN will get a whole new lease of life, delivering a more consistent and secure employee experience.
