Network Essentials: SD-WAN and Zero Trust

In the world of business, what is considered essential changes over time. Most businesses haven’t used paper accounting ledgers, fax machines, or phone books for years, for example. And now, in many cases, office space isn’t even essential.

The move to remote work caused by the pandemic led many organizations to invest in modern networking and security technologies. And protecting digital assets is becoming increasingly urgent as security threats such as ransomware continue to escalate at the same time traditional network perimeters and the security they provide continue to dissolve.

Network and security support for “work from anywhere” is rapidly becoming a business essential. It’s no longer a choice between having an option that is good for remote workers or one for a mainly in-office situation. Now organizations need solutions that can adapt to different work models with the flexibility to securely address all workforce scenarios. And to provide simplified operations, consistent policy and protection, it’s critical to have unified management for remote users, branches, cloud, and data centers.

The Need for SD-WAN and ZTNA

To support hybrid work models, organizations need both software-defined networking in a wide area network (SD-WAN) and Zero Trust Network Access (ZTNA) capabilities for more secure access and a better experience for remote users, whether they are on or off the network.

SD-WAN has been one of the most rapidly adopted technologies of the last decade. According to a 2020 IDG Research Services report, SD-WAN adoption increased from 35% to 54% between 2017 and 2019. And a recent IDG survey indicated that 95% of respondents expect to shift to SD-WAN within the coming two years.

SD-WAN provides a platform for organizations and service providers to deliver rich services over any WAN link, including broadband. Security is essential for SD-WAN. Most traditional SD-WAN solutions include little to no security. But now organizations don’t just need to use SD-WAN to support traditional branch offices, they use it to enable the home office as the new “branch of one.”

However, combining security with SD-WAN can be difficult.  Few SD-WAN vendors offer a solution that includes a full suite of enterprise-grade security. Instead, most either offer extremely basic (and largely unvalidated) security or, worse, leave security up to the consumer. Even fewer offer a security solution that works seamlessly with SD-WAN connectivity to ensure that dynamic environments don’t leave security tools struggling to keep up—creating security gaps that are easy to exploit.

Supporting Users, No Matter Where They Are

Today’s remote workforce is all about user experience, which means they require networking solutions that work consistently and efficiently. Ultimately, this requires an SD-WAN solution that is responsive to issues like latency and provides granular application access from branch offices and home networks. Features such as advanced cloud on-ramp, secure local internet breakout and application steering on first packet including encrypted traffic also help to optimize application performance and user experience. Whether the applications are hosted on-premise or in the cloud, an ideal SD-WAN solution takes an application-aware approach to manage and monitor traffic to make sure the user experience isn’t compromised.

More users access cloud-based applications that store, transmit, and process sensitive information, which makes them a primary target for threat actors. The security deployed in the cloud to protect applications and cloud infrastructures must share and correlate threat information with the protection embedded in SD-WAN to prevent the spread of malware. The seamless handoff of security policies and protocols between different network environments helps avoid security bottlenecks that degrade performance.

Moving Away from VPNs

ZTNA has received more attention lately because of the rise in remote working. It’s a way of controlling access to applications regardless of where the user or the application resides. The user may be on a corporate network, working from home, or someplace else. The application may reside in a corporate data center, in a private cloud, or on the public internet.

Although traditional VPNs have been around for decades, ZTNA is the natural evolution of VPN technology because it offers better security, more granular control, and a better user experience. Because ZTNA is easier for users and more secure, it provides a smarter choice for securely connecting a remote workforce.

With a traditional VPN, the assumption is that anyone or anything that passes network perimeter controls can be trusted. But ZTNA takes the opposite approach: no user or device can be trusted to access anything until proven otherwise. Unlike a VPN, ZTNA extends the zero-trust model beyond the network and reduces the attack surface by hiding applications from the internet.

A key element of the ZTNA concept is the location independence of the user, whether they are on or off the network users. The application access policy and verification process is the same whether the user is on the network or off the network. Users on the network have no more trust than users that are off the network.

Because users might be off the network, a ZTNA solution should include a secure, encrypted tunnel for connectivity from the user device to the ZTNA application proxy point. The automatic nature of this tunnel makes it easier to use than traditional VPN tunnels, which improves the user experience. It should put applications behind a proxy point, hiding them from the internet.

Only those users who have been verified can gain access to those applications. An organizations ZTNA solution should also simplify management by enabling administrators to easily configure and enforce role-based access control for users and applications with a policy that is the same no matter where the user is located.

Security is Essential

As organizations continue to adapt their networks to meet new needs, office space may not be essential anymore, but security is. It needs to follow data and applications from end-to-end, regardless of how rapidly the underlying network changes or adapts. Doing so is critical to enable flexible, anywhere, anytime, secure remote access.

Because networks are so dynamic and resources have to be protected along the entire data path, security and networking need to function as a unified system. Security and the associated visibility and control required can’t be extended unless you can simplify management and centralize orchestration. But when you have several dozen different security solutions from different vendors deployed in different parts of your network, visibility and control is almost impossible.

Today, organizations need a suite of advanced security and networking functions that extend to every user, device, or application with centralized orchestration and threat intelligence collection and correlation to enable coordinated responses to malicious attacks across the entire distributed network.

Take a security-driven approach to networking to improve user experience and simplify operations at the WAN edge with Fortinet’s Secure SD-WAN solution.