Security is critical for SD-WAN

Your network architecture is undergoing a transformation with SD-WAN. How can you deliver security to every location while keeping administrative cost and effort under control?

For nearly two decades, enterprises built wide area networks that sent all traffic back to the corporate data center. Even as companies began adopting public cloud and SaaS solutions, their mostly MPLS-based WANs retained the older “hub and spoke” architecture. The reason was simple: moving business-critical apps and IT infrastructure to the cloud decentralizes visibility. The cloud is often semi-jokingly referred to by IT types as “someone else’s computer,” and running in the cloud does take visibility and control away from IT. Retaining the hub and spoke architecture on a corporate network even after cloud adoption means every network packet is sent to a centralized data center for inspection, analysis, and filtering (a scheme network and IT pros call “hairpinning”) before being forwarded to SaaS applications or public cloud services.

Secure? Yes. But it’s not a setup built for modern workforces in a cloud-first/mobile-first environment. Some analysts suggest that approximately half of all traffic on corporate networks is destined for internet services such as Salesforce or Google G Suite apps. Hairpinning adds to the lag time between a user request in an app and the response. And for the majority of digital-native workers, “slow” is the new “broken.”

Multi-cloud enterprises need decentralized networks

Figure: Centralized Network vs. Decentralized Multicloud SD-WAN Networks

On-demand access to cloud apps is complicated by the fact that very few enterprises stick to a single cloud provider. IDC predicted that by 2020, over 90% of enterprises will use multiple cloud services and platforms. A survey by 451 Research claimed that 69% of respondents already have some type of multi-cloud environment today. Some IT departments secure their IP traffic by leveraging hosted security facilities like Cyxtera, or by adding firewalling and cloud-based security such as Zscaler.

Since these services essentially perform the same function as hairpinning (a centralized location for IP traffic inspection), forward-thinking IT executives turn to SD-WAN. Adding SD-WAN strategically to an existing network architecture can increase cloud app performance thanks to secure local internet breakout. This allows internet traffic to leave the corporate network at the SD-WAN edge of each site, via a locally connected ISP, rather than being backhauled to the data center. The SD-WAN hardware appliance can also secure that flow to the internet. Depending on the manufacturer or managed SD-WAN service provider, the SD-WAN appliance can secure local internet breakouts through a combination of policies and a built-in firewall for access control, plus add-ons that enhance threat prevention (e.g. sandboxing and DNS security) and data protection (e.g. CASB or DLP). It should be noted that Zscaler has partnered with top SD-WAN appliance makers such as Cisco Viptela, Oracle Talari Networks, and VMware Velocloud to provide scalable secure local internet breakout.
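To make the policy side of local breakout concrete, here is an added illustration (not code from the original post, nor from any SD-WAN vendor named here) of the per-flow decision an SD-WAN edge makes: send a flow straight out through the local ISP, backhaul it to the data center for inspection, or drop it at the edge firewall. The application labels, destination prefixes, port list and sample flows are all constructed values chosen for the example; a real appliance would take them from the vendor's app signatures and published SaaS address ranges.

```python
"""
Added example: a minimal model of an SD-WAN edge's local-breakout policy.
Every prefix, app name and flow below is constructed sample data, not real
configuration from any vendor or the original article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"
    app: str     # app name as labelled by the edge's classifier (assumed input)


# Sanctioned SaaS apps allowed to break out locally, each tied to the
# destination prefixes the provider publishes (constructed values here).
# Requiring the prefix to match the app label stops a flow that merely
# *claims* to be a sanctioned app (e.g. via a forged label) from bypassing
# data-center inspection.
BREAKOUT_APPS = {
    "salesforce": [ip_network("203.0.113.0/24")],
    "gsuite": [ip_network("198.51.100.0/24")],
}

# Edge firewall for breakout traffic: only these (proto, port) pairs may leave
# via the local ISP; anything else destined for a sanctioned prefix is dropped.
BREAKOUT_FW = {("tcp", 443), ("tcp", 53), ("udp", 53)}

# RFC 1918 ranges always stay on the corporate overlay and never break out.
INTERNAL = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def in_any(addr, nets):
    """True if addr falls inside any network in nets."""
    return any(addr in net for net in nets)


def decide(flow: Flow) -> tuple[str, str]:
    """Return (action, reason); action is 'breakout', 'hairpin' or 'drop'.

    The default is 'hairpin': anything not positively identified as a
    sanctioned app going to that app's published prefix is sent to the data
    center for inspection, so an unknown destination never bypasses it.
    """
    dst = ip_address(flow.dst)
    if in_any(dst, INTERNAL):
        return "hairpin", "internal destination stays on the overlay"
    nets = BREAKOUT_APPS.get(flow.app)
    if nets is None or not in_any(dst, nets):
        return "hairpin", "unsanctioned or unverified app: inspect at data center"
    if (flow.proto, flow.dport) not in BREAKOUT_FW:
        return "drop", f"breakout firewall denies {flow.proto}/{flow.dport}"
    return "breakout", f"sanctioned app {flow.app} via local ISP"


def summarize(flows) -> dict:
    """Count decisions per action, e.g. for an edge-side dashboard."""
    counts = {"breakout": 0, "hairpin": 0, "drop": 0}
    for f in flows:
        counts[decide(f)[0]] += 1
    return counts


# Constructed sample flows from a branch site (10.1.1.0/24).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.10", 443, "tcp", "salesforce"),  # breakout
    Flow("10.1.1.5", "10.2.0.7", 445, "tcp", "smb"),             # hairpin
    Flow("10.1.1.5", "203.0.113.10", 22, "tcp", "salesforce"),   # drop
    Flow("10.1.1.5", "192.0.2.9", 443, "tcp", "salesforce"),     # hairpin
    Flow("10.1.1.5", "198.51.100.4", 443, "tcp", "gsuite"),      # breakout
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, why = decide(f)
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto} [{f.app}]: {action} ({why})")
    print(summarize(SAMPLE_FLOWS))
```

The design choice worth noting is the default: a flow only breaks out locally when both the app label and the destination prefix agree, and everything else falls back to the hairpin path, so mislabelled or unknown traffic still reaches the data-center inspection point.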

Secure SD-WAN Recommendations

There are numerous options for enterprises wanting to ease into SD-WAN and decentralized networking for a cloud-first workforce. For mid-to-large-sized enterprises with internal IT security departments, self-managed SD-WAN appliances from Versa, Silver Peak, and Fortinet can provide excellent cybersecurity and visibility. For SMBs, managed SD-WAN service providers such as Aryaka and Cato Networks balance cybersecurity with app performance and cost.
