Branch Security—A Cornerstone of Your Cloud Networking Strategy

Frank Lyonnet


Make Branch Security A Cornerstone of Your Cloud Networking Strategy with SD-WAN

New technologies = new vulnerabilities

Cloud is now a primary choice for hosting IT assets; it is hard to beat on cost, scale and agility. Its adoption has been driven by digital transformation, and it now lets organizations achieve far more than traditional approaches could.

Similarly, digital transformation has bolstered the emergence of Internet of Things (IoT). IoT, like cloud, can deliver a significant competitive edge to businesses across industry verticals if implemented correctly.

However, both IoT and cloud expand the attack surface and create the need for a new approach to IT security, one where connectivity and threat management can no longer be handled in separate silos.

Most distributed organizations are faced with the need to revisit their WAN and branch networking strategy. They need an affordable, unified and easy-to-manage network that is secure and efficient for both cloud and on-premises assets, wherever the users may be—static or mobile.

Depending on the degree of cloud adoption, enterprises are considering multiple options for using the Internet as transport within their WAN. Cloud-first enterprises are embracing local Internet breakouts in the branch, while more hybrid IT organizations backhaul Internet traffic from the branch to a few regional hubs. Others combine both approaches for further performance and security benefits.

On the LAN side, enterprises must isolate business-relevant wired and wireless endpoints and keep them from being exposed to the growing share of traffic that now goes to and from the Internet.

With all these changes, the chain of network and security functions within a branch needs more than a refresh. A whole new approach is required where connectivity and security are handled as one – from the design phase to actual operations and change management.

Two approaches to branch security

With most business applications now delivered as SaaS, the Internet is replacing MPLS as the network backbone of distributed organizations. If a user can reach the Internet directly, without a backhaul into the data center, performance improves and cost drops. But, now more than ever, Internet traffic must be inspected and secured before it enters the branch.

Organizations have several branch security options. They can replicate in each branch the full security stack they run in regional hubs or data centers. Or they can use the cloud and steer Internet traffic through cloud-delivered security services (secure web gateways and Cloud Access Security Brokers, CASBs) from providers such as Zscaler or Netskope.

The chain of functions within a branch becomes a hybrid of on-premises and cloud-based components. That service chain needs to be configured and aligned with the security and performance objectives of the company, sometimes on a per-application basis. Only SD-WAN and SD-Security solutions that go beyond the limitations of plain IP networking can deliver the necessary application awareness, using both on-premises and cloud-based functions for optimized security, performance and efficiency.

Network segmentation is more critical than ever

In a world where IoT devices such as HVAC systems are used as a foothold for attacks that end in the theft of customer data, many organizations are taking steps toward network segmentation: building multiple sub-networks (overlays) within a shared network (underlay). Network segmentation is not new, but it has historically been cumbersome to implement and manage.

Until now, segmentation of the WAN and segmentation of the LAN were considered independently when, in fact, they are part of the same business imperative. It’s only with the advent of SD-WAN, SD-LAN and SD-Security that organizations can implement network segmentation for application security (and performance) end-to-end, from the data center (on-premises or cloud-based) into the WAN and to end-user devices on the LAN. A comprehensive approach to network segmentation is one that combines the strengths of LAN segmentation, WAN segmentation and next-generation firewalling capabilities. With this approach, connectivity and security for every user can be achieved.
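The two ideas above, a per-application service chain at the branch edge and end-to-end segmentation with a default of no cross-segment access, can be stated as one ordered policy that is evaluated per flow. The following is an added example written for this page, not Riverbed code or any vendor's policy language: the segment names (`iot`, `guest`, `corp`, `datacenter`), application labels, steering actions and sample flows are all constructed for illustration. It also includes a small exhaustive check that a practitioner would want before pushing a policy to hundreds of sites: does any flow from an untrusted segment ever reach the protected segment, whatever the application?

```python
"""Branch edge policy model: segmentation plus per-application Internet steering.

Added example for illustration (not Riverbed's or any vendor's code).
Segments, applications, actions and sample flows are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class Action(Enum):
    DENY = "deny"                       # drop at the branch edge
    LOCAL_BREAKOUT = "local-breakout"   # exit via the branch's own NGFW
    CLOUD_INSPECT = "cloud-inspect"     # steer through a cloud SWG/CASB
    HUB_BACKHAUL = "hub-backhaul"       # tunnel to a regional hub stack


@dataclass(frozen=True)
class Flow:
    src_segment: str
    dst_segment: str   # "internet" marks an off-net destination
    app: str


@dataclass(frozen=True)
class Rule:
    src: Optional[str]   # None matches any segment
    dst: Optional[str]
    app: Optional[str]   # None matches any application
    action: Action

    def matches(self, f: Flow) -> bool:
        wanted = ((self.src, f.src_segment), (self.dst, f.dst_segment), (self.app, f.app))
        return all(want is None or want == have for want, have in wanted)


# Ordered: first match wins. Segment isolation is stated before any
# application steering so a broad steering rule cannot override it.
POLICY: List[Rule] = [
    Rule("iot", "corp", None, Action.DENY),                            # IoT never reaches corp
    Rule("iot", "internet", "vendor-telemetry", Action.CLOUD_INSPECT), # only its own telemetry
    Rule("iot", None, None, Action.DENY),                              # everything else from IoT
    Rule("guest", "internet", None, Action.CLOUD_INSPECT),             # guests: Internet only
    Rule("corp", "internet", "office365", Action.LOCAL_BREAKOUT),      # trusted SaaS, local exit
    Rule("corp", "internet", None, Action.CLOUD_INSPECT),              # other web via cloud stack
    Rule("corp", "datacenter", None, Action.HUB_BACKHAUL),             # private apps via hub
]


def decide(flow: Flow, policy: Sequence[Rule] = POLICY) -> Action:
    """First matching rule decides; anything unmatched is denied."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return Action.DENY


def isolation_violations(policy: Sequence[Rule], segments: Sequence[str], apps: Sequence[str],
                         protected: str = "corp", trusted: Sequence[str] = ("corp",)
                         ) -> List[Tuple[Flow, Action]]:
    """Model-check the policy: every flow from an untrusted segment into the
    protected segment must be denied for every known application."""
    bad = []
    for src in segments:
        if src in trusted:
            continue
        for app in apps:
            flow = Flow(src, protected, app)
            action = decide(flow, policy)
            if action is not Action.DENY:
                bad.append((flow, action))
    return bad


SEGMENTS = ("iot", "guest", "corp", "datacenter")
APPS = ("http", "office365", "vendor-telemetry", "erp")

# A tempting "simplification": one catch-all steering rule for guests placed
# first. It silently lets guest -> corp traffic through as "cloud-inspect".
BROKEN_POLICY: List[Rule] = [Rule("guest", None, None, Action.CLOUD_INSPECT)] + POLICY

if __name__ == "__main__":
    for f in (Flow("iot", "corp", "http"), Flow("corp", "internet", "office365"),
              Flow("guest", "corp", "http")):
        print(f, "->", decide(f).value)
    print("violations in POLICY:", isolation_violations(POLICY, SEGMENTS, APPS))
    print("violations in BROKEN_POLICY:", isolation_violations(BROKEN_POLICY, SEGMENTS, APPS))
```

The isolation check is deliberately exhaustive over the segment and application vocabulary the policy knows about; with a handful of segments and a few hundred application labels that is cheap, and it catches the ordering mistake shown in `BROKEN_POLICY` that a per-device CLI review would likely miss.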


The new software-defined branch is no longer another spoke in the enterprise network; it adopts all the characteristics of a hub, with all its richness and complexity, but without adding significant hardware footprint or operational overhead. But, do solutions exist to manage modern networks that combine cloud, IoT, advanced security and efficient connectivity? Solutions that scale to one, ten, 100, 1000s of sites? Here’s where the divide still exists between:

  • legacy solutions that have evolved to embrace this new reality
  • newer solutions designed from the ground up to support the security and performance requirements of a fundamentally different enterprise

Enterprises require solutions capable of managing performance and security down to every user for every application. In an era where business priorities change quickly and IT is expected to deliver organization-wide implementations in hours, this cannot be achieved using per-device configurations via CLI. Solutions with centralized, intent-based workflows that extend control of policy across the full footprint of the hybrid enterprise are necessary. These solutions are available today from Riverbed SteelConnect. Such solutions deliver ubiquitous and consistent security with performance everywhere across the distributed perimeter. Take note, this is about security AND performance, not security against performance. No compromises.

For a quick look at Riverbed’s SD-WAN solution, check the SD-WAN solution page. If you would prefer to test drive the solution, check out this free trial.

