As enterprise networks evolve, the need for a secure WAN increases. In the past, sensitive data storage and processing was primarily performed on an organization’s internal network. As a result, it was easy to defend these resources behind the secure network perimeter.

With the growth of mobile and cloud computing, how organization’s networks are structured has changed dramatically. Now, a great deal of sensitive and valuable data is processed and stored in the cloud, on infrastructure outside of the organization’s direct control. Users no longer solely access this data from inside the corporate network, as the use of mobile devices for business grows.

The evolution of the enterprise network has driven a range of digital transformation initiatives, like the adoption of software-defined WAN (SD-WAN). SD-WAN allows organizations to optimize the use of their network infrastructure, and SD-WAN security compares favorably to traditional networks built using multi-protocol label switching (MPLS) or Internet-based VPNs.

However, deploying a secure SD-WAN system is only half of the solution to network security. Securing the modern WAN requires the ability to limit the access of even authorized users within the network. Implementing a software-defined perimeter (SDP) is a crucial step in accomplishing this.

Shortcomings of Traditional WAN Security

Many organizations take a perimeter-focused approach to securing their WAN. This security model is based on the assumption that anyone inside the network has a legitimate right to be there, and that the main security task is ensuring that unauthorized parties cannot get inside. This is accomplished by deploying a robust set of cybersecurity monitoring and defensive solutions at the network perimeter.

However, this security model is incorrect for multiple reasons. First, the concept of the network perimeter no longer applies to the modern enterprise WAN. Currently, 91% of organizations are using public cloud deployments, meaning that systems “inside” the organization’s WAN are hosted on infrastructure owned by a cloud service provider (CSP).

Another issue with the perimeter-focused model for WAN security is that authorized users are often entrusted with access to all resources on the WAN. Since 94% of organizations give external parties (like vendors and subcontractors) accounts on their networks, this opens up these organizations to attack by malicious insiders or external threats who gain access via the breached network of an external partner.

SDP Security Benefits

A software-defined perimeter is a solution for enforcing need-to-know within the enterprise WAN. In most cases, authorized network users do not require complete access to all of the resources on the enterprise WAN, and allowing unnecessary access can result in data breaches or other security incidents through employee negligence or malice.

An SDP takes an identity-centric approach to managing access to assets within the enterprise WAN. With SDP, each user receives individual access to requested resources after having their identity and authorization verified. This creates a “zero trust” network architecture, where users may not even be aware of the existence of, let alone be able to access, assets for which they do not have authorization. 

This provides the organization with several security benefits.

  • Granular Access Control

The “all or nothing” access provided to users under a perimeter-focused security model does not meet the business needs of the modern enterprise. The majority of users on the enterprise WAN only have a legitimate need to access a small portion of the organization’s resources. The design of SDP makes it easy to control user access to assets based upon authorization and need to know.

An SDP built on top of an SD-WAN with integrated security can leverage the capabilities of the SD-WAN to provide optimized, secure access to corporate assets. For example, the use of the deep packet inspection (DPI) capabilities built into the next-generation firewall (NGFW) of an SD-WAN system with security integration can be used to provide continuous protection of traffic both pre and post authentication.

  • Cloud and Mobile Protection

One of the major shortcomings of traditional WAN networking, and even appliance-based SD-WAN, is an inability to provide both high network performance and enterprise-grade network security for cloud and mobile devices.

As organizations increasingly leverage cloud and mobile for business purposes, a growing percentage of enterprise network traffic is flowing over transport links outside of their control. When the enterprise’s public cloud is accessible over the public Internet, rerouting traffic between it and devices outside of the network to perform traffic inspection at the headquarters network creates unacceptable network latency and performance impacts.

On the other hand, if traffic is not routed through the organization’s security infrastructure, devices do not receive the benefits of these devices. These same issues exist with SDP point products as they also must make tradeoffs between security and performance for cloud and mobile users.

Achieving high-performance, secure WAN networking requires cloud-based SD-WAN, where point-of-presence (PoPs) with integrated security functionality can be distributed geographically in the cloud and connected with high-performance network links. SDP built on cloud-based SD-WAN infrastructure has the visibility needed to inspect all traffic in the enterprise WAN, providing comprehensive access control that includes cloud and mobile environments.

Securing the Enterprise WAN with SDP

As enterprise networks evolve, the importance of securing the enterprise WAN only grows. With sensitive data and processing being performed in the cloud and on mobile devices, organizations need the ability to control access within these environments. A software defined perimeter is the solution, offering identity-based access control based upon need-to-know.

Photo by Markus Spiske