Consider your IT security risks before adopting SD-WAN

by Budd Ilic, ANZ Country Manager, Zscaler

As organisations shift more of their IT infrastructure to cloud platforms, ensuring optimal network performance is vital for a fast user experience. Latency and bottlenecks can turn what should be a productivity tool into a daily frustration. 

The challenge is exacerbated by the way in which many corporate wide area networks (WANs) are configured. If a hub-and-spoke architecture has been used, traffic from a remote office has to be routed through the company data centre before accessing the internet. The return traffic then has to follow the same elongated path. It’s a bit like flying from Melbourne to Cairns via Perth.

For a worker in that remote office using a cloud-based service such as Office 365, the result can be a frustrating lag between sending requests and receiving replies. There needs to be a better way.

For a variety of reasons, organisations have been reluctant to break out network traffic locally and send it directly to the internet. One is the complexity of managing multiple local breakouts, particularly where an organisation has dozens or even hundreds of locations. Another is managing the security associated with taking this approach.

To avoid these issues, many organisations have turned to a network infrastructure that uses multi-protocol label switching (MPLS), and the technology has quickly become a standard transport mechanism for companies with multiple branch locations looking to route their traffic back to their data centre and onward to the internet.

However, despite their popularity, hub-and-spoke architectures using MPLS have led to problems for companies as they shift an increasing percentage of their applications to the cloud. MPLS can be both slow and expensive, and it doesn’t connect users to their applications in the most direct and expedient manner.

Finding a better way

As a result, many organisations are turning to a new approach dubbed software-defined wide-area networking (SD-WAN). While SD-WAN is gaining in popularity, it’s still not as ubiquitous as MPLS, so it’s worth understanding exactly what it is and how it will affect enterprise security architectures.  

At its heart, SD-WAN is a new way to route internet traffic that allows organisations to leverage multiple transport services, including fixed broadband, 4G, LTE, as well as MPLS for data centre-bound traffic. The technology monitors application and transport options and intelligently determines the best path based on context and conditions.

As an example, important video conferences can take precedence over less latency-sensitive traffic. Office 365 users in branch offices can enjoy better performance with their traffic sent directly to the internet, rather than being routed through the corporate data centre.
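The path selection described above can be made concrete with a small simulation. The code below is an added example written for this page, not code from the article or from any SD-WAN product: the link measurements, application classes and the `select_path` rule are all constructed assumptions. It keeps data-centre-bound traffic on MPLS, breaks internet-bound traffic out on the best local link that currently meets the application's latency and loss tolerances, and shows how a degraded link causes traffic to be re-steered.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data for illustration only; not measurements from
# any real network or vendor product.

@dataclass
class Link:
    name: str
    transport: str      # "mpls", "broadband" or "lte"
    latency_ms: float   # current measured latency on this link
    loss_pct: float     # current measured packet loss on this link

@dataclass
class App:
    name: str
    destination: str        # "datacentre" or "internet"
    max_latency_ms: float   # latency the application tolerates
    max_loss_pct: float     # packet loss the application tolerates

def select_path(app: App, links: list[Link]) -> str | None:
    """Pick a link for an application (hypothetical rule).

    Data-centre-bound traffic stays on MPLS; internet-bound traffic
    breaks out locally on a non-MPLS link.  Among the links allowed for
    the destination, only those currently inside the application's
    latency and loss tolerances are usable; the lowest-latency one wins.
    Returns None when no link meets the tolerances, leaving the fallback
    decision to the caller.
    """
    if app.destination == "datacentre":
        candidates = [l for l in links if l.transport == "mpls"]
    else:
        candidates = [l for l in links if l.transport != "mpls"]
    usable = [
        l for l in candidates
        if l.latency_ms <= app.max_latency_ms and l.loss_pct <= app.max_loss_pct
    ]
    if not usable:
        return None
    best = min(usable, key=lambda l: (l.latency_ms, l.loss_pct))
    return best.name

def degrade(links: list[Link], name: str, latency_ms: float, loss_pct: float) -> list[Link]:
    """Return a copy of the link list with one link's measurements changed,
    standing in for the monitoring feedback that drives re-steering."""
    return [
        Link(l.name, l.transport, latency_ms, loss_pct) if l.name == name else l
        for l in links
    ]

# Constructed branch inventory: one MPLS circuit plus two local internet links.
LINKS = [
    Link("mpls-1", "mpls", 45.0, 0.0),
    Link("broadband-1", "broadband", 12.0, 0.1),
    Link("lte-1", "lte", 38.0, 1.5),
]

# Constructed application classes: video is latency-sensitive, Office 365
# is tolerant, the ERP system lives in the data centre.
VIDEO = App("video-conf", "internet", max_latency_ms=30.0, max_loss_pct=0.5)
O365 = App("office365", "internet", max_latency_ms=150.0, max_loss_pct=2.0)
ERP = App("erp", "datacentre", max_latency_ms=100.0, max_loss_pct=1.0)

if __name__ == "__main__":
    for app in (VIDEO, O365, ERP):
        print(f"{app.name:12s} -> {select_path(app, LINKS)}")
    degraded = degrade(LINKS, "broadband-1", 80.0, 3.0)
    print("after broadband degrades:")
    print(f"{VIDEO.name:12s} -> {select_path(VIDEO, degraded)}")
    print(f"{O365.name:12s} -> {select_path(O365, degraded)}")
```

With the constructed data, video and Office 365 both break out on the broadband link while the ERP traffic stays on MPLS. Once the broadband link degrades, Office 365 is re-steered to LTE, but no remaining local link meets the video tolerances, which is exactly the case a real deployment must decide a fallback for.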

Companies have been adopting SD-WAN for a variety of reasons, with one of the biggest being a desire for an improved user experience. With local internet breakout strategies, which are centrally orchestrated through SD-WAN via the cloud, branch office users are able to go straight to the internet to access their cloud-based applications.

Another business driver for SD-WAN adoption is the reduction in cost. In some cases, an MPLS line could cost thousands of dollars per month whereas a higher-speed SD-WAN connection could be available for hundreds of dollars. By limiting the use of MPLS for traffic that’s heading to the data centre, organisations can optimise their MPLS spending.

Ensuring security for SD-WAN

If a decision is made to adopt SD-WAN, an organisation will need to rethink its approach to security. In the past, all traffic was routed through the data centre because that’s where all applications and security systems were housed.

But now, with direct-to-cloud connections in place, security becomes a different issue. Where an SD-WAN device offers security at all, it typically provides only stateful firewall capabilities, which are inadequate to protect against today’s advanced threats. The challenge then becomes how to secure direct-to-cloud traffic.

One option would be to replicate the centralised security stack at each branch office; however, this would be a very expensive and high-maintenance approach to take. After all, a key benefit of SD-WAN is the ability to provision it remotely and manage it centrally.

A better alternative is to send the traffic through a specialised cloud security provider that can deliver the centralised security capabilities at the local level. And this can be achieved without the need for backhauling to the data centre or deploying costly security appliances in each branch office or remote location.
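Before enabling local breakout, the practical check is whether every branch that sends internet-bound traffic directly out also sends it through an inspection point, either a cloud security service or a backhaul to the data-centre stack, rather than relying on the stateful firewall alone. The script below is an added example written for this page, not the article's or any vendor's code; the `Branch` fields and the `inspection` values are a hypothetical inventory schema, and the branches listed are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical inventory schema; field names and values are assumptions
# made for this example, not any product's configuration format.

@dataclass
class Branch:
    name: str
    transports: list[str]   # e.g. ["mpls", "broadband"]
    local_breakout: bool    # True if internet-bound traffic leaves from the branch
    inspection: str         # where internet-bound traffic is inspected:
                            # "none", "stateful", "cloud_security" or "backhaul"

# Inspection modes that give more than stateful 5-tuple filtering.
ADEQUATE = {"cloud_security", "backhaul"}

def audit_branch(b: Branch) -> list[str]:
    """Return risk findings for one branch (empty list means no finding)."""
    findings: list[str] = []
    if b.local_breakout:
        if b.inspection == "stateful":
            findings.append(
                f"{b.name}: local breakout protected only by a stateful firewall"
            )
        elif b.inspection == "none":
            findings.append(f"{b.name}: local breakout with no inspection")
        elif b.inspection == "backhaul":
            # Traffic cannot be both broken out locally and inspected in the
            # data centre; the inventory is contradictory.
            findings.append(
                f"{b.name}: breakout enabled but inspection recorded as backhaul"
            )
    else:
        if b.inspection != "backhaul":
            findings.append(
                f"{b.name}: no breakout, so inspection should be backhaul, "
                f"found {b.inspection!r}"
            )
        if "mpls" not in b.transports:
            findings.append(f"{b.name}: backhaul relies on a transport not present")
    return findings

def audit_estate(branches: list[Branch]) -> dict[str, list[str]]:
    """Audit every branch; only branches with findings appear in the result."""
    result = {}
    for b in branches:
        f = audit_branch(b)
        if f:
            result[b.name] = f
    return result

# Constructed branch inventory.
BRANCHES = [
    Branch("melbourne", ["mpls", "broadband"], local_breakout=True, inspection="cloud_security"),
    Branch("cairns", ["broadband", "lte"], local_breakout=True, inspection="stateful"),
    Branch("perth", ["mpls"], local_breakout=False, inspection="backhaul"),
    Branch("darwin", ["broadband"], local_breakout=True, inspection="none"),
    Branch("hobart", ["broadband"], local_breakout=False, inspection="backhaul"),
]

if __name__ == "__main__":
    for name, findings in audit_estate(BRANCHES).items():
        for line in findings:
            print("FINDING", line)
```

Run against a real inventory export, the same rule set gives a list of branches that would lose inspection the moment breakout is switched on, which is the conversation worth having before the SD-WAN rollout rather than after.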

SD-WAN is quickly becoming a preferred way of providing remote offices and workers with high-performance access to cloud-based platforms and resources. With the right security approach, the anticipated business benefits of SD-WAN can be fully realised.