The one common drawback to most SD-WAN solutions is that they address your WAN connectivity needs as if they exist in isolation. This isn't unique. One of the biggest challenges facing organisations undergoing rapid digital transformation is that each new network element tends to be designed and implemented in isolation. While this approach has several significant flaws, none is more serious than the impact it has on security.
One of the most critical functions required by security is expansive visibility across the entire distributed network. Deploying separate security solutions in different parts of the network isolates resources and makes it impossible to see, correlate, and respond to systemic threats.
While traditional hub-and-spoke WAN connection models certainly have their shortcomings, they do enable all traffic to be scanned and secured by the centrally deployed security. Once you replace static MPLS connections with flexible connectivity that leverages a public network and begin to support direct links to the internet and SaaS applications, you shift the burden of security to the SD-WAN device.
The problem is that most SD-WAN devices offer little more than extremely basic firewall functionality, which means that your critical data is no longer being protected by your full stack of security services, such as IPS, web filtering, anti-virus and anti-malware, and sandboxing. If you want those services, you have to add them as an overlay. This can add significant overhead to your IT team due to the heavy lifting of designing and deploying a solution, additional maintenance, and the use of separate management consoles. And if not done properly, it can also isolate your WAN security from the rest of your security architecture, both at your core and out in your multi-cloud presence.
But that’s only part of the challenge.
Managing an SD-WAN connection over a platform as unreliable as the public internet requires a significant amount of delicate connection management. Redundant systems need to be in place for immediate failover. Links with deteriorating reliability need to be hot-swapped out, even during live connections. And traffic management tools need to be constantly aware of application bandwidth requirements and prioritisation of different connections to continually make micro-adjustments to support latency-sensitive applications like unified communications.
SD-WAN connections require end-to-end security that goes beyond simply encrypting data. Communications between a branch office and a cloud-based application require data inspection at both ends of the connection. To avoid gaps in policy implementation and enforcement, security solutions in the cloud need to be fully compatible with those running at the branch. Applications not only need to be identified and managed to optimise their performance, but security also needs to see and understand those applications so appropriate levels of security can be applied. In addition, a cloud access security broker (CASB) solution should be positioned between the user and the cloud to secure access to cloud applications and resources and provide ubiquitous visibility and control. Finally, cloud security solutions also need to be positioned in the internet itself to provide real-time scalability for applications.
But perhaps the most essential element required is the deep integration between SD-WAN network functionality and security. Unfortunately, when security is deployed as an overlay, the best it can do is react to changes in network connections. This might be good enough for basic connections to the core data centre, but securing things like SaaS applications or accessing sensitive data is another matter. The lag time between a network change and the remapping of security to match that new configuration can create security gaps – which can be predicted and exploited. This problem is significantly compounded when such changes can happen on a second-by-second basis.
Rather than deploying security as an overlay, it instead needs to be fully integrated into the networking functionality of the SD-WAN solution itself. When new connections are created, security policies are built and deployed as part of the process. When network connectivity changes, security adapts automatically as part of the protocol. And, should a new connection or adjustment potentially compromise security policy, the integrated security element can prevent that change before it is even made.
This deep interoperability between security and network functions is the hallmark of the next generation of security known as Security-Driven Networking. By weaving these traditionally separate systems into a single solution, organisations can achieve the visibility and control necessary to truly secure their entire infrastructure. And as machine learning and AI become part of the solution, we will finally realise the sort of self-defending, self-healing network we have been waiting for.
New Secure SD-WAN solutions are the perfect place for this to begin. Deep integration between connectivity and security allows for the seamless and straightforward deployment of a complete solution, while networking and security functions can be managed simultaneously using a single-pane-of-glass management system, reducing overhead, increasing performance and protection, and paving the way for the next generation of security.
Take a security-driven approach to networking to improve user experience and simplify operations at the WAN edge with Fortinet’s Secure SD-WAN solution.
Digital transformation at the branch office, including remote retail locations, school campuses, and healthcare and financial offices, is fundamental if today’s distributed workforce is going to be able to keep up with evolving business and consumer demands. Conducting digital business today requires access to critical services and applications located in the cloud. And many of these business-critical applications, such as unified communications, are highly sensitive to bandwidth limitations or to things like jitter or lag times that often result from unreliable connections, which become an obstacle to efficient operations.
Historically, these remote locations were all connected to business applications and services through a single connection back to the core network. An MPLS connection and WAN router provided reliable, yet static, connectivity for millions of offices. However, because this hub-and-spoke model means that all applications and access to online resources need to be backhauled through the core network, local servers, along with the capacity of the fixed MPLS and router combination at the branch office, are being overwhelmed with huge volumes of traffic. As a result, productivity and user experience are severely impacted.
While SD-WAN solutions address this challenge with a more flexible and dynamic connectivity strategy, early-to-market solutions failed to consider the security needs of these connections. The one thing that the traditional model had going for it was that all traffic was at least inspected and secured using the full stack of enterprise-grade security solutions deployed at the core. Direct access to cloud and internet services from the branch means that protection is no longer available. Unfortunately, the vast majority of SD-WAN solutions on the market provide little more than a VPN and a stripped-down firewall to protect this critical link in today’s distributed networks, which leaves organisations poorly protected and highly vulnerable.
Fortinet believes that our focus on Secure SD-WAN innovation contributed to our placement of highest ability to execute and highest completeness of vision in the Challengers Quadrant of the November 2019 Gartner Magic Quadrant for WAN Edge Infrastructure. Unlike many SD-WAN solutions, we think Fortinet Secure SD-WAN is one of the few solutions on the market that addresses the FULL range of challenges being faced by organisations, combining advanced connectivity and traffic and application management functionality with a full suite of integrated security solutions, including NGFW, IPS, antivirus/anti-malware, web filtering, a full range of VPN options, and advanced threat protection solutions such as sandboxing.
In fact, in the November 2019 Gartner analyst research report, “Critical Capabilities for WAN Edge Infrastructure,” Fortinet received the highest score in the “Security-Sensitive WAN” use case, and ranked within the five highest for all remaining WAN Edge use cases. Gartner went on to recommend that “users consider the set of critical capabilities as some of the most important criteria for [WAN Edge infrastructure] acquisition decisions.”
The marketplace is taking notice. For example, Fortinet’s Secure SD-WAN just received CRN’s 2019 Tech Innovator award in the “Networking — SD-WAN” category, as well as CRN’s 2019 Product of the Year in the Security-Network — Technology subcategory. These awards are just a small reflection of the impact that Fortinet’s Secure SD-WAN solution is having on transforming the market.
We have also been recognised for our work with MEF, the group responsible for defining SD-WAN certifications and standards. In addition to winning two MEF 3.0 Proof of Concept awards – one for developing security standards for secure connections between separate SD-WAN devices, and the other for ensuring application security for SD-WAN services – we also lead a key initiative in the MEF Applications Committee on Application Security for SD-WAN Services (MEF88).
Additionally, Fortinet’s secure SD-WAN solution has received two consecutive NSS Labs “Recommended” ratings and showcased the lowest total cost of ownership (TCO), resilient high availability for better user experience, and high WAN performance for cloud applications.
With over 21,000 Fortinet Secure SD-WAN customers and counting, organisations are quickly learning that digital transformation without security is a dead end. Instead, manufacturers and businesses alike need to take an aggressive security-first approach that ensures that all innovation includes security-driven networking to ensure that flexibility and adaptability don’t leave organisations exposed to today’s increasingly aggressive — and successful — cybercriminals.
Read more about Fortinet's recent customer momentum to learn why global service providers such as Orange Business Services, SoftBank Corp, and Ooredoo Kuwait choose Fortinet Secure SD-WAN.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organisation and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
The Fortinet Network Security Academy (FNSA) program is designed to provide industry-recognised Fortinet training and certification opportunities to students around the world.
Cloud services are not new. Many of the technologies, such as remote access to applications, ready-to-use infrastructure and pre-configured environments have been around for many years. What has changed is the scope of different services and the scale they can offer. The idea of having to size a system before deploying it is disappearing as new cloud platforms offer almost infinite scalability.
Recent research suggests that businesses will be spending more on the cloud than ever before, with a recent Forbes report finding more than half of the global expenditure on IT to be cloud-based this year and that 60–70% of all software, services and technology spending will be cloud-based within two years.
And a report conducted by Intel recently found that 80% of all IT budgets will be committed to cloud apps and solutions in the coming year, with "cloud first" being a common buzzword in corporate boardrooms.
But that opportunity also brings new challenges, particularly when it comes to security. Different types of cloud services provide a wide range of different protection for your applications and data.
For example, when you subscribe to an online accounting or customer relationship system service, you are trusting that the service provider will handle your data appropriately, protecting it when it's at rest and in-flight, as well as ensuring it's backed up. In order to ensure those activities are carried out to a level you're satisfied with, it may be worth adding your own security processes to those of the service provider.
“All public cloud providers provide some level of security, but they also are careful to point out that BYO Security is welcome and encouraged. After all, the data you store, whether your own or your clients’, is your responsibility, and with great emphasis on accountability and breach reporting, it pays to understand what Security is baked into the public cloud provider’s offering and what gaps you need to fill yourself,” says Swapneil Diwaan, Business Manager, Fortinet at Ingram Micro, the largest Fortinet distributor and Authorised Training Centre.
But platform providers, sometimes called Platform as a Service (PaaS), that offer environments with operating systems, databases and other foundational software provide different service levels, as do businesses that simply provide hardware for you to install everything on. These are Infrastructure as a Service, or IaaS, providers.
A few years ago, public cloud providers were still new to the market and hadn't yet built trust with potential customers, especially the lucrative enterprise and public sectors. Part of building that trust comes through proving compliance with important laws, regulations and standards. This is why the likes of Amazon Web Services and Microsoft Azure have invested heavily in not just building physical infrastructure but ensuring compliance with regulations and standards, with hybrid clouds provided by local MSPs filling the gap to secure those services.
However, while hybrid cloud providers have improved their systems, the onus remains on customers to ensure they remain compliant. It is possible to deploy a system on a cloud provider's infrastructure but not ensure compliance or security. That's where trusted partners, like your MSP, Fortinet and Ingram Micro, can help, as they offer specialty services and systems to ensure your security and compliance go beyond the usual cloud provider checkboxes and differentiate them from competitors that might be using similar service providers.
Compliance is an important element of any business' security planning. And with new regulations such as the recently introduced National Data Breach (NDB) notification scheme in Australia and the General Data Protection Regulation (GDPR) in the European Union taking effect in May 2018, it's important to ensure businesses have their infrastructure and processes in order.
These changes in regulatory systems and the rapid change in how applications are designed, deployed and used have resulted in some significant challenges for companies. Scale is no longer a limiting factor with service providers offering services such as FortiVM that let you quickly deploy virtualised appliances such as firewalls and purpose-specific servers.
There is now a global skills shortage in information security and compliance that has resulted in both a scarcity in the number of qualified and experienced people that can be hired and an increase in their salaries as a result of that supply and demand. Managed service providers are able to assist as they can hire people with the skills needed. And, as one cloud provider can host thousands of environments, one security team can look after all those systems so the costs are shared.
Cloud service providers live and die by their reputations. That makes security one of their highest priorities right through the entire design of the services they deliver. The cloud environments they create are designed to be shared. So the protection of data that ensures one client doesn't see another's data and that unauthorised access is blocked is built into the design of the environment. Security by design is a core service - not something that's added later.
Service providers need to provide services that can meet the needs of many different clients. As a result, they have built their systems so that they can be rapidly updated to take advantage of the latest security features because that's part of their market advantage. That includes ensuring their systems support compliance with international standards such as GDPR.
Getting that right, for new aspiring hybrid cloud service providers seeking to offer more than the players already in the market, means finding the right partners, such as Ingram Micro and Fortinet, who can help them build differentiated services that meet the needs of businesses making the move to cloud services.
The expertise that service providers bring to this goes beyond the technical. The right service provider for your business won't just provide a room filled with server hardware and applications. A trusted partner, like Fortinet, will support you so the deployment of your systems is done with the utmost attention to security and compliance.
As cloud services continue to become the first option for businesses, finding the right partner that can offer services, systems and support that deliver the best options to support your business is vital. That means finding someone that can work with you to choose the right cloud solutions, with training and support for your business so that it remains secure and compliant.
For more information on how to build and configure your hybrid cloud offering, contact Ingram Micro's Solution Architects:
Andy Hill — firstname.lastname@example.org