Ensuring Performance and Security at Cloud-Enabled Branch Offices

By Fortinet | December 02, 2019

This is a summary of an article written for Security Now by Fortinet’s Nirav Shah. The entire article can be accessed here.

These days, it’s typical for branch offices to depend on a central connection that provides users with an access route to company data and apps on the network. Being tethered this way ensures security and central control. But as apps, data, and workflows increasingly shift to the cloud, branch organizations can face serious limitations when traffic still needs to be backhauled through a central connection. 

Cloud app traffic hauled through the central network hub before it reaches branch locations seriously compromises application performance – and user experience along with it. It also puts enormous strain on your core network when traffic volume grows exponentially. 

Organizations are addressing this problem with cloud-ready branch strategies that revolve around SD-WAN for direct Internet access. That way, cloud access is fast and cloud apps operate at peak performance, opening the door for increased productivity and better user experience. 

Security in the Cloud-Enabled Branch

Securing the cloud-enabled branch is a major concern. Without the central security resources that would traditionally be available from the core network, direct cloud access requires its own full security stack, and most SD-WAN solutions only provide basic firewall functionality. Many organizations don’t realize until it’s too late that they also need next-generation firewalls (NGFWs), IPS, web filtering, sandboxing, and more. They end up trying to replicate core security as an overlay solution for cloud security. The result is often an issue-prone, complex mess that costs money and wastes time.

Another stumbling block of most security solutions is that they tend to slow down critical app functionality, especially when decrypting and inspecting traffic. And since at least 80% of your traffic is now encrypted when you use cloud resources, that’s a big problem. In fact, it’s such a big problem that many NGFW vendors hide their performance stats.

The takeaway is to ensure that you’re deploying a branch cloud security solution that’s actually designed to meet the needs of today’s cloud-enabled branch office and its stricter performance requirements. 

Optimizing Cloud Applications in Branch Offices

While security is important, it’s only part of a branch office solution. You also need to ensure the connection between your business users and your cloud apps is optimized everywhere, not just between the branch and the internet. For functionality to be consistent, whatever solution you choose should also work between your routing and security solutions. Only an SD-WAN solution designed to work with cloud-native solutions (and optimized for all major cloud providers) can do this.

Covering the “middle mile” – and every other mile, not just the last one – means deploying an SD-WAN that can handle link classification, link monitoring, and link management. That way, it can self-heal unreliable internet links for optimal app performance.

Compliance Considerations 

Once you’ve untethered your branch location from your central network, you’ll also need to rethink compliance. How will you continue to monitor end-user behavior on the cloud so you don’t end up with violations? The use of cloud resources must still be authorized, and data must still be accessed within policy standards and regulations. Unauthorized users and apps must be prevented from penetrating your branch cloud environment, making Cloud Access Security Broker (CASB) solutions yet another critical component of your SD-WAN, cloud-ready branch strategy. A CASB provides an enforcement point in the cloud for your security policies, positioned between cloud providers and end users. With a CASB, cloud transactions are monitored and managed, ensuring regulatory compliance and the discovery of shadow IT systems.

Unified Management 

Visibility and management are always a concern, and with all the moving parts in today’s networks needing to work together more closely than ever, there needs to be a unified solution. With a single dashboard view that covers both networking management and security, branch locations are truly cloud-enabled for peak performance. You have deep visibility extending across multiple branch locations, central networks, SaaS applications, mobile users, and multi-cloud environments – your entire distributed network. 

Minimize Risk Exposure with Integration 

These days, any good strategy for a move to the cloud is always going to involve integration. That begins with tying all of your security solutions together into a single fabric that stretches across your entire network. Security absolutely has to evolve along with networks and adapt to changing network dynamics, which are continually in flux due to the breakneck speed of digital innovation and business requirements. Organizations can’t afford to simply react to network changes with security policies and after-the-fact solutions. In short, networking and security need to be cut from the same piece of cloth and woven together to support a dynamic environment where decisions can be made on the spot without putting the organization at risk.
