This is a summary of an article written for Security Week by John Maddison, EVP Products and CMO at Fortinet. The entire article can be accessed here.
Digital transformation impacts every facet of how business is conducted these days. But those who perhaps feel the deepest sense of change are those who work to secure our networks. Security teams both large and small are faced with the dilemma of a growing cybersecurity skills gap combined with an ever-expanding network to secure. Unfortunately, the challenge of securing new digital infrastructure will only grow unless digital transformation stakeholders not only broaden their focus to include security, but begin building their networks with security in mind from day one.
The problem is not only an expanding digital footprint, but the way in which networks are expanding. They often grow ad hoc from within individual business units as employees and managers seek better digital products, without any centralized control or management tied to the larger corporate security strategy, or even input from security teams. With a fast-growing catalog of mobile workers, IoT devices, cloud/virtual environments, SaaS subscriptions, DevOps projects, and BYOD, security teams are scrambling to gain visibility, maintain control, and secure their organization's networks and critical digital assets. Those efforts become less effective as they fall behind network and application development and adoption projects that are run in a disconnected or isolated way.
The result is anything but simple. In the eyes of security professionals, complexity is a red flag for security blind spots, gaps in policy enforcement, and increased cyber risk for their company. Vendors that offer isolated security solutions compound the problem: those solutions can't be easily monitored or managed together, so extra resources are spent hand-porting policies to the growing assortment of devices that come under the company's digital realm. Visibility and threat correlation are limited, which opens doors for attackers, and isolated tools can't participate in a unified response to an active threat. As a result, cyber adversaries are waiting in the wings to take advantage of an environment that gets more complicated by the day and is becoming virtually impossible for security teams to manage.
With networks changing so rapidly, security teams are often left asking things like: how do you remove complexity in a dynamic environment like SD-WAN? Or when should intent-based segmentation be deployed?
When faced with a traditional hub-and-spoke network design, where branch traffic is backhauled through the hub over static WAN connections, security teams face immense challenges. They are continuously adapting the core network to keep up with fast-paced changes in the workplace. Network requirements are ever-changing, and most static routers and MPLS configurations simply can't keep up with the broadband performance requirements or intent-based segmentation strategies that today's teams must deploy. With the ever-mounting pressure to support and dynamically adapt to business-critical digital transformation projects, security must evolve significantly and quickly, and legacy solutions based on static designs simply need to be replaced.
One area of good news is that, unlike a traditional static WAN, SD-WAN solutions can support advanced networking requirements, adapt to dynamically evolving business-critical applications, and support intent-based segmentation to keep critical data isolated. The only caveat is finding an SD-WAN solution that doesn't increase risk by leaving out security designed to respond dynamically to network and application changes. In fact, one of the biggest mistakes organizations make is not considering the security cost until after an SD-WAN has already been deployed. Sure, SD-WAN appliances offer greater flexibility and improved performance, but their use of direct internet connections makes them a potential security risk: traffic that breaks out locally at the branch never passes the inspection that used to happen at the hub. This forces security teams not just to deploy additional devices and expend more resources to secure their SD-WAN solution, but to add them after the fact, which increases IT overhead and TCO while introducing gaps in security because a system bolted on afterwards is reactive by nature.
Building such overlay security solutions for an SD-WAN is expensive and time-consuming. That goes not just for the initial deployment, but on a continual basis as well given all the additional overhead these afterthought solutions require. The extra security devices, the nonstop fine-tuning, the real-time traffic shaping, and other factors that drive up the total cost of ownership make overlay security frameworks a less-than-ideal solution.
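To make the gap described above concrete, here is an added audit script; it is example code written for this summary, not Fortinet's product or anything from the original article. It assumes a simplified model in which every flow exits a branch either by direct internet breakout or by backhaul to the hub, and in which a security function can only enforce policy at a location it actually sits on. The steering policy, the intent-based segmentation policy, the two branches and the sample flows are all constructed for illustration. It reports flows that no inspection point ever sees, flows that violate the segmentation intent, and the intersection of the two, which is the set of violations that a written policy cannot enforce until inspection is integrated at the branch.

```python
"""Audit an SD-WAN steering policy for branch traffic that leaves the site without
passing an inspection point, and check flows against an intent-based segmentation
policy. Every topology, policy and flow here is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    site: str          # branch where the flow originates
    src_segment: str   # intent tag of the source device, e.g. "corp", "pos", "iot"
    app: str           # application as classified by the SD-WAN appliance
    dst_segment: str   # intent tag of the destination, e.g. "saas", "dc-erp"


# Constructed SD-WAN steering policy: "internet" is direct local breakout at the
# branch, "hub" is backhaul over the static WAN to the data center.
PATH_POLICY = {
    "salesforce": "internet",
    "o365": "internet",
    "erp": "hub",
    "card-auth": "hub",
    "firmware-update": "internet",
}

# Constructed intent-based segmentation policy: allowed (source, destination)
# segment pairs, written in terms of business intent rather than IP topology.
SEGMENT_POLICY = {
    ("corp", "saas"),
    ("corp", "dc-erp"),
    ("pos", "dc-payments"),
    ("iot", "vendor-cloud"),
}


def exit_point(flow, path_policy):
    """Where the flow leaves the branch. Unclassified apps fall through to local
    breakout here, which mirrors a permissive default route and is exactly the
    kind of traffic an audit should surface."""
    return path_policy.get(flow.app, "internet")


def inspection_location(flow, path_policy):
    """The only place a security function could see this flow: the hub for
    backhauled traffic, the originating branch for local breakout."""
    return "hub" if exit_point(flow, path_policy) == "hub" else f"branch:{flow.site}"


def uninspected_flows(flows, path_policy, inspection_points):
    """Flows whose path never crosses a location that has an inspection function."""
    return [f for f in flows
            if inspection_location(f, path_policy) not in inspection_points]


def segmentation_violations(flows, segment_policy):
    """Flows whose (source, destination) intent pair is not allowed."""
    return [f for f in flows if (f.src_segment, f.dst_segment) not in segment_policy]


def audit(flows, path_policy, segment_policy, inspection_points):
    """Summarize the gap: a violation that is also uninspected cannot be enforced
    anywhere, no matter how good the written policy is."""
    uninspected = uninspected_flows(flows, path_policy, inspection_points)
    violations = segmentation_violations(flows, segment_policy)
    unenforceable = [f for f in violations if f in uninspected]
    return {
        "uninspected": uninspected,
        "violations": violations,
        "unenforceable": unenforceable,
    }


# Constructed sample flows from two branches.
SAMPLE_FLOWS = [
    Flow("branch-12", "corp", "salesforce", "saas"),
    Flow("branch-12", "corp", "erp", "dc-erp"),
    Flow("branch-12", "pos", "card-auth", "dc-payments"),
    Flow("branch-12", "iot", "firmware-update", "vendor-cloud"),
    Flow("branch-12", "iot", "erp", "dc-erp"),        # IoT device reaching the ERP segment
    Flow("branch-07", "corp", "o365", "saas"),
    Flow("branch-07", "pos", "unknown-app", "saas"),  # POS terminal talking straight to the internet
]

# Bolted-on model: the only inspection point is the firewall at the hub.
HUB_ONLY = {"hub"}
# Integrated model: the SD-WAN appliance at each branch also inspects local breakout.
INTEGRATED = {"hub", "branch:branch-12", "branch:branch-07"}


if __name__ == "__main__":
    for label, points in (("hub-only inspection", HUB_ONLY), ("integrated inspection", INTEGRATED)):
        report = audit(SAMPLE_FLOWS, PATH_POLICY, SEGMENT_POLICY, points)
        print(f"{label}: {len(report['uninspected'])} uninspected, "
              f"{len(report['violations'])} policy violations, "
              f"{len(report['unenforceable'])} unenforceable")
        for f in report["unenforceable"]:
            print(f"  cannot enforce: {f.site} {f.src_segment}->{f.dst_segment} via {f.app}")
```

With hub-only inspection the four breakout flows are never seen, and the POS terminal's unclassified internet traffic is a segmentation violation nothing can block; adding inspection at both branches drives the uninspected and unenforceable counts to zero while the two violations remain, now at a point where they can be enforced. The permissive default in exit_point is deliberate: an unclassified application silently taking the direct internet path is the failure mode this check is meant to catch.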
Security-Driven Networking is how modern security teams are solving the problem of having to grow their networks in a dynamic environment without compromising on security. In fact, letting security drive your approach to networking is really the only way to ensure that, going forward, any new network environment or solution won’t pose serious risks to the company’s digital estate.
The first step to achieving a security-driven network is to draft a comprehensive security policy that covers everything a new network or solution should have before anyone even considers deploying it. That means crafting an overarching document that covers how network additions will be assessed, what protocols they must follow, how they will be inspected, the technology that’s used to enforce policies, and what protections they must offer.
The next step is choosing and integrating your arsenal of security tools so that you end up with unified threat intelligence and a seamless solution that works across virtually any environment that your company requires. These security tools are key and must include:
Security solutions that can integrate networking and security at the outset require equipment and processors that optimize functionality, manage complex activity, accelerate critical transactions without damaging performance, and unify network and security policy and functionality into a single, integrated management and control system.
The next generation of security solutions that provide true security-driven networking is already here with Secure SD-WAN solutions that are integrated into next-generation firewalls (NGFWs). This approach provides a built-in, full stack of security functions that understand and start protecting the network the instant you deploy. That includes functions that, until recently, were only available via the data center in the core network. And it’s all managed through an easy-to-use console offering single-pane control over the entire network.
Learn how Fortinet’s Secure SD-WAN Solution uses a security-driven networking approach to improve user experience and simplify operations at the WAN Edge.
Read these customer case studies to see how Warrior Invictus Holding Co., Inc. and the District School Board of Niagara implemented Fortinet’s Secure SD-WAN to alleviate network complexity, increase bandwidth, and reduce security costs.