Connecting the Branch to the Cloud
The expansion of the network is about much more than adding new devices and platforms. Maximizing the benefits of an extended, scalable, and highly elastic network requires dynamic interconnectivity and orchestration between all of the various elements.
Nowhere is this more apparent than in the need to connect edge networks – such as branch offices, remote retail locations, and even satellite school campuses – with data, applications, and other resources deployed in the cloud. The primary goal for any such connectivity strategy is to provide faster access to multi-cloud resources and the efficient adoption of SaaS for the best possible user experience. When properly deployed, it enables remote workers and resources – including essential IoT, networking, and end-user devices – to more effectively participate in their organization’s digital transformation.
The first hurdle to overcome to make this happen is to replace the rigid, static connections currently in place between remote locations and the central data center – a classic hub and spoke design that reduces visibility, bottlenecks bandwidth, and hampers agility – with new SD-WAN connectivity. This not only enables direct access to critical cloud-based resources, but it also enables direct branch-to-branch connections that can be dynamically created and torn down as needed, eliminating the need to backhaul traffic through the central data center.
Your Secure SD-WAN Solution Needs to Support All Cloud On-Ramp Scenarios
The cloud represents a radically new approach to developing, managing, storing, and accessing resources. On-ramping branch offices and other remote locations to the cloud through SD-WAN extends the cloud’s power, flexibility, and productivity gains to all users.
On-ramp strategies generally follow three distinct use cases:
- Basic on-ramping of small or branch offices to SaaS solutions that empower users with powerful web application tools that increase productivity and efficiency.
- Enterprise-wide on-ramping that integrates branch locations with multi-cloud infrastructures – public and private – to extend SaaS and custom web applications across a large and distributed WAN Edge.
- On-ramping to service provider co-locations designed to simplify the management and orchestration of extensive SD-WAN deployments across hybrid, multi-cloud environments.
Each of these strategies is outlined below:
SaaS On-Ramp – For basic implementations, Secure SD-WAN simplifies and secures branch connections to a single cloud and SaaS environment. In this scenario, the Secure SD-WAN Edge device – an NGFW appliance combined with advanced connectivity services – enables on-demand and/or automated direct connectivity to the cloud while supporting cloud native VPN.
An essential component of any effective Secure SD-WAN solution is a cloud access security broker (CASB). Fortinet’s FortiCASB solution not only controls and monitors access to SaaS applications and functions, but can also root out Shadow IT by checking the cloud applications in use against an authorized set of services, while also monitoring user behavior to identify abnormal activity such as the bulk uploading or downloading of data.
Enterprise On-Ramp – Secure SD-WAN also supports and secures the more complex branch-to-cloud and branch-to-branch connections that larger organizations require. Utilizing cloud native VPN combined with upward scalable bandwidth ensures maximum connectivity support.
However, for SD-WAN solutions that don’t include fully integrated security, maintaining a consistent security enforcement strategy can be much more complicated. Effective and consistent policy enforcement requires a seamless security fabric that spans the WAN Edge, the core data center, and all cloud environments. This includes:
- Automated integration of cloud native VPNs with branch-to-branch connectivity using meshed VPN for total data protection
- Dynamic support for scaling up and scaling out at cloud locations to ensure availability without compromising on security
- Seamless interoperability across all security solutions for consistent policy enforcement and security functionality
And as with the previous example, any enterprise on-ramp strategy also needs to include a fully integrated secure access strategy for SaaS applications. In addition to monitoring and securing SaaS connections, any CASB solution, such as FortiCASB, needs to manage critical applications such as O365, Salesforce, and Box by ensuring that end users are authorized to access applications and related data and resources, controlling and monitoring application behaviors, and inspecting content to ensure a consistently secure SaaS implementation.
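The two CASB functions the text describes (checking the applications in use against a sanctioned set to surface Shadow IT, and flagging bulk uploads or downloads) as an added Python illustration. This is example code written for this page, not FortiCASB code or its API; the log line format, the sanctioned app list, and the 500 MiB bulk threshold are constructed assumptions.

```python
"""Toy CASB-style checks over constructed SaaS access log lines (illustration, not FortiCASB)."""
from collections import defaultdict

# Applications the organization has sanctioned (assumed list; the apps named in the text).
SANCTIONED_APPS = {"o365", "salesforce", "box"}

# Per-user volume in one direction that counts as a bulk transfer (assumed threshold: 500 MiB).
BULK_BYTES = 500 * 1024 * 1024

# Constructed sample log lines, one record per line: timestamp user app action bytes
SAMPLE_LOG = """\
2024-05-01T09:00:12Z alice o365 download 2000000
2024-05-01T09:03:40Z bob pastebin upload 40000
2024-05-01T09:10:05Z carol box upload 300000000
2024-05-01T09:12:51Z carol box upload 320000000
2024-05-01T09:15:00Z dave salesforce download 5000
2024-05-01T09:20:33Z bob wetransfer upload 150000000
"""

def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, user, app, action, size = parts
        records.append({"ts": ts, "user": user, "app": app, "action": action, "bytes": int(size)})
    return records

def find_shadow_it(records, sanctioned=SANCTIONED_APPS):
    """Map each unsanctioned app seen in the log to the set of users who accessed it."""
    seen = defaultdict(set)
    for r in records:
        if r["app"] not in sanctioned:
            seen[r["app"]].add(r["user"])
    return dict(seen)

def find_bulk_transfers(records, threshold=BULK_BYTES):
    """Return {(user, action): total_bytes} for users whose summed volume in one direction exceeds the threshold."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["user"], r["action"])] += r["bytes"]
    return {k: v for k, v in totals.items() if v > threshold}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("shadow IT:", find_shadow_it(recs))
    print("bulk transfers:", find_bulk_transfers(recs))
```

Carol's two uploads are individually under the threshold but exceed it in aggregate, which is why the check sums per user and direction rather than looking at single events.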
xSP – Service Provider On-Ramp – Not every organization wants to deploy or manage their own SD-WAN environment – especially when its size begins to overwhelm available IT resources. As a result, any reasonable Secure SD-WAN solution needs to also automatically support Service Provider infrastructures. And this is difficult to do if you have cobbled together your SD-WAN security deployment from scratch using a variety of vendors and solutions, each with varying degrees of interoperability.
Generally, a managed SD-WAN solution offered by a partner provides the same functionality as the enterprise version, but without all of the heavy lifting. This includes automated support for multi-cloud connectivity, secure access to SaaS applications through a CASB solution, and the ability to provision and scale security across different clouds.
From a Service Provider perspective, any SD-WAN solution being considered as the foundation for managed services needs to include a number of essential ingredients. To start, automation-driven, single-pane, tiered management that spans both networking and security functions is a table-stakes requirement. It also needs to support tiered end-to-end analytics for individual customers as well as for the provider’s entire managed operation. And because it will be incorporated into a broader suite of managed services, it also needs to support public and customer APIs as well as open standards.
Integrating Connectivity with Security Cannot be an Afterthought
History has shown us time and again that building a network architecture and then trying to bolt on security after the fact always costs more, requires more ongoing maintenance, and creates more exploitable security gaps than starting with a security-first strategy. However, when security functionality is fully integrated into the network as part of a security-driven architectural plan – such as the one provided by the Fortinet Secure SD-WAN solution – organizations can enjoy automated and highly adaptable end-to-end orchestration and connectivity between multiple locations right out of the box.
This approach combines consistent availability and performance with essential protection for all on-ramp strategies. And if chosen carefully, it should also enable you to manage your entire distributed system through a single management console – or even fully integrate it into your NOC/SOC for full granular access to threat intelligence, policy orchestration, and problem resolution.
Start with Secure SD-WAN
On-ramping SD-WAN to a SaaS, cloud, or multi-cloud strategy is fraught with challenges. One of the most significant issues is maintaining consistent management and visibility combined with threat prevention and security enforcement, especially when both sides of any connectivity equation are likely to undergo constant and sometimes dramatic changes. A true Secure SD-WAN solution, built on an integrated framework already designed to seamlessly span and secure multiple environments, is the only way to ensure that your critical data, applications, and workflows are consistently available and receive consistent protection – even when part of a highly disruptive collection of rapidly evolving networked ecosystems.
Article was first published on Fortinet Blog. To read the whole article please visit: https://www.fortinet.com/blog/business-and-technology/secure-sdwan-cloud-security-on-ramp.html