Many legacy WANs consist of disparate and isolated links which make consistent security policy enforcement nearly impossible. Vulnerabilities frequently occur due to security tools and products that are not used across all WAN links. A holistic configuration requires network security teams to individually deploy and manage security for each specific link—a process that’s not only resource-intensive but increases the probability of human error. As a result, businesses are shifting to more comprehensive security foundations for their WAN—SD-WAN, within an overall software-defined network (SDN) environment.
A next-generation WAN
A highly effective approach to securing the WAN is to overlay software-defined WAN (SD-WAN) functionality as a platform for consistent management and comprehensive visibility. This method allows for consistent policy implementation and holistic use of security solutions across the WAN. A single network “image” reduces complexity and simplifies deploying better security. It also reduces potential errors or omissions that can occur when the network is composed of links that must be secured individually. With an SD-WAN, network operations and security teams can ensure that there is documented and consistent use of security solutions and policies across the WAN.
Securing your WAN
Secure WAN solutions require more than just the basics. There are several specific features and capabilities to look for when using SD-WAN and software-defined networking (SDN) for WAN security.
SD-WAN and SDN provide a software-defined platform for managing, securing and operating the WAN that can dramatically enhance security.
To learn more about improving the security of your network, check out our whitepaper: network security through programmable networks”.
The wide area network (WAN) is the key determinant of application performance, user experience and other key IT success measures. According to Forbes, 83% of workloads will run in the cloud by the end of 2020. Yet, most current WANs were never designed to support the volume and types of traffic destined for the cloud—much less to meet the demands for application performance and the daily operations of today’s businesses.
What began more than 10 years ago with server virtualization has manifested into the move to a next-generation WAN environment—the migration of compute and storage resources to a
The concept of using software to describe resources has become the standard approach and the future of IT for all three aspects of the infrastructure (compute, storage and networking). The first step to deploying a cloud-ready WAN is moving away from legacy WAN processes and technologies to services that can support the challenges of a cloud-driven IT environment.
Utilizing a software-defined wide area network (SD-WAN) can solve many problems that legacy WANs present. Much as hyperscale cloud service providers (CSPs) are already reaping the benefits of virtualization when it comes to compute and storage resources, expanding this approach to the WAN further optimizes end-to-end application experience for business users and yields many benefits, such as:
To further explore the benefits of software-defined networking, check out this whitepaper: “SD-WANs enabling the move to a cloud-centric world.”
SD-WAN (software-defined wide area network) and security technologies are convergently evolving—responding to the needs of the market while stimulating new demand through innovation. SD-WAN and security capabilities are being integrated in platforms both on-premises and in the cloud. What’s more—network and security functions once tied to dedicated hardware solutions are now being delivered more effectively via flexible software applications.
Overcoming WAN security concerns
In a recent survey administered by Gartner on behalf of Fortinet, 72% of the respondents confirmed that “security is the biggest WAN concern,” outranking performance at 58% and cost at 47%. Not a surprising result considering the potential impacts that a single security event can have in terms of network performance and financial damages.
Security can no longer be an afterthought. It must be designed as a fundamental component in SD-WAN deployments—whether integrated into the platform itself or as an adjacent service. SD-WAN solutions today often become hybrid solutions in order to maximize returns on prior investments; therefore, any embedded security functions must also be designed for a complex, hybrid world.
The simplification of existing technology in one area often introduces greater complexity elsewhere to stimulate innovation that will yield a greater aggregate value. As overall solution complexity ebbs and flows, the dynamic environment can be very challenging to manage. Network and security management challenges can be multiplied by many factors in a WAN, including:
Security gains from technological advances
Software-defined networking introduced the concept of network functions virtualization (NFV), including security. Service chaining enabled multiple functions to be linked together and work in harmony. Software-defined technologies can deliver seamless security across vast WANs with centralized management. The virtualization and integration of network and security functions can reduce dependencies on dedicated hardware solutions. This standardization, simplification and automation can improve the uniformity—and therefore the integrity—of security across all locations, while reducing the need for human intervention.
While virtualization has simplified the physical world, it has also enabled the logical complexity required for Unified Threat Management (UTM) to address ever-growing complexity in the threat landscape. User segmentation enables security capabilities to be applied to each segment type in the most efficient and cost-effective manner possible. For example, PCI DSS (Payment Card Industry Data Security Standard) Compliance may apply to a company at large, but there may be relatively small subsets of employees or network segments that require special handling from a network and security perspective.
IT and security leaders must carefully consider and evaluate segments of user types, or “security classes,” for WAN traffic, and impose policy and technical controls to ensure traffic and apps are treated appropriately. Service providers can help with hosted security options and demonstrating how customers can segment traffic to engage or bypass various security functions.
SD-WAN deployments can also enable Internet connections to software-as-a-service (SaaS) applications in the cloud, but those cost savings come with new security risks. Cloud-based application access may precipitate a new approach to security with a next-generation virtualized firewall (NGFW) that runs at the network core. Once customized for the specific apps used in the enterprise, a cloud NGFW can be service-chained into SD-WAN connections to as many WAN locations as desired.
Security gains from technology-empowered humans
SD-WAN solutions offer “hard savings” relative to the MPLS solutions they are slowly displacing. Less tangible—but perhaps of even greater importance—are the “soft savings” that an SD-WAN solution with integrated security can yield.
In the past, “rip and replace” WAN deployments created significant disruptions and distractions for all users and especially for the IT professionals tasked with challenges well above and beyond “business as usual” operations. That kind of chaos creates opportunities for existing and emerging security vulnerabilities to be more easily exploited. In contrast, SD-WAN solutions can be deployed “over the top” (OTT) of existing networks. Security risk factors can be mitigated because businesses can progressively deploy SD-WAN by a self-defined project plan and schedule, adjusting on the fly to fight the unexpected, but inevitable, fires of the day. Top tier service providers also offer premium high touch services to fully outsource the deployment and/or ongoing management of SD-WAN, as needed or desired.
Once deployed, SD-WANs provide greater security because the people who manage them can operate more effectively and efficiently via a “single pane of glass” that simultaneously monitors the environment for network and security events. With an integrated SD-WAN and security deployment, security can be managed from a centralized portal, and modifications to security policies can be made for all locations in a matter of minutes, without the need for on-site IT support that could previously take days or weeks for hundreds of locations. Some amount of “soft savings” are realized from operational efficiencies. Much greater savings may be realized when (not if) a security event does occur. A fully-integrated portal for managing network and security enables operators to recognize, analyze and respond to events as quickly as possible. When a security event is significant, every second saved in mitigating it may prove invaluable to protecting the company’s infrastructure, data and—ultimately—its brand and reputation.
Wherever you are on your path to digital transformation, it will be key to ensure that your existing network security plans help you realize the full value of prior investments, and that the new investments you make will support the evolving needs of your business well into the future.
With its sweeping improvements in agility, reliability, security, performance, and cost, SD-WAN has moved into the networking mainstream in a remarkably short period of time. While MPLS will continue to serve in hybrid networks and as legacy infrastructure, it’s clear now that SD-WAN is becoming the new de facto standard – and I expect 2019 to be the year it leads in new network build-outs by a long shot.
The speed with which SD-WAN took hold can be attributed to a couple of factors, and it’s having a tremendous impact on solution providers as 2019 gets into full swing.
Two main reasons why SD-WAN adoption will continue to explode
Additional impact on solution providers
From a solution provider perspective, the rapid rise of SD-WAN has serious implications going forward including:
I’m happy to say that SD-WAN’s rapid rise has helped my previous projections prove accurate overall – and there is no longer any doubt that SD-WAN is solidifying its position as a key element in all kinds of contemporary enterprise initiatives.
As every merchant who processes payment cards knows, properly protecting sensitive data requires every in-scope network, device, process, and control to be PCI-compliant.
Windstream Enterprise’s SD-WAN solution is the first to achieve PCI DSS compliance, and is enabling retailers to simplify the process of satisfying that requirement.
Our SD-WAN solution’s PCI DSS compliance was recently confirmed by an independent, third-party Qualified Security Assessor (QSA) in the form of Windstream Enterprise’s Attestation of Compliance (AOC). Attaining PCI DSS compliance means that Windstream Enterprise can now provide an SD-WAN AOC report to every customer that adopts its SD-WAN solution.
Reducing the scope – and cost – of compliance audits
PCI compliance ensures that our SD-WAN solution meets PCI service provider requirements for credit card transactions and the transport of data. With compliance, we are able to reduce the scope and cost of PCI DSS audits that adopting retailers and their QSAs must perform.
Retailers who implement Windstream Enterprise SD-WAN can request an AOC and Windstream will deliver annual updates automatically in successive years.
It’s important to note that while the SD-WAN network itself is PCI-compliant, retailers that process credit cards must ensure that other networks, devices, processes, and controls connected to the SD-WAN, in addition to other systems that handle sensitive data, are also PCI-compliant.
End-user enterprises that don’t process credit cards benefit as well
Windstream Enterprise extends tremendous value to customers in all industries, and that includes the protection of sensitive data and the security of the solution. Whenever any consumer-facing enterprise incurs a network breach, its customers will always be understandably concerned about whether any of their own information was compromised. The protections built into our SD‑WAN offer assurance that those customers’ personal information, and the enterprise’s sensitive data within the SD‑WAN, are thoroughly protected.
While SD-WAN was designed to address the need to simplify network expansion, provide increased visibility and control, and reduce networking costs and downtime, attaining PCI compliance reinforces the security of the data inside the SD-WAN.
The headlines are so common that we all understand clearly: Cyberattacks have become a constant fact of life.
But with most of those headlines trumpeting attacks on major corporations and government agencies, it’s easy to overlook the fact that small to medium-sized businesses (SMBs) are also under attack – and typically are more vulnerable than larger enterprises. Consider:
What makes these businesses so vulnerable? Insufficient defense. SMBs too often leave network security to the firewalls that alone served so well years ago. Those days have passed.
Times have changed – dramatically
When firewalls became the standard network defense, there were no employee-owned smartphones on SMB networks, phishing was easy to spot, ransomware hadn’t been invented, and all applications ran locally.
Since then, the advent of cloud-based services, remote working, BYOD computing, and many other factors have exponentially increased SMB vulnerability. While firewalls are still a core protection element, they are no longer sufficient by themselves.
What’s an SMB to do?
Small to medium-sized businesses often feel hamstrung by limited IT staffs and budgets, and the sheer number of security solutions available can seem overwhelming. It doesn’t have to be that way.
For starters, not every business needs every defense. A thorough audit of your risk level, potential security weaknesses, and security readiness can reveal where you’re in good shape, and what deficiencies you need to correct – which can often be handled cost-efficiently by a managed service.
Correction may include a managed firewall built for current realities, and perhaps a managed cloud firewall, and DDoS mitigation as well. It may mean beefing up email and web security. If you have remote workers, you may need more secure VPN access that connects them to your network. You may also opt for unified threat management. The right combination of security solutions depends on current vulnerabilities and needs specific to your business.
Regardless, you do need protection from breaches and the dire consequences that can follow. The best place to start is by contacting a provider of managed network security services that is highly adept at keeping SMB networks like yours thoroughly secure.
I don’t normally talk about product releases in my blog posts, but the new SD-WAN Cloud Connect service that Windstream Enterprise recently unveiled is something I’ve been championing for months.
Because for me, SD-WAN Cloud Connect is game-changing in its marriage of software‑defined WAN and cloud based applications. We’re finally getting to the core purpose of networking: Extending every application in an enterprise to everyone who needs access to it, efficiently and economically.
Created in a partnership by Windstream Enterprise and VMware NSX (formerly VeloCloud), SD-WAN Cloud Connect’s breakthrough is that it connects every network location in an enterprise to the cloud-based applications run by that enterprise – and provides the end-to-end visibility and control enterprises have come to expect from an SD-WAN.
In doing so, it answers long-standing enterprise needs for agility, affordability, visibility, and control with highly secure access to leading cloud service providers over public Internet.
How the technologies combine to make it work
With SD-WAN Cloud Connect, a virtual Windstream SD-WAN edge device at the cloud service provider (CSP) becomes another location on the SD-WAN. This location is then linked directly to all other sites, putting those apps closer to end users to decrease latency. The SD-WAN technology provides the security and application performance that an Internet-only connection can’t deliver on its own. Then, adding a secondary connection to the SD-WAN Cloud Connect edge device virtually eliminates downtime for mission-critical, cloud-based apps.
Finally, adopting enterprises have the option of self-installing or engaging Windstream Enterprise’s Professional Services to spin up the virtual SD-WAN Cloud Connect edge device on a server at the CSP. Once the install is complete, Windstream Enterprise activates the edge device, making it part of the network, and manages that location as part of a fully managed SD-WAN Concierge solution. The SD-WAN Cloud Connect location appears in the SD-WAN Management Tool with the same levels of visibility and control as any other SD-WAN location.
A new level of network access to applications
As a champion of advanced networking benefits, this approach to application availability gets me pumped in multiple ways:
The best new products are those that make it possible to do something you couldn’t easily do before – if at all – and to do it elegantly, efficiently, and cost-effectively. That absolutely describes SD-WAN Cloud Connect. If you’ve been looking for the ultimate in cloud connectivity, be sure to check it out.
At the beginning of this year, I wrote a looking back/looking ahead blog post titled 2017: The year SD-WAN caught fire – get ready for more to come. Seems natural for someone with the job title “Vice President for SD-WAN,” right?
So, how did the looking ahead portion pan out?
In comparing that year-end blog post with what I’ve seen in the first half of 2018, it seems I got much of it right, and some not quite right, with a few surprises popping up. As I always strive to be a technology realist, here’s my updated take on the state of affairs for SD-WAN.
SD-WAN is moving front and center
Consistent with my earlier assessment, all indications are that SD-WAN remains “on fire.” We’re seeing solid increases in new deployments, month-over-month and quarter‑over‑quarter. Those increases are coming across multiple verticals, too. There’s the expected embrace of SD-WAN in retail, healthcare, and finance, with manufacturing, professional services, and pretty much every other vertical market following suit. That means SD-WAN isn’t just gaining—it’s heading toward mainstream status.
But MPLS is far from dead
I didn’t state this in my previous post, but I assumed the ascent of SD-WAN would balance with a march toward the sunsetting of MPLS. Not so! The need for private network connections endures for many enterprises, where MPLS is finding a comfortable home in hybrid networks. Many customers are downsizing their MPLS circuits by perhaps 50 percent, adding broadband and cellular, and implementing SD‑WAN to control it all. That’s one of many aspects where SD-WAN shines: It provides uniform control of diverse connections – while delivering visibility and control that wasn’t possible with straight MPLS.
Approaches to management are diverging
Regarding the best use of SD-WAN’s higher level of visibility, two camps are emerging:
It doesn’t have to be either-or, and providers have a clear opportunity to provide a “co‑management” bridge between DIY and managed service. All SD-WAN customers can exercise the increased visibility and control to their degree of comfort as they gain hands-on experience. Those who opt to take fewer control actions still retain the ability to jump into the portal when they want to see what’s happening. The Windstream Enterprise solution provides this co-management ability that is really resonating with our customers.
A word about security, which goes hand-in-hand with SD-WAN
SD-WAN security, which goes beyond site-to-site security and data encryption, is top of mind for most buyers. There’s also the need to protect network assets now that more of the network operates over the Internet. There are multiple ways to address this, and it’s really a topic unto itself which I covered here. Bottom line: Software-defined networking (SDN) is infinitely more flexible than legacy models, offering an array of security options that should be reviewed with any SD-WAN vendor under consideration.
Lightweight SD-WAN for SMBs? Not exactly….
Six months ago, I expected to see the near-term emergence of stripped-down versions of SD-WAN for smaller enterprises, which typically don’t need the full set of features and functions in most standard offerings. What we’re actually seeing instead are vendors of firewalls, load-balancing solutions and more promoting SD-WAN as a new feature of the narrow services they already offered. Rather than the pure SD-WAN technology vendors trying to move into the SMB space, these other vendors are stepping up into SD-WAN. SD-WAN as an enhancement to an existing platform, and not a product unto itself, is what’s emerging instead of “SD-WAN light.” This isn’t to say that every company marketing its capabilities as “SD-WAN” is actually providing SD-WAN, however, and buyers should educate themselves to really understand if it’s SD-WAN or something masquerading as SD-WAN.
Universal CPE is coming, but not as fast as I expected
Another development that isn’t coming along as quickly as I anticipated is the introduction of “white box” or universal CPE. The big hardware companies are moving in that direction, but slowly, mainly due to issues with pricing models and figuring out what it means to be a software company. A company that has been selling a $1,000 solution consisting of $700 in software and $300 for hardware can have a hard time switching to $700 total for an all-software solution – whether or not there is profit in the hardware (as most would say “we aren’t in the hardware business anymore, it’s just a platform to deliver the software”), that $300 shows as top-line revenue. The use cases are out there, but hardware companies will need to approach pricing with a software mindset.
Service providers building their own platforms
On a final note, here’s one development I intentionally skipped over in my previous blog post. We’re hearing a good deal of buzz about service providers building their own SD‑WAN platforms, rather than reselling platforms from third-party vendors. It’s driven by the need to differentiate service offerings, plus the opportunity for tighter integration with cloud provider infrastructure.
As a pathfinder and SD-WAN leader, Windstream Enterprise will continue to differentiate its services to maintain a leadership position. When I’m asked whether Windstream Enterprise plans to develop its own platform, I always say we will do what’s best for the market and for our customers, and that’s the truth. Time will tell where it goes!
Prior to SD-WAN, multi-location enterprise networks needed to rely solely on local protection at the branch office level from a data security perspective. This typically meant point security appliances at the network boundary in the branch office, which combine functionality including firewalls and unified threat management for local use (content filters, data loss protection, data encryption services, etc.). Moving to SD-WAN introduces new options for taking on typical multi-office network security challenges. Following is a summary of those challenges, and an explanation of how SD-WAN, along with other security solutions, can help mitigate them.
SD-WAN faces multiple branch office security challenges
Most distributed enterprises manage their security infrastructure internally or work with a managed security service provider (MSSP). Despite these best efforts, they face a variety of complex challenges when using multi-point solutions to provide comprehensive security at branch offices, including:
How SD-WAN can help boost branch security
Software-defined technology introduces the concept of network function virtualization (NFV). This includes security functions and service chaining, which enables multiple functions to be linked together for servicing specific network connections. Thus, software-defined technologies can deliver seamless security across branch offices in a way that is painlessly managed within a centralized approach by a service provider, or from the data center. This allows network and security functions to migrate away from hardware point solutions to their virtualized software-based counterparts, improving security integrity across all locations. This makes them easier to define, deploy, and manage at the branch, and to update, upgrade, or replace when changes are required. Using data centers at the network core makes it easier and more affordable to update branch office security models.
This introduces a potential cloud-based approach to security, featuring a high-function, next-gen virtualized firewall (NGFW) that runs at the network core. Once configured and tuned for the specific apps used in the enterprise, this NGFW can be service-chained into SD-WAN connections to as many branch offices as desired. Such core-based solutions may pose some of the latency issues noted in the preceding “enterprise challenges,” so IT must be selective about how and when they’re used.
SD-WAN and “security classes”
For example, in a location where the application and traffic includes both A) customer records and transactions, and B) guest or visitor WiFi, it makes sense to differentiate the traffic by “security classes.” More sensitive customer records and transactions would be routed through the service chained NGFW functions to ensure the highest level of security, while less sensitive traffic in the “guest WiFi class” could make use of local security appliances.
This kind of configuration would require an enterprise to carefully consider and evaluate “security classes” for branch office traffic, and impose policy and technical controls to ensure traffic and apps are treated appropriately by “security class.” Service providers can help by describing hosted security options and demonstrating how customers can segment traffic to use or bypass the various security functions they provide.
Using SD-WAN, customers can maintain communication confidentiality through encrypted tunnels between branch offices, and improve the integrity of security and business policies through centralized policy management. They can also improve network availability by seamlessly utilizing multiple access paths and path conditions to avoid service interruptions. Confidentiality, integrity and availability are the three main factors in developing and maintaining a secure network.
Much of this may be new to many people, so feel free to bring your thoughts and questions to our team at Windstream Enterprise anytime so we can add further explanation about what SD-WAN can do to enhance security.
Welcome to the age of AI. It’s the dawn of an era that will change everything, enabling amazing advances in science, medicine, business, and life itself.
Yes, you’ve likely read this same sentence, in one form or another, for the last 20 years. For nearly as long as we’ve had computing, there have been periods of AI hype mixed with progress, followed by … What happened? But this time, consider that in the past few years we’ve experienced:
In addition, the computing industry is developing a roadmap to address AI challenges relating to education and talent, ethical concerns, overall digital momentum, and the drive to apply AI and its sibling, machine learning, towards innovation in the customer experience.
Enterprises are aligned with AI
Optimism among business and IT leaders regarding AI and machine learning and their impact on digital transformation is stronger than ever. The Accenture Technology Vision 2016 survey of 3,100 business/IT execs in 11 countries found that 70% of organizations are investing significantly more in AI compared to three years earlier. In a recent Infosys poll of 1,600 senior business decision-makers, 76% said that AI is fundamental to the success of their organization’s strategy.
What’s driving these trends is that to compete in the cloud economy (and with the likes of the tech powers mentioned above), companies must deliver a customer experience (CX) that transcends channels and is fast, reliable, personalized, mobile, seamless, and secure. This demand reaches into virtually every industry with research by a myriad of analysts reporting a vast majority of organizations believe that CX will be their primary basis for competition in the next few years.
A looming bottleneck
Improving the customer experience for competitive advantage requires learning from oceans of data on the back end, while providing a seamless customer experience up front (something we’re doing ourselves to drive our own CX). All of this adds tremendous stress to the network, with specific implications regarding performance, reliability, bandwidth, security, resiliency, visibility, and control.
And it’s only going to get worse, with a new generation of bandwidth-hungry customer/user experience-enhancing technologies and apps (AR, VR, etc.) about to crash the network party. When it comes to supporting enterprise AI with network infrastructure, it’s like when Chief Brody said to Captain Quint after his first up-close look at the Shark in Jaws: “You’re gonna need a bigger boat.”
When it comes to AI and enterprise networks, “you’re gonna need a bigger boat.”
Jaws™ image © Universal Studios
The essential problem is that traditional networks were developed for a vanishing enterprise technology landscape. Left unaddressed, this will at best lead to annoying bottlenecks. At worst, it could bring a swift end to AI and IT digital transformation initiatives that overpromised and under-delivered.
To run at AI speed, networks need to adapt
To deliver the promise of Machine Learning AI, networks must enable vast amounts of data to be instantaneously gathered, transferred to the cloud, analyzed, retrieved, and then applied wherever work is to be accomplished. All in a blink of the eye. This presents substantial challenges, as the solution may fail if the data is inaccurate, incomplete, or delayed.
This will require a new type of network infrastructure that provides:
In other words, it sounds like a job for SD-WAN.
This is why the growth profile and maturity/adoption curve for SD-WAN – which IDC estimates will see a compound annual growth rate of 69.6% and become an $8.05 billion market 2021.
WE’s SD-WAN architecture is designed to deliver the cloud performance and reliability that applying AI to CX in real time demands
Is your network AI ready?
If you have not already done so, it’s time to begin preparing your enterprise network for AI. The starting point is to answer four key questions:
These are tough ones to answer for a lot of organizations. To make sure you address them properly, and to be sure your network is ready for the data tsunami that will accompany the artificial intelligence era, it is essential that you step up your investigation soon. SD-WAN is a great place to start. A conversation with a cloud/AI ready network provider might be even better.