One of the biggest challenges security managers and CISOs have historically faced is being asked to secure a network environment only after it has already been built. Adding security to an existing infrastructure brings a variety of challenges, including mapping security functionality onto the networking requirements, maintaining network performance, and creating a cohesive management strategy that doesn't add unnecessary overhead to an already overburdened security team.
The limitations of deploying security after the fact
Until recently this approach, while less than ideal, was workable, because the underlying networks being protected were relatively static and perimeters were clearly defined. That has changed. Today's networks are highly flexible and in constant flux. Connections are often ad hoc, applications and workflows need to span multiple networking environments, and perimeters are being replaced by new multi-cloud and WAN edge environments.
Trying to add security after the fact in such environments is far more difficult, and far more likely to introduce security gaps and blind spots. Worse, security can only operate in a reactive mode, trying to adapt to rapid network changes that affect policy, access, and enforcement in real time. On top of that, many available security tools are simply not able to keep up with today's network performance requirements, especially since the majority of traffic that needs inspection is now encrypted.
A new approach is needed
Clearly, this is not a sustainable strategy. Instead, new business initiatives need to start from a security foundation built around a fabric-based framework that ties all security elements into a single whole and can be extended to every network permutation: branch offices and remote retail locations, remote workers, and multi-cloud networks. This approach provides automatic adaptability and scalability, consistent enforcement across all locations and form factors, seamless communication and event correlation, and single-pane-of-glass management.
For true adaptability, the next step is to weave that security fabric directly into the network fabric. By integrating security into the network elements themselves, security can adapt to network changes in real time, see and manage risk across the whole network, and improve efficiency by extending a single security solution across all network edges, including core campus and data-center networks and branch offices, together with dynamic support for cloud security as a fully integrated component of the cloud on-ramp strategy.
The security-driven network
This deep integration is essential for establishing a security-driven network strategy. With it in place, networks can be changed, transformed, and extended into virtually any environment with security already fully integrated. Applications and workflows can be secured automatically regardless of their data paths, access can be dynamically managed and orchestrated even in the most dynamic virtual environments, and encrypted traffic can be inspected and analyzed at network speeds.
The key technologies needed to enable this vision include:
- High-performance physical and virtual security processors that accelerate networking and security functions, so that the solution scales dynamically to meet critical throughput demands. These purpose-built processors also need to deliver SSL/TLS inspection performance that does not create business bottlenecks.
- Optimized firmware designed to support a wide range of networking and security use cases, exposing APIs and other common standards so that the broadest range of network security functions can be delivered on one platform, including NGFW, SD-WAN, IPS, internal segmentation firewall (ISFW), and more. As far as possible, such an approach should reduce or consolidate point-product vendors to eliminate the problems of solution sprawl. It should also enable granular, single-point management, policy distribution, orchestration, event correlation, configuration assessment, and unified enforcement, and help maintain compliance standards.
- Security and network access controls that are integrated into wireless access points and wired Ethernet switches, so that security-driven networking functionality extends securely across the campus, out to the branch WAN edge, and deep into the local branch network.
Starting with security enables rapid network transformation
Such an approach significantly simplifies the creation and deployment of security across a variety of scenarios, reducing cost and complexity, improving risk management, and protecting critical business applications. Rather than deploying, for each new networking project, multiple point products that do not share threat intelligence with one another, security teams can use the security fabric to consolidate security functions and streamline operations automatically.
Likewise, a security-driven networking approach better addresses the challenges of the expanding attack surface, from mobility to multi-cloud adoption. By intelligently and dynamically segmenting users, devices, and applications regardless of their location, organizations can ensure consistent protections, prevent lateral movement, and contain security events within a controlled area.
Finally, the rising share of encrypted traffic flowing through networks creates serious blind spots. By deploying integrated security solutions that can inspect encrypted traffic at network speeds, organizations gain visibility into encrypted flows and can better protect business-critical applications, sensitive data, and other resources. Note that inspecting encrypted traffic means decrypting it inline, which requires endpoints to trust the inspecting device's certificate authority and raises privacy and compliance questions that need to be settled before inspection is switched on.
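The segmentation point above is easier to see in a concrete policy model. The following is an added illustration, not code from the original article or from any vendor product: it sketches an identity-tag-based segmentation policy in which endpoints are matched on segment and application identity rather than on IP address or site, traffic between segments (and even within one) is denied by default, a failed device posture check blocks access, and an endpoint tied to a security event is moved into quarantine so it can no longer reach anything. Segment names, endpoint names and the sample rules are constructed for the example.

```python
"""Tag-based microsegmentation policy check (added illustration, constructed data).

Assumptions not taken from the article: endpoints carry a segment tag and a
posture flag; rules match (source segment, destination segment, application)
rather than addresses, so an endpoint gets the same decision at any site; the
default between and within segments is deny; quarantine is a per-endpoint
override that wins over every allow rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    segment: str          # identity tag, e.g. "branch-pos" or "hr-app"
    site: str             # recorded, but deliberately ignored by the policy
    posture_ok: bool = True


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    app: str              # application identity (e.g. "tls-payment"), not a port
    require_posture: bool = True


class SegmentationPolicy:
    def __init__(self, rules):
        self.rules = tuple(rules)
        self.quarantined = set()

    def quarantine(self, endpoint_name):
        """Isolate an endpoint after a detection; overrides every allow rule."""
        self.quarantined.add(endpoint_name)

    def allows(self, src, dst, app):
        """Return True only if an explicit rule permits src -> dst for app."""
        if src.name in self.quarantined or dst.name in self.quarantined:
            return False
        for r in self.rules:
            if (r.src_segment, r.dst_segment, r.app) == (src.segment, dst.segment, app):
                if r.require_posture and not src.posture_ok:
                    return False  # known device, but out of compliance
                return True
        # Default deny. Note that same-segment traffic (e.g. POS to POS over
        # SMB) is not implicitly trusted: that is exactly the lateral-movement
        # path segmentation is meant to close.
        return False


def demo():
    """Run the constructed scenario and return the decisions as a dict."""
    policy = SegmentationPolicy([
        Rule("branch-pos", "payment-gw", "tls-payment"),
        Rule("hr-users", "hr-app", "https"),
    ])
    pos1 = Endpoint("pos-1", "branch-pos", site="store-12")
    pos2 = Endpoint("pos-2", "branch-pos", site="store-12")
    pos_remote = Endpoint("pos-9", "branch-pos", site="store-40")
    pos_bad = Endpoint("pos-3", "branch-pos", site="store-12", posture_ok=False)
    gateway = Endpoint("pay-gw", "payment-gw", site="dc-1")
    hr_app = Endpoint("hr-app-1", "hr-app", site="cloud-east")

    results = {
        "pos_to_gateway": policy.allows(pos1, gateway, "tls-payment"),
        "remote_pos_to_gateway": policy.allows(pos_remote, gateway, "tls-payment"),
        "pos_to_pos_smb": policy.allows(pos1, pos2, "smb"),
        "pos_to_hr_app": policy.allows(pos1, hr_app, "https"),
        "noncompliant_pos_to_gateway": policy.allows(pos_bad, gateway, "tls-payment"),
    }
    # An IDS event names pos-1; isolate it and re-check its previously allowed flow.
    policy.quarantine("pos-1")
    results["quarantined_pos_to_gateway"] = policy.allows(pos1, gateway, "tls-payment")
    return results


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow:32s} {'ALLOW' if allowed else 'DENY'}")
```

The two things worth noticing are that `pos-9` in a different store gets the same answer as `pos-1`, because the rule keys on the segment tag and never on the site or address, and that POS-to-POS SMB is denied even though both endpoints sit in the same segment, which is what stops a compromised terminal from walking across the branch.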
SD-WAN connections, next-generation branch offices, and cloud on-ramp projects are all areas that can be improved and optimized with a security-driven networking strategy.
An SD-WAN/SD-branch example
Branch offices and other remote locations need access to business-critical applications such as unified communications. Traditional MPLS connections can limit application performance and, in many cases, are prohibitively expensive. A security-based SD-WAN solution can use direct internet access (DIA) instead, combining built-in protections with advanced SD-WAN networking capabilities.
This approach eliminates the traffic backhauling that MPLS designs require and that degrades cloud application performance; it prioritizes business-critical applications and improves the overall user experience without compromising security. Because the security and networking functions are integrated, SD-WAN connections can be controlled through a single management interface, which keeps the networking and security services in sync. That matters with DIA, since the branch is now directly exposed to the internet and the firewall, IPS and web filtering on the SD-WAN device become its perimeter. And by integrating secure SD-WAN with the wired and wireless access points inside the branch LAN, SD-WAN security can be extended into SD-Branch for deeper integration and consistent security.
Where to start
Organizations that want to get ahead of the security challenges created by rapid network transformation, and do so with limited security staff, need to do three things. First, ensure that the CISO and the security team are involved in business and network planning conversations from day one. Second, transition the existing security deployment to an integrated security fabric that can extend into every corner of the expanding network. And finally, look for solutions that enable deep integration between security and networking functions, to build a highly adaptable, dynamically scalable, and easily managed security strategy that grows and expands as the network evolves.