When is SD-WAN Zero Trust and When is it Not?

Originally published by CXO REvolutionaries.

Written by Gary Parker, Field CTO - AMS, Zscaler.

Deploying a standalone SD-WAN might seem reasonable given the way workers connect today. Many of today's knowledge workers are returning to branch offices, while others still work remotely more often than not. Hybrid work, at first forced on us by the pandemic and then gradually embraced by many organizations, is something organizations will continue to grapple with for some time.

For most organizations, recreating the corporate data center security stack at each of these branch locations is prohibitively expensive. But backhauling traffic back to that data center introduces performance degradation and increases usage costs. SD-WAN, on the other hand, allows companies to utilize multiple forms of connection – MPLS, LTE, broadband – for more efficient routing.

Our apps, too, have largely migrated outside the corporate data center. They are even less likely to return than workers. Here, too, SD-WAN has its advantages. Whereas traditional networking would again require backhauling traffic through the data center before reaching out to the cloud, SD-WAN enables direct access to cloud-native apps, but could skip the security capabilities of our perimeter protection if routed directly to SaaS applications or to the internet.

Of course, so far we’ve been applauding SD-WAN for its simplicity and cost-effectiveness, with nothing to say about security. In the early days of SD-WAN, VPNs linking various networks were the preferred method for securely connecting off-site and branch-based users back to the corporate network. But many security practitioners are souring on VPNs as a secure connectivity method. One rarely needs to go far back into the infosec news cycle to find the latest example of a VPN-enabled vulnerability.

The bigger problem, though, at least for CXOs prioritizing their secure digital transformation, is that VPN connectivity is fundamentally incompatible with zero trust principles. This is because they extend routable networks – and therefore the attack surface – to all connected devices and locations. This can enable lateral movement by any intruder who is able to compromise a VPN-enabled user’s account, whether the device is managed by the organization or not. Additionally, like backhauling, VPNs often introduce significant performance issues.

When we consider VPNs inherent vulnerabilities, attack surface exposure, and performance issues, they’re simply not a viable option in today’s digital workspace.

SD-WAN, sans trust

The benefits of SD-WAN are undeniable. But, without being incorporated within a broader zero trust framework, cost offsets and performance efficiencies bring with them unacceptable security gaps. Implementing an SD-WAN via a direct-to-cloud proxy architecture eliminates the need to extend the network, and the attack surface, for site-to-site or cloud application access.

Cloud-based proxies are able to replicate, and often replace, the traditional perimeter security appliances while providing the same, or better, security capabilities. An expanded roster of solutions including SWG and CASB can be deployed via the SASE model. Additionally, cloud proxy providers are able to provide the services at scale, which enables agility for organizations looking to grow organically or through M&A. The cloud-based proxy architecture also has the added security perk of allowing organizations to incorporate their servers and IoT/OT devices into their zero trust ecosystems.

For businesses relying on M&A transactions as a business strategy, zero trust SD-WAN using a cloud proxy also greatly simplifies the merging of disparate IT operations. Without zero trust SD-WAN, newly merged entities would be forced to reconcile overlapping IPs, competing VPNs, and a host of other complexities that can threaten to derail integrations.

If you find yourself answering yes to the following questions, you’ve likely implemented SD-WAN outside of a zero trust framework:

• Are you enforcing traditional castle-and-moat, perimeter-based security to secure users and applications?
• Do your users rely on VPNs to establish remote connectivity? Do branches rely on VPNs for site-to-site connectivity?
• Are you unable to manage the device status of your IoT/OT devices?
• Are overly broad access policies contributing to unwanted application access?
• Do you struggle to meet time-to-value and synergy goals during mergers and acquisitions?

SD-WAN can be a transformative tool given the realities of digital business today. But, when implemented outside of a true proxy-based, zero trust framework, it can contribute to as many problems as it solves. Make sure any SD-WAN is implemented within a broader zero trust framework, or you’ll carry over many of the issues inherent to routable networks.