Mar 31, 2022

VPN: Moving Beyond for Secure Remote Access


In our previous posts in this series, we’ve given a brief overview of the two dominant technologies for secure remote access today: IPsec and SSL VPNs. While both can be used to support remote workers (or the “branch of one”) and a workforce distributed amongst remote offices, it’s far more common to use IPsec VPNs for branch offices with multiple users, and SSL VPNs for individual remote workers.

Due to a very large installed base and the costs associated with re-training end users, IPsec and SSL VPNs are likely to remain in use for the foreseeable future. However, with an evolving threat landscape and increasingly distributed workforce – coupled with exploding cloud adoption – it’s pretty obvious that a traditional perimeter-based strategy for network security will soon cease to be adequate.

Industry analyst firm Gartner has proposed the Secure Access Service Edge (SASE, pronounced “sassy”) as the logical successor to current secure remote access technologies. The SASE umbrella includes SD-WAN, secure web gateways, cloud access security brokers, zero-trust network access (ZTNA) and firewall-as-a-service (FWaaS) in a flexible and extensible cloud-based group of services.

While immediately reaching SASE may seem like an unattainable goal, especially given the extensive VPN infrastructures many companies have already deployed, in reality it is envisioned as a process rather than a full rip-and-replace operation. Technologies are available today to get started, and they can be overlaid on existing architectures to bolster security and prepare for the future. Here are a couple of examples.

SD-WAN and Existing VPN Infrastructures

While the concept of software-defined wide area networking (SD-WAN) has been around since at least 2014, industry analyst firm IDC predicts an astonishing market growth of more than 30 percent from 2017 to 2023. According to IDC, driving factors include SD-WAN’s support for SaaS and multi-cloud environments, as well as its ease of management and higher performance.

SD-WAN can easily co-exist with legacy IPsec and SSL VPNs and allows use of multiple less-expensive broadband links rather than pricey MPLS, while providing increased security, zero-touch deployment and centralized management. Another important benefit is SD-WAN’s ability to use mobile 3G/4G/5G data links, which can provide continued connection in the event of a natural disaster that disables landlines.

With the right SD-WAN solution, you can start the migration to SASE now, while gaining the ability to see all the way to the distributed edge, understand which applications are running, and act to prioritize and secure traffic appropriately. A secure SD-WAN solution will help set a security-based foundation that is cyber-resilient and able to endure waves of threats. See Hillstone’s SD-WAN white paper for a comprehensive overview.

ZTNA Bolsters Edge Security

ZTNA, another component of the SASE architecture, is a further logical step to take today to augment existing VPN infrastructure and prepare for the future. We’ve written fairly extensively on ZTNA in our past blogs because we believe it’s critical in securing the ever-expanding perimeter engendered by the COVID pandemic and other forces.

The mantra of ZTNA is ‘never trust, always verify’ – in other words, to grant only the precise level of access and authorization needed by a given user, regardless of their physical or network location, or whether the device requesting access is owned by the enterprise or the individual.

While IPsec and SSL VPNs each have their own levels of authentication, ZTNA adds another layer of security that can help ensure that no user or device is considered ‘trusted’ until it is fully authenticated, and that the access granted is limited to only resources that are allowed. Furthermore, ZTNA transcends the physical network to encompass the cloud, data center, SaaS and other assets.
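To make the ‘never trust, always verify’ rule concrete, here is an added example (not Hillstone code, and not taken from any product) of a deny-by-default access decision in the spirit of ZTNA: every request must carry a verified identity, the requesting device’s posture is checked against the sensitivity of the resource, and the user must hold a role explicitly granted for the exact action, regardless of whether the request arrives from the corporate LAN, a home network or a mobile link. The users, roles, resources and posture fields are constructed for illustration.

```python
"""Minimal zero-trust access decision (added illustration, not product code).

Each request carries an identity, a device posture and a target resource.
Network location is recorded but never used to grant access.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool          # enterprise-owned (True) or personal/BYOD (False)
    disk_encrypted: bool
    patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool     # identity verified on *this* request
    device: Device
    resource: str
    action: str            # "read" or "write"
    source_network: str    # "corp-lan", "home", "mobile": informational only


# Constructed policy: resource -> action -> roles permitted for that action
RESOURCE_GRANTS = {
    "hr-portal":  {"read": {"hr", "manager"}, "write": {"hr"}},
    "git-server": {"read": {"engineer"}, "write": {"engineer"}},
    "finance-db": {"read": {"finance"}, "write": {"finance-admin"}},
}

# Constructed directory: user -> roles held
USER_ROLES = {
    "alice": {"engineer"},
    "bob": {"hr"},
    "carol": {"finance", "manager"},
}

# Resources that require a managed, healthy device even for read access
SENSITIVE = {"finance-db", "hr-portal"}


def evaluate(req: Request) -> tuple:
    """Return (allowed, reason). Deny by default; every check must pass."""
    # 1. Identity is verified on every request; source_network is ignored.
    if not req.mfa_verified:
        return False, "identity not verified with MFA"
    roles = USER_ROLES.get(req.user)
    if not roles:
        return False, "unknown user " + req.user

    # 2. Device posture: sensitive resources need a managed, healthy device;
    #    any resource refuses an unpatched device.
    d = req.device
    healthy_managed = d.managed and d.disk_encrypted and d.patched
    if req.resource in SENSITIVE and not healthy_managed:
        return False, "device posture insufficient for sensitive resource"
    if not d.patched:
        return False, "device unpatched"

    # 3. Least privilege: the user must hold a role granted for this exact
    #    action on this exact resource; no broader access is implied.
    grants = RESOURCE_GRANTS.get(req.resource)
    if grants is None:
        return False, "no policy for resource " + req.resource
    if roles & grants.get(req.action, set()):
        return True, f"{req.user} granted {req.action} on {req.resource}"
    return False, f"{req.user} lacks a role permitted to {req.action} {req.resource}"


if __name__ == "__main__":
    corp_laptop = Device(managed=True, disk_encrypted=True, patched=True)
    home_pc = Device(managed=False, disk_encrypted=False, patched=True)
    # Being on the corporate LAN does not substitute for verified identity.
    print(evaluate(Request("alice", False, corp_laptop, "git-server", "read", "corp-lan")))
    # Verified identity, healthy device, granted role: allowed from anywhere.
    print(evaluate(Request("alice", True, corp_laptop, "git-server", "write", "home")))
    # Right role, wrong device posture for a sensitive resource: denied.
    print(evaluate(Request("carol", True, home_pc, "finance-db", "read", "mobile")))
```

The ordering of the checks matters less than the fact that none of them can be skipped and that the default outcome is denial; a real ZTNA broker would also re-evaluate posture continuously rather than once per request, and would source the roles and device state from the identity provider and endpoint management system rather than from in-memory tables.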

While adding another layer of complexity may seem tedious, this layered security is what contributes to a cyber-resilient security infrastructure. Nowadays, attacks are multi-layer and multi-stage. Malicious methods of attack, such as DDoS, are oftentimes used as a smokescreen to mask the true threat. We believe that SD-WAN, ZTNA and SASE are the way forward as security teams are challenged with a rapidly evolving threat landscape and a mushrooming network perimeter. To learn more about Hillstone’s solutions and how they can help support the transition to SASE, contact your local Hillstone representative or authorized reseller today.