Combining SD-WAN and ZTNA is a No-brainer

BrandPost
Jul 06, 2022 | 6 mins
SD-WAN, Zero Trust

Like many of the most valuable advances, SD-WAN was the right solution at the right time. It enabled organizations to accelerate their digital transformation efforts by providing flexible, optimized access to critical applications and resources to workers in remote offices. Its advanced cloud on-ramp, application steering, and self-healing connections eliminated the need to backhaul application traffic through the core network due to rigid MPLS connections. It was the perfect complement to cloud adoption, supporting both corporate-based and SaaS applications.

SD-WAN and security

However, one of the biggest challenges from the start has been security. Many business-critical applications include proprietary information or conversations. Most are hosted in locations where other critical assets live, especially for applications deployed inside the corporate data center. Direct access to these resources from a remote location exposes the entire organization to risk.

But because SD-WAN connections are highly dynamic by nature, many legacy security systems are unable to keep up. Most security tools are designed to protect predictable traffic patterns from a fixed point in the perimeter. Building an SD-WAN solution directly into a security platform addresses this challenge. When SD-WAN operates as a fully-featured connectivity solution within a security framework, policy enforcement and deep traffic inspection can automatically adapt to connectivity changes while maintaining user experience.

The challenges of legacy VPN

A similar issue regarding secure access to cloud and data center-based applications has arisen. Traditional VPN technologies used to secure access to online resources are based on the principle of implicit trust. Once a VPN connection is made, the assumption is that all traffic crossing through that connection is secure. However, VPNs do not validate or inspect their traffic. They simply push it through.

Unfortunately, many cybercriminals were quick to exploit the flaw in that thinking. During the year following the transition to work-from-home sparked by the pandemic, for example, ransomware spiked nearly 11-fold. And it has largely remained at that level ever since while increasing in both virulence and sophistication. This was largely due to cybercriminals quickly pivoting from directly attacking networks to targeting often poorly secured branch offices and home networks and then hijacking their connections to corporate resources. Vulnerable VPN access is one of the most common ways hackers enter a network. Once inside, they often find they have free rein to move laterally across the network to seek out. This was the strategy used by the attackers who attacked Colonial Pipeline, using a compromised password and legacy VPN technology to gain access.

Switching from implicit to zero trust

Today, most cybersecurity professionals recommend replacing the implicit trust used by legacy VPN solutions with a zero-trust strategy. Zero-trust is based on the idea that any user or device may have already been compromised. Because of that, access to specific resources is restricted by default and only granted based on things like multi-factor authentication, device profiling, user rights, and corporate policy. And then, those connections are closely monitored, looking for any unexpected or unusual behavior so access privileges can be quickly revoked before any harm is done.

ZTNA (zero-trust network access) is a powerful alternative to traditional VPNs because it embraces that zero-trust model. Like a VPN, users and devices are carefully authenticated, and an encrypted tunnel to the destination is established. However, access rights are only granted to a specific application, eliminating the possibility of lateral movement. Access can also be restricted to a single session to further reduce the risk of a compromised user or device. All resulting traffic is then monitored to log, identify, and immediately respond to anomalous behavior.

Better together: SD-WAN and ZTNA

ZTNA can be especially useful in conjunction with SD-WAN to ensure secure access to remote resources that can be monitored and enforced. However, when securing remote application access, most organizations see SD-WAN and ZTNA as separate solutions. As a result, they often run into the same issues when using them together that they do with their legacy security solutions. The first part of the problem is that most ZTNA solutions are hosted in the cloud. For some SD-WAN deployments, that means routing traffic through another service before connecting to an application. This extra hop can defeat the value of essential SD-WAN functions like application steering, rapid on-ramp, and user experience optimization.

The other issue is that most SD-WAN and ZTNA solutions are either operated or were developed by separate vendors. This means that most ZTNA solutions will also struggle to adapt to the dynamic SD-WAN connections used to maintain application usage SLAs.

A better approach is to use a Secure SD-WAN solution with native ZTNA functionality built in. When ZTNA is part of the same security platform as the SD-WAN solution, whether deployed together on-prem as an appliance or in the cloud as a service, IT teams enjoy the best of both technologies. SD-WAN connections can be dynamically authenticated and secured, application traffic (even encrypted traffic) can be inspected, and connections can be logged or terminated when an unauthorized or unexpected cyber event occurs. And on the back end, all three solutions—SD-WAN for connectivity, ZTNA for secure access, and enterprise-grade security for traffic inspection and protection—can be configured, orchestrated, and managed using the same centralized console.

Convergence and consolidation are essential for today’s evolving networks

Managing today’s rapidly expanding and evolving networks requires tools designed to work together. The convergence of networking and security and the consolidation of security point products are vital for IT teams looking to accelerate digital transformation without compromising visibility or security. It’s why more than half of organizations today report they are moving away from a best-of-breed approach to an integrated security platform—with nearly 9 out of 10 cybersecurity professionals rating integration and interoperability as critical or important for the tools they purchase. For them, integration and interoperability are the new best of breed.

Implementing ZTNA and SD-WAN as a single, fully integrated solution just makes sense. As organizations make Work from Anywhere (WFA) permanent, they need reliable tools designed for the way they do business today. And those tools need to operate consistently wherever they are deployed, so every user and device is protected, user experience is secure and reliable regardless of location, and all applications, data, and workflows are protected end to end.

Learn more about Zero Trust Network Access solutions from Fortinet that secure access to applications anywhere, for remote users.