ACCELERATE YOUR TECH GAME | A ZDNet Multiplexer Blog

Modern wide area network architectures demand a new approach to security

It doesn't seem like that long ago when corporate networks were relatively simple, and important data rarely left the building where it was created and used.

Today, however, corporate networks are incredibly complicated. The data centre is now usually off-premises, corporate-owned applications have made their way into the public cloud, and staff are using multiple Software as a Service (SaaS) applications.

Branch offices have proliferated and their demands for network connectivity have grown to incorporate critical links to systems such as PoS (Point of Sale) and video collaboration. COVID-19 has meant that what might have once been a small group of remote road warriors has been joined by a larger cohort of work-from-anywhere workers, some of whom may never return to the office.

The result is that wide area networks have evolved quickly, and the systems used to secure them must also keep up.

The traditional security model of having all traffic run back through a central data centre and corporate firewall simply can't meet the performance demands of users, especially those who work more with cloud services than apps in a data centre. Users need flexible and high-performance connections to the applications that matter, and this demands a new way of looking at securing them.

For many organisations, this means taking a decentralised approach to security, where the focus shifts from the core to the edge.

This architecture has been labelled by Gartner as Secure Access Service Edge (SASE), and describes a security architecture that calls upon both cloud-based security services and software-defined wide area networking to ensure that users remain secure no matter where they are connecting from, or on what device.

Removing the security bottlenecks

One of the key advantages of the SASE approach is that it removes the bottleneck of a centralised firewall and improves network performance for users. Security is provided instead through a combination of cloud-native services that enable actions such as inspection and DNS (Domain Name Server) to take place at the network's edge.

At Cisco, one of the key tools enabling SASE is Cisco Umbrella, a cloud-based Secure Internet Gateway (SIG) platform that provides multiple levels of defence against Internet-based threats. Umbrella integrates secure web gateway, firewall, DNS-layer security, and cloud access security broker (CASB) functions into a single platform, effectively replacing the centralised firewall with a concept best described as 'distributed firewalling' out to devices across the wide area network.

The second key concept of SASE is that of identity management, to ensure that remote users are who they claim to be. Cisco's approach to identity is based around zero trust network access using the multifactor authentication tool Cisco Duo, which verifies users' identities and establishes device trust before granting access to protected applications. Using Duo it is even possible to identify a user before they type in their name and password by first profiling the device they are using.

Intelligent security in the wide area network

What pulls the SASE concept together is the network that underpins it. By adopting a software-defined wide area network (SD-WAN) architecture, an organisation can not only gain full visibility of its network, but also achieve unprecedented flexibility to manage and change connections at will.

The incorporation of SaaS-based digital experience monitoring from ThousandEyes (a network monitoring tool) provides full oversight of network infrastructure and application delivery, all the way through to Layer 7 of the network stack, to ensure the best possible experience for users.

The Optus SD-WAN offering incorporates a sophisticated control panel that enables network controllers to monitor all points on the network and instantly respond to changes in service demand. As a full-service carrier, Optus has the capability to provide a variety of internet connectivity options. These include the ability to incorporate technologies such as 5G gateways as either primary or redundant links*.

Optus is also introducing licensing as a service, which will give users the flexibility to scale up and manage demands once they have purchased their hardware.

As part of the Optus Liquid Infrastructure solution, new overlay services are constantly in development, including security services that can be procured from within the platform itself – all from a single-pane-of-glass management console.

Security for a dynamic, distributed world

As the world emerges from the COVID-19 pandemic, one thing that is certain is that the needs of corporate networks won't become any less complex. The growth of distributed cloud architectures ensures that network managers will need to work hard not only to maintain network performance, but to ensure those connections remain secure.

The SASE approach is proving highly relevant as it provides overlay protection for users that secures them no matter where they are or what device they are on. The combination of SD-WAN networking provides 360-degree protection in terms of identifying users and authenticating them and the device they are on with a high level of visibility.

In a world where hybrid working reigns supreme, and where corporate assets are now distributed across a range of locations, new solutions are needed to ensure that performance doesn't compromise security, and vice versa. The old way of bolting together different applications to perform specific functions can no longer keep up with the needs of a world where demands are changing quickly.

A more integrated approach is needed. By adopting the SASE approach, organisations get the performance that users crave while elevating their security practices to the latest in cloud-based services.

For more information visit optus.com.au/enterprise/networking

* 5G available in selected areas & actual speeds may vary. See optus.com.au/5gcoverage