CIOs know that ubiquitous connectivity across domains—campus, branch, cloud, and edge; wired and wireless—is a baseline requirement for building a digital enterprise. But, as CISOs know, as the network fabric spreads to encompass devices and location-agnostic data and compute resources, the need for end-to-end integrated security is equally paramount. Add in the necessity to continuously monitor and maintain application performance throughout campus, branch, and edge locations, and you create an enormous workload for NetOps and SecOps teams. Often the result is a tug-of-war between the teams: one striving to keep the network optimized for performance and availability, the other striving to keep data, applications, and devices secure.
Conflict or Collaboration?
The problem of balancing the goals of NetOps with SecOps has a lot to do with how the network and all the connected devices and domains are being managed. Traditionally in NetOps, there have been separate consoles to configure, monitor, and analyze network domains – several for the data center, multiple for the campus wireless network, and still more for cloud, branch, and edge deployments.
Similarly, for SecOps to capture, log, and analyze traffic in all the various domains, network taps are installed where traffic enters and leaves each domain. SecOps carries the additional burden of retaining those traffic logs so that, after a breach or successful malware infection, the team can pinpoint the cause, show that appropriate remediation was taken, and prevent a recurrence.
Can NetOps and SecOps get to the point of collaboration instead of conflict? In fact, new cross-enterprise business initiatives are making collaboration a necessity.
Digital Transformation Projects Benefit from Unified Operations and Security
Deploying new multi-cloud applications or moving processes to the edge—retail outlets, branch offices, medical clinics—requires assurance that the network is responsive, always available, and secure. NetOps needs to work with Development teams to understand the network SLAs and cloud usage requirements of the new apps. SecOps needs to ensure that the proper network permissions, segmentation, and policies are applied to the network at application launch time. NetSecOps collaboration is key to deploying next-generation applications on time, with security and the required levels of performance.
Is there a technology platform that makes unification not only possible but also makes the transition a natural evolution rather than a forced organizational change? By combining a software-defined network fabric with single-console cloud management, SD-WAN can play a significant role in the unification of NetSecOps.
SD-WAN Unified Network Cloud Management for NetSecOps
A primary benefit of SD-WAN for unifying NetSecOps is the ability to provide a single, role-based management portal to configure and monitor network performance, segmentation, and security policies. Through the lens of SD-WAN cloud controllers, NetSecOps together can:
- Install and configure branch SD-WAN routers remotely with Zero Touch Provisioning (ZTP).
- Automatically route traffic through the most efficient and cost-effective path (MPLS, broadband, direct internet, LTE) using dynamic path selection.
- Manage performance, security, and access policies for cloud onramps to SaaS and IaaS-hosted applications.
- Set Quality of Experience (QoE) service levels for cloud and SaaS applications.
- Remotely configure and manage, at the branch level, the application-aware firewall, URL filtering, intrusion detection/prevention, DNS-layer security, and Advanced Malware Protection (AMP) that secure branch traffic using direct internet connections to cloud applications.
- Collaboratively configure segmentation rules that are uniformly applied across distributed locations to keep traffic separated—such as employee wireless access from payment system traffic—improving both performance and security.
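The dynamic path selection in the list above is a small constraint problem: each application class has loss, latency and jitter ceilings, each transport has current probe measurements and a relative cost, and the controller picks the cheapest transport that still meets the class SLA. The following Python is an added illustration of that logic, not code from this page or from any SD-WAN vendor; the transport names, measurements, SLA thresholds, cost weights and the lowest-latency fallback are constructed assumptions for the example.

```python
"""SLA-driven dynamic path selection across WAN transports.

Added illustration, not vendor code. Path measurements, SLA classes,
cost weights and the fallback rule below are constructed for this example.
"""
from typing import Dict, Tuple

# Constructed: latest probe measurements per transport. Loss is a percentage,
# latency and jitter are milliseconds, cost is a relative weight (lower is cheaper).
PATHS: Dict[str, Dict[str, float]] = {
    "mpls":      {"loss": 0.1, "latency": 35.0,  "jitter": 2.0,  "cost": 3},
    "broadband": {"loss": 0.8, "latency": 60.0,  "jitter": 35.0, "cost": 1},
    "lte":       {"loss": 2.5, "latency": 120.0, "jitter": 40.0, "cost": 2},
}

# Constructed: maximum acceptable loss / latency / jitter per application class.
SLA_CLASSES: Dict[str, Dict[str, float]] = {
    "voice": {"loss": 1.0, "latency": 150.0, "jitter": 30.0},
    "saas":  {"loss": 2.0, "latency": 200.0, "jitter": 50.0},
    "bulk":  {"loss": 5.0, "latency": 400.0, "jitter": 100.0},
}


def meets_sla(metrics: Dict[str, float], sla: Dict[str, float]) -> bool:
    """True when every measured metric is within the class ceiling."""
    return all(metrics[k] <= sla[k] for k in ("loss", "latency", "jitter"))


def select_path(app_class: str, paths: Dict[str, Dict[str, float]]) -> str:
    """Pick the cheapest transport that meets the class SLA.

    Fallback (an assumption of this example): if no transport meets the SLA,
    forward over the lowest-latency one rather than blackhole the traffic.
    """
    sla = SLA_CLASSES[app_class]
    eligible = [name for name, m in paths.items() if meets_sla(m, sla)]
    if eligible:
        return min(eligible, key=lambda name: paths[name]["cost"])
    return min(paths, key=lambda name: paths[name]["latency"])


def reroute_on_brownout(app_class: str, paths: Dict[str, Dict[str, float]],
                        degraded: str, new_metrics: Dict[str, float]) -> Tuple[str, str]:
    """Show the decision before and after one transport's probes degrade."""
    before = select_path(app_class, paths)
    updated = {**paths, degraded: {**paths[degraded], **new_metrics}}
    after = select_path(app_class, updated)
    return before, after


if __name__ == "__main__":
    for cls in SLA_CLASSES:
        print(f"{cls:6} -> {select_path(cls, PATHS)}")
    # Broadband loss climbs to 3%: SaaS traffic should move off it.
    print("saas brownout:", reroute_on_brownout("saas", PATHS, "broadband", {"loss": 3.0}))
```

Voice lands on MPLS because the cheaper broadband link exceeds the voice jitter ceiling, while SaaS and bulk traffic use broadband until its loss crosses the SaaS threshold, at which point SaaS moves to MPLS. The same table-driven check is what lets NetOps tune SLA classes and SecOps see, in the same controller, which transport a given application class is actually riding.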
Let’s double-click on two common yet difficult-to-manage situations—securing east-west traffic within a branch, and securing direct internet access to SaaS/IaaS-hosted applications—to see how SD-WAN helps a unified NetSecOps team operate.
Managing and Protecting East-West Traffic Flow and Security in Branches
With the integrated security layers that come with SD-WAN, traffic entering and leaving a branch is inspected for application-layer attacks, malware, and known-malicious URLs. But there is still the tricky problem of malware introduced by a compromised or infected device inside the branch network, whose traffic to other branch devices never reaches that perimeter inspection.
In the days of hub-and-spoke WANs, traffic from each device within a branch would be backhauled to the enterprise data center for inspection, then sent back to the branch. This was always a troublesome scenario for NetOps, because the load of backhauling traffic purely for inspection competed with traffic that legitimately had to reach the data center for additional processing.
With SD-WAN, the firewall and intrusion detection are incorporated into the branch router, so traffic between branch segments is inspected as it crosses the router, in addition, of course, to traffic exiting and entering the branch. This is why segmentation matters for east-west security: a router can only inspect traffic that is routed through it, so devices that need to be isolated from one another (employee Wi-Fi and payment systems, for example) must sit in separate segments rather than on the same flat network. The result is that SecOps maintains control over local traffic security while NetOps frees up bandwidth for priority traffic heading to the data center, SaaS applications in the cloud, and other branches—all managed via the SD-WAN controller shared by both teams.
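The segmentation rules in the earlier list and the east-west inspection described just above come down to one policy, defined once and evaluated at every branch router: classify each endpoint into a segment, allow traffic inside a segment, and permit cross-segment flows only where an explicit rule exists. The Python below is an added example of that evaluation run over constructed flow records from two branches; it is not code from this page or from any SD-WAN product. The segment names, CIDRs, allow rules and flow records are all assumptions made for the example.

```python
"""One shared segmentation policy evaluated against flows from several branches.

Added illustration, not vendor code. Segment layout, allow rules and flow
records are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed: every branch uses the same address plan, so one segment map
# applies to all sites. Anything outside these ranges is treated as "internet".
SEGMENTS: Dict[str, List[str]] = {
    "employee-wifi": ["10.0.0.0/16"],
    "payment":       ["10.1.0.0/16"],
    "corp-dc":       ["172.16.0.0/12"],
}

# Constructed allow rules: (src_segment, dst_segment, dst_port or None for any).
# Cross-segment traffic not matched here is denied (default deny).
ALLOW: List[Tuple[str, str, Optional[int]]] = [
    ("payment",       "corp-dc",  443),
    ("employee-wifi", "corp-dc",  443),
    ("employee-wifi", "internet", None),
]


@dataclass(frozen=True)
class Flow:
    branch: str
    src: str
    dst: str
    dport: int


def segment_of(ip: str) -> str:
    """Map an address to its segment; unknown ranges are 'internet'."""
    addr = ip_address(ip)
    for name, cidrs in SEGMENTS.items():
        if any(addr in ip_network(cidr) for cidr in cidrs):
            return name
    return "internet"


def verdict(flow: Flow) -> Tuple[str, str, str]:
    """Return (decision, src_segment, dst_segment) for one flow."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        return ("allow", src_seg, dst_seg)          # intra-segment traffic
    for rule_src, rule_dst, port in ALLOW:
        if (rule_src, rule_dst) == (src_seg, dst_seg) and port in (None, flow.dport):
            return ("allow", src_seg, dst_seg)
    return ("deny", src_seg, dst_seg)                # default deny across segments


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Apply the single policy to every branch's flows; return the denied ones."""
    denied = []
    for flow in flows:
        decision, src_seg, dst_seg = verdict(flow)
        if decision == "deny":
            denied.append((flow, src_seg, dst_seg))
    return denied


def violations_by_branch(flows: List[Flow]) -> Dict[str, int]:
    """Count denied flows per site: the same rule set catches the same
    east-west misuse wherever it happens."""
    counts: Dict[str, int] = {}
    for flow, _, _ in audit(flows):
        counts[flow.branch] = counts.get(flow.branch, 0) + 1
    return counts


# Constructed sample flows. Two are east-west inside a branch (both endpoints
# local), the kind of traffic the branch router now sees without backhaul.
SAMPLE_FLOWS = [
    Flow("branch-01", "10.0.12.5", "172.16.4.10",   443),  # wifi -> DC HTTPS: allowed
    Flow("branch-01", "10.1.3.7",  "172.16.4.20",   443),  # POS -> DC HTTPS: allowed
    Flow("branch-01", "10.0.12.5", "10.1.3.7",      445),  # wifi -> POS SMB, east-west: denied
    Flow("branch-02", "10.0.40.9", "10.1.2.2",       22),  # same violation at another site
    Flow("branch-02", "10.1.2.2",  "203.0.113.50",  443),  # POS -> internet: denied, no rule
    Flow("branch-02", "10.0.40.9", "203.0.113.50",  443),  # wifi -> internet: allowed
]

if __name__ == "__main__":
    for flow, src_seg, dst_seg in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.branch}: {flow.src} ({src_seg}) -> {flow.dst}:{flow.dport} ({dst_seg})")
    print(violations_by_branch(SAMPLE_FLOWS))
```

The two denied flows inside the branches are exactly the east-west case the text raises: a Wi-Fi host reaching for a payment terminal. Because the policy is a single object rather than per-site firewall configurations, a rule change (say, opening a new DC port for the payment segment) lands identically at every branch, and the audit output is the same evidence SecOps would retain for an investigation.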
Securing Access to SaaS Applications via Direct Internet Connections
The workforce is quickly becoming more dependent on applications hosted in SaaS cloud platforms, such as Office 365, which perform best when reached over direct internet access from the branch rather than backhauled through the data center. With SD-WAN, NetSecOps can focus not just on fine-tuning application performance but also on the defenses that secure the valuable corporate data transmitted over those internet connections to and from branch sites. Using SD-WAN onramps to SaaS and IaaS clouds, the network selects the most effective path for Azure, AWS, or Google Cloud workloads, while the built-in layers of security provide protection with DNS-layer security, URL filtering, advanced malware protection, and application-aware firewalls. Both application performance and security are managed by NetSecOps via the SD-WAN cloud controller portal.
Fostering Collaboration Among NetOps and SecOps is Key to Network Agility
With SD-WAN’s ability to manage operations and security via the same cloud portal, it really is achievable to create a NetSecOps team that promotes collaboration to maximize device and application QoE and security. Unifying these two critical functions helps create an agile network that makes digital transformation projects possible while keeping ahead of advanced security threats.