Futureproofing the Branch Office

New SD-branch strategies allow organizations to extend the security and functionality of their secure SD-WAN connections deep into the branch network.

John Maddison

July 26, 2019

Digital transformation is driving an evolution at the enterprise branch. As a result, today’s enterprise organizations are looking to expand their WAN edge operations, reduce overhead, and enable faster cloud adoption. SD-WAN has addressed part of this challenge by replacing often expensive and rigidly static MPLS connections with public network links and meshed VPN overlays to support a rich set of business-critical and collaborative applications. Secure SD-WAN has taken that a step further by adding fully integrated enterprise-class security designed to map directly to sophisticated network and traffic management protocols.

However, the branch itself is undergoing changes that SD-WAN solutions don’t address. The accelerated adoption of IoT devices and the growth of connected end-user devices, for example, have overwhelmed the local branch network. Further, this transformation has also expanded the potential attack surface, making security a key concern. Organizations cannot afford for a branch office to be the weak link in their security strategy.

The challenge is that many organizations have attempted to address branch security with the same approach used at their core network. Branch offices have quickly been overwhelmed with point security products, complex integrated services routers, and isolated management systems, coupled with little to no local IT staff. As a result, branch network security often suffers from lack of visibility, complex management challenges, and too many solutions being used to secure WAN and access edges beyond the SD-WAN connection.

Futureproofing the branch with an integrated solution

A growing number of organizations are looking for ways to extend the security and services provided by Secure SD-WAN into the branch network, with the goal of increasing security while simplifying operations. Such an approach helps to futureproof the branch by introducing elasticity and scalability to the underlying security framework. A futureproofed branch network has the following two key elements:

Flexible Architecture: This futureproofing process needs to start with a flexible network and security architecture designed to work together as a single, integrated system. This enables the scalability and elasticity required to meet branch needs, without compromising security at any step of the process. In this environment, access points and network switching need to function as extensions of the NGFW, enabling security and visibility for every device connected to the network, including the growing number of IoT devices. This ensures that direct connections to things like internet and cloud services receive the same inspection and protection as other data and applications flowing to the branch through the SD-WAN connection.

Likewise, network access control needs to be implemented to identify connected devices, ensure they meet policy, and then dynamically assign them appropriate network access to segment devices based on the sensitive nature of the resources they need to access. Further, network sensors need to continuously monitor device traffic so that anomalous behavior can be detected and rogue devices can be instantly quarantined.

Simplified Management: Ideally, this should all function as a single, integrated system, where network and security functionality and policy are automatically coordinated, and where configurations and policies can be seen, managed, and orchestrated through a single console.

Just as importantly, this needs to be delivered using a zero-touch deployment model. Most branch offices do not have IT staff onsite to deploy, configure, and manage an SD-Branch solution. Of course, vendors have been promising zero-touch deployment for years, but reality is often a far cry from marketing. Integrated services routers, for example, often require separate management consoles for each service they provide and rely on complex CLI interfaces that onsite branch personnel are unable to negotiate.

True zero-touch deployment means that once an SD-Branch security device is connected to a power supply, it can automatically connect through the SD-WAN to a central or cloud-based management solution, immediately update components, auto-discover the branch network and connected devices, initiate device onboarding, establish and secure access points, and implement security policies such as segmentation – all without any human intervention. From then on, a combination of automation and remote management allows policies and configurations to be updated and orchestrated for local hands-off lifecycle management and threat response.
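The Flexible Architecture element above describes network access control in four steps: identify a connected device, check it against policy, assign it to a segment that matches the sensitivity of what it needs to reach, and then keep watching its traffic so that a device behaving outside its role can be quarantined. The following Python model is an added example, not code from the article or from any vendor product, and every name in it (the segment labels, the allowed-destination table, the device kinds and MAC addresses) is a constructed placeholder. It walks a few devices through admission and then replays a handful of constructed flow records to show how a camera that suddenly reaches for a corporate file server gets moved to the quarantine segment, and how a source the controller has never onboarded is treated as rogue.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed segment labels; a real branch would map these to VLAN IDs or firewall zones.
SEGMENTS = {
    "corp": "corporate users",
    "iot": "IoT devices, no lateral access",
    "guest": "internet only",
    "quarantine": "remediation only",
}

# Constructed policy: which destination services each segment may reach.
ALLOWED_DST = {
    "corp": {"corp-files", "corp-mail", "internet"},
    "iot": {"iot-controller", "ntp"},
    "guest": {"internet"},
    "quarantine": {"remediation"},
}


@dataclass
class Device:
    mac: str
    kind: str                 # "laptop", "camera", "printer", "sensor", "unknown"
    posture_ok: bool          # result of an assumed upstream posture/compliance check
    user: Optional[str] = None
    segment: str = "quarantine"


@dataclass
class Flow:
    src_mac: str
    dst: str                  # destination service name (constructed)
    dport: int


def assign_segment(dev: Device) -> str:
    """Admission decision: identify the device, apply policy, choose a segment."""
    if not dev.posture_ok:
        return "quarantine"               # failed policy: remediation only
    if dev.kind == "laptop" and dev.user:
        return "corp"                     # authenticated user on a managed endpoint
    if dev.kind in ("camera", "printer", "sensor"):
        return "iot"                      # headless devices get a restricted segment
    if dev.kind == "unknown":
        return "guest"                    # unclassified: internet only, nothing internal
    return "quarantine"


class BranchNac:
    """Minimal NAC controller: onboards devices and watches their flows."""

    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}
        self.events: List[str] = []

    def onboard(self, dev: Device) -> str:
        dev.segment = assign_segment(dev)
        self.devices[dev.mac] = dev
        self.events.append(f"onboard {dev.mac} ({dev.kind}) -> {dev.segment}")
        return dev.segment

    def observe(self, flow: Flow) -> bool:
        """Return True if the flow is permitted; quarantine the source otherwise."""
        dev = self.devices.get(flow.src_mac)
        if dev is None:
            # Never onboarded: treat as rogue and block.
            self.events.append(f"rogue {flow.src_mac}: unknown source, blocked")
            return False
        if flow.dst in ALLOWED_DST[dev.segment]:
            return True
        # Anomalous for this segment: move the device to quarantine immediately.
        self.events.append(
            f"anomaly {dev.mac}: {dev.segment} -> {flow.dst}:{flow.dport}, quarantined"
        )
        dev.segment = "quarantine"
        return False


def demo() -> Dict[str, object]:
    """Run a constructed branch through onboarding and traffic monitoring."""
    nac = BranchNac()
    nac.onboard(Device("aa:bb:cc:00:00:01", "laptop", True, user="alice"))
    nac.onboard(Device("aa:bb:cc:00:00:02", "camera", True))
    nac.onboard(Device("aa:bb:cc:00:00:03", "laptop", False, user="bob"))

    # Constructed flow records: normal camera traffic, then a lateral move attempt,
    # then traffic from a MAC the controller has never seen.
    decisions = [
        nac.observe(Flow("aa:bb:cc:00:00:02", "iot-controller", 443)),
        nac.observe(Flow("aa:bb:cc:00:00:02", "corp-files", 445)),
        nac.observe(Flow("aa:bb:cc:00:00:99", "corp-mail", 25)),
    ]
    return {
        "segments": {mac: d.segment for mac, d in nac.devices.items()},
        "decisions": decisions,
        "events": nac.events,
    }


if __name__ == "__main__":
    for line in demo()["events"]:
        print(line)
```

The point of the model is the coupling the article asks for: the same controller that decides admission also owns the monitoring, so a policy violation turns into a segment change rather than an alert that someone at the branch has to act on. In a real deployment the posture flag would come from an agent or profiling engine and the segment change would be pushed to the switch or access point as a VLAN or zone reassignment.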

Futureproofed SD-branch

One of the most important elements of delivering a futureproofed SD-Branch solution is the idea that security cannot be added as an overlay solution. One of the biggest obstacles dynamic networks face is the need to update security protocols and policies every time the network makes adjustments in terms of scale or configuration.

This can significantly delay or even prevent branch transformation because security needs to be updated or retrofitted every step of the way, often manually, which can slow down the delivery of critical solutions, reduce productivity, and eliminate the competitive advantages that digital transformation is designed to deliver.

Instead, the branch network needs to be designed with a network-aware security framework at its foundation. Then, as networking, end-user, and IoT devices are added, the security framework can identify and securely incorporate them into the network. This integration also enables security to detect network changes – including scaling, resource configuration changes, and the introduction of new resources, applications, and workflows – and automatically make security protocol and configuration adjustments in order to maintain security integrity without delaying necessary network transformation.

The enterprise branch is undergoing a dramatic digital transformation, enabling end-users to leverage the power of rich applications and advanced cloud services at speed and scale. However, the security solutions traditionally deployed at the branch are unable to support or secure today's new digital branch requirements.

New SD-Branch strategies and solutions allow organizations to extend the security and functionality of their Secure SD-WAN connections deep into the branch network, enabling it to quickly adapt to networking changes and support new devices and services without impeding performance or flexibility. Developing such a solution requires rethinking branch security.

This means finding and deploying a security solution designed to integrate seamlessly into the branch infrastructure and dynamically adapt to transformation efforts, using a zero-touch model that lets branch offices come online in minutes or hours rather than weeks.

About the Author(s)

John Maddison

John Maddison is EVP Products & Solutions at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.
