Nokia VP on how SD-WAN enables secure Digital Transformation and SASE

As enterprises continue their Digital Transformation efforts, they are increasingly looking for tools that enable their cloud journeys to be both simple and secure. Roque Lozano, Vice President of IP & Optics for Middle East and Africa at Nokia, tells us about the benefits of SD-WAN, how it is enabling the age of Secure Access Service Edge (SASE) and what this ultimately means for businesses.

Originally pitched as a more simple and cost-effective way to connect branches to an enterprise network, SD-WAN has come a long way since it appeared on the networking scene in 2014.

Today, it has taken on a new role as an enabler for enterprises to embrace public and hybrid cloud services, as well as Edge Computing and tele-working, as it becomes the universal network fabric that links employees to the business application, regardless of their locations.

How does SD-WAN address modern security challenges?

Historically, the traditional enterprise network was secured by centrally deployed perimeter firewalls, with the WAN set up to route all branch traffic across the private, internal network before exiting the WAN.

And this worked – providing the Internet access requirements were minimal. But with the advent of public cloud and Software-as-a-Service (SaaS), there has never been more demand for direct Internet and cloud access at the branch, as users require access to a growing number of services. Implementing these new cloud-based services on the traditional WAN has led to inefficiencies of transport in both use of expensive WAN uplinks and an increase in the latency between the cloud hosted application and the business user. On top of these inefficiencies are the new dynamics around how and where security functions should be implemented.

Enter SD-WAN, which is finding new relevance in the enterprise network given that its centrally-defined security functions can be easily distributed to any endpoint in the network, no matter how remote the branch.

How does SD-WAN enable a centrally-defined security policy?

SD-WAN supports service-chaining, which is the deployment of Virtual Network Functions (VNFs) either centrally, cloud hosted or deployed at the enterprise branch. In the case of the branch, the VNF is spun up on the SD-WAN gateway device to perform localized firewall or intrusion detection functions.

These VNF functions are centrally managed by the SD-WAN service via an intuitive service portal that provides the network manager with full visibility and control into their performance.

This new approach to enterprise security is referred to as the Secure Access Service Edge or SASE.

Tell us more about SASE and how it will impact the industry?

Gartner analysts expect that, over the next decade, the WAN edge and network security markets will come together into one SASE market. As many enterprise verticals adopt Industry 4.0, they will increasingly introduce edge cloud computing to support the massive IoT and critical machine-to-machine (M2M) communications that will be typical of automation and other low latency use cases. Inevitably, this will require the need to secure many more distributed points of presence as enterprises connect with these services.

Regardless of whether an endpoint is in a central enterprise campus or in a remote branch, the SASE approach to enterprise security treats every access point to the cloud the same way.

It could also be a central enterprise data center or a multi-edge computing (MEC) facility supporting an advanced manufacturing plant with AI, machine learning and advanced analytics. SASE can set security policies specific to one location or replicate identical functions across multiple WAN access points, all managed centrally by IT personnel from a single pane of glass.

What is the driver behind SASE?

With an increasing number of new security threats facing modern enterprises, there is a need for modern protection that addresses these – one of the key drivers for the inception of SASE.

DDoS attacks, for example, are executed from multiple points, often captured botnets, that might even include machines or IoT devices inside the enterprise network.

For the traditional perimeter security model to be effective, enterprises were reliant on having a comprehensive database which showed identified threats to configure their centrally deployed firewalls. However, this assumed that an attack would come from outside that perimeter. This is no longer a given, considering the increased number of endpoints, and once attackers are inside the perimeter of the WAN this security model is rendered inadequate.

How does SASE provide secure network capability?

The SD-WAN/SASE approach to securing the WAN works in conjunction with newer technology such as AI and Machine Learning, which are used to analyse network data and construct a model for normal behavior on the network, including the WAN connection.

The SD-WAN service will ‘learn’ what is normal for the network and, if behaviour alters and it passes a threshold, it is considered a threat, alerting the IT team so they can investigate. SD-WAN can virtualise, distribute and run these analytics functions, providing embedded security for any endpoint.

This enables a much more tailored approach and is contextualised based on the scenario. It means that, rather than a ‘one-size-fits-all’ policy, security teams can tailor policies depending on individual branch scenarios based on current threat levels, the security level of an asset or local conditions. So, what is normal for a head office will have different network behaviour to that of a data centre or a remote branch running IoT sensors.

The local enterprise anomaly detection can also be integrated with Security-as-a-service (SECaaS) to quickly respond to globally-known threats that are being tracked by the service.

These global services, which use anomaly detection across the WAN, can coordinate with anomaly detection at an enterprise level so that when a DDoS attack is identified, the SASE function can remove infected traffic in real-time at the edge of the enterprise, whether it is coming from inside or outside the network.

There are many more benefits to be realised from SD-WAN than just inexpensive branch connectivity, enabling a much more fluid notion of what constitutes the interface between the enterprise network and the WAN, without increasing the complexity of managing it. The industry has coined this new enterprise network as the universal network fabric as it securely connects business applications, regardless of their location (in private or public cloud, or even on-premises) to employees, regardless of their locations; be that in the office, on the road, or working from home.

As enterprises continue to accelerate their Digital Transformation strategies for enhanced agility, scalability and simplicity, SD-WAN will be their greatest ally in enabling them to embrace this new cloud era securely and simply.
