How your agency can modernize using secure SD-WAN
By Bob Fortna
Jul 30, 2019
Federal agencies are mandated to modernize and consolidate their legacy IT networks. But these efforts don’t come without challenges, including increased security complexity and lack of visibility as the attack surface expands.
Resource-intensive and latency-sensitive applications such as voice and video, and critical cloud applications like Office 365, are designed to enhance productivity and collaboration. But they also put a growing strain on bandwidth and traffic management, expand the potential attack surface and expose critical data to a constant barrage of cyberthreats. These challenges are being compounded through the ongoing acquisition of additional cloud-based applications and other resources, especially when deployed at remote branches and departments.
In an alarming number of cases, this has also led to a shadow IT problem, where individuals with procurement authority are acquiring assets without informing their leadership. When this is done in an already overly complex IT environment, troubleshooting network issues and implementing what should be simple fixes can often take days or weeks, hindering mission-critical and time-sensitive work.
For many agencies, the decision to overhaul their infrastructure has reached a tipping point.
With the escalating adoption of bandwidth-hungry software-as-a-service applications, agencies must rethink their wide-area networking strategies and how they can deliver secure, modern and cost-effective networking capabilities.
Traditional WAN allows agencies to ensure distributed remote locations maintain seamless network access as digital demands increase. But agencies need WAN solutions that improve efficiency and enhance security to keep pace with greater demands on the network and increased cyberthreats. Agencies need a software-defined approach to delivering and managing WANs.
One approach is to overhaul existing wide-area networks with SD-WAN to give remote offices greater flexibility while enabling the central management of network connections in a secure, cost-effective and transparent manner. Even better, SD-WAN also supports federal initiatives such as Trusted Internet Connections (TIC) and migration to the General Services Administration’s new Enterprise Infrastructure Solutions (EIS) contract.
The need for secure SD-WAN
However, to make the challenge even more difficult, IT officials must also ensure that new networking solutions and internet access are compliant with strict government and agency security regulations, such as those set by the National Institute of Standards and Technology and the Department of Homeland Security. This means that these agencies must implement SD-WAN solutions that have built-in security that limits downtime and reduces costs without hindering critical business operations.
While many SD-WAN solutions combine routing, critical network functions and applications (such as voice, video, Wi-Fi, and internet), few also include comprehensive network security. But for an SD-WAN solution to really function as needed, a comprehensive security suite must be fully integrated, resulting in what some are now referring to as “secure SD-WAN.” Additionally, all of those functions must also be seamlessly integrated into the larger, distributed networks, including multi-cloud environments, enabling secure SD-WAN users to securely connect to cloud resources.
With secure SD-WAN in place, agencies gain not only greater visibility and management across their network environments but also access to an integrated security infrastructure. This reduces WAN operating expenses, enables applications that are more reliable, robust and secure, and gives agencies greater flexibility to adapt to network changes.
The challenges associated with implementing a secure SD-WAN solution can be addressed by following a few simple best practices:
- Start with a holistic strategy. Identify and classify the types of branch locations across the agency, such as main headquarters or remote locations, and their unique needs. Keep in mind that while SD-WAN solutions provide application automation and simplified network operations, they often lack critical integration with other branch devices. Extending secure SD-WAN functionality into branch offices via an SD-branch solution that integrates secure access points and switches can improve the functionality and integrity of the entire remote office and not just its WAN link.
- Insist on integrated management. A proper secure SD-WAN solution should allow network managers to deploy, configure and monitor all of its functions, including security, through a single management interface. That way, when managers must make rapid changes, quickly mitigate threats or deploy upgrades, those tasks can be carried out easily and even automated, thereby reducing IT overhead.
- Make security a priority. Organizations are increasingly adopting direct internet access in their SD-WAN deployments, raising new security concerns. However, integrating security into an SD-WAN solution is much easier said than done. According to Gartner, “most SD-WAN vendors support basic capabilities, such as stateful firewalling and VPN; however, they depend on security partners for advanced functionalities such as intrusion prevention system, malware analysis and sandboxing.” Agencies must ensure that security is not an afterthought when adopting one of the dozens of SD-WAN solutions on the market today.
Secure SD-WAN use cases
In addition to the issues outlined above, any secure SD-WAN solution should also address the following concerns:
- TIC 3.0 – The TIC initiative is intended to enhance network security across the federal government by consolidating and reducing the number of external network connections. But for many agencies, TIC became an impediment as they sought to access cloud services via the internet. Secure SD-WAN provides agencies and remote offices with reliable and secure capabilities to access cloud services.
- Security integration – The Defense Department's Comply to Connect standard serves as a formal framework for validating new devices, evaluating their compliance with DOD security policies and continuously monitoring those assets to ensure they remain in security compliance.
- EIS adoption – EIS transition leaders are under pressure to modernize their networks to support departmental goals, but the migration process exposes new security issues. They’re up against an expanding attack surface, increased security complexity and rapidly changing threats as devices and networks move outside agency walls. Secure SD-WAN solutions can play a key role in the transition to GSA’s new EIS contract.
Today’s connected federal agencies are under pressure to meet new modernization guidelines and security requirements. However, one of the most complex challenges is extending these new functionalities to remote offices. While SD-WAN solutions show promise, not all solutions are the same. Secure SD-WAN should seamlessly integrate world-class security into an SD-WAN solution to provide multibroadband support, improve application performance, reduce WAN operating expenses and minimize management complexity without compromising the integrity of the data and resources being used or unnecessarily increasing SD-WAN deploym
Bob Fortna is president and board member of Fortinet Federal Inc.