Software-defined everything is trending; cloudifying everything as a service is the future – just make sure security is top notch!
Digital transformation is driving change across the world. In order to give their users much richer, faster and less costly access than ever before, increasingly distributed organisations—including APAC-based retailers, banks, hotels, large school systems and public-facing government agencies—are re-designing their networks and security to move their most valuable data and applications to the cloud.
The new challenge facing enterprises and government agencies is enabling remote sites and off-network users to securely connect direct-to-cloud. As modern cloud apps become easy-to-use and pervasive, APAC firms are starting to realize that the traditional “hub-and-spoke” networks used by distributed organizations can no longer keep up.
Microsoft Office 365 is the most obvious example. Companies are adopting it at astounding rates, but often experience dramatically slower user performance at remote sites than in their central offices. This can happen whenever remote stores, branches or remote offices are not connecting to the internet directly. Instead, they are going over internal networks that send traffic back to centralized gateways. These “backhauled” internal networks, often built on slow and costly technologies such as MPLS, introduce delays that kill the performance of the modern cloud apps that organizations are looking to adopt.
Software-defined is the new cloud
To eliminate the delays of traditional backhauled network architectures, enterprises and government agencies are connecting their remote sites directly to the internet using low-cost broadband links like DSL, cable, fiber or even mobile LTE. These links are managed through Software-Defined Wide-Area Networking (SD-WAN), a relatively new class of networking technologies that automatically route each application’s traffic over the right network links. This offers operations teams new levels of visibility and control over their networks.
For example, it’s not unusual to see retailers run separate connections into each large store for different types of applications:
- Fast, low-latency links (fiber, cable, etc.)—for cloud-based business apps like Office 365, CRM, ERP, streaming video for promotions or training
- Less expensive links (DSL, etc.)—for customer internet access over Wi-Fi
- Wireless links (LTE)—as a backup in case one of the other links goes down
- Internal legacy links (MPLS)—for sensitive point-of-sale data and legacy apps
With SD-WAN, it is possible to automatically direct each application over different links to optimize performance and cost. For instance, costly fiber links can be reserved for business traffic in a way that also addresses auditors’ needs for segmentation and rapid response to potential problems.
Three security angles for Direct-to-Cloud
Cybersecurity, however, is critical to the business continuity of any enterprise. This means that as firms move to SD-WAN, their approach to securing their infrastructure needs to change.
SD-WAN solutions can almost always encrypt traffic as it travels over the internet, but that is more about privacy than security. SD-WAN is great for handling new applications, but it breaks old, centralized security architectures that are based on having all network traffic flow back through headquarters-based security gateways. The security that used to be provided by those gateways now has to follow the network traffic and move closer to sites and users. This calls for organizations’ network security, web security and cloud application security deployments to be revamped.
In terms of network security, firms need remotely managed next-generation firewall (NGFW) appliances or, better still, the NGFW-as-a-service offerings that are starting to emerge on the market.
For web security, organisations should look at real-time network scanning that protects users against advanced threats lurking in web pages and downloaded content while also providing insights into the “shadow IT” risks associated with web applications. This is most commonly delivered as a cloud service complemented by hybrid enforcement at sites that have special data sovereignty requirements.
Lastly, in the domain of cloud application security, cloud access security brokers (CASBs) should be deployed to monitor firms’ cloud-based business apps to prevent abuse and enforce data protection policies for information stored in those applications.
The goal of enterprises is to bring all three pieces of the puzzle together and get them to work coherently. If they succeed in this direct-to-cloud transition, they can enjoy greater productivity, lower cost due to infrastructure and operational efficiencies, and improved security that positions them for business success.