When it comes to cloud computing, security is always top of mind. As a result, a lot of attention gets paid to the networks used to access cloud services. Historically, IT organizations have depended upon the inherent segregation of MPLS lines. But there was always a small risk that communications service providers (CSPs) might misconfigure their systems. As the industry transforms to SD-WAN running above a mix of direct Internet connections and existing MPLS infrastructure, the need for secure, protected wide-area connections becomes more critical.
Mike Sapien, an industry analyst with Ovum, said there are many options when it comes to layering security in the form of IPsec protocols, encryption, and access controls. And a virtual private network running as an overlay can be just as secure as, or more secure than, an MPLS connection. The main difference is that MPLS has security and private network policies baked into the service, Sapien said.
An SD-WAN usually provides fine-grained policies based on applications and/or the identity of devices or users, along with improved traffic visibility, and can thus provide segmentation in a way that makes it possible to implement application access controls alongside other tools that make sure the network itself hasn’t been hacked. In addition, SD-WANs create the opportunity to invoke analytics engines in the cloud to further inspect traffic in real time. Some SD-WANs have the ability to program “cloud breakout” based on applications, allowing direct access to trusted sites (like SalesForce.com), while funneling traffic to unknown sites to either cloud-based or centrally-based inspection services. This ensures improved productivity, minimizes unnecessary inspection of trusted traffic and provides better security than traditional hub-spoke MPLS solutions.
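The application- and identity-based "cloud breakout" policy described above can be sketched as a small steering function. The following is an added example, not code from the article or from any SD-WAN vendor: it models a default-to-inspection policy in which only allowlisted SaaS domains reached by identified user groups over TLS break out directly, and everything else is handed to an inspection service. The domain list, group names and flows are constructed for illustration.

```python
"""
Added example (not from the article): a minimal model of an SD-WAN
application-aware steering policy with "cloud breakout". Trusted SaaS
domains go direct to the Internet; everything else is sent to an
inspection service (cloud-based or centralised). All names and flows
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed allowlist of trusted SaaS destinations (hypothetical policy data).
TRUSTED_SAAS = {
    "salesforce.com": "crm",
    "office365.com": "productivity",
}

# Constructed identity-based rule: which device/user groups may break out directly.
BREAKOUT_ALLOWED_GROUPS = {"employees", "contractors"}


@dataclass(frozen=True)
class Flow:
    src_group: str   # identity of the device/user, as the SD-WAN learns it
    dst_host: str    # destination hostname (e.g. from SNI or DNS)
    dst_port: int


@dataclass(frozen=True)
class Decision:
    path: str        # "direct" (cloud breakout) or "inspect"
    reason: str


def _registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (simplified; production code
    would consult the public suffix list instead)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def steer(flow: Flow) -> Decision:
    """Decide whether a flow breaks out directly or goes to inspection.

    The default is inspection: unknown destinations never bypass it, and
    only identified groups may use direct breakout at all.
    """
    domain = _registered_domain(flow.dst_host)
    app = TRUSTED_SAAS.get(domain)
    if app is None:
        return Decision("inspect", f"unknown destination {domain}")
    if flow.src_group not in BREAKOUT_ALLOWED_GROUPS:
        return Decision("inspect", f"group {flow.src_group!r} not allowed to break out")
    if flow.dst_port != 443:
        # Trusted SaaS is only reached over TLS; anything else still gets inspected.
        return Decision("inspect", f"non-TLS port {flow.dst_port} to trusted app {app}")
    return Decision("direct", f"trusted app {app}")


def steer_all(flows: Iterable[Flow]) -> List[Decision]:
    return [steer(f) for f in flows]


if __name__ == "__main__":
    sample = [
        Flow("employees", "login.salesforce.com", 443),
        Flow("guests", "login.salesforce.com", 443),
        Flow("employees", "unknown-host.example", 443),
        Flow("employees", "login.salesforce.com", 80),
    ]
    for f, d in zip(sample, steer_all(sample)):
        print(f.src_group, f.dst_host, f.dst_port, "->", d.path, f"({d.reason})")
```

The matching is done on the registered domain of the observed hostname, so a lookalike such as a trusted brand name embedded in an unrelated domain still falls through to the inspection path; that "deny unless explicitly trusted" ordering is what lets breakout reduce inspection load without opening an unmonitored path.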
When making use of SD-WANs to access any remote service, extra attention needs to be applied to the control plane. Typically, the control plane for an SD-WAN can be deployed on a public or private cloud. That control plane needs to be sufficiently hardened and secured to make sure that it doesn't get compromised. In addition, some care needs to be applied to making sure that rogue platforms are not capable of masquerading as valid endpoints. Some regulated industries even require SD-WAN platforms that have hardware that is tamperproof.
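The point about rogue platforms masquerading as valid endpoints comes down to the control plane authenticating every edge device before admitting it. The following is an added example, not code from the article or any SD-WAN product: it models a control plane that enrolls each endpoint with a per-device key and then admits it only after a challenge/response over a single-use nonce. Real deployments use X.509 certificates and, where tamperproof hardware is required, keys held in a hardware root of trust; the HMAC-based proof, the endpoint ids and the keys here are constructed simplifications.

```python
"""
Added example (not from the article): a simplified model of an SD-WAN
control plane authenticating edge endpoints before accepting them, so a
rogue platform cannot masquerade as a valid branch device. Each endpoint
holds a per-device enrollment key and proves possession with a
challenge/response over a single-use nonce. Ids and keys are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class ControlPlane:
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}       # endpoint_id -> enrollment key
        self._pending: Dict[str, bytes] = {}    # endpoint_id -> outstanding nonce
        self._used_nonces: Set[bytes] = set()   # replay protection
        self.admitted: Set[str] = set()

    def enroll(self, endpoint_id: str) -> bytes:
        """Provision a per-endpoint key out of band (e.g. during staging)."""
        key = secrets.token_bytes(32)
        self._keys[endpoint_id] = key
        return key

    def challenge(self, endpoint_id: str) -> Optional[bytes]:
        """Issue a fresh nonce; endpoints that were never enrolled get nothing."""
        if endpoint_id not in self._keys:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[endpoint_id] = nonce
        return nonce

    def verify(self, endpoint_id: str, nonce: bytes, proof: bytes) -> bool:
        """Admit the endpoint only if the proof matches the nonce we issued."""
        key = self._keys.get(endpoint_id)
        expected_nonce = self._pending.pop(endpoint_id, None)  # one attempt per challenge
        if key is None or expected_nonce is None:
            return False
        if nonce != expected_nonce or nonce in self._used_nonces:
            return False
        expected = hmac.new(key, endpoint_id.encode() + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):   # constant-time comparison
            return False
        self._used_nonces.add(nonce)
        self.admitted.add(endpoint_id)
        return True


def endpoint_respond(endpoint_id: str, key: bytes, nonce: bytes) -> bytes:
    """What a legitimate edge device computes for the control plane's challenge."""
    return hmac.new(key, endpoint_id.encode() + nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run the four cases a reviewer would want to see and return the outcomes."""
    cp = ControlPlane()
    key = cp.enroll("branch-01")
    # A legitimate endpoint answers the challenge with its enrolled key.
    n = cp.challenge("branch-01")
    legit = cp.verify("branch-01", n, endpoint_respond("branch-01", key, n))
    # Replaying the same proof must fail: the nonce has been consumed.
    replay = cp.verify("branch-01", n, endpoint_respond("branch-01", key, n))
    # A device that knows the id but not the key cannot produce a valid proof.
    n2 = cp.challenge("branch-01")
    rogue = cp.verify("branch-01", n2, endpoint_respond("branch-01", b"wrong-key", n2))
    # An id that was never enrolled is not even challenged.
    unknown = cp.challenge("branch-99")
    return {"legit": legit, "replay": replay, "rogue": rogue,
            "unknown": unknown, "admitted": set(cp.admitted)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two properties carry the security argument: the nonce is issued by the control plane and consumed on first use, so a captured exchange cannot be replayed, and the comparison uses `hmac.compare_digest`, so timing does not leak how much of a forged proof was correct.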
Experts say many organizations will likely default to hybrid SD-WAN deployments. MPLS will continue to be used to access sensitive ERP applications, while a secure Internet connection might, for example, be used to access productivity and collaboration applications.
Vinnie Mirchandani, an industry analyst with The Deal Architect, said the real issue when it comes to employing SD-WAN platforms is inertia. MPLS connections cost significantly more per Mbps than a business-class Internet connection. But many companies prefer a single networking services provider and want to make sure the same quality of service is being delivered to each branch office. Nevertheless, enterprises we've spoken to indicate that in global deployments, having a single network services provider isn't always possible, but SD-WAN as an overlay can provide improved management regardless of the underlying transport.
But Craig Belics, lead product manager for CenturyLink, a cloud service provider, said IT organizations need to be careful about making assumptions about how MPLS works in the context of, for example, the deployment of an application based on a database such as SAP HANA. MPLS lines have built-in fault tolerance capabilities that automatically kick in whenever a line fails. That can result in databases becoming out of sync with the application because the database isn’t aware that a new MPLS connection has been made. Because of that issue, Belics said many IT organizations are relying on SD-WANs to access database applications residing in an external cloud.
SD-WANs Becoming More Common
IT organizations are increasingly looking to SD-WANs as a viable and secure remote access solution. In fact, Amanda Thomas, senior director of marketing for Liaison Technologies, an IT services provider, said that many organizations fear losing control over their data more than whether there might be a back door into the cloud service. What IT organizations really want is the ability to deploy a hybrid SD-WAN so they can flexibly utilize both MPLS and Internet lines on an active-active basis. Over time they will likely discover that the number of cloud applications being accessed over a secure Internet connection will eventually eclipse the number of applications being accessed over an MPLS line.