
The Case for Intent-Based Segmentation with SD-WAN

Intent-based Segmentation Allows Networks to Dynamically Adapt for Advanced Threat Mitigation 

SD-WAN is a perfect example of how digital innovation (DI) efforts are redefining how businesses operate and networks function. It combines remote workers, multi-cloud platforms, business-critical applications, and advanced networking into a single, integrated system. And when combined with a fully integrated security solution, it can vastly improve an organization’s security posture and protection across the distributed WAN.

However, providing an advanced set of technologies that enable fast and reliable access to critical resources is less effective if the network on the other side of the firewall hasn't been adequately secured. Traditional security approaches tend to be perimeter-centric, meaning that the majority of security resources are focused on things like placing a next-gen firewall and AAA services at the network edge. But far too often, the network behind the firewall is flat and open. With little effort, users can move laterally across the network, which also means that threats are often able to cross over to POS or other restricted corporate network resources. And worse, because so little security monitoring covers the internal network, such events can remain undetected for months.

In addition, the ongoing complexity introduced by infrastructure expansion projects, as well as by mergers and acquisitions undertaken as part of business development, can compound the challenge of implementing security measures if it is not planned for ahead of time at a foundational level.

Of course, the requirement to build a more agile business model means that applications and workflows need to be able to move quickly and seamlessly across the internal network. The mandate to implement new public and private cloud networks, extend WAN connectivity to branch offices, support new IoT and privately owned end-user devices, and develop aggressive application advancement strategies can often conflict directly with the need to secure the entire expanding network.

Network Security Should Start with Segmentation

Internal segmentation strategies—solutions that go well beyond simple VLANs—play a critical role in ensuring that agile connectivity strategies such as SD-WAN can be safely integrated into a traditional network. However, this segmentation strategy needs to be smart enough to support the kinds of access and dynamic changes that things like business applications and SD-WAN connectivity require. The reality is that traditional segmentation methods are often too complex to keep pace with the needs of an active SD-WAN deployment.

First, rigid segmentation methods struggle to adapt to business and compliance requirements. This is especially true for SD-WAN, where the infrastructure is continuously shifting to meet business demands. Another challenge is that segmentation can introduce high levels of unnecessary risk due to static or implicit trust. This happens when data and users are free to move and devices can be repurposed on demand: traditional segmentation efforts are unable to detect and adapt to these changes. And finally, the isolation that can occur within, as well as between, network segments can reduce security visibility and limit consistent policy enforcement. This becomes particularly risky when the attack surface is in a state of instability.

The Need for Intent-based Segmentation

To ensure that the security inside the network matches the SD-WAN and other DI efforts occurring outside the traditional perimeter, organizations have begun to transition to intent-based segmentation. This strategy is designed to help organizations establish and maintain a security-driven networking strategy that complements DI efforts happening elsewhere across the distributed environment.

Using business intent, rather than just the network architecture, is essential in determining the logic by which end-users, applications, and devices are segmented. It also enables security policies that can see and adjust to change in real time to achieve a level of continuous trust that can evolve with the network. This can then complement the deployment of advanced application-level security solutions so they can span the entire network. It also enables comprehensive, centralized content inspection to provide full visibility into all traffic and limit breaches to specific segments by preventing malicious content from passing over from one area to another. Further, choosing a solution that supports thousands of application signatures enables accurate application detection that can be translated directly into segmentation logic for users and applications.

The power of intent-based segmentation is that it provides visibility into all aspects of the network. It enables the instantaneous fine-tuning of access controls, enables segments to be dynamically established regardless of where a workflow originates, and allows for advanced threat mitigation by using business intent to drive network segmentation.

The Importance of Trust

One of the biggest challenges faced by organizations is that many parts of the network operate from a position of implicit trust. This model is the result of years of running a static network. But in a dynamic and evolving environment, pre-configured segmentation standards that allow implicit or static trust will inevitably expose critical resources to risk, especially in the event of a network compromise. To support an SD-WAN deployment, an intent-based segmentation solution must be able to measure trust to determine a suitable level of access for individual users, devices, and applications. There are several existing trust databases designed to house such information that can be leveraged.

But that’s not enough. IoT and other devices can be easily manipulated, and trusted employees and insiders can act maliciously and inflict considerable damage. As a result, trust also needs to be continually renewed through an integrated security strategy. This requires employing tools such as behavioral analysis and multifactor authentication, maintaining trustworthiness through the use of strict access controls and the continuous monitoring of each device's data and traffic, and then dynamically resetting access rules when behavior becomes untrustworthy. 

To effectively establish and maintain this level of trust, organizations should consider augmenting their intent-based network segmentation with a zero-trust network access (ZTNA) strategy. This ensures that, in addition to restricting lateral movement, all access is authenticated, every aspect of traffic is monitored, and users and devices are limited to only those assets and resources required to do their job.
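The two ideas above, segments defined by business intent with a default-deny policy between them, and trust that is continuously recomputed from observed behavior so that access is reset when a device misbehaves, can be made concrete in a small policy engine. The following is an added illustration written for this article, not Fortinet product code; the segment names, device names, scoring weights and sample telemetry are all constructed, and a real deployment would draw baseline trust from an identity store and behavioral signals from a monitoring pipeline rather than from hard-coded values.

```python
"""Toy intent-based segmentation policy with continuously re-evaluated trust.

Added illustration, not vendor code. Every segment, device, weight and event
below is constructed for the example.
"""
from dataclasses import dataclass, field

# Segments are named after the business purpose of the assets in them, not
# after the VLAN or subnet they happen to occupy.  (Constructed names.)
SEGMENTS = {"pos", "corp-users", "iot-cameras", "guest", "quarantine"}

# Allowed flows: (source segment, destination segment) -> minimum trust score
# the source device must currently hold.  Any pair not listed is denied, so
# "quarantine" (never a source here) has no permitted flows at all.
INTENT_POLICY = {
    ("corp-users", "pos"): 70,           # only well-trusted staff reach POS
    ("corp-users", "corp-users"): 40,
    ("iot-cameras", "iot-cameras"): 40,  # cameras talk to their own peers only
    ("guest", "guest"): 0,
}

@dataclass
class Device:
    name: str
    segment: str
    mfa_verified: bool = False
    expected_ports: set = field(default_factory=set)  # declared/learned profile
    baseline_trust: int = 50                           # from the identity store

@dataclass
class FlowEvent:
    src: str            # device name that initiated the flow
    dst_segment: str
    dst_port: int
    auth_failed: bool = False

def evaluate_trust(dev: Device, events) -> int:
    """Recompute a device's trust from its baseline plus observed behavior.

    Weights are illustrative assumptions, clamped to 0..100:
      +20  MFA verified for this session
      -15  each connection to a port outside the device's declared profile
      -25  each attempt toward a segment the intent policy never allows
      -10  each failed authentication
    """
    score = dev.baseline_trust
    if dev.mfa_verified:
        score += 20
    for ev in events:
        if ev.src != dev.name:
            continue
        if ev.dst_port not in dev.expected_ports:
            score -= 15
        if (dev.segment, ev.dst_segment) not in INTENT_POLICY:
            score -= 25
        if ev.auth_failed:
            score -= 10
    return max(0, min(100, score))

def effective_segment(dev: Device, score: int, floor: int = 30) -> str:
    """Below `floor` the device is dynamically moved to quarantine, which has
    no allowed flows: its access rules are reset without touching the VLAN."""
    return "quarantine" if score < floor else dev.segment

def is_allowed(dev: Device, dst_segment: str, score: int) -> bool:
    """Default deny: the flow needs a listed pair AND enough current trust."""
    seg = effective_segment(dev, score)
    needed = INTENT_POLICY.get((seg, dst_segment))
    return needed is not None and score >= needed

def demo() -> dict:
    """Run the engine on constructed telemetry; returns results for inspection."""
    cam = Device("lobby-cam-07", "iot-cameras", expected_ports={554})
    alice = Device("alice-laptop", "corp-users", mfa_verified=True,
                   expected_ports={443, 445})
    events = [  # constructed sample telemetry
        FlowEvent("alice-laptop", "pos", 443),
        FlowEvent("lobby-cam-07", "iot-cameras", 554),            # normal RTSP
        FlowEvent("lobby-cam-07", "pos", 445),                    # camera -> POS, SMB
        FlowEvent("lobby-cam-07", "pos", 445, auth_failed=True),  # and a failed login
    ]
    cam_before = evaluate_trust(cam, [])
    cam_after = evaluate_trust(cam, events)
    alice_score = evaluate_trust(alice, events)
    return {
        "cam_before": (cam_before, is_allowed(cam, "iot-cameras", cam_before)),
        "cam_after": (cam_after, effective_segment(cam, cam_after),
                      is_allowed(cam, "iot-cameras", cam_after)),
        "alice": (alice_score, is_allowed(alice, "pos", alice_score)),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The camera starts at its baseline and may reach its peers; after two flows that break both its port profile and the intent policy, its score collapses, it is re-homed to quarantine, and even the previously permitted camera-to-camera flow is refused. The MFA-verified laptop keeps exactly the score the POS rule demands, which is the point of the check: trust is a live input to every policy decision, not a property assigned once at provisioning time.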

Securing Digital Transformation with a Single Security Fabric

As organizations continue to pursue an aggressive DI strategy, their distributed networks need to employ a single, integrated security solution that spans the entire network to comprehensively protect critical resources. By combining verifiable trust, intent-based segmentation, and integrated security, organizations can establish a trustworthy, security-driven networking strategy. This allows the network to dynamically adapt to meet the security demands of an evolving environment, including the challenges of a dynamic SD-WAN strategy.

John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.