Securing the Software-Defined Branch with Aryaka Zones and Partner Solutions
Last week I blogged about Aryaka HybridWAN and its innovative approach to delivering internet connectivity with enterprise-class SLAs to the branch. Of course, as soon as you open branches to the internet, security becomes a major concern.
When it comes to security in SD-WAN, it’s easy to observe there are two generic approaches in our industry:
- The Integrated Solution posture, meaning “You should get my SD-WAN because it also happens to come integrated with my integrated security solution, which saves you getting security from anybody else. Trust me, it fits your needs.” This posture is quite prevalent in the SD-WAN world, but quite clearly it represents a lock-in strategy and it may well be detrimental to enterprises’ particular security preferences and needs.
- The Open Solution posture, meaning “We as an SD-WAN company understand that most enterprises need to tailor the multi-layered security approach that fits their particular needs, hence we’ll provide some foundational security capabilities – but we will make sure to maintain an open posture and also partner with a number of leading security companies so our customers can truly custom-tailor their security solution.”
Aryaka is an SD-WAN company that firmly subscribes to the Open Security Solution posture. The reasons? First and foremost, we are a customer-first company. Our State Of The WAN 2019 Report firmly established that, while security is of course a top concern for every enterprise deploying SD-WAN, the majority of enterprises require the power of choice. For a variety of reasons, ranging from enterprise architecture concerns down to regulatory needs, a single security solution will seldom cover all of an enterprise’s needs. Several industry analysts have also repeatedly established the need for a multi-layered approach to security.
Aryaka’s approach to security is open and straightforward:
First, there is the foundational aspect of security. In the branch, you need a basic stateful firewall, and you need policy-based segmentation. We integrate both functions into our branch device, the ANAP (Aryaka Network Access Point). We call this feature Aryaka Zones, and we include it in our ANAP as free basic functionality. Zones provides a stateful firewall for basic access security, segmenting the branch from the outside world. Furthermore, within Zones we create strict internal segmentation of traffic based on policies, which typically means strict separation of public internet (guest WiFi, consumer apps, etc.), cloud security, DMZ and corporate traffic. Our policies are flexible enough to accommodate up to 32 Zones in a branch. You can leverage Aryaka Zones not only for East-West segmentation, but also for enforcing restricted and secure communication between the segments, within the branch or across branches.
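As an added illustration (not Aryaka’s code and not how the ANAP actually implements Zones), the Python model below shows the behaviour described above: traffic is classified into zones, inter-zone flows are denied unless a policy allows them, and replies to established flows pass statefully. The zone names, networks, ports and rules are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_ZONES = 32  # the post states policies accommodate up to 32 zones per branch
ANY = "*"

@dataclass
class ZoneFirewall:
    zones: dict = field(default_factory=dict)   # zone name -> list of networks
    rules: set = field(default_factory=set)     # (src_zone, dst_zone, dport) allowed
    sessions: set = field(default_factory=set)  # (src, sport, dst, dport) established

    def add_zone(self, name, cidrs):
        if name not in self.zones and len(self.zones) >= MAX_ZONES:
            raise ValueError("branch zone limit reached")
        self.zones[name] = [ip_network(c) for c in cidrs]

    def allow(self, src_zone, dst_zone, dport=ANY):
        self.rules.add((src_zone, dst_zone, dport))

    def zone_of(self, ip):
        addr = ip_address(ip)
        for name, nets in self.zones.items():
            if any(addr in net for net in nets):
                return name
        return "internet"  # anything not in a defined segment is the outside world

    def check(self, src, sport, dst, dport):
        """Return True if the packet is permitted; new flows are recorded as sessions."""
        if (dst, dport, src, sport) in self.sessions:
            return True  # reply half of an established flow (stateful behaviour)
        src_zone, dst_zone = self.zone_of(src), self.zone_of(dst)
        if src_zone == dst_zone:
            return True  # same segment: not policed by inter-zone rules
        if {(src_zone, dst_zone, dport), (src_zone, dst_zone, ANY)} & self.rules:
            self.sessions.add((src, sport, dst, dport))
            return True
        return False  # default deny: no policy between the two zones

def build_branch():
    """Constructed sample branch: guest WiFi, corporate and DMZ segments (hypothetical)."""
    fw = ZoneFirewall()
    fw.add_zone("guest", ["192.168.50.0/24"])
    fw.add_zone("corporate", ["10.10.0.0/16"])
    fw.add_zone("dmz", ["10.20.0.0/24"])
    fw.allow("guest", "internet")            # guests reach the internet only
    fw.allow("corporate", "internet", 443)   # corporate web traffic, e.g. to cloud security
    fw.allow("corporate", "dmz", 443)        # corporate may call DMZ services
    return fw
```

Note that the DMZ never gets a rule towards the corporate segment: its hosts can answer corporate-initiated sessions but cannot open new ones, which is the East-West restriction the post describes.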
Second, Aryaka partners with cloud security leaders like Zscaler, Palo Alto Networks, Symantec and others in order to deliver choice and easy integration.
But back to architectural enablement: VLAN-based segmentation is great, but there are many application cases that call for segmentation at Layer 3, which is done with VRF (Virtual Routing and Forwarding). A classic use case for Layer 3 segmentation with VRF is multi-tenancy. You will not be surprised now if I tell you that we also provide that function: it, too, is included in our ANAP.
Architecturally, when you implement multi-layered segmentation and support an overarching policy framework, you support a micro-segmentation architecture. Hear me out, though: Aryaka does not provide the entire stack for a micro-segmentation solution supporting a so-called Zero Trust approach to security. We provide the architectural enablement at L2 and L3. There are higher-level, de facto industry-standard identity and policy frameworks that tie the L2/L3 foundational micro-segmentation capability to an overarching framework in order to deliver on a so-called Zero Trust posture.
Micro-segmentation and Zero Trust are inseparable; as soon as you talk about one, industry pundits will ask you about the other. So what is Zero Trust? As with many things these days, there is no industry standard, so I’ll simplify: Zero Trust is a security posture that doesn’t allow anything or anyone into the enterprise unless their identity is confirmed, and once access is granted they are mapped via policy to a few chosen micro-segments in the network.
You could say that Zero Trust is the countermovement to the universal-connectivity premise that IP networks enabled. IP’s universal connectivity stack enabled an industry revolution, but that universal connectivity became a liability. Consequently, we started to defeat universal connectivity: firewalls came first, intrusion detection followed, and unified threat management was the next stop. But if you think about it, those are all passive, defensive postures. Zero Trust represents a disruptive, offensive move in enterprise security architecture.
One more thing about a Zero Trust architecture: clearly, it requires a very open approach from every technology vendor involved in the stack, since no single vendor will cover every enterprise domain and every layer of the technology stack. Clearly, SD-WAN vendors advocating a single, in-house security solution are missing the boat on where we are headed with enterprise security.
To sum things up: Aryaka’s open approach to multi-layered security delivers on the choice that enterprises prefer, and which emerging Zero Trust security postures require as a foundational enabler.