In the tug-of-war between NetOps and SecOps, what role does SD-WAN play?


Connectivity across campus, branch, cloud, and edge is a fundamental requirement for building a digital enterprise, but as the network fabric expands, the need for end-to-end integrated security becomes more important. This, coupled with the necessity to continuously monitor and maintain application performance at campus, branch, and edge locations, creates a huge workload for NetOps and SecOps teams. The result is often a tug-of-war between two teams: one striving to keep the network optimized for performance and availability, and the other striving to keep data, applications, and devices secure.


Conflict or cooperation?

The key to balancing NetOps and SecOps lies in how the network and all the connected devices are managed. Traditionally, in NetOps, there are separate consoles to configure, monitor, and analyze network domains. Similarly, in order for SecOps to capture, log, and analyze traffic in all the different domains, special taps are installed wherever traffic enters and leaves the domains. SecOps has the additional job of storing all traffic logs in the event of a breach or successful malware attack in order to pinpoint the cause and prove that appropriate measures were taken to remediate the breach and prevent future attacks.

Can NetOps and SecOps collaborate instead of conflict?

Digital transformation projects benefit from unified operations and security

Deploying new multi-cloud applications requires ensuring the network is responsive, always available, and secure. NetOps needs to work with development teams to understand the network SLAs and cloud usage requirements for new applications. SecOps needs to ensure the correct network permissions, segmentation, and policies are applied to the network when applications are launched. NetSecOps collaboration is critical to timely deployment of next-generation applications with the security and performance levels required.

SD-WAN can play an important role in the unification of NetSecOps by combining software-defined network architecture with single-console cloud management.

SD-WAN Unified Network Cloud Management for NetSecOps

The main benefit of SD-WAN for unified NetSecOps is the ability to provide a single role-based management portal for configuring and monitoring network performance, segmentation, and security policies. With the SD-WAN cloud controller, NetSecOps can:

  • Remotely install and configure branch SD-WAN routers using Zero Touch Provisioning (ZTP).
  • Automatically route traffic over the most efficient, cost-effective path (MPLS, broadband, direct internet, LTE) using dynamic path selection.
  • Manage cloud platform performance, security, and access policies for SaaS and IaaS hosted applications.
  • Set Quality of Experience (QoE) service levels for cloud and SaaS applications.
  • Remotely configure and manage application-aware firewall, URL filtering, intrusion detection/prevention, DNS layer security, and Advanced Malware Protection (AMP) at the branch level to secure branch communications using direct internet connections to cloud applications.
  • Collaboratively configure segmentation rules that are applied uniformly across distributed locations to keep traffic flows (e.g., employee wireless access and payment system traffic) separate for improved performance and security.

Manage and secure east-west traffic and branch offices

Because SD-WAN provides a host of integrated security layers, traffic entering and leaving the branch can be thoroughly inspected for application penetration, malware intrusions, and known bad URLs. But malware introduced by devices inside the branch network remains a thorny issue.

In the days of branch WANs and hub WANs, traffic from each device in the branch office would be backhauled to the corporate data center for inspection and verification before returning to the branch office. This has always been a troublesome situation for NetOps because the traffic load just for backhauling and inspection interferes with traffic that normally has to go to the data center for additional processing.

With SD-WAN, firewalls and intrusion detection are integrated into the branch routers, so traffic within the branch is inspected as it traverses the local network, in addition to traffic to and from the branch. The result is that SecOps can maintain control over local traffic security, while NetOps can free up bandwidth for priority traffic in the data center, SaaS applications in the cloud, and traffic to other branches, all managed through an SD-WAN controller shared by both teams.

Secure access to SaaS applications via direct Internet connections

Employees are now increasingly dependent on applications hosted in SaaS cloud platforms, such as Office 365, which need to be routed via direct Internet access. With SD-WAN, NetSecOps can focus not only on fine-tuning application performance, but also on defensive measures to protect valuable corporate data traveling to and from branch sites over Internet connections. With SD-WAN on-ramps to SaaS and IaaS clouds, the network selects the most efficient path to handle Azure, AWS, or Google Cloud workloads, while built-in security layers provide protection through DNS URL filtering, advanced malware protection, and application-aware firewalls. NetSecOps manages application performance and security through the SD-WAN cloud controller portal.

Facilitating collaboration between NetOps and SecOps is key to network agility

With SD-WAN's ability to manage operations and security through the same cloud portal, it is practical to create a NetSecOps team to facilitate collaboration and maximize the QoE and security of devices and applications. Combining these two key capabilities helps create an agile network that makes digital transformation projects possible.
