The impact of deploying software-defined wide area networks (SD-WANs) within the cloud fabric of centralized or distributed networks has been profound on a number of levels. One reason for this impact is the appeal of integrating security capabilities into communications service providers' (CSPs') SD-WAN solutions.

To understand the associated business drivers and technical requirements, Heavy Reading launched the SD-WAN Security Market Leadership Study (MLS) with collaboration partners Amdocs, Fortinet, Lavelle Networks and Nuage Networks in 4Q 2019. The survey attracted 90 qualified global respondents and documented SD-WAN security service use cases, implementation timelines, the impact of virtualization, cloud service integration opportunities, automation and analytics, as well as technical requirements, including orchestration strategies.

SD-WAN security and SECaaS cloud integration
One business opportunity fueling CSPs' cloud transformation is growth in the cloud-based managed security service market segment. This growth is in large part because many enterprise customers have realized that the optimal strategy in a dynamic and complex threat landscape is to work with a third-party cloud provider that supports a security as a service (SECaaS) delivery model. In addition to being cost-effective, there are several technical advantages to this model, including the ability to deliver a holistic portfolio of security services to users in either corporate or remote branch offices.

The key question here is: To what extent will CSPs integrate their SD-WAN-based managed security services into a harmonized SECaaS portfolio? As Figure 1 illustrates, most CSPs are in favor of some level of integration. For example, the largest group of respondents (37%) propose to partially integrate some specific features into their SECaaS portfolio and fully integrate others.

A second more progressive group (28%) advocates an "integrate them all" approach to enable them to achieve a single pane of glass monitoring and create a single security support team. The third group (28%) plans to move at a slower pace and start with only a partially SECaaS integrated model and then transition to a fully integrated model over time.

These three groups represent more than 90% of all survey respondents. While the approach to and pace of integration differ among the groups, only 8% plan not to integrate SD-WAN security services into SECaaS. Thus, it is clear that cloud integration is an important feature that CSPs plan to pursue going forward.

Figure 1: SD-WAN security features and SECaaS integration

Question: To what extent will you integrate SD-WAN security features into your SECaaS portfolio? (N=90)
(Source: Heavy Reading)

SD-WAN security branches out
A consideration that affects SD-WAN security integration strategies is the level of service support that is required in branch offices. The decision fundamentally comes down to whether to support only local Internet breakout access or to secure all communications services originating and terminating within the branch. One reason for the renewed interest in local Internet breakout is that in the past, Multiprotocol Label Switching (MPLS) networks often lacked the programmability to support direct Internet access in the branch. This meant access could be supported only via a centralized hub configuration, which is less efficient.

Consequently, as shown in Figure 2, 34% of CSPs have "already implemented" local Internet breakout security while 28% indicated they are utilizing SD-WAN branch-based security services to support communications services from all locations.

Based on "currently implementing" response levels, the "all communications" services model leads (40%). A third of respondents indicated they "may implement" Internet breakout (33%) or all communications security services (32%) in the branch. Still, taking these "may implement" responses out of the equation means more than two-thirds of CSPs (68%) have "already implemented" or are "currently implementing" a comprehensive all communications services strategy for SD-WAN security in the branch to fully harness the power of cloud integration.

Figure 2: Branch-based SD-WAN security strategies

Question: Do you plan to use branch-based security functions for local internet breakout only or to secure all communications from the branch to other branches, HQ and cloud? (N=86-89)
(Source: Heavy Reading)

Looking for more information?

White paper: SD-WAN Security Services: Implementation, Integration & Impacts

Webinar: SD-WAN Security Services: Implementation, Integration & Impacts

This blog is sponsored by Nuage Networks from Nokia.