Can we do all this without SD-WAN?
In theory, yes: with novel router features and configurations, deep packet inspection, policy-based routing into manually created IPsec tunnels with IP SLA monitoring, and more besides. We were doing this a decade ago, and it was this complexity that led to the emergence of SD-WAN.
You would do this better today using modern automation tooling, but without a control plane you're basically performing a bespoke, one-of-a-kind router-based configuration. That is a tall order when you need to deploy and manage hundreds or thousands of routers globally, and it can't be done at a resource cost or level of risk that most firms will tolerate.
The bottom line is that organisations don't want to be reliant on novel workarounds that are difficult for their network vendor to navigate when it comes to complex faults. Vendors don’t perform regression testing for one-off bespoke configurations; instead, they expect you to take their SD-WAN package, as the majority will.
Take a steer from the industry’s convergence path
If you look at the vendor landscape, whether they started life as a security vendor or network vendor, and no matter their heritage, the trend is very much towards a joined-up SSE and SD-WAN portfolio.
Even long-established, dyed-in-the-wool security vendors have by now added a cloud-based SSE. The majority have also worked to acquire or develop their own SD-WAN solutions, tightly integrating them into their ecosystem. Even vendors we think of as being pure-play cloud security vendors have launched branch connectivity options with SD-WAN-like features. All credit to them for tracking where the market was heading and pivoting their strategies.
One thing is for sure: the vendors are clear that SD-WAN and SSE go hand in glove, and they’re all offering tremendously powerful and innovative solutions to deliver on the overall SASE framework.
The future direction for SD-WAN
The push is towards packages of integrated services which drive business outcomes on user experience, observability, compliance management and security. This will be most visible in single-vendor SASE solutions, where my prediction is that SD-WAN will remain as a core capability, but we will come to think of it more as an extension of SSE, rather than traditional branch WAN technology.
We can already use the SD-WAN edge router as a network-based DEM sensor, and we can place security controls such as a firewall or intrusion prevention system at the edge router, but the policy is usually managed by SD-WAN separately from SSE. Instead, future architectures will evolve to the extent that SD-WAN and firewalls become extensions of SSE with consistent policy definition and threat detection techniques, regardless of whether the control is placed in the cloud-based SSE tenant, an SD-WAN edge router or a firewall appliance.
A potential consequence of tighter integration is a change in buyer behaviour and contracting. My observation is that many customers default to dual-vendor SD-WAN+SSE not always based on preference or efficacy, but because of misaligned contract end-dates complicating procurement as well as the need to re-train and re-tool when moving from an established security vendor.
The increasing capabilities of a single-vendor SASE might become so attractive as to encourage more firms towards a wider transformation of both towers, especially with SASE being so well suited to NETSECOPS, making the overall TCO model, including service, more compelling.
SD-WAN is still relevant, and will continue to be
To re-emphasise, all of the reasons that SD-WAN was invented still exist today. None of these reasons are going away: visibility, segmentation, embedded security, local internet breakout, compliance, path management, load sharing, zero-touch provisioning or automation. The SD-WAN of the future may be more tightly integrated with the SSE stack, but there are no signs of an alternative technology on the horizon.
These outcomes are impractical and costly to achieve without SD-WAN. The technology is getting better all the time and the business case should be clear. If not, let our consultants help you take a wider view, help with your total cost of ownership model and determine a solution that fits your budget.
Draw on the BT and Palo Alto Networks partnership
At BT, we’ve been part of the development pathway leading to SASE from the beginning. And, over the years, we’ve built an ecosystem of SD-WAN and SSE vendors and developed the tools and methodology to deploy and service multi-vendor environments.
As part of this, we’ve been working for over ten years with Palo Alto Networks as one of our key security partners. We value their advanced capabilities, as recognised by their status as Leader in the 2023 Gartner Magic Quadrant for SSE and Leader in the 2022 Gartner Magic Quadrant for SD-WAN.
Today, our partnership brings networking and security together to design, build and deliver SASE solutions for the world’s largest multinational corporations and public bodies, offering flexible services that are customisable to specific business requirements.
Our partnership-driven managed SASE solution brings together expert advice on how to deploy the various elements of SASE, underpinned by services from Palo Alto Networks. This includes everything you need: SD-WAN, Zero Trust network access, cloud access security broker, firewall as a service, and secure web gateways, all in one place with a choice of where and when to deploy them.
To find out more, ask your BT account manager for a SASE workshop. They can help you understand where you currently are on each aspect of SASE and work with you to build a SASE journey that’s aligned to your objectives.