Do you still need SD-WAN?
In recent conversations, I’ve had a number of customers seeking clarification about what’s happening with Secure Access Service Edge (SASE) and Security Service Edge (SSE), and whether SD-WAN still fits into the picture. They’ve perhaps had conflicting advice on whether SD-WAN is needed or heard that SD-WAN is an alternative to or even somehow at odds with Zero Trust.
This uncertainty is understandable, and ‘do I still need SD-WAN?’ is a reasonable and relevant question. A thorough answer involves exploring the use cases and benefits of SD-WAN, as well as how to get the architecture, service model and vendor selection right. But the starting point is unpacking how SASE, SSE and SD-WAN relate to one another, which we shall cover in this article.
Reviewing Gartner’s positioning on SSE, SD-WAN and SASE
The intersection of security and networking isn’t a fixed specification. Instead, it’s an ongoing conversation, informed by innovation, practical experiences and the operating environment of the time.
When SASE first came to the fore in 2019, Gartner was clear that the future of network and security is in the cloud, providing a holistic architecture where networking and security are managed together as a cloud service. They positioned SASE as a framework rather than a specific fixed product: a structure that allowed for alternative hosting models, mixed vendors, and different network and security functions.
Since then, Gartner have advanced their thought leadership through their Strategic Roadmap for SASE Convergence (2021), Magic Quadrant for Security Services Edge (2022), Magic Quadrant for SD-WAN (2022/23), Magic Quadrant for Single-vendor SASE (2023) and more besides.
Some questions arose when they released the Magic Quadrant for SSE about how it related to SASE and SD-WAN. Would these new SSE products replace SD-WAN?
However, the root of Gartner’s messaging hasn’t changed: the core concept for secure networking remains SASE, which continues to be the combination of two architectures, SD-WAN and SSE. Gartner isn’t pivoting away from SD-WAN being one of the two towers of SASE. It’s more helpful to see the separate Magic Quadrants as recognition that many firms buy SD-WAN and SSE from different vendors, with the remainder taking both from a single-vendor ecosystem.
The separate Magic Quadrants also shine a light on different sourcing strategies where a client might start with Zero Trust Network Access (ZTNA) for VPN replacement, compared to an organisation that starts with branch WAN transformation. These separate quadrants are also helpful to organisations that want a dual vendor arrangement, rather than a single-vendor approach to SASE, allowing vendors to focus on one area or the other. As I see it, Gartner are actually doubling down on SASE with the release of the Magic Quadrant for single-vendor SASE.
The enduring value of SD-WAN within Zero Trust
At BT, we work to make Zero Trust principles specific and deliverable for a customer’s situation. To this end, SD-WAN has a thriving role to play: the two are complementary, and together they strengthen network security.
Zero Trust can be succinctly understood to mean ‘continuously validate everything’; it doesn’t mean ‘ignore the network and put all the smarts in endpoint agents.’ In fact, the network itself is arguably the most important of all sensors, generating a wealth of telemetry data. It’s important to remember that true Zero Trust is about defence-in-depth, and having the right security controls at their most effective locations - and that includes WAN routers.
If we think of SD-WAN as ‘security-defined WAN’ rather than ‘software-defined WAN’ it’s a more accurate description of the role of the modern WAN router. Gartner and indeed MEF (who define service attributes and features for both domains to drive interoperability) also take this perspective, with neither of them describing SD-WAN as a solely WAN service.
Zero Trust means thinking about how all the controls interact together to achieve the wider objective, and then take a contextual view to identify weak points where appropriate controls are needed.
Crucially, this involves recognising that your attack surface isn’t just managed end-user devices, but any device attached to the network. Relying solely on controls delivered by endpoint agents, such as Endpoint Detection and Response (EDR), works only if your entire attack surface consists of end-user devices that can run an agent.
In reality, your attack surface will be much wider than that, and you’re going to need the means to secure traffic from those other devices, including segmentation and firewalling or perhaps forwarding the traffic towards an SSE service. SD-WAN is ideal for this and has distinct benefits to offer in both large and small settings.
Smart Building and IoT systems need SD-WAN more than ever before
IoT devices such as smart building and occupancy-sensing solutions are now mainstream capabilities. Room and desk occupancy sensors, power monitoring, asset tracking, flood and smoke detection, wayfinding: all of these sensors, gateways and controllers need unique treatment.
These devices need to be securely onboarded onto the network, with authentication and posture checking at the LAN edge, but also segmentation on the WAN so that a compromised sensor cannot reach systems it has no business talking to. They usually require direct internet connectivity, so security is essential, but they also need application classification so that performance and reliability can be assured. Separating endpoints into different personas, each with its own network requirements, is exactly what SD-WAN is designed to do.
Ultimately, the needs of the future network are going to be defined as much by stakeholder groups such as property management as by application owners or network teams. Failing to keep pace creates the ideal conditions for shadow IT to creep in. By supporting rapid and easy technology adoption, SD-WAN is increasingly an effective part of defending against unsanctioned and unseen IT projects.
Providing economic certainty for Hybrid Cloud architectures
A significant part of our work in BT Business is enabling our customers to transform their applications and networks for hybrid cloud. The vast majority of our customers are in multiple public clouds and many continue to invest strategically in private cloud for compliance, data sovereignty or economic reasons.
One of the challenges of public cloud is that costs rise as utilisation increases. This applies to the network too: data transfer out (DTO) fees are charged per gigabyte leaving the cloud, so they scale with traffic volume, especially when branch sites connect to public cloud via the Internet.
We help customers understand the importance of intelligent placement of workloads and data to counter the potential for bill-shock. We also demonstrate how SD-WAN has a key role to play, not only in providing flexibility to move data and workloads between hosting locations, but also in aggregating user traffic for routing via private cloud connections. Options such as ExpressRoute and Direct Connect offer more attractive DTO rates (ExpressRoute also offers an unlimited-data plan), thus weakening the link between user demand and the cost of the public cloud egress network.
The agility of SD-WAN to route traffic by policy is extremely helpful where a firm wants to experiment or innovate with a new cloud provider, or to differentiate the routing of a development instance from production, or of branches in one cloud region from another. For example, a European firm might primarily use EU Azure regions over ExpressRoute to minimise costs, but also use Internet egress to reach an AWS instance in the USA, either for a small number of sites in that region or for a small amount of traffic from EU sites towards an application hosted out of region.
SD-WAN provides the flexibility for this level of differentiated routing, allowing for smart placement of workloads, securing the data as well as optimising cost. The same policy also makes explicit which traffic is permitted to leave a region and by which path, which matters for the compliance and data sovereignty concerns noted above.
SD-WAN is not just for large, complex environments
Some question the role of SD-WAN in small offices, thinking it’s overly complicated and expensive for their needs. In fact, from a small-site perspective, SD-WAN provides many benefits that legacy WANs cannot match.
Small offices, kiosks, and concessions in shopping malls, airports or fuel filling stations tend to face challenges on user experience, security and budget. Plus, there can be a resource challenge to delivering at scale if there’s a large estate requiring transformation.
The trend for these small sites is to favour an all-in-one solution where the WAN, LAN, Wi-Fi and security functions are consolidated onto the same physical appliance, or at least all managed via a single central controller and management plane. This level of consolidation can’t be achieved on a practical basis without an underlying SD-WAN service.
As organisations turn to the internet, they find that variations in performance can adversely impact end-user experience; even nations with excellent fibre infrastructure can have peering strategies built around consumers rather than businesses.
In attempting to mitigate this, a common approach is to load-share across multiple broadband or mobile LTE/5G circuits. SD-WAN features such as path monitoring, application-aware path steering, packet duplication and forward error correction are key to making efficient use of multiple paths, and to making use of potentially lower-quality underlay at all.
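To make the two behaviours above concrete, here is an added example in Python (not BT’s, Palo Alto Networks’ or any vendor’s code) modelling how an SD-WAN edge combines a destination policy, like the EU-Azure-over-ExpressRoute versus AWS-US-over-Internet case in the hybrid cloud section, with SLA-based path steering: probe results per underlay, per-application thresholds, stickiness to avoid flapping, and packet duplication for critical flows when no single path is compliant. Path names, regions, applications, thresholds and probe numbers are all constructed assumptions; real products express this as vendor-specific policy and measure paths with their own probes.

```python
"""Added example: toy model of an SD-WAN edge combining destination policy
(which underlays a flow may use) with SLA-based path steering (which of them
to use right now). All names and numbers are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PathStats:
    """Latest probe results for one underlay, as measured by the edge router."""
    loss_pct: float
    latency_ms: float
    jitter_ms: float


@dataclass(frozen=True)
class SlaClass:
    """Thresholds for an application class. duplicate_if_degraded=True means
    send the flow over two paths at once when no single path is compliant."""
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float
    duplicate_if_degraded: bool = False


@dataclass(frozen=True)
class PolicyRule:
    """One ordered policy entry: for (app, site region, destination region),
    the underlays allowed in preference order and the SLA class to apply.
    app == '*' matches any application."""
    app: str
    site_region: str
    dst_region: str
    candidate_paths: List[str]
    sla: SlaClass


@dataclass(frozen=True)
class Decision:
    paths: List[str]      # empty means no policy matched: the flow is dropped
    duplicated: bool
    reason: str


def meets_sla(stats: PathStats, sla: SlaClass) -> bool:
    return (stats.loss_pct <= sla.max_loss_pct
            and stats.latency_ms <= sla.max_latency_ms
            and stats.jitter_ms <= sla.max_jitter_ms)


def steer(rules: List[PolicyRule], app: str, site_region: str, dst_region: str,
          probes: Dict[str, PathStats], current: Optional[str] = None) -> Decision:
    """First-match policy lookup, then SLA-aware path choice with stickiness
    (no flap while the current path still meets SLA) and duplication."""
    rule = next((r for r in rules
                 if r.app in ("*", app)
                 and r.site_region == site_region
                 and r.dst_region == dst_region), None)
    if rule is None:
        # Explicit default deny: a flow nobody wrote policy for (e.g. an EU
        # site reaching an unsanctioned out-of-region app) is not routed.
        return Decision([], False, "no policy for this flow: default deny")

    candidates = [p for p in rule.candidate_paths if p in probes]
    compliant = [p for p in candidates if meets_sla(probes[p], rule.sla)]

    if current in compliant:
        return Decision([current], False, f"{current} still meets {rule.sla.name} SLA")
    if compliant:
        return Decision([compliant[0]], False, f"best compliant path for {rule.sla.name}")
    if not candidates:
        return Decision([], False, "policy allows no path that is being probed")

    ranked = sorted(candidates, key=lambda p: (probes[p].loss_pct, probes[p].latency_ms))
    if rule.sla.duplicate_if_degraded and len(ranked) >= 2:
        return Decision(ranked[:2], True, "no compliant path: duplicating over two least-lossy")
    return Decision([ranked[0]], False, "no compliant path: least-lossy fallback")


# Constructed policy for a European site (hypothetical path and app names).
VOICE = SlaClass("voice", 1.0, 150.0, 30.0, duplicate_if_degraded=True)
BULK = SlaClass("bulk", 5.0, 400.0, 100.0)
WEB = SlaClass("web", 2.0, 250.0, 50.0)

RULES = [
    PolicyRule("voip", "eu", "eu", ["expressroute", "broadband1", "lte"], VOICE),
    PolicyRule("*", "eu", "eu", ["expressroute", "broadband1"], BULK),
    # Only this one app may leave the region, and only via Internet egress.
    PolicyRule("devportal", "eu", "us", ["broadband1", "lte"], WEB),
]

# Constructed probe snapshots: one healthy, one with loss on every underlay.
HEALTHY = {"expressroute": PathStats(0.0, 12.0, 1.0),
           "broadband1": PathStats(0.4, 28.0, 5.0),
           "lte": PathStats(1.5, 65.0, 22.0)}
DEGRADED = {"expressroute": PathStats(3.0, 12.0, 1.0),
            "broadband1": PathStats(2.0, 40.0, 12.0),
            "lte": PathStats(2.5, 70.0, 25.0)}


if __name__ == "__main__":
    for app, dst, probes in [("erp", "eu", HEALTHY), ("devportal", "us", HEALTHY),
                             ("erp", "us", HEALTHY), ("voip", "eu", DEGRADED)]:
        d = steer(RULES, app, "eu", dst, probes)
        print(f"{app:9s} eu->{dst}: {d.paths or 'DROP'} dup={d.duplicated} ({d.reason})")
```

Two design points worth noting. First, a flow with no matching policy is dropped and named in the reason, rather than silently taking a default route; that is where unsanctioned out-of-region traffic otherwise ends up. Second, the policy restricts the devportal flow to Internet underlays even when ExpressRoute is healthier, because the routing decision is about cost and data residency as much as quality; the SLA logic only chooses among the paths the policy has already allowed.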
SD-WAN is also important to the continuous measuring, reporting and diagnostics of performance that support user experience. In fact, visibility has always been one of the biggest challenges across all IT services and is one of the most welcome and valued benefits of SD-WAN.
SD-WAN as a critical part of Digital Experience Monitoring visibility
All mainstream SD-WAN and SSE vendors have a good baseline of application-aware visibility, monitoring and alerting, but the trend today is towards Digital Experience Monitoring, commonly abbreviated DEM or DEX (some vendors have their own variants, such as ADEM). DEX is becoming an essential capability, not only for fault handling but also for measuring and reporting on service levels that are more meaningful to end-users.
What we’re seeing, especially from single-vendor SASE providers, is a tight integration of DEX into both SD-WAN and SSE. This means that data is collected from agents running on endpoints and also from SD-WAN routers, either through embedded agents or running as containers. This delivers a complete picture of the environment and greatly helps in triaging complex issues with end-user applications.
Being able to achieve this level of end-to-end visibility from SD-WAN and SSE is arguably worth the price of entry alone and needs to be factored into total cost of ownership modelling and service models.
SD-WAN as a critical part of operations and management
Beyond its visibility strengths, the growth area in SD-WAN (and arguably where much of its value is derived) is in supporting operations and management. Vendors are innovating by integrating with IT service management and AIOps, with event-driven automated responses and the ability to react to deviations from dynamically established baselines of normal behaviour. There are intelligent assistants, guided fault triaging and much more besides, and that is set to increase as vendors take advantage of GenAI.
It's often overlooked, but many customers realise significant business outcomes just from handling the basics of compliance. That may be conforming with formal industry regulations such as GDPR, PCI DSS or HIPAA, or with policies governing software standards, patching, locking down of management access, authentication, logging or ACLs. It’s invaluable to be able to manage these essentials at pace and scale, and to be able to report on compliance with these standards and policies at audit time. One caveat a practitioner will raise: the SD-WAN controller and its management plane are themselves a high-value target, since they can push configuration to every edge, so the same standards (restricted management access, strong authentication, least-privilege role-based access and retained audit logs) must be applied to the control plane as rigorously as to the routers it manages.
Can we do all this without SD-WAN?
In theory, yes: with novel router features and configurations, deep packet inspection, policy-based routing into manually created IPsec tunnels with IP SLA monitoring, and more besides. We were doing this a decade ago, and it was this complexity that led to the emergence of SD-WAN.
You would do this better today with modern automation tooling, but without a control plane you are still performing a bespoke, one-of-a-kind router-based configuration. That is a tall order when you need to deploy and manage hundreds or thousands of routers globally, and certainly not one most firms will accept at the resource cost or risk involved.
The bottom line is that organisations don't want to rely on novel workarounds that are difficult for their network vendor to navigate when complex faults arise. Vendors don’t regression-test one-off bespoke configurations; they expect you to take their SD-WAN package, as the majority will.
Take a steer from the industry’s convergence path
If you look at the vendor landscape, whether they started life as a security vendor or network vendor, and no matter their heritage, the trend is very much towards a joined-up SSE and SD-WAN portfolio.
Even long-established, dyed-in-the-wool security vendors have by now added a cloud-based SSE. The majority have also worked to acquire or develop their own SD-WAN solutions, tightly integrating them into their ecosystem. Even vendors we think of as being pure-play cloud security vendors have launched branch connectivity options with SD-WAN-like features. All credit to them for tracking where the market was heading and pivoting their strategies.
One thing is for sure: the vendors are clear that SD-WAN and SSE go hand in glove and they’re all delivering tremendously powerful and innovative solutions to deliver on the overall SASE framework.
The future direction for SD-WAN
The push is towards packages of integrated services which drive business outcomes on user experience, observability, compliance management and security. This will be most visible in single-vendor SASE solutions, where my prediction is that SD-WAN will remain as a core capability, but we will come to think of it more as an extension of SSE, rather than traditional branch WAN technology.
We can already use the SD-WAN edge router as a network-based DEM sensor, and we can place security controls such as a firewall or intrusion prevention system at the edge router, but the policy is usually managed by SD-WAN separately from SSE. Instead, future architectures will evolve to the point where SD-WAN and firewalls become extensions of SSE, with consistent policy definition and threat detection techniques regardless of whether the control is placed in the cloud-based SSE tenant, an SD-WAN edge router or a firewall appliance.
A potential consequence of tighter integration is a change in buyer behaviour and contracting. My observation is that many customers default to dual-vendor SD-WAN+SSE not always based on preference or efficacy, but because of misaligned contract end-dates complicating procurement as well as the need to re-train and re-tool when moving from an established security vendor.
The increasing capabilities of a single-vendor SASE might become so attractive as to encourage more firms towards a wider transformation of both towers, especially with SASE being so well suited to NETSECOPS, making the overall TCO model, including service, more compelling.
SD-WAN is still relevant, and will continue to be
To re-emphasise, all of the reasons that SD-WAN was invented still exist today. None of these reasons are going away: visibility, segmentation, embedded security, local internet breakout, compliance, path management, load sharing, zero-touch provisioning or automation. The SD-WAN of the future may be more tightly integrated with the SSE stack, but there are no signs of an alternative technology on the horizon.
These outcomes are impractical and costly to achieve without SD-WAN. The technology is getting better all the time and the business case should be clear. If not, let our consultants help you take a wider view, help with your total cost of ownership model and determine a solution that fits your budget.
Draw on the BT and Palo Alto Networks partnership
At BT, we’ve been part of the development pathway leading to SASE from the beginning. And, over the years, we’ve built an ecosystem of SD-WAN and SSE vendors and developed the tools and methodology to deploy and service multi-vendor environments.
As part of this, we’ve been working for over ten years with Palo Alto Networks as one of our key security partners. We value their advanced capabilities, as recognised by their status as Leader in the 2023 Gartner Magic Quadrant for SSE and Leader in the 2022 Gartner Magic Quadrant for SD-WAN.
Today, our partnership brings networking and security together to design, build and deliver SASE solutions for the world’s largest multinational corporations and public bodies, offering flexible services that are customisable to specific business requirements.
Our partnership-driven managed SASE solution brings together expert advice on how to deploy the various elements of SASE, underpinned by services from Palo Alto Networks. This includes everything you need: SD-WAN, Zero Trust network access, cloud access security broker, firewall as a service, and secure web gateways, all in one place, with a choice of where and when to deploy them.
To find out more, ask your BT account manager for a SASE workshop. They can help you understand where you currently are on each aspect of SASE and work with you to build a SASE journey that’s aligned to your objectives.