In the current landscape, the prevalence of the cloud era is undeniable, and the market is characterized by constant dynamism. Enterprises, in order to maintain relevance amid this competitive environment, are unmistakably demonstrating a keen interest in embracing cloud technologies. What motivates this significant shift?
Cloud-centric security strategies, exemplified by initiatives like Secure Access Service Edge (SASE) and Security Service Edge (SSE), encompassing components such as Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Data Loss Prevention (DLP), and Zero Trust Network Access (ZTNA), efficiently extend security to wherever corporate users, devices, and resources are located—leveraging the cloud as the central hub.
With all security functionalities seamlessly delivered and managed through a unified interface, the security of both inbound and outbound traffic, often referred to as north-south traffic, is significantly fortified.
On the flip side, the internal network's east-west traffic, which moves within the confines of data centers and the network but does not cross the network perimeter, remains untouched by the security checks implemented through cloud-based measures.
A potential workaround involves keeping a traditional data center firewall dedicated to overseeing and regulating internal, east-west traffic. However, this hybrid security approach introduces increased expenses and intricacies in handling diverse security solutions. Many organizations strive to address these challenges by opting for integrated, cloud-based security stacks to streamline management and mitigate the complexities associated with maintaining separate security measures.
To ensure comprehensive security coverage for organizations, a solution is required that safeguards both north-south and east-west traffic. The key lies in orchestration through a centralized, cloud-based console. Achieving this can be approached in two ways:
1. Via WAN Firewall Policy
Cloud-native security frameworks like SASE and SSE can provide east-west protection by directing internal traffic through the nearest point of presence (PoP). Unlike traditional local firewalls with their own setup limitations, SSE PoP allows firewall policies to be managed centrally through the platform's console. Admins can easily create access rules in the unified console, such as permitting authorized users on the corporate VLAN with approved, Active Directory-registered devices to access specific resources in the on-premise data center, following Zero Trust Network Access (ZTNA) principles.
2. Via LAN Firewall Policy
In a security-conscious scenario, where an IoT VLAN's CCTV camera needs access to an internal server, disabling default internet/WAN access is wise to prevent cyber threats. Implementing data center firewall policies at the Point of Presence (PoP) may not affect devices like IoT cameras with no internet access.
SASE and SSE platforms address this by empowering administrators to set firewall policies on the local SD-WAN device. Organizations connect to SASE/SSE PoPs through this SD-WAN device, allowing direct rule configuration for internal LAN traffic. Pre-defined LAN firewall policies are locally enforced, with unmatched traffic sent to the PoP for further assessment, enhancing security management efficiency.
