SOLUTION GUIDE: WHAT TO LOOK FOR WHEN ADDRESSING DIGITAL TRANSFORMATION SECURITY REQUIREMENTS

EXECUTIVE SUMMARY

Digital transformation (DX) brings new capabilities to networks. It also introduces new risks. Previous-generation security solutions are no longer effective. To protect modern, distributed networks and evolving and expanding attack surfaces from a rising tide of sophisticated threats, organizations need an evolved security architecture. Solutions should be integrated to share intelligence and immediately respond with automated countermeasures. The security infrastructure should offer visibility and control across the organization to simplify operations. And it should include cutting-edge capabilities like software-defined wide area networks (SD-WAN) to support the changing shape of organizations that are increasingly distributed across branches and remote sites.

ATTACK SURFACE EXPANDS, COMPLEXITY INCREASES

The growing digital connectedness of businesses via rapid proliferation of mobile devices, the Internet of Things (IoT), and multi-cloud environments has eroded the border of modern networks. This makes them more difficult to manage while making them more susceptible to outside threats. At the same time, networks are experiencing cyberattacks of increasing velocity and sophistication. This creates more noise, invites more chances for human error, and raises risks for data loss or network disruption.

Adding more isolated “point” security products to combat these problems compounds system complexity and costs. It increases staff workload by adding new tasks, demands training and additional skills to operate, and requires greater oversight and coordination. More importantly, a complex but segregated security architecture lacks intercommunication and shared threat intelligence, which slows security’s ability to detect breaches and prevent data extraction or other damage.

The faster a data breach can be identified and contained, the less harm can be done and the lower the associated costs. On average, an organization currently identifies a data breach in 191 days and then needs another 66 days to contain the problem after detection [1]. Shrinking the windows from intrusion to detection and then from detection to containment will minimize the impact of a breach.

To mitigate this kind of exposure to risk, security must strategically transform to keep pace with the rapid evolution of both network infrastructures and persistent threats. There are some key precepts that organizations need to follow to address the challenges of the advanced threat landscape.

ESTABLISHING A MODERN SECURITY ARCHITECTURE

Adopting an open, integrated security architecture that connects all the various security solutions from end to end across the network infrastructure can help organizations adapt to an ever-changing and increasingly aggressive environment.

Effective security for a modern network starts with connecting each of the different tools and solutions deployed across the organization. Further, a truly integrated security architecture shares real-time threat intelligence across all parts of the organization, enabling the security architecture to automatically respond to incidents with speed and coordination.

1. True Automation Only Occurs with Integration. Integration unlocks automation capabilities across your rapidly evolving security architecture. But not all integrated solutions support these kinds of actions. For example, some providers claim integration because two separate consoles appear on a single screen. But to perform automated responses at the policy level, your security must be integrated at the data level. This means that data from Solution A is used and trusted by Solution B (almost as if Solution B had created the data itself) so that instantaneous action can be taken. An example would be a firewall proactively and automatically blacklisting an as-yet-unseen threat before it enters the network, based on data from another solution (such as a sandbox) in your security system.

Unified and automated defensive responses across the architecture can drastically shrink security response times. Architectural integration must include all key solution areas like multi-cloud environments, web applications, email, access, and endpoints. Sharing intelligence of events between the different security solutions in real time breaks down outdated, isolated defensive silos across the attack surface. Instead of multiple independent tools, security becomes a coordinated single entity—like all the different organs working together within one body.

With many IT security organizations facing skills shortages and other resource constraints, automated workflows and integrated audit/compliance services with customized ranking and industry benchmarking can also help your team get more done with less.

2. Visibility Reduces Complexity. Solution integration also enables visibility and control that help simplify security management. Visibility—of endpoints, access points, network elements, data center, cloud, applications, and even data itself—allows you to see the big picture. Single-pane-of-glass management unifies all the parts of the security architecture for simplified control and oversight. You don’t have to hunt for disparate parts and pieces within multiple systems or on different screens. And not only is everything visible in one place but integration also allows all the data to be aggregated and sorted as well.

The ability to perform business-, network-, and entity-level tagging can help identify patterns and outliers to reduce complexity and provide visibility for intrusion and breach detection. Tagging lets you filter out the extraneous noise and focus on select elements at will. This simplified view helps streamline communications and map the needs of your business to network security.

And when these capabilities are combined with dynamic network segmentation that can logically separate data and resources, the security architecture can cover all attack vectors to discover threats and contain them as they attempt to move from one network zone to the next.

3. Branch Networks Are Evolving. The traditional approach to securing networks at branch offices was to backhaul traffic to the data center and cover security with robust data center resources. But these traditional wide area network (WAN) structures relied on expensive multiprotocol label switching (MPLS) links. The centralized security model also created bottlenecks that impeded overall network performance, increasing expenses even further. For some time, organizations have been looking for cheaper ways to support remote networks without sacrificing security or performance.

Another factor that’s changing how branches operate is the adoption of cloud-based services and applications to save on costs while boosting productivity. This trend puts additional pressure on network teams to open the branch directly to the Internet. At present, the average enterprise already uses around 30 different cloud-based applications across its organization [2]. Like any other part of an organization, remote sites increasingly rely on the cloud for daily operations, which further calls into question the practice of backhauling traffic only to redirect it to the cloud.

4. Adoption of SD-WAN. As companies consider replacing expensive MPLS links at branches by allowing them to use more affordable direct Internet connections, several other challenges arise. First, these more affordable connections, such as DSL, cable, and wireless, do not offer the same levels of quality or performance as more expensive MPLS links. Branch business and voice applications suffer if MPLS is replaced by these other networks without any additional changes being implemented. In fact, while many branch offices use two or more affordable connections in lieu of a single MPLS link, they still greatly reduce their network costs. In addition, connecting the branch directly to the Internet (especially for accessing cloud applications) changes the role of branch IT staff, forcing them to take responsibility for application performance in addition to network quality.

SD-WAN offers improved performance, agility, and operational flexibility for the branch network, plus significant cost savings to better manage those WAN investments. SD-WAN can intelligently balance application traffic between an assortment of affordable broadband links, sending high-priority or needy applications over the links that offer the best performance at that moment. This enables direct use of public Internet connections.

SD-WAN’s ability to use these direct links eliminates backhauling cloud application traffic through the data center. While this enables branch adoption of SaaS apps without bottlenecking network performance or impacting the productivity of end-users through the data center, it also circumvents security controls in the data center. To compensate for this bypass, security leaders need to ensure that robust protection is natively part of their chosen SD-WAN solution at an architectural level.

There are also business needs to consider regarding SD-WAN implementation—including zero-touch deployment, granular application service level control, and traffic shaping. Some security architectures even offer their own integrated plug-and-play SD-WAN capabilities, which combine advanced threat protection and robust network performance in a single solution.

FIND A SECURITY ARCHITECTURE BUILT FOR DIGITAL TRANSFORMATION

Integration and interoperability are foundational to a security architecture strategy. Your security infrastructure needs to consistently distribute, orchestrate, and enforce policies across different domains—including remote workers, branch/retail offices, geographically distributed data centers, and private/public cloud networks. An effective, modern security strategy should address:

- Integration for automated responses that improve security effectiveness
- Broad visibility and control that improves operations while easing staff burdens
- Support for secure SD-WAN to enable productivity and protection for remote sites

A security architecture that’s inclusive of these principles offers an optimal balance of network performance and comprehensive security for the rapidly evolving needs of enterprise-class networks.

Copyright © 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

May 18, 2018 3:25 PM

[1] “2017 Cost of Data Breach Study,” Ponemon Institute, June 2017.

[2] Nirav Shah and Bill McGee, “Empowering Distributed Enterprises with Secured SD-WAN,” Fortinet, accessed December 16, 2017.
