InfoSec Insider

CANs Reinvent LANs for an All-Local World

A close look at a new type of network, known as a Cloud Area Network.

In an article I wrote over a year ago called “Securing the New Normal of Network Access,” I presented four access scenarios that modern organizations needed to enable users to stay securely connected and protected in the new normal of a work-from-anywhere world.

Of course, “new” is a relative term, as is “normal.” When that article was published, in late 2020, Covid was relatively new, vaccines had not yet been introduced, and many organizations were still working out work-from-home kinks.

Today, two years into the pandemic and into the whirlwind digital transformation it helped accelerate, networking advancements may soon leapfrog over the access grid that illustrated my earlier networking model. In this grid, I showed the need to be able to connect users – from within or outside of traditional office environments – to applications and resources – located within traditional datacenters or, increasingly, in the cloud.

For my out-to-in scenario, with remote workers accessing on-site networks, for instance, Zero Trust Network Access (ZTNA) represented a vast improvement over the traditional tool many organizations were opting for, vulnerable VPNs. Too many VPNs are still in use, but more organizations are moving to secure remote access to their networks by implementing ZTNA – a positive development.

The “Everyone/thing-to-Everyone/thing, Securely” Solution

So-called SASE – Secure Access Service Edge – capabilities, such as ZTNA and isolation-powered Secure Web Gateways (SWGs), have been increasingly adopted over the past year to support the full range of access scenarios in a single cloud-delivered platform. This, of course, represents a great step forward.

But what if, instead of integrating many access solutions into a single platform, a new networking technology could simplify everyone-and-everything-access-to-everyone-and-everything-else even further by making connecting easier and by having Zero Trust security baked-in as part of its DNA? Such a development would be a vast and welcome upgrade to the good old reliable LAN, making it fit for the cloud age. Policies would enable every user to simply and securely, under relevant permissions, and regardless of location, access the physical servers, cloud storage and apps that they need to stay productive in our perimeter-less world, as well as securely connecting with other users and the web.

The steady move to the cloud that AWS kicked off a decade ago has turned into a flood. With available bandwidth growing by 50% every year, and networking and security professionals in short supply, forward-looking organizations are seeking simpler solutions that require minimal in-house equipment and management resources.

Yet two factors are keeping organizational networking earth-bound. The first is that on-premises corporate data centers have not disappeared, and branch offices need fast, reliable access to the data and apps in those centers. And of course, security is the second.

Magical (Networking) History Tour

The WAN, which has long been essential for distributed organizations, is a technology whose days are numbered. With bandwidth plentiful, QoS guarantees can no longer justify investment in costly MPLS circuits. The issue of secure internet access is equally problematic. Backhauling internet traffic to the corporate network where security appliances reside reduces quality, increases latency, and is simply inefficient.

Increasingly, organizations are turning to software-defined WANs (SD-WANs) as more efficient, less costly alternatives. SD-WANs use IPsec encryption and tunneling (or in more modern versions, WireGuard encryption) technologies to enable private communication between branch offices and corporate data centers, over the public internet. SD-WAN routers must be installed at each office.

SD-WANs represent a significant improvement over traditional WANs, since eliminating the need for dedicated leased lines yields considerable savings. In addition, local branch routers integrate security controls, enabling secure internet access directly from branches.

Expanding the Limits of WAN

Once we can create a network that enables secure access via the public internet, it should be able to handle any user who needs to connect to any device, user or app, anywhere – assuming, of course, permissions are in place. Authorized users should be able to securely access corporate data centers from home, a branch office or the beach. They should be able to securely reach each other, public cloud apps, websites and private clouds, too.

In short, once physical lines are no longer needed, the traditional WAN model becomes obsolete. But while SD-WANs expanded the WAN concept to internet-enabled access, they do not take full advantage of cloud capabilities, since they still require on-premises security controls, at branch offices.

Rethinking Organization Networks for the Cloud Era

This is exactly the conceptual leap behind a new type of network, known as a Cloud Area NetworkTM (CAN). CANs replace the old hub-and-spoke model with an overlay network mesh concept that enables any-to-any communication between users, devices, data centers, and web apps.

Think of a CAN as comprising virtual ethernet cables, with secure tunneling creating a cloud security fabric that operates atop the public internet. A lightweight agent on each device enables connection to an overlay network that provides a dedicated, cloud-agnostic IP address for the device. Alternatively, a branch-level connector can integrate the full LAN into the CAN.

In addition to providing dedicated IP addresses, the overlay network integrates Zero Trust security functions that are essential for applying least-privilege access controls and keeping malicious content from reaching and infecting user devices, on-premises and cloud storage, and even SaaS apps. For instance, cloud firewall and isolation-powered SWG functionality are built into the network to prevent zero-day malware on compromised websites from penetrating devices that are part of the CAN. Anti-phishing technology prevents threats like credential theft, and integrated data sharing controls and DLP technology ensure that data remains where it belongs.

Similarly, built-in ZTNA and identity and access management (IAM) capabilities allow strict access controls to be applied in the cloud, so each user’s access is limited to resources they’re authorized to use.

The long-touted move to the cloud is in high gear. The technology is ripe, bandwidth is abundant. Now the network – both connectivity and security – just needs to catch up. And that’s exactly what the Cloud Area Network is poised to accomplish.

David Canellos is president and CEO of Ericom Software.

Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.

Suggested articles

Securing Your Move to the Hybrid Cloud

Infosec expert Rani Osnat lays out security challenges and offers hope for organizations migrating their IT stack to the private and public cloud environments.