Case Study | Fortinet SASE Safeguards the Network Security Upgrade of a Multinational Corporation in China

Under the tide of global digital transformation, the global distribution of institutions, facilities, and personnel of multinational companies not only brings network complexity to WAN construction, but also brings more serious security challenges. A world-renowned multinational company adopted the joint solution of a domestic IDC operator and Fortinet in the process of network security upgrade and transformation in China.

The compatibility and integration capabilities of the Fortinet SASE solution not only enabled a smooth upgrade of the multinational company's zero-trust network architecture, but also allowed its China region to integrate seamlessly into its unified global network security architecture. The project also quickly built, for the IDC operator, a SASE service platform with fast delivery, convenient management, and automated operation and maintenance. This platform not only better serves the multinational company, but also lays the foundation for serving more enterprises in the future.

Background and Construction Overview

The multinational company is engaged in the production and sales of various electrical appliances. China and Northeast Asia are important parts of its business, and their revenue accounts for almost 1/4 of its total global business volume. Under the tide of global cloudification, digitalization, and servitization, the company's IT, network, security and other infrastructures have been fully upgraded, and, with core business application systems such as OA and ERP already moved to the cloud, it has fully entered the era of service-oriented, hosted security systems.

The company has completed the implementation of cloud-based, agent-based SASE solutions in the United States and other regions, and has fully upgraded key infrastructure such as wide area networks to an SD-WAN architecture, making network construction, maintenance and operation more convenient and significantly improving security capabilities. As the company's key business area, the China region urgently needs to catch up with the pace of global network security construction.

For historical reasons, part of the network and security infrastructure built in the early stage of the company's China region can still serve cloud, branch office and other scenarios, but it is no longer maintained by its suppliers. Therefore, the best choice for the company in China is a smooth evolution of the network security architecture that reuses the existing network, security and other IT infrastructure as much as possible.

From the perspective of geographical distribution, the company's China region mainly has two major business areas, the north and the south. In the process of cloudification and digitalization, the China region has moved various business systems to the cloud, with multiple availability zones coexisting with local data centers. At the same time, to take full advantage of the timeliness of local computing, some data processing and computing has been pushed down to edge nodes. In terms of institutions and personnel, China is forming a mixed office model of headquarters office, branch office, mobile office, and remote office.

Main Challenges of Transformation and Upgrading

Therefore, the company's network and security construction in China is facing complex challenges. On the one hand, the integration of on-cloud and off-cloud forms a hybrid business system. At the same time, the deployment of multiple availability zones makes businesses and applications ubiquitous. Coupled with the normalization of hybrid office models, the attack surface expands infinitely. The edge is everywhere and the threat is everywhere.

Although network and security construction in China is continuing, and some investments have been made in the cloud and branch offices, these solutions are still unable to meet the new model and its challenges.

1. The first is secure access. At present, the China region cannot implement unified security management and control for all access users. Business applications and employee offices under the distributed architecture face huge security risks. How can ubiquitous visitors, and the business applications deployed and accessed at multiple points, be safely controlled?

2. The second is cloud-network interconnection. Under a multi-point application deployment architecture spanning cloud and local data centers, how can the cloud network be quickly and safely interconnected with the off-cloud network? Correspondingly, how can each branch office, mobile office user and remote office user be quickly and securely interconnected with the cloud and the data center?

3. The third is the implementation of the zero-trust security architecture. The China region strongly recognizes the concept of zero trust as the key to solving its current challenges. But how can it implement unified management and control of multi-point distributed business systems and ubiquitous terminals, establish a zero-trust system that can actually be implemented, and effectively apply the basic principles of zero trust?

4. The fourth is the operation and maintenance problem. The scale and resources of the branches and the headquarters are very different. How can the network and security level of a branch be ensured without sufficient manpower and material support? How can the infrastructure construction cost of each branch and the daily O&M complexity be reduced? How can the complexity of knowledge across different protections be reduced?

Fortinet Solutions at a Glance

After fully considering the challenges and needs of the enterprise's network security construction in China, Fortinet and the IDC operator combined their respective advantages to build a Managed SASE solution. The IDC operator provides the underlying computing resources and network/internet resources, and Fortinet provides technical resources and functional resources. By integrating these elements centrally, the solution helps customers establish a secure access service edge that is either managed by themselves or hosted as an operation and maintenance service.

The following is an architecture diagram of a real customer's overall cloud Managed SASE.

The customer established two regional access centers through the public cloud platform of the IDC operator, which are responsible for connecting the branch offices in North China and South China respectively. Fortinet's SD-WAN solution helps the customer quickly interconnect branches with the cloud, branches with the data center, and the cloud with the data center.

The access center also supports direct terminal access (by deploying a terminal agent), so that end users can connect quickly from an open and free working environment. To keep the attack surface protected, the terminal agent automatically identifies its own environment, and when the terminal is not in the physical office, it automatically connects to the access center for seamless security protection.

The terminal agent not only monitors its environment but also checks its own state, such as whether the baseline programs (EPP, EDR) are installed, whether the GPO policy is applied, whether the terminal complies with the baseline version, and other information. Monitoring these states makes it possible to understand and perceive terminal security and to identify whether the terminal meets the security baseline. Moreover, these states are monitored in real time. Once a terminal is found not to comply with the security baseline, its service access is blocked directly, increasing the sensitivity of the overall environment to security.
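The continuous baseline check described above, as an added example that is not Fortinet's code and not part of the original page. The report fields, the baseline version and the 60-second freshness window are assumptions made for illustration; the point shown is that a missing, stale or unparseable posture report blocks access just like a failed check.

```python
from dataclasses import dataclass

# Assumed values: the page names the checks but gives no baseline numbers.
BASELINE_VERSION = (10, 0, 19045)
MAX_REPORT_AGE_S = 60  # monitoring is real time, so stale reports fail closed

@dataclass
class PostureReport:  # hypothetical agent report format
    device: str
    ts: float          # report time in seconds
    on_premises: bool
    tunnel_up: bool    # tunnel to the access center
    epp: bool
    edr: bool
    gpo_applied: bool
    version: str

def evaluate(r, now):
    """Return (allow, reasons); any failed or unverifiable check blocks."""
    reasons = []
    if now - r.ts > MAX_REPORT_AGE_S:
        reasons.append("stale posture report")
    if not r.on_premises and not r.tunnel_up:
        reasons.append("off-premises without tunnel")
    for ok, name in ((r.epp, "EPP"), (r.edr, "EDR")):
        if not ok:
            reasons.append(name + " missing")
    if not r.gpo_applied:
        reasons.append("GPO policy not applied")
    try:
        if tuple(int(p) for p in r.version.split(".")) < BASELINE_VERSION:
            reasons.append("below baseline version")
    except ValueError:
        reasons.append("unparseable version")
    return (not reasons, reasons)

def replay(reports, now):
    """Decision per device from its most recent report."""
    latest = {}
    for r in sorted(reports, key=lambda r: r.ts):
        latest[r.device] = r
    return {d: evaluate(r, now) for d, r in latest.items()}

# Constructed sample reports (not real telemetry)
SAMPLE = [
    PostureReport("lt-001", 1000.0, False, True, True, True, True, "10.0.19045"),
    PostureReport("lt-002", 1000.0, True, False, True, False, True, "10.0.19045"),
    PostureReport("lt-001", 1030.0, False, True, True, True, False, "10.0.19045"),
    PostureReport("lt-003", 900.0, True, False, True, True, True, "10.0.19045"),
    PostureReport("lt-004", 1030.0, False, False, True, True, True, "10.0.18363"),
]
```

Calling `replay(SAMPLE, 1040.0)` shows `lt-001` losing access once its later report drops the GPO policy, and `lt-003` being blocked only because its last report is too old to trust.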

The environment also deploys Fortinet's FortiGuard intelligence library locally, so that the latest intelligence is quickly distributed to all monitoring components and protection against known threats is consistent across the environment. For unknown threats, the cloud access center deploys the Sandbox functional component, which simulates and analyzes unknown files and URLs and checks the related risks, transforming unknown risks into known ones. To handle the customer's very large daily volume of files to be inspected, the Sandbox component can be integrated with NDR, which greatly improves file detection efficiency while maintaining a high detection rate, and provides the industry's most comprehensive unknown threat detection capabilities.

The IDC operator operates and maintains the overall service. Customers only need to provide requirements; the specific underlying configuration and debugging are carried out by the IDC operator, which greatly reduces the pressure on customers' own operation and maintenance and knowledge reserve. At the same time, because SD-WAN technology is used to partially replace dedicated line resources with Internet resources, the customer's cost pressure in the later stage is also greatly reduced.

Customer Value and Program Results

The solution is based on a reliable infrastructure provided by the IDC operator and built in the customer's own available domain, and the customer has absolute control over the system. This satisfies the requirements for the system to be controllable, auditable, and legally compliant.

At the same time, the overall service provides a consistent policy architecture without the need for multi-point configuration. Every access goes through multiple verifications of business applications, devices and user identities. Terminal status is checked continuously, and terminal access and security sensitivity are adjusted automatically and dynamically. The terminal automatically establishes an access tunnel, so the access behavior of a visitor is exactly the same inside and outside the enterprise.

This service has comprehensively improved enterprise access security monitoring. The IDC operator provides fully managed services to solve customer operation and maintenance problems. Managed SASE, jointly operated by Fortinet and the IDC operator, can effectively solve the actual difficulties and various risks faced by customers.

The solution has good integration capabilities, convenient access and deployment capabilities, and automated operation and processing capabilities. This enables the enterprise to obtain the fastest and most convenient upgrade of its security solution. For the IDC operator, the solution provides advanced security service capabilities. Even with more customers and more varied security and network requirements in the future, the operator can use the solution's convenient management and operation capabilities to quickly configure and debug security functions and bring them online for delivery. While accelerating end customers' acquisition of network security capabilities, it also greatly improves the platform operator's service quality and its own security operation cost, operation and maintenance cost, and time cost.


Origin blog.csdn.net/Fortinet_CHINA/article/details/131123506