"SD-WAN adoption rates are rising at a significant pace. The adoption rates increased from 35% to 54% in the last two years, with predicted future adoption rates of 90% Security continues to be a significant concern for those adopting SD-WAN solutions." - Source UC Today
There is no doubt that SD-WAN technologies present a real opportunity for organisations to truly support the evolution of their business models, applications and employee working habits, to deliver a more efficient operating model. However, against the backdrop of this new way of working, is the rise of security as a significant concern that needs addressing.
Arguably the most critical facet of this new technological shift is the need to understand how to make it perform efficiently, and the optimal way the service its users and that the applications are secure, compliant, and protected manner from outside intruders or attackers.
For any organisation looking to deploy an SD-WAN, several relatively simple considerations are vital in ensuring the most secure way of operating in this new virtualised network world:
With SD-WAN technologies, it is relatively simple to see the Internet as the network. This means that it would be incorrect to view SD-Wan technologies in the same way as one might consider more traditional physical network services, that automatically place constraints on the way that data is routed and flows. SD-WANs are quite different from the Internet as the network; this places different focus around networking, bandwidth and overall application performance.
In short, please don't treat the SD-WAN as a completely separate part of your security architecture, when in fact, it is at the very core of the overall architecture. Rather than seeing it just as a technology that provides some form of encryption for traffic or a tool that enables better monitoring and management of general application performance, SD-WANs do not generally protect the data's security, which exposes the business to risk.
By integrating the security of the SD-WAN into the core of the overall security architecture, organisations can develop policy-based controls (to complement policy-based networking and application performance controls) that specifically monitor data traffic and integrate an organisation-wide detection response model that effectively provides another layer of protection against
An SD-WAN is inherently a network that can flex, grow and move to accommodate the application, user and location needs of a given organisation. In a similar vein, it makes sense to multiple vendors providing security for users and applications, within that SD-WAN environment, as security needs similarly evolve. Having different vendors integrated into the overall SD-WAN environment makes it easier and faster to migrate to other security solutions as threats appear and evolve.
Often, SD-WAN technologies are "tied" to single security architecture and vendor that limits this ability to deploy a blended security architecture and may diminish the level of protection provided to the organisation. Furthermore, it just makes sense to have network-centric security, application security appliances or applications. In addition to endpoint security to ensure that all end-user environments are given the maximum chance of being covered – a blended vendor approach provides a better and more comprehensive level of security. A more cautious approach to security is always the best policy.
SD-WAN means a fundamental re-think on how network traffic is both routed and protected. In a more traditional WAN, all network traffic is typically backhauled to the Enterprise Data centre. It is scanned and processed by the legacy firewall to detect and respond to any security issues. Or there may be an array of branch or "edge" security devices trying to perform similar security checks. This can often lead to an increase in bandwidth or network costs, unpredictable application performance and an overall network "toll" that can degrade the user experience's performance.
In an SD-WAN environment where the Internet is the network, organisations need to take extra care with their workloads since the Internet provides a broader attack vector. In short, this means that using a single legacy firewall just isn't going to do the job as the number of user, applications, processes, and threats will likely overwhelm a legacy firewall infrastructure. It makes more sense to hand off the task of threat detection and mitigation to the cloud – the power of aggregated computing to solve this issue.
Integrating network and application security at each edge of the network – either at the user or branch level – coupled with clear and uniform policies and procedures that are both application and network hardware.
This enables your organisation to implement a consistently manageable threat detection regime to mitigate risks, whilst not relying on the old and often "legacy" firewall infrastructure used for the older-WAN infrastructure – new network architectures need a new approach to security.
It is quite common for organisations to have their SD-WAN appliance deployed in a way that effectively bypasses their firewall infrastructure. They either deploy the appliance behind the Firewall or remove the Firewall altogether when testing or troubleshooting. In this scenario, the organisation has minimal security in place and leaves them wide open to malware attacks or breaches that could be more serious.
Placing the SD-WAN appliance in front of the Firewall infrastructure can handle inbound network connections, whilst the Firewall can continue to be responsible for internal network protection. And when you make a change to the network or deploy a new application to users, check that this simple policy hasn't been breached or changed in a way that leaves the organisation at risk.
New security technologies are emerging that combine unified threat management, with next-generation firewalls now offer SD-WAN capabilities, e.g. intelligent application or path routing. These capabilities take-care of the issues associated with the incorrect placement of the SD-WAN device and help reduce the management overhead costs associated with maintaining multiple appliances.
A few simple procedures will help provide an added level of security for an SD-WAN infrastructure, all of which are relatively straightforward to understand. With SD-WAN presenting a new level of opportunity for organisations that deploy them, comes a change in the type and magnitude of the security threats they need to accommodate.
Careful planning, diligent monitoring and predictably good service deployment can reduce the risks to users and organisations that use the SD-WAN infrastructure.