By Doros Hadjizenonos, regional sales director at Fortinet
For many networking teams, making the move to SD-WAN is an easy decision, especially considering the support it offers for new critical business applications being added as a result of business digitisation. Greater flexibility, control, and automated traffic management all ensure that the user experience improves business outcomes, and that latency-sensitive applications remain stable while traveling from one public internet connection to the next.
Despite these benefits, a survey by Gartner shows that 72% of organisations consider security to be a top concern when it comes to SD-WAN. With this in mind, it is important that the CISO be involved in the selection of any SD-WAN solution along with its implementation strategy.
Simplicity doesn’t equal security
While traditional connections between the branch office and the data centre offer the benefit of being simple, straightforward, and manageable, they no longer work for today’s highly dynamic digital businesses. Multiprotocol Label Switching (MPLS) connections are simply not able to adapt fast enough to keep up with changing marketplace demands, and are not flexible enough to support all of the evolving requirements of today’s branch users and devices. These demands include direct access to cloud-based web applications and the ability to coordinate with other branch offices.
SD-WAN solutions are designed to meet these demands and manage complexities – a seemingly obvious choice for organisations looking to embrace digital transformation. However, as with anything, SD-WAN has its flaws, specifically when it comes to security.
SD-WAN security concerns
The lack of security tools built into most SD-WAN solutions means that organisations are required to build out their own strategy for defence after the fact, which can prove to be risky.
Here are four key security concerns that organisations should understand when considering deploying an SD-WAN solution:
1. In regards to SaaS applications, organisations must ensure that all connections and applications are verified, privileges are evaluated, and traffic is inspected. Additionally, because fundamental connectivity can change at any moment, security must also be able to dynamically adapt to and keep up with dynamic network changes. As a result, in any SD-WAN solution should include a full stack of enterprise-grade security, including NGFW, anti-malware, IPS, and web-filtering.
2. The concept of accessing business-critical applications and resources and moving essential workflows across a multi-cloud environment exacerbates the challenge of SD-WAN security. This is partially due to the fact that not all cloud environments speak the same language. In order to enable consistent enforcement between the branch office and the cloud or SaaS environment, connections must be able to accurately translate security policies, functions, and protocols between these different platforms in real time. These modern environments are also especially vulnerable to zero-day threats, highlighting the additional need for a sandbox solution as part of any SD-WAN strategy.
3. Data that runs across a public network increasingly needs to be encrypted – this includes connections to the various data centres, SaaS services and applications, the internet, and between individual branch offices. In order to form and control these connections, SD-WAN solutions also need to support SSL and meshed VPN strategies. And with a high volume of encrypted traffic, organisations also require a high-performance NGFW designed to inspect traffic at network speeds, ensuring a bottleneck does not occur.
4. When looking to address these issues, organisations must choose security solutions that align with the broader security fabric strategy while remaining compliant with current regulations and internal standards. Bolting on one-off security solutions that require separate management interfaces to an SD-WAN installation can actually hinder visibility and control. Instead, organisations need to implement an integrated compliance monitoring strategy to ensure that all connections consistently meet fundamental requirements. Additionally, the deployment of a CASB solution can help establish control over SaaS usage to protect distributed data and prevent the introduction of Shadow IT.
Considerations for secure SD-WAN
When choosing a WAN solution, organisations should consider an integrated strategy that brings together security and network connectivity into one system. This ensures that security can easily conform to network changes and policies can be implemented and controlled using the same integrated management console. Finally, this approach ensure that configuration issues can be recognised and addressed while remaining compliant with regulatory requirements that cover both security connections and the network.
When looking to implement a Secure SD-WAN solution, organisations must be sure to involve the CISO and the security team to help identify and address potential issues. By prioritising security and weaving integrated deployment and management concepts into their overall security strategy, organisations can introduce new, flexible services to branch offices without having to worry about associated risks.