As organisations respond to the challenges of digital business, they’re migrating enterprise applications from on-premises data centres to Software-as-a-Service (SaaS) models in the cloud. This ongoing digital transformation means enterprise networks are coming under increased pressure to evolve their Wide Area Networks (WAN) to be more flexible and reliable to support digital ways of working. At the same time, the rapid rise in the use of cloud applications means organisations must regularly revisit their network bandwidth requirements and reprioritise traffic.
Responding to these trends requires a more agile WAN strategy: one based around Software-Defined WAN (SD-WAN), which transforms the traditional WAN by implementing network functionality in software and decoupling the network hardware from its control mechanism.
SD-WAN can seamlessly combine multiple transport networks (such as MPLS, 4G, 5G, internet) and control edge appliances through a central node that runs dynamic network path selection to improve load sharing and resilience.
But introducing SD-WAN will increase security risks as it changes the organisation’s security posture and increases the attack surface. This means organisations must rethink their security strategies and ensure closer collaboration between the networks and IT security teams. Only then can there be a comprehensive security framework and the right controls in place.
Chief Information Security Officers (CISOs) and their security teams should be an enabler of the SD-WAN strategy. Their early engagement will help reduce the likelihood of introducing critical security gaps into the SD-WAN, ensuring the network is secure by design.
The final selection of the SD-WAN needs to be a natural and seamless extension of your organisational security strategy and fit with your organisation’s risk profile. This won’t be possible unless the network and IT security teams work collaboratively from the early stages of the project.
You also need to be clear on the security capabilities, processes and policies that run between your internal functions and any third parties you’re working with under a co-managed or fully managed approach.
The software-defined enterprise needs to be able to inspect every piece of traffic and the entire application white-list before allowing access to the network. This zero-trust architecture needs to be created from day one of the requirements, otherwise the costs to implement and secure the enterprise will rise sharply.
So, network and IT security teams need to establish a baseline of security hygiene practices that everyone who touches the network enforces, regardless of whether they’re internal staff or third parties. These security hygiene factors are critical in a modern enterprise where ransomware can overcome perimeter security controls. They’re also essential at a time when SD-WAN is still in its infancy and gaps in security might have yet to be found.
One of the attractions of SD-WAN is the ability to replace costly MPLS network links with cheaper Direct Internet Access (DIA) links. It’s possible to implement these DIA links simply using a broadband connection with virtual private networks (VPNs) to improve the user experience when accessing cloud services, but connections must be automatically secured.
Basic SD-WAN security offerings might not meet your organisation’s risk profile, so you may need to add threat management and network security capabilities to fill the gaps. Many SD-WAN solutions and vendors claim to provide the ability to add a layer of security from third parties, but it’s difficult to be sure it will work with your current security architecture and reduce the headache of an additional management tool. So, get your operational teams to contribute to the project requirements to ensure the operational model for SD-WAN considers the impact on your security management.
SD-WAN is the key to digital transformation and agility. But, as with any digital transformation, the security department has the potential to become either an enabler or a constraint. Close collaboration between the CIO and CISO on the SD-WAN journey ensures your organisation will establish a comprehensive security framework and controls in the early stages of your SD-WAN project. Organisations need to adopt a ‘secure by design’ mindset and a new security posture that’s agile, flexible and adaptive to ensure SD-WAN delivers in a way that aligns with your software-defined organisation’s appetite for risk.