2020 Vision – The Security Misstep That Can Derail SD-WAN Deployment

essidsolutions

Gartner’s “Hype Cycle” 2019 report on enterprise networking concluded that ‘SD-WAN continues rapid movement as a mainstream technology’. Implemented correctly, SD-WAN is able to mitigate against many of the challenges inherent in delivering applications and traffic across wide areas.

However, to truly reap the promised rewards, NetOps teams have to ensure they are able to really see the network and avoid overlooking or underestimating the security exposure and subsequent risks.

The role of Network Operations (NetOps) teams has rapidly evolved in recent years. The combination of cloud migration, digital transformation and a seemingly insatiable appetite for bandwidth-hungry applications, together with the increasingly global nature of businesses today, means that managing the flow of business-critical traffic between teams, offices and data centers is more complex than ever.

Enter SD-WAN. Software-defined WAN is by no means a new technology but it continues to dominate the enterprise technology conversation years after inception. In fact, just this month Gartner’s “Hype Cycle” 2019 report on enterprise networking concluded that ‘SD-WAN continues rapid movement as a mainstream technology’.

Implemented correctly, SD-WAN is able to mitigate against many of the challenges inherent in delivering applications and traffic across wide areas by reducing latency, increasing bandwidth, optimizing security and simplifying the massive task of managing, controlling and monitoring the network. But, even as it delivers all of these benefits, it inherently increases the complexity involved in monitoring, and at the same time can exacerbate potential risk exposure. To truly reap the promised rewards, NetOps teams have to ensure they are able to really see the network and avoid overlooking or underestimating the security exposure and subsequent risks.

Security Front and Center

In the rush to deploy, the biggest mistake NetOps teams can make is neither appreciating nor preparing for the unintended consequences of SD-WAN deployment; access independence may well usher in cost reductions, but it also significantly increases the potential for attack. Put simply, as remote or disparate sites become addressable on the public internet or on one or more gateway links, the attack surface expands and becomes more porous to cybercriminal exploitation. Previously, when all traffic was routed back via private line service to a hardened core site, corporate security policies could protect traffic routed centrally. Now, there’s a lot more potential edge exposure to cyber threats. An expanded attack surface exposes network-connected corporate assets and information to both external bad actors and internal rogue users.

Additionally, a heterogeneous deployment of different SD-WAN vendors creates management and security silos because the products do not integrate at those levels, requiring far more orchestration across the vendor security management domains. As volumes increase across highly distributed infrastructures, it becomes difficult to monitor every user and link in real time for threats. Traditional security monitoring solutions weren’t designed with this new landscape in mind, which means that NetOps teams must look farther afield to ensure they have clear visibility across network performance and perimeter.

Organizations can be lulled into a false sense of security because they have a firewall that either the SD-WAN vendor provides or is integrated from a third party at the remote sites. Firewalls, however, do not protect the internal network of remote sites or even core locations completely, especially against authenticated unauthorized attackers, as perimeter protection is only one aspect of a comprehensive security plan.

This leads us to a second potential misstep – waiting until after deployment to ensure the team has the security skills necessary to anticipate and address the increased security exposure. Any security skills gap, including in the ability to implement security across public networks to branch offices, is not a trivial matter, and any delay here exacerbates the risks inherent in deployment. The benefits are myriad, but it only takes one weak link in an otherwise very strong SD-WAN security chain for the architecture to become exposed to bad actors. Implementation and optimization can create personnel and financial strains that many organizations just do not have the resources to manage – this should be assessed well in advance of any deployment decision.

The Fix Is In

To remedy the unintended security vulnerability of SD-WAN, organizations need to complement perimeter protection with next-generation intrusion detection coverage that is both economically viable and operationally feasible, whether for one remote site, dozens or potentially hundreds.

To avoid falling foul of security stumbles, teams must ensure they are devoting adequate time and attention to comprehensive planning for SD-WAN well in advance of taking the leap. The planning process should not only involve best-of-breed technology assessment, but also a plan for covering the new and expanding attack surface, operational assessments, and integration across platforms.

Fundamentally, NetOps teams need to know that the buck stops with them when it comes to security – vendors and third parties will only ever be able to do so much and shouldn’t be relied on to solve for every threat. While most SD-WAN vendors offer basic VPN connections and perimeter firewall-based protection, they do not natively address the majority of security issues to which today’s businesses are vulnerable. It is important to include other security functions such as intrusion prevention, web filtering, malware analysis, SSL and IPsec inspection, and sandboxing.

Gartner is right: many businesses are moving to SD-WAN because it offers seemingly the best option for reliable, efficient and cost-effective network operations, both for today’s business needs and those of the future. But only by ensuring the team has the skills and the appetite to mitigate the hidden risks can organizations ensure they benefit from its overt promise.