In today’s remote-working world, many enterprises are transitioning to software-defined networking in their wide area networks, or SD-WAN, in place of traditional MPLS-based WANs. Is it any wonder network and IT professionals are fully embracing SD-WAN? Where they once had to deal with the challenges caused by an architecture overwhelmed by an ever-increasing load of data and devices, IT departments now are able to increase bandwidth, improve connectivity, and enable multicloud applications via a single, centrally managed WAN edge platform.
MPLS-based wide area networks allowed for centralized security policy and enforcement across the organization. While SD-WAN enables lower latency and faster access to cloud and SaaS applications, it also raises significant security issues. If a corporate enterprise has 200 locations, transitioning to an SD-WAN topology now expands the footprint of locations that must be secured, audited and monitored from a handful of data centers in the MPLS world to all 200 locations in an Internet-based SD-WAN architecture. That’s a tremendous burden for IT leaders to take into consideration as they are not only deploying a new WAN architecture, but they also must make sure it is properly secured. So as SD-WAN fosters tremendous transformation, it also increases the potential for major vulnerabilities within the organization.
SD-WAN topologies enable greater network visibility and centralized management of the distributed network This in turn allows IT personnel greater insight into the applications traversing the WAN between locations as well as to the Internet. When properly secured, SD-WAN enables “internal” network segmentation on an organization’s WAN without forcing all Internet-based traffic to flow through the headquarters location. However, it is imperative that additional security tools be implemented. Networking and security technology have come a long way, but still there is significant room for advancement. No cybersecurity infrastructure is perfect, and that fact is proven daily by the number of successful cyberattacks experienced by businesses worldwide.
As organizations increasingly move to the cloud, many have turned to a cloud access security broker (CASB) or one of the cloud-based caching, proxying, and security devices to confront data security and governance challenges. Secure access service edge (SASE) frameworks have been gaining traction as these are designed to connect and secure geographically dispersed branches and other endpoints to an enterprise’s data and application resources, whether internal, cloud-based, or Internet-based. Despite – or perhaps due to – this rapidly emerging technology, it is more important than ever for IT teams to come together to determine where to do the appropriate level of security introspection and inspection.
The Convergence of Security and Networking
Where security and network procurements were once handled separately, network and security decisions increasingly are being made at the same time and more often with the same solution, according to Gartner. It predicts that as part of a desire to minimize branch sprawl, more customers will look to partner with vendors that offer a combined security and networking solution or as part of a broader ecosystem.
Likewise, this convergence is prompting convergence of networking and security teams. Frequently the question is who owns the SASE product set? The answer: it doesn’t matter.
Securing SD-WAN can be a complex and overwhelming undertaking, and one that should not be initiated without networking and security teams joining forces long before the SD-WAN is deployed. The two teams must collaborate on how to take the organization’s architecture and security posture from its current state to where it needs to go for future growth and success. Three steps to get started include:
- Evaluate Your Services Chain
Analyze your edge services chain to identify what network functions need to be supported and integrated into the SD-WAN. By analyzing what components need to be physical, virtualized or combined/collapsed, your organization can determine if a single SD-WAN appliance will meet the need or whether a more complex deployment model is needed. Be sure to look at it from the lens of security, including regulatory compliance.
- Identify Must-Have SD-WAN Security Capabilities
Learn the different security features of various SD-WAN vendors and line them up against your organization’s requirements. Some must-have security capabilities include policies for on-demand security, encryption, distributed denial-of-service DDOS protection, unified threat management (UTM)/firewalls, and threat intelligence.
- Fill Security Gaps
Address missing security needs with managed services. These services can range from Managed SD-WAN solutions to Managed Security Services that address security from the network’s edge all the way to the cloud, and incorporate automation, Zero Trust, and best practices for security and industry-specific compliance. The key is to make sure you work with a partner who understands clearly how to secure SD-WAN solutions effectively with clear KPIs that work well with your IT organization.
The Case for Outsourcing
As SD-WAN adoption expands, there is a surge in managed service providers augmenting the enterprise IT staff. Organizations are finding that they must refocus valuable internal IT resources to carry out their core goals. The software-defined nature of SD-WAN lends itself to leveraging third-party providers that can alleviate the burden on overworked IT staff. The smartest IT leaders will turn to a provider with expertise in network, security, and cloud to gain 360-degree visibility into network and security actions as well as cloud governance
