Software-defined wide-area networking (SD-WAN) is revolutionizing the way that local branches are managed. As we’ve previously pointed out in our article on 4 things you should know about SD-Branch, it is being used to enable faster cloud adoption and greatly improve centralized control over the systems running in branch offices.
Unfortunately, these advantages also come with some downsides. As SD-WAN has developed in SD-Branch, the number of IoT and end-user devices connected to these networks has grown exponentially. This means that the surface attack area of the average SD-Branch setup has increased enormously over the past few years. At the same time, business-critical applications are now sharing more data than ever over broadband internet connections, exposing critical data to interception or disruption.
To combat these problems, many organizations have deployed branch-office based security tools. Unfortunately, these are a bad way to futureproof the branch office, because in many cases, this has simply meant that the security implemented in branch offices is varied, isolated, and without proper oversight.
In this article, we'll take a look at how companies should be managing SD-Branch security, in line with five core principles.
1. Protect Network Edges
One of the major advantages of SD-Branch is manifested in team projects and collaboration, as measured by the number of devices that can be connected together. However, this creates major difficulties in terms of security, because ideally, all of the data passing over the SD-WAN should be encrypted.
The solution, for most companies, will be to use a Nest-Generation Firewall (NGFW), which will encrypt all information passing between user devices and the SD-WAN, including both direct and indirect cloud links. The only issue with most NGFWs is that they are extremely slow at performing this encryption, which can make collaboration less effective. For companies going down this route, therefore, performance indicators of a prospective NGFW are critical.
2. Protect Device Edges
A linked issue is that as the number of IoT devices connected to the SD-WAN increases, securing each device becomes more difficult. Ideally, companies should deploy a network access control (NAC) system that is able to keep up with the number of devices connected to SD-WAN.
A NAC allows companies to access real-time information on the devices connected to SD-Branch, and to monitor these according to device type and risk profile. You should ensure that your business IoT devices are covered, but also any consumer-level devices connected to the same system because smartphones can be a source of malware just as IoT devices can.
3. Secure Access
When it comes to locking down access to SD-Branch, there are two elements that companies must be aware of.
The first is that access to SD-Branch should use the strongest authentication practical. Ideally, biometric authentication should be used for each device and user, but in practice, this would come with a significant performance decrease for most networks. At the very least, therefore, users should be authenticated using two-factor authentication.
Secondly, companies should regularly audit user lists. As more and more companies are using SaaS solutions, many are observing that user numbers – and privileges – have a habit of subtly increasing over time as employees share credentials and ask for more access. Organizations should keep a careful watch on who has access to SD-Branch, and their level of privilege, in order to limit the vulnerability of the system.
Fourth, cyber threat intelligence is as important in SD-Branch as it is in any other form of network. You should perform continuous scanning on SD-Branch in order to quickly identify anomalous behavior, and investigate it. Ideally, you should also have the capability of quarantining portions of the SD-WAN in order to isolate malware or intrusion attempts.
Alongside network traffic monitoring, you should also scan for known vulnerabilities in the software that is feeding data in SD-Branch. Regular checks of open source software vulnerabilities – in particular – should form part of your weekly schedule, and compromised systems should be segmented from SD-Branch until they are patched.
5. Remote Provisioning
Last, but definitely not least, all organizations should be able to moderate security across all branch offices from a central location. Instead of deploying multiple and varied security tools at each location, cybersecurity staff should be able to control local manifestations of SD-WAN from a single console. They should also be able to centralize, automate, and federate these important security functions across the entire distributed enterprise.
It’s important to recognize, however, that this integration comes with security risks in itself. Remote provisioning should always be done in the same encrypted, secure way that data is shared on the rest of SD-Branch, including the use of localized, dedicated web hosts and encrypted communication protocols. If it is not, you run the risk of your security measures being the weakest part of your SD-Branch network.
The Bottom Line
SD-Branch is one of the key components in the digital transformation of the enterprise branch and can confer huge advantages to businesses that adopt it early. However, it should also be recognized that the system – like any highly networked system – comes with security challenges as well.
It is, therefore, key that organizations develop and deploy a thorough approach to managing SD-Branch security from the very first implementation of this system in remote locations. By empowering a central cybersecurity team to remotely monitor and intervene with in-branch implementations, companies can ensure that they maintain oversight of them.
Ultimately, centralizing cybersecurity in this way also has another advantage: cost. Instead of maintaining multiple and isolated IT teams, companies taking this approach only need one dedicated team to manage their entire SD-Branch setup.