Include the CISO in Your SD-WAN Planning Strategy

Implementing SD-WAN introduces new layers of risk that may not be apparent on the surface. This is where your CISO can provide invaluable assistance.

John Maddison

October 3, 2019


On the surface, updating your WAN connections with SD-WAN seems like a straightforward decision by the networking team. SD-WAN replaces fixed Multiprotocol Label Switching (MPLS) connections to provide better support for critical business applications. It offers greater flexibility, instant application recognition and control, and automated traffic management solutions. These functions enable branch users to have access to the business-critical resources being added through digital innovation in order to ensure a better business outcome and user experience. They also ensure that latency-sensitive applications such as unified communications maintain their integrity while traveling across public internet connections.

However, SD-WAN, especially with direct internet access, doesn't come without added risks. A recent Gartner survey reported that 72 percent of organizations list security as a top concern for SD-WAN, which is why there is a critical case to be made for including your CISO in your SD-WAN selection, planning, and implementation strategy.

Traditional Models Don’t Support Digital Business

One of the reasons why the traditional connections between the branch office and the data center – such as MPLS – have been so successful is because they are so simple. A direct link through a service provider's secure backbone, perhaps enhanced with encryption for certain transactions, simply works. Service level agreements (SLAs) and controls are straightforward and manageable. Just place a high-performance firewall at the data center end of the connection and then backhaul all your branch traffic through it and your branch connectivity and security issues are solved.

In today’s digitized world, however, that approach no longer works. MPLS connections can't adapt fast enough to meet marketplace demands. And they aren't flexible enough to support all of the different kinds of connections and services that branch users require. They not only need direct access to Software-as-a-Service (SaaS) and other cloud-based web applications, but they also need to be able to coordinate and correlate efforts with other branch offices. These are all things that traditional MPLS connections just can't do. SD-WAN solutions are designed to manage all of that complexity, which is why you are looking at them.

Complexity Always Increases Risk

SD-WAN security is another matter. Most SD-WAN solutions do not include the range of security tools that dynamic connections over public networks require. Instead, many organizations need to select and add them on after the fact. And bolting on security is where things almost always start to go sideways. Here are four of the primary security issues that need to be understood:

1) For SaaS applications, connections and applications need to be authenticated, privileges need to be assessed, and traffic needs to be inspected, especially in deployments where direct internet access is enabled. And while that is happening, the underlying connectivity can still change second by second, and security needs to be able to keep up automatically. Add direct access to internet services and the increased use of personal and IoT devices at the branch, and most security solutions can quickly become overwhelmed. To ensure a good security posture, organizations need to implement enterprise-grade security such as intrusion prevention (IPS), web filtering, and anti-malware as part of their SD-WAN solution.

2) The need to access different applications and other resources placed across a multi-cloud environment further compounds the challenge. Part of the problem is that each cloud environment speaks its own language. Connections from the branch office to different cloud or SaaS environments need to accurately translate security protocols, policies, and functions in real time to ensure consistent enforcement. In addition to the traditional suite of malware, these new environments are also incubators for new zero-day threats, which means that SD-WAN security also needs to include a sandbox solution.

3) Encryption is another issue. Virtually all data that runs across a public network needs to be encrypted. This includes connections to the central data center, connections to the various SaaS services and applications, connections to the internet, and connections between different branch offices. As a result, many SD-WAN solutions support SSL and meshed VPN strategies to establish and manage all of these connections. And more than 70 percent of that traffic is encrypted, which means you also need a high-performance next-generation firewall (NGFW) that can inspect encrypted traffic at network speeds, so that inspection doesn't become a business bottleneck.

4) Finally, any security solutions selected to address these challenges also need to fit seamlessly into your organization's broader security fabric strategy. This includes ensuring that your organization remains in compliance with regulatory requirements and internal standards. One-off security solutions limit visibility and restrict control, leaving your organization exposed to increased risk and compromise. What is needed is integrated compliance monitoring to ensure your connections meet your baseline requirements. In addition, a cloud access security broker (CASB) solution helps ensure control over SaaS usage and user activities.

You Need A Secure SD-WAN Strategy

Rather than deploying two different WAN solutions, one for SD-WAN connectivity and one for SD-WAN security, organizations should seriously consider an integrated strategy that weaves security and network connectivity functionality together into a single system. This ensures that security automatically adapts to networking changes because they are both part of the same control system. Policies can be implemented, managed, enhanced, and orchestrated using the same integrated management console. Configuration conflicts can be identified and addressed automatically, and compliance with regulatory requirements that span both networking and security can be ensured.

Your CISO Can Provide Essential Guidance

Implementing SD-WAN introduces new layers of risk that may not be apparent on the surface. For your organization to effectively address those risks, it is essential that all potential issues are identified, understood, and addressed before a single device has been plugged in. This is where your chief information security officer (CISO) and the security team can provide invaluable assistance.

A Secure SD-WAN solution and strategy enables you to introduce flexible and adaptive services to your branch offices and other remote locations without raising your risk profile. By weaving security into the preliminary design, selection, and implementation process, IT and security teams can engineer many of the security challenges out of your final SD-WAN implementation before they are ever introduced into the network. This makes it that much easier to address the regular, ongoing security issues your network will face through your larger, integrated security strategy.

About the Author(s)

John Maddison

John Maddison is EVP Products & Solutions at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.
