This blog post is #1 of a four-part series answering the question “What is SD-WAN security?” In this post, we will talk about intrinsic security characteristics of SD-WAN, as a foundation for future discussions around why Branch Security is best served from the cloud, and how a well-defined security posture is essential for an SD-WAN vendor to be credible. But first, some context and background...
Recently, British Airways was fined a record £20 million for a data breach in which hackers accessed 400,000 customers’ personal details. Were the airline’s financial situation less perilous, the levy would have been far higher.
Roll back a little bit further and Capital One, the US-based bank holding company, agreed to pay $80 million to regulators for its failure to thwart a hack of 100 million credit card applications, one of the largest data breaches ever to hit a financial services firm.
And the internet is awash with stories of cybersecurity vulnerability as the white-collar workforce worldwide continues its inexorable journey into the remote-working space, a phenomenon accelerated by Covid-19. Add to that the increasing adoption of multi-cloud technologies as enterprises seek ways to streamline operations, increase agility and reduce costs by leveraging SaaS and IaaS, and what we have is a new world order of networking challenges that reside outside the physical boundaries of the corporate perimeter.
Tech has risen to the challenge of providing fast connections for widely dispersed people and systems, many of them reliant on the cloud, as mentioned, but there’s a fear that the threat of cyber attacks could outpace these developments.
Many of these threats to what we might describe as the ‘Extended Edge’ – a ‘new normal’ born of physical headquarters being phased out or downsized, and workers dispersing from clusters of manageable hubs to thousands of remote locations, as well as the proliferation of multi-cloud environments – will certainly have a bearing on software-defined wide area networks (SD-WAN).
With SD-WAN becoming increasingly crucial for supporting this new Extended Edge, let’s take a look at some of the security considerations in a two-part blog post series covering the basics, including:
- An overview of why SD-WAN has always been secure;
- A recap on and technology deep-dive into what SD-WAN is and how it came about;
- An introduction to security and SD-WAN; and
- For the second installment, a deeper dive into topics such as shadow IT, WSG, extra security layers and new types of firewall.
But let’s start with a quick trip down memory lane. Once upon a time, the first time I was ever involved with the launch of an SD-WAN product, people kept asking me: “Great, but what do we do for security?”
I’d stare at them blankly before saying: “What do you mean? SD-WAN is security.”
They’d invariably stare back.
“OK,” I’d say. “Listen up.” And I’d dive into the basics with them:
SD-WAN is, by its very nature, intrinsically secure.
Reasons why SD-WAN is and has always been secure
I would identify five core reasons behind its intrinsic security:
- Reason One: By orchestrating dynamic traffic steering specified by policy as well as application traffic visibility and prioritization, you build security right into your WAN management console and network traffic control practices and processes.
- Reason Two: You get to say what can cross your network, and how and when and why, down to the user- and session-level (with certain solutions, that is, for instance Ipanema SD-WAN).
- Reason Three: You can shine a light on the WAN and see and control all the slippery applications hiding under the rocks, aka Shadow IT (covered in Part 2 of this series).
- Reason Four: You can also use a web security gateway (WSG) for super-duper extra cloud security.
- Reason Five: You can pile on any additional security layers you want to by service-chaining with other technology vendors.
Mind you, this is just the foundation. Recently, new developments in security and specifically SD-WAN security have come online and broadened the horizons of how we do security at the network policy-level.
Developments driving the current scene
Picture the many very smart people sitting in dark rooms (because they work until midnight), wearing hooded sweatshirts, drinking espresso and dreaming of how to perfect their security practices. In their dreams they speculate about how Cyber Crimers will try to defeat their security practices. And they dream of ways to prevent Cyber Crimers from defeating their security practices.
But their dreams descend into nightmares as Cyber Crimers try to circumvent the preventions so they can circumvent the circumvention. And so on, and so forth.
I mention this last point to illustrate the reality that security isn’t a “one and done”-type thing. It’s an evolution, requiring vigilance and agility. You must always stay one step ahead of the people and their bots who want to steal or compromise your company’s most valuable asset – data (cue dramatic chipmunk).
‘Orchestrating’… ‘dynamic’… ‘traffic’… ‘steering’… Wait, what? This space is replete with bafflingly opaque terms. What do they mean?
To put this into the simplest terms possible, let’s start with a really basic reminder of what companies want from SD-WAN:
- Let’s start with your network, which is a physical thing that connects your sites and data center(s) and clouds, consisting of cables, routers and physical kit.
- You want to control what traffic goes where, ensure high availability for important traffic and maybe limit the accessibility of certain resources based on security privilege.
- On top of that, you might want a whole boatload of security provisos and instructions for your firewall, which you’re probably paying a third-party provider for.
Now, in a time before SD-WAN, you had to send an actual person to write a bunch of code, do a bunch of configuration work, push a lot of buttons and move cables around.
And they had to do it for every site, so of course it took forever and there was massive potential for error. Sure, maybe your managed-service provider did it for you, but the outcome was always the same, as it was:
- Time-consuming and disruptive to the business, with a slow ROI;
- Manual, therefore expensive; and
- Intricately detailed, making the process error-prone, risky and expensive, as deep IT expertise was needed.
The emergence of SD-WAN
So, with all that in mind, enter SD-WAN. Taking all that hardware and putting software on top of it, it says: “Relax, friend! With SD-WAN, you can now manage all that network administration from one pane of glass with a handy orchestrator.”
The enthusiasm is well-deserved: network administration is dramatically simplified; and now it’s automated, so you don’t have to do all that repetitive coding and configuring and traveling from Miami to Dubai to push buttons (or wait for your MSP to do it for you).
Either way, you set it up how you want it and push it out to all sites, which is: faster (meaning quicker ROI); less expensive; less error-prone; and less disruptive (the latter meaning less risk for the business).
It’s also intelligent, and by that, I mean that it can give you insights into your network that you never had before, such as:
- Traffic patterns;
- Application usage;
- Shadow IT;
- Information on where traffic is coming from and where it’s going;
- Longitudinal trending data to help resource planning; and
- Troubleshooting data to help, well, troubleshoot.
In short, it offers all the answers to life, the universe and everything (hint: 42). (#sciencefictionjoke)
What’s more, it can let you control things you never could before, like:
- Which applications are most important and should get the most resources;
- Which applications are lower priority and should be relegated to steerage (too soon?);
- Which applications you want to shut down (remember shadow IT); and
- Lots of other fun stuff.
Security and SD-WAN
So, that’s what SD-WAN does; where does security come in?
By orchestrating dynamic traffic steering specified by policy as well as application traffic visibility and prioritization, you build security right into your WAN management console and network traffic control practices and processes.
Now, I realize I’ve already said this, but it bears repeating and needs an explanation. Remember when I talked about intelligence, automation and central orchestration? Well, these SD-WAN capabilities are what make security ‘intrinsic’ to SD-WAN. It works like this:
- You take your security policies;
- You translate them into rules governing network traffic and application usage;
- You program them into your orchestrator;
- Your orchestrator automatically pushes out the policies and governs traffic based on those rules;
- It does it dynamically, meaning that it’s constantly responding in real-time to changing network conditions – not reacting to yesterday’s circumstances, but responding proactively to network impacts at the split-second and session level.
Of course, only the best SD-WAN solutions do everything I mention here, so choose yours wisely.
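The steps above, sketched as an added example (not from the original post and not any vendor's API): a constructed first-match policy table is evaluated per session against current link metrics, so the same VoIP session moves to another link when one degrades. The rule fields, application names, link names and thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    app: str                      # application as classified at the edge
    group: str                    # user group, "*" matches any
    action: str                   # "allow" or "block"
    max_latency_ms: float = float("inf")
    max_loss_pct: float = float("inf")

@dataclass(frozen=True)
class Link:
    name: str
    latency_ms: float
    loss_pct: float
    up: bool = True

# Constructed policy: first match wins, anything unmatched is blocked.
POLICY = [
    Rule("voip", "*", "allow", max_latency_ms=80, max_loss_pct=1.0),
    Rule("crm", "sales", "allow", max_latency_ms=200),
    Rule("p2p-filesharing", "*", "block"),   # a "shadow IT" app shut down by policy
    Rule("web", "*", "allow"),
]

def match(app, group, policy=POLICY):
    for rule in policy:
        if rule.app in ("*", app) and rule.group in ("*", group):
            return rule
    return None

def steer(app, group, links, policy=POLICY):
    """Return (decision, link_name) for one session given current link metrics."""
    rule = match(app, group, policy)
    if rule is None or rule.action == "block":
        return ("block", None)
    ok = [l for l in links if l.up and l.latency_ms <= rule.max_latency_ms
          and l.loss_pct <= rule.max_loss_pct]
    if not ok:
        return ("no-compliant-path", None)   # this example's choice: fail closed
    best = min(ok, key=lambda l: (l.latency_ms, l.loss_pct))
    return ("allow", best.name)

def demo():
    before = [Link("mpls", 30, 0.1), Link("broadband", 20, 0.2)]
    after = [Link("mpls", 30, 0.1), Link("broadband", 140, 3.0)]  # broadband degrades
    return [steer("voip", "eng", before), steer("voip", "eng", after),
            steer("crm", "eng", before), steer("p2p-filesharing", "eng", before)]
```

The CRM session from a non-sales user is blocked because no rule matches it, which is the default-deny behaviour a reviewer would want to confirm in any real policy set.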
What is secure SD-WAN?
So, what is secure SD-WAN? As I said at the start, for the second installment in this short series of blog posts, we take a deeper dive into topics such as Cloud Security, best practices for Security Posture, shadow IT, WSG, FWaaS, UTM, and all sorts of exciting security topics. So, look out for that! You can also download the eBook, which combines Parts 1 and 2 of this series.