Secure SD-WAN: Security By Design

By Kevin Brown, Managing director, BT Security

The flexibility and cost savings offered by the latest software-defined wide area networks (SD-WAN) make them highly attractive to global companies looking to create a more agile organization. But this agility comes with risks.

Security by design

While the benefits of SD-WAN are clear, it does introduce threats to your network, application availability and performance. For example, your SD-WAN routers and management platform will be directly connected to the internet. And using the internet for traffic flow means that you’ll lose control of the data path - so your data is flowing in zones of zero trust. Also, the physical security of your SD-WAN elements becomes more critical.

Purely relying on the inbuilt security of an SD-WAN solution will, in many cases, not be enough. It’s down to you to assess your own requirements and the security controls you’ll need. Get this wrong and you could increase the risk of your new SD-WAN routers being compromised, of attackers moving laterally within your network once they are past those routers, of DDoS attacks, or of exposure to insider threats.

SD-WAN – the wedge between the CIO and CISO?

But in around 80 per cent of the invitations-to-tender we see, customers aren’t actively considering or aware of these risks.

SD-WAN is highlighting a tension between CIOs, focused on supporting the business with technology-enabled solutions, and CISOs, concerned with managing information security risks. Both CIOs and CISOs recognize the agility and cost savings SD-WAN can offer, but it’s the CISO’s priority to ensure the whole organization remains secure whilst those benefits are realized.

Cybercriminals are fully aware of these tensions too. They have an interest in ensuring that companies’ IT and security teams remain disconnected. Any digital transformation that’s not tightly coordinated between these teams is likely to lead to an increasing number of vulnerabilities, or to delays as security considerations are implemented retrospectively, potentially at significant cost and inconvenience to users compared with designing in security at the start.

Design principles for security

Implementing an SD-WAN proof-of-concept or solution should involve close collaboration between your network and security teams. By analyzing what you want to achieve, understanding your network and applications, and knowing where your corporate ‘crown jewels’ are, you can work out what you want to protect and how.

Regardless of technology, it is important to move away from thinking about your data and network security separately. Instead, you should be thinking about policy, visibility and control of the network underlay, the SD-WAN overlay and your Cloud Security Architecture.

We recommend seven design principles:

1. Apply security at all layers;

2. Control access through identity;

3. Protect data at rest and in motion;

4. Automate security;

5. Monitor continuously and hunt for threats;

6. Adhere to compliance regulations and laws;

7. Prepare for disaster.

SD-WAN security controls

By classifying sites as ‘mission critical’, ‘business critical’ or ‘other business sites’, you can design the right security controls for each type of location. For some of our customers, the answer may be a hybrid approach: leaving mission critical sites on inherently secure MPLS while migrating other business sites to SD-WAN, or deploying additional security controls.

General security considerations should also include continuous security monitoring to spot unusual traffic, vulnerability and patch management, and identity and access management for the SD-WAN controllers and devices.

Network and security can no longer be considered separately.