For those of you who have been reading the Telstra blogs on ZDNet of late, you'll notice that I recently wrote about SD-WAN as a holistic technology architecture and whether 2018 is the year that we'll see if it will really take off (for those who haven't read it, you can read it here). For the record, I still believe that it is as long as we take the time to get it right and it has been great to spend a heap of time with customers really looking under the hood and working out what is best for them.
This in turn has allowed me to start thinking about what my next blog topic would be and I finally settled on a topic that has been front and centre for me for some time now and that is around network security in an SD-WAN world. I'm going to go a bit deeper into things here as I believe that the implications of security are even more critical in an SD-WAN world as there are a lot of moving parts in a network architecture of this type and it is important that we maintain or even enhance security regardless of what a network may look like in the future.
When I talk to people about SD-WAN, I get quite passionate about security and I am often asked why this is the case. It's not because people think that I place too much emphasis on the security aspect, but because there is an almost implied belief that security is simply included and is everything it needs to be and more. Some time back I noticed an interesting trend with SD-WAN hardware and software vendors, and at the time I mentioned to one of Telstra's other principal consultants that I felt customers were being asked to trade off some capability without specifically being asked to do so.
So, what was that capability? You guessed it, security. About two years ago or so I got an opportunity to go deeper with a number of SD-WAN hardware and software vendors and before getting down and dirty with their engineers, I listened to all of the pre-technical sales pitches and noticed one very interesting theme. That theme was all about increased network agility, enhanced network capacity, increased reliability and uplifted application performance. One notable omission at this time was security.
Now this omission was of extreme interest to me, as the hype cycle of SD-WAN at the time was very much focused on internet-based Virtual Private Networks (VPNs) or, to a lesser extent (albeit a more common approach now), Hybrid Wide Area Networks (Hybrid WAN: a combination of private and public WAN connections). As a result, I started scratching the surface a little deeper and it became immediately apparent that a majority of SD-WAN vendors were effectively asking customers to trade off elements of security in order to obtain the performance benefits outlined above.
If you consider what this means in terms of a network that may eventually shift to an all-internet carriage offering or even a Hybrid offering, the potential risks are huge. As an organisation gravitates towards these kinds of network offerings, they are ultimately increasing their attack surface (the number of possible entry points to a network) and their overall risk profile. So I am sure you can appreciate why this did not sit well with me and why I am quite passionate about this subject when I write articles like this, work with our internal product teams or ultimately talk to customers about SD-WAN solutions.
It should be noted at this point that SD-WAN hardware and software vendors were not entering the marketplace and deliberately asking customers to forgo a comprehensive security strategy in order to unlock network and application performance gains; it was simply a result of their product development at that time. Referring back to my earlier point about scratching the surface on security, when I did just that, the responses I received to a couple of pointed questions were less than satisfactory, to put it rather mildly. The list below includes some of the more memorable ones:
"Your SaaS applications are already secured via SSL, what additional security could you possibly need?"
"Our solution can provide you with the same level of security as MPLS, if not better!"
"So long as you have some form of cloud-based security, you wouldn't need any additional security."
"Yes, absolutely. Of course we have a firewall built in. No, it isn't a NGFW. No, it doesn't do IDS/IPS. It's just a normal zone-based firewall with a number of access control capabilities."
The great thing is that a number of SD-WAN vendors have now recognised the shortfalls in their security story and have taken, or are in the process of taking, steps to rectify them. Some have partnered with cloud-based security providers and are now offering some fantastic capability; others have added security capability by way of acquisition. All in all, whilst there is still a lot of work to do in this space, customers should feel comfortable knowing that the security gaps I mentioned earlier are being addressed, and adopting an SD-WAN solution is much safer than it has ever been and will continue to go from strength to strength.
One piece of advice I would offer to anyone considering an SD-WAN solution that is based on an internet-only carriage model, or even a Hybrid WAN model, is to recognise that there are two key elements to consider when it comes to security on SD-WAN. Those two elements are:
1. Anywhere an internet link is to be deployed, you must ensure that an enhanced level of security is provided at the 'front door', so as to mitigate the risk of a breach from someone unsavoury who comes knocking on the door (and they will; it's not a matter of if, but when)!
2. User-based security, both inbound and outbound, is more critical than ever. Whilst you may stop the door knockers with the first point, you've got to make sure that your business protects itself from issues within the staff base (or the wider team, such as contractors), whether those issues are deliberate or the result of someone unintentionally taking an action on the network after being tricked into doing something. Cyber criminals are very capable people, which is why we are seeing remarkable shifts in security threats in general, from the very large to the very, very small.
If you're thinking of adopting an SD-WAN solution in the near future and hold concerns about the potential security impacts that may arise as a result of this kind of solution, please engage with our consulting teams who can help you work on a holistic solution platform covering all security elements or help you work an SD-WAN solution into an existing security strategy that has been right-sized for your business.
SD-WAN + Security guidance all in one easy to consume package? Who wouldn't want that?