Security is a Top Concern for SD-WAN. Is Your Solution Ready?

The Necessity of Native Security Controls in an SD-WAN Environment Cannot be Overstated

According to a recent report from Gartner, security is the top concern for organizations updating their wide-area networks (WANs). It is followed by ensuring high-performance connectivity to their branch offices and managing the escalating costs associated with traditional connections such as MPLS.

Part of the challenge is that today’s networks are highly interconnected, with data moving across and between different ecosystems and devices. Both core data centers and cloud environments need to connect to branch offices and IoT devices to meet new digital business requirements. To address the growing need for agile and scalable connections, organizations are replacing their traditional WAN connections to their remote locations with SD-WAN.

SD-WAN security is harder than it looks

As a result of digital transformation efforts, many organizations have had to implement a hybrid security strategy in order to secure each of the ecosystems they adopt and connect to. Unfortunately, few security solutions can support every new networked environment, and even when they can, they don’t provide consistent functionality across each of them. This problem is compounded when organizations try to extend the complex, multi-vendor security strategy they have deployed inside their core networks to their cloud, mobility, and SD-WAN environments. Not only do these hybrid, multi-vendor architectures fail to provide consistent levels of protection in different environments, they also fail to provide seamless security for the data, applications, and workflows moving between these environments.

And because all of these environments are interconnected, the potential attack surface is expanding exponentially. As a result, a weak security profile in any area of the extended network becomes a threat to the entire organization. This risk increases further as organizations leverage the Internet to enable more efficient cloud connections directly from the branch. While these connections may address network latency and traffic congestion challenges to increase performance, they also introduce security concerns that can’t be addressed with traditional security tools and gateways.

SD-WAN vendors tend to not do security

Unfortunately, of the more than 60 vendors currently providing SD-WAN solutions, almost none of them provide a truly integrated security strategy. While many provide basic VPN connections and some simple stateful security for Layer 2 and 3 protections, they do not address the range of Layer 4-7 security issues that today’s digital businesses are increasingly exposed to. Instead, they depend on other vendors to provide advanced security functions such as intrusion prevention, web filtering, malware analysis, SSL and IPsec inspection, and sandboxing.

A big part of the issue is that SD-WAN solutions tend to be chosen and implemented by networking teams to address the issues of performance and cost, which means that security tends to be a concern that only gets addressed after the fact. But as security resources remain constrained and the security skills gap continues to widen, bolting on security solutions after an SD-WAN solution is in place is a strategy that rarely meets its intended goals. There are simply not enough resources to design, deploy, implement, optimize, and manage yet another set of security tools, especially not ones located at the branch end of the connection.

Traditional security solutions aren’t much better

However, attempting to use any of the existing security solutions already deployed inside the core network creates an entirely new problem. Many of these devices, whether physical or virtual, were never designed for the sort of scalability, elasticity, and performance requirements of SD-WAN. 

For example, data and transactions that move through the public Internet between the branch and other destinations (whether the core data center, other branch offices, mobile users, or one of several cloud environments) must be encrypted. But inspecting encrypted traffic is the Achilles’ heel of most security devices, forcing most NGFWs to drop to their knees. The resulting impact on performance can actually negate the advantages achieved by adopting an SD-WAN solution.

Likewise, these devices don’t interoperate with similar solutions, or even solutions from the exact same vendor, that have been deployed in the cloud. As a result, those few vendors who recognize the need for integrated security across environments are going to extreme lengths to provide it, such as deploying IPS inside a container inside a network device. Strategies that try to wedge a traditional security solution into the middle of a highly elastic environment have many of the same problems as trying to extend existing security solutions to SD-WAN: they tend to fail due to issues around scalability and management complexity.

To preserve SD-WAN functionality, you need native security controls 

To help organizations avoid the challenges created by having to adopt a fragmented, multi-vendor security strategy to protect their SD-WAN deployments, SD-WAN providers need to deliver threat protection at the cloud’s edge as well as the customer’s WAN gateway points. Unfortunately, few SD-WAN vendors have risen to the challenge.

What’s needed are security tools that provide the full range of security solutions today’s digital businesses need and that are natively integrated into the SD-WAN solution. In this way, security can dynamically adapt to changes in connectivity and support business-critical applications and transactions. Those tools also need to seamlessly interoperate with tools deployed in other environments, whether in the core network, in the cloud, or in endpoint and IoT devices. And finally, they all need to be managed through a single management and analysis console to ensure that policies can be easily deployed, orchestrated, and updated wherever data and workflows need to travel.

The necessity of native security controls cannot be overstated, regardless of where security is being deployed. In an SD-WAN environment, security needs to not only protect data and resources, but also ensure that SD-WAN’s two primary objectives, performance and controlling costs, are preserved. This includes maintaining security without impacting latency-sensitive communications, supporting constantly evolving applications, integrating with DevSecOps strategies, and seamlessly straddling different networked environments.

Original author: John Maddison