This Industry Viewpoint was authored by Matt Hiles, COO of Mosaic NetworX
SD-WAN has become the “go-to” solution for bringing enterprise networks into the digital transformation era. However, there is a significant challenge that must be addressed with SD-WAN deployments. That challenge is security that extends to branch offices and across the cloud-expanded network perimeter. But developing a comprehensive and effective defense against cyberattacks can be a slippery proposition.
Organizations create reliable, high-performing WANs by deploying SD-WAN to combine multiple low-cost circuits that either partially or completely replace expensive and rigid private WAN circuits. These networks can include hybrid (MPLS, broadband Internet, DIA, LTE, etc.) or all-Internet connectivity to increase reliability and lower costs.
SD-WAN software abstraction uses a centrally managed network overlay to manage remote branches and decouples apps and services from the network infrastructure underlay. SD-WAN can also replace traditional branch routers with virtual or physical appliances that control application-level policies within branch offices.
SD-WAN is applied to circuits that connect enterprise branch offices, data centers, and cloud/SaaS. By abstracting network hardware and circuit characteristics from the applications, network visibility, control and management are simplified, while assuring optimal application performance. Network agility and reduced costs are enabled through policy-based workflow automation, providing a complete view of the SD-WAN network within a single pane of glass, via a centrally managed controller.
Cloud-native SD-WAN Security
SD-WAN enables a tightly controlled virtual perimeter, from a hub-and-spoke to a multi-breakout network. Security features defend against cyberattacks, using the Advanced Encryption Standard (AES) to secure connectivity over any type of circuit. SD-WAN also uses AES with 256-bit keys to encrypt and decrypt data and files.
Edge devices must first be authenticated to the SD-WAN management plane to participate in the secure cloud network. After the SD-WAN edge device is authenticated and authorized, it receives its assigned policy and access to the secure network. Based on traffic type, security services can be provisioned within the cloud or on-premises.
PKI may be built into the orchestration layer to facilitate the identification of SD-WAN devices and the distribution of identity information. This also enables SD-WAN devices to securely authenticate each other and exchange encryption keys. If an attack is perceived, the orchestrator will revoke the SD-WAN device’s identity to prevent it from participating in the secure overlay.
SD-WAN Without a Security Assessment Brings Risk
There are scores of technologies and strategies that address cybersecurity, but without a security plan that includes an assessment, they are all rendered less effective and, in some cases, useless. When it comes to security, trust becomes a vulnerability, while control is a strength.
A cybersecurity assessment includes identifying, analyzing and evaluating risk. This includes determining key areas of risk, controls, and recommended remediation for any gaps in controls. A risk assessment provides the framework for determining and remediating security vulnerabilities within the IT environment, workflows, and user awareness.
Cybersecurity is as necessary as an annual physical. This cyber “health check” provides the framework for subsequent actions to be taken. It is the most effective tool in the cybersecurity toolkit to justify the requirement for any security products and services.
Networking and Security, Integrated Together, Are Greater Than the Sum of Their Parts
There are many different SD-WAN offerings that companies have to sort through. Some are focused only on SD-WAN technology. Others are delivered by large telcos as managed services. Still others market secure SD-WAN solutions.
Networking and security solutions each have their strengths, but when you integrate those strengths, they produce something more than the individual solutions could alone. SD-WAN and security each have dynamic requirements that necessitate more than just technology. They need technology, people, process and workflow integration. When these are all brought together as a fully managed, carrier-agnostic service, this becomes a case where the whole is much greater than the sum of its parts.
First of all, I should explain that neither SD-WAN nor cybersecurity is simple. And no technology alone can make them simple. For example, SD-WAN requires the management of multiple carriers, which can be difficult and time-consuming for technical personnel. Carrier diversity is critical for achieving the benefits inherent with SD-WAN performance. However, it comes at a cost, with multiple layers of NOC support and escalation lists for each carrier that can easily spiral out of control. And the more carriers you add, the more complex your support becomes.
You might have a half-dozen or more carriers, each with separate contact numbers, support organizations, and internal processes to manage and coordinate. And enterprises don’t want their IT staff spending endless hours configuring and troubleshooting network and carrier issues. By the way, this has nothing to do with technology. This is about the integration of process and workflow management.
Security requires users to be trained to avoid a hacking attack. Again, this has nothing to do with technology. Any organization that relies upon WANs for communications and connectivity is not just susceptible to security attacks; it will eventually be a target for those attacks. The big question is, how well will it handle attacks, to prevent them from becoming security breaches? The most reliable and successful means to prevent security breaches is having a successful cybersecurity program.
An effective cybersecurity program requires a three-pronged dedication to empowering people, implementing processes, and deploying technologies. Together, this triad establishes a value chain that accomplishes much more than each element working independently. Through implementing best practices, they can lead to a successful cybersecurity outcome.
Two Important Questions
When evaluating security and SD-WAN solutions, the first two questions you should ask are, do you have a cybersecurity program in place today, and do you want your technical resources spending endless hours fixing network problems?
It’s understandable that you may not be cybersecurity experts. You may, in fact, employ security personnel. However, cybersecurity requires people, processes, and technology. It also requires ongoing training and reassessments of best practice implementation of all three areas.
Integrated Managed Services
If you decide to outsource SD-WAN, carrier management and cybersecurity, you will want to find a company that has a vast set of diverse resources and skillsets, proven processes, and technology solutions that are continually evolving to stay ahead of the ever-changing network and security requirements.
Managed cybersecurity companies can help ensure you get quality execution on the in-depth cybersecurity program assessment findings and subsequent remediation. They should also have the capabilities you need to harden your defenses, and put measures in place to help your organization become more resilient, shore up security gaps, and eliminate threat vectors.
Albert Einstein famously said, “the definition of genius is taking the complex and making it simple.”
Every year, enterprise IT becomes more complicated, with myriad network and security devices, increasing numbers of mobile workers and IoT devices, a growing number of cloud and SaaS applications, and much more.
It’s easy to make things complicated. The difficulty is in striving for simplicity. Managed SD-WAN, carrier management, and managed cybersecurity services take the complexity and burden away, allowing you to focus on your core competencies and grow the business. These strategic managed services, working together, can provide the business infrastructure your business needs to be successful.
About the Author
Matt Hiles is the Chief Operating Officer at Mosaic NetworX. With a successful career in the telecom and data center industries for over 20 years, he has also held executive and leadership positions at WorldCom, Level 3, and DCI Technology Holdings. Matt earned a bachelor’s degree in Government – US/Soviet Relations from Harvard University in Cambridge, MA.