Most organizations are in the midst of some form of digital transformation (DX), transforming how they bring products and services to the market—and ultimately deliver value to their customers. But DX initiatives also bring complexity for the network operations team. Distributing business-critical services across multiple clouds can lead to performance issues, especially at branch locations.
Given these realities, it is no wonder that software-defined wide-area network (SD-WAN) technology is rapidly going mainstream. Unfortunately, SD-WAN is an example of the paradox of DX: transformative technology can potentially move the business to the next level, but the expanded attack surface it creates can expose the organization to significant risk. That is why an SD-WAN deployment, like every other DX effort, should be accompanied by a security transformation (SX) that rethinks outdated principles, broadens protection beyond the data center, and integrates the security architecture for centralized visibility and control.
SD-WAN Addresses DX Networking Needs
As more services move to the cloud, it becomes increasingly clear that “conventional network architectures … were not built to handle the workloads of a cloud-first organization.” This has resulted in the rapid growth of another key DX technology—SD-WAN. And rapid is the operative word: research conducted by IHS Markit shows that 74% of firms conducted SD-WAN trials in 2017, and many of those firms are deploying the technology this year.
SD-WAN provides high-performance access to cloud applications for users located away from headquarters, enabling a more agile network and facilitating automation at branch locations to a degree previously not possible. Specific benefits include:
- Direct cloud access. SD-WAN eliminates the need for backhauling—routing all cloud and branch office traffic through the data center. This enables direct access to critical cloud services for all users, regardless of location.
- Better application performance. An SD-WAN can be configured to prioritize business-critical traffic and real-time services like Voice over Internet Protocol (VoIP) and steer it over the most efficient route. Having several options for moving traffic helps reduce packet loss from overloaded circuits and latency due to heavy traffic, improving performance and user experience.
- Increased business agility. Network planners no longer need to plan weeks or months in advance to deploy additional multiprotocol label switching (MPLS) bandwidth for a traditional WAN. In addition, the need to ensure network performance at multiple branch locations no longer inhibits other DX initiatives from moving forward quickly.
- Cost savings. SD-WAN allows traffic to be routed efficiently over multiple channels—including not only existing MPLS circuits but also the public Internet via LTE and broadband. This reduces the cost of new MPLS bandwidth.
SD-WAN Can Also Disrupt Network Security
It is hard to argue with the benefits of an SD-WAN network architecture in a world of DX. But SD-WAN also has a glaring disadvantage. Each SD-WAN-enabled site with local Internet access is a further expansion of an organization’s attack surface—and another weak link in the network security chain. This exacerbates an existing problem, since branch locations often have lower levels of security than headquarters even before the introduction of SD-WAN.
Of course, most other DX-inspired technology deployments also expand an organization’s attack surface, and security is often seen as the biggest roadblock to DX initiatives. To be successful, every DX initiative—including SD-WAN deployment—must be accompanied by a corresponding SX.
SX Can Make SD-WAN Secure
SX involves rethinking long-standing principles of enterprise security—including the perimeter-based model, which declines in effectiveness every time another cloud service is rolled out and is completely unworkable with SD-WAN. SX also requires that security be an integral part of DX planning, rather than an afterthought. For every DX initiative, planning and deployment teams should follow the principle of security by design, security by default.
When it comes to SD-WAN deployment, the network security and network operations functions should share in the decision-making process for a solution, and a security strategy should be in place when the final selection is made. Traditionally, these teams operate in silos—and sometimes function in mild competition with each other. But when these teams work together, they can strategically address the legitimate security concerns surrounding SD-WAN:
- Securing an expanded attack surface created by DX initiatives and the SD-WAN infrastructure itself
- Ensuring that malware that does enter the network does not travel horizontally
- Compensating for the lack of trained IT security staff at some remote locations
- Providing network-wide visibility and centralized security controls for the entire enterprise
Making SD-WAN Successful with SX
SD-WAN offers organizations a great opportunity to deliver tangible value to their branch networks. Some of the things IT and security leaders need to remember include:
- SD-WAN is a critical DX linchpin for many organizations.
- The business value of SD-WAN is tangible, facilitating cloud delivery to branch offices, providing increased application performance, enhancing business agility, and reducing cost.
- SD-WAN expands the attack surface and can be the weakest security link for many organizations.
- SX is required to make SD-WAN secure.
- Integration is pivotal when it comes to secure SD-WAN.