Organizations are increasingly embracing the functionality and cost saving benefits offered by the blended or disaggregated network. However, current SD-WAN service models contain basic security flaws that threaten to compromise essential adoption.
One of the biggest vulnerabilities is dependency on a vendor for security as an add-on. In the new connected, digital world, organizations need to protect data regardless of status location network; consistency of approach covering service provision and protection of data in transit needs to be considered at the forefront of network design.
Service providers need to ask themselves how they can provide a trustworthy blended network, especially across public Internet and cloud services while reducing the need to deploy infrastructure at every gateway or network ingress point. How can they manage the encryption on encryption challenge? And how can they avoid the fundamental security risk associated with turning encryption off to investigate suspicious activity?
Only in answering these fundamental questions will organizations be able to embrace the inherent benefits of all SDN based solutions without security compromise.
Agility versus security
The battle between achieving business agility and ensuring data in transit security has never been more challenging. Clearly the threat landscape has changed radically in recent years – just take the public announcement by the US Computer Emergency Readiness Team (US CERT) warning of state sponsored cyber-attacks on the US’s critical infrastructure. It is little wonder that recent CIO and CTO spend patterns reveal not only a concern with security, especially in securing the cloud, but also a need to understand what is happening to data and the ability to identify and address threats as they emerge.
Yet, operationally driven moves away from MPLS networking technology towards Software Defined Networking (SDN), most notably for Wide Area Networks (WAN), could be creating security risks, or restrictions on the technology that can be deployed.
Today, SD-WANs are offering an alternative to legacy WANs, offering agility, simplicity and the potential to lower costs. The model not only opens the opportunity to embrace blended communications infrastructures, from copper to Wi-Fi, fibre to satellite, to deliver the most efficient and low-cost solution for the distributed business, but the central management model transforms the excessive management overhead associated with complex legacy WAN infrastructure.
The result of using an SD-WAN is reduced network costs of 30% to 50%, but only if it’s the same vendor end to end solution. For complex networks, networks at scale, or those operating in a High Information Assurance environment, those benefits remain questionable without an innovative approach to enabling third party infrastructure solutions to be deployed—and without a separate security overlay which can remove capacity constraints as well as vendor / network choice dependency.
Current approach (what’s good and not so good)
Many SDN vendors typically offer Layer 3 encryption technology as part of their SD-WAN service offerings: such security is beneficial for networks which have replaced a basic network with no protection. While counter-arguments suggest that encryption is too costly or too difficult to deploy for many enterprises, the reality is that deploying traditional Layer 3 encryption is better than nothing.
But for new large SD-WAN providers who may be offering the solution from a shared orchestration instance, the question has to be asked as to how any enterprise can secure infrastructure operated by another vendor, and even where the orchestration platform is deployed, which presents another security concern. Furthermore, given that one of the most compelling reasons for embracing SD-WANs is the flexibility with which new infrastructure can be connected to support business change—a model that will, by default, result in infrastructure from multiple providers—how can an organization ensure each new connection is also secure?
With organizations increasingly deploying application level encryption, there are also questions regarding performance and throughput. Encryption on encryption is a huge issue affecting both legacy and SD-WANs—with many SD-WAN deployments constrained not by the network bandwidth but the encryption overhead.
Even more concerning is the fact that should an IT team wish to investigate an application or data source, these encryption solutions typically need to be turned off—leaving the organization wide open to attack from waiting hackers.
It is in recognition of these many problems that growing numbers of CIOs and CSOs are pushing the disaggregation agenda, concluding that service and security should be separate and distinct from the management and maintenance of any SD-WAN. This trend reflects a different approach to safeguarding business critical communication infrastructure cost effectively and removing reliance on a single supplier.
The only way to maximize the commercial benefits of SD-WANs and achieve essential security that reflects the emerging threat vectors is to embrace a security overlay model; to find a way to deploy end-to-end Layer 4 encryption across every part of the infrastructure, irrespective of the underpinning network technology.
In addition to meeting the network disaggregation goals of many organizations, a network agnostic encryption solution can also reinforce the centralized management benefits of SD-WANs by providing centralized orchestration. This not only demonstrates how the network is being secured but also provides that essential insight into network activity and its security performance. And, should an application need to be investigated, there is no need to switch off all security protocols—ensuring the company is safeguarded at all times.
SD-WANs potentially offer compelling benefits and in the new fiscal reality today are increasingly the only viable option for distributed organizations, especially given the growing use of Internet based infrastructure and the cloud. However, the result is that organizations have less knowledge about the infrastructure that is being used. Where is the data going? Who owns the network? Which route is being taken? And, critically, who is securing the data—and how?
The less knowledge and control over the infrastructure, the more security control and knowledge an organization requires. It is only by taking that step towards network disaggregation, embracing a truly network agnostic encryption technology that can secure Data in Transit across any IP network, and achieving centralised security orchestration with full data visibility that organizations can confidently embrace SD-WANs and achieve that essential corporate agility without compromise.
This article is published as part of the IDG Contributor Network. Want to Join?