The move to SD-WAN is on. By 2024, 60% of enterprises will have implemented SD-WAN, compared with about 30% in 2020, according to Gartner.
SD-WAN adoption is clearly being driven by the shift to SaaS applications like Office 365, Salesforce CRM and so on. With SD-WAN, users don’t have to connect to the corporate VPN to get the experience they expect from enterprise apps.
What’s not so clear is how secure SD-WAN deployments actually are. All too often security has been a secondary consideration, something to be refined after SD-WAN deployment. And the managed services model many enterprises are adopting adds new complexity to security assurance.
It’s time to pay more attention to SD-WAN security and ask some key questions:
How secure are SD-WAN managed services, really?
What is the cost of SD-WAN security validation?
Are your SD-WAN security and application policies behaving as expected?
This blog helps you address those questions so you can adopt SD-WAN and SD-WAN managed services with confidence.
How secure are SD-WAN managed services, really?
The move to SD-WAN creates a security hole because users can now connect directly to SaaS-based applications, circumventing the corporate network and its security mechanisms. And the explosion of remote working driven by COVID makes that hole a chasm.
For enterprises, SD-WAN has created a security nightmare. It kills the old models of security assurance but doesn’t replace them with anything. You’re now in a distributed environment, but how do you implement distributed security? How do you continuously test and verify SD-WAN security when the network perimeter is dissolving, when every user is basically a branch office, and there is no end to new endpoints?
The answer for many companies: you hire a managed service provider (MSP) and let them handle it. You allow the company that provides your transport layer to upsell you SD-WAN and deliver the security you’re accustomed to.
But they’re going through the same growing pains too. Companies need more than an MSP’s vague assurance that their networks are secure—and MSPs need a simpler, more effective way to validate SD-WAN security and performance from end to end.
That means MSPs will need to move beyond traditional point-in-time testing and assessment practices and piecemeal solutions. They must show that they can implement security and performance validation practices that are:
Comprehensive: Security and application layer testing should include all elements of the SD-WAN stack, including physical and virtual endpoints, across all stages of development and deployment and all network application workflows, in the lab and in the live production environment.
Proactive: Security and performance validation should aim to expose weaknesses ahead of the curve, not in response to issues as they are identified.
Continuous: Testing and validation should be performed continuously in the live production environment, not just occasionally in the lab.
Realistic: The ability to assess corner case “what-if” scenarios with actual application transactions and real attack and malware testing enables organizations to obtain accurate results and create more stable and secure SD-WAN environments.
Cutting-edge: Testing, assessment, and validation should leverage the expertise of experienced security professionals, best practices and standards, as well as advanced tools and technologies as they emerge.
Quantifiable: MSPs should perform deep KPI measurement to monitor and track the quality of experience (QoE), per-host statistics, trending, and causality.
When all of the above criteria have been satisfied, MSPs can offer a meaningful answer to the question of how secure the SD-WAN deployment actually is. And they can set themselves apart in an increasingly competitive, crowded marketplace.
What is the cost of SD-WAN security validation?
There are several ways to define “cost” in this context, depending on how you intend to approach SD-WAN security validation. The key options are doing it yourself or hiring a managed service provider.
The cost of doing it yourself
Most companies don’t spend much time examining this option because the expense is daunting. You need to invest in the leading-edge tools, hardware, software, and threat intelligence feeds to test complex, multi-vendor SD-WAN environments. You also need to pay for the expertise to harness all that advanced technology correctly and effectively. And given the complexity of SD-WAN security validation, that expertise is in short supply (translation: insanely expensive to build or acquire).
On the other side of the coin, you need to consider the costs of doing it wrong. Research shows that the average cost of a data breach in 2020 was $3.86 million. Do you really have the right tools and expertise to provide dependable security validation for an SD-WAN implementation?
There are many other intangible costs, including:
The cost to your company’s reputation if you suffer a security breach, or if performance does not live up to promises or expectation even once.
The price of poor morale due to overworked and under-supported security staff.
The cost of diminished trust and respect for the IT department.
The cost of hiring a managed service provider
The “cost” of an MSP involves more than the price tag for the service. The MSP market has boomed as SD-WAN adoption has spiked, leading to a “Baskin Robbins” problem: there are too many options.
Simply evaluating the offerings of the dozens of MSP contenders can be a time-consuming and expensive proposition. It’s roughly analogous to determining who has the most cost-effective plan for your smartphone. The selection process forces you to weigh myriad options, hidden costs, and oversold capabilities. How do you determine the true cost of getting the security and performance validation you require?
The starting point is to insist on testing and assessment that is comprehensive, proactive, continuous, realistic, cutting-edge, and quantifiable.
Are your security and application policies behaving as expected?
SD-WANs must meet performance and availability requirements for increasingly diverse and distributed workers, including office-based workers, remote staff, business partners, suppliers, and customers across a variety of locations. And that means policy management is much more complex with SD-WANs.
For example, a user in a remote office may be on the office’s Wi-Fi as well as on his or her LTE connection. Based on business policy, this user could use both connections, but only send secure traffic through the LTE connection. Multiply this complexity by the number of SD-WAN endpoints under this scope of mobile users, and you suddenly have billions of policy permutations to be managed.
The centralized policy management capability of SD-WANs helps. But how do you know your policies are actually blocking who they should block and granting access to authorized people?
The short answer: you have to test. But traditional haphazard, point-in-time testing is not sufficient.
Policy testing should include both pre-deployment testing in the lab and continuous post-deployment testing in the production environment. And testing should include specific, real-world deployment configurations to ensure conformance to standards, internal processes and regulations.
A proactive testing approach is also valuable after deployment; however, the approach must carefully consider the impact on the operational performance of devices and networks being assessed.
Looking for more information on SD-WAN security validation capabilities? Learn more about available security solutions, including CyberFlood and SecurityLabs.
Overwhelmed by the move to SD-WAN? Check out our three steps to taming SD-WAN complexity.