Software-defined wide area networking (SD-WAN) is the clear choice when enterprises decide that it’s time to replace a multiprotocol label switching (MPLS) connection in order to gain flexibility, instant application recognition, and automated traffic management. For enterprises that are investing in bandwidth-hungry cloud solutions across a geographically dispersed set of branch locations, SD-WAN solves a lot of challenges.
The mistake that enterprises often make is in not involving the chief information security officer (CISO) early enough in the SD-WAN selection process. SD-WAN offers some great benefits, but it also introduces new vulnerabilities, and having the CISO involved in the selection and implementation process can prevent a lot of headaches down the road.
While it’s obvious that it’s preferable to choose an SD-WAN solution that has security tools baked in – rather than bolting them on later – there are still differences between even the best SD-WAN solutions in terms of security. It’s important to ensure that the tools and features offered best align with your specific goals and security strategy.
For many years, MPLS was a great solution, in part because it was beautifully simple. It provided a direct link from a service provider’s backbone with added encryption for some transactions, and service level agreements were clear and manageable. By placing a firewall in the data center and backhauling traffic through it, security was pretty much covered.
Today, however, MPLS is not agile or flexible enough to support the array of connections and services needed. While MPLS is reliable, it is also expensive when you consider the level of bandwidth required for most cloud solutions. SD-WAN is able to address the complexity that cloud introduces, but it needs new attention to security to protect the network. There are four primary areas of security that need the attention of the CISO:
- In the area of software as a service (SaaS), CISOs need to address authentication and privileges, and they need to inspect direct internet access traffic. In addition, security needs to be able to keep up with the underlying connectivity as well as monitor personal and internet of things (IoT) traffic. As part of the SD-WAN solution, CISOs will need to prioritize web filtering, anti-malware, and intrusion prevention system (IPS) capabilities.
- CISOs will also need to determine how best to access applications dispersed across a multi-cloud environment. Each connection to a different cloud or SaaS solution will need to pass through security protocols, policies, and functions that are applied consistently while traffic is transmitted in real time. CISOs will also need to look for sandboxing capabilities.
- All data crossing the network will need to be encrypted, including connections that run through the central data center, SaaS connections, and connections between branch locations. Your CISO may prefer an SD-WAN solution that includes support for a virtual private network (VPN) or another strategy that will help manage these connections. You’ll also need a next-generation firewall to support encrypted traffic.
- There’s also your own security strategy to consider. The SD-WAN solution you choose must fit within your broader policies, including compliance with the regulations in your industry.
Involving your CISO can help you avoid deploying two different SD-WAN solutions (one for connections and one for security), and instead use an integrated strategy that combines security and connectivity into a single solution. This helps your solution continue to adapt to networking changes and provide the right security coverage.
When it’s time to upgrade your network infrastructure, involve your CISO, and involve eXemplify as well. Contact us to learn more about choosing an SD-WAN solution that doesn’t expose your enterprise to new security risks.