Any SD-WAN project must involve the CISO

istock 1068838170
iStock

Extending advanced services to the WAN Edge of the network can have a serious impact on a security architecture and strategy. News cycles are filled with stories about critical network breaches that began by taking advantage of some neglected element of the network, whether by exploiting a vulnerable IoT device or by hijacking some wireless access point at a remote retail location.

Those stories are almost always the result of an organization failing to have a single, consistent security strategy that can shine a light into every corner of the network. Which is exactly why organizations cannot wait until the analysis and selection of an SD-WAN solution has been completed before asking the security team how they should go about adding protections to this new solution.

When CISOs are engaged in the selection of a Secure SD-WAN solution, they not only enable their organization to build a robust WAN edge, but they can also ensure that those connections don’t become the weak link in the security chain.

Security needs to be part of the SD-WAN strategy

What's needed is a Secure SD-WAN solution that deeply integrates network connectivity functions with advanced security so that they function as a single, integrated system. The CISO and security team are uniquely qualified to not only provide critical analysis of the security capabilities inherent in any solutions under consideration, but also weigh in on the compatibility with security deployed across the rest of the network. When done properly, an SD-WAN solution should enable security teams to extend existing security strategies to the WAN Edge through the SD-WAN solution, rather than trying to wedge a new security solution into an existing security framework.

For example, a Secure SD-WAN solution, especially one that includes direct internet access, needs to ensure that all connections are automatically secured. This requires the implementation of an NGFW, not as a separate appliance, but as a fully integrated solution so that networking and security functionality are seamlessly integrated together.  

Likewise, web applications not only need to be identified and given appropriate connectivity status, such as QoS or weighted queueing, but things like cloud access security brokers (CASB) need to be included to provide in-cloud application assessments and to ensure authorized access to SaaS connections. This helps maintain the integrity of web applications and related data while also preventing the introduction of shadow IT.

And rather than requiring the security team to bolt on security after the fact, a true Secure SD-WAN solution should include a full range of security tools right out of the box that can ensure ultimate WAN edge security. This should start with an NGFW-based appliance that includes full SD-WAN functionality along with all necessary security functions – including IPS, anti-virus/anti-malware, and web filtering, as well as seamless integration with cloud-based services such as web application firewalls, sandboxing, and CASB – as part of a single, fully integrated solution.

In addition, and perhaps most importantly, all of these elements – both the advanced networking functionality and the defense-in-depth security – need to be able to be managed through a single management portal. This enables administrators to see the entire WAN as a single system to see and trouble shoot issues, combined with granular controls that automatically tie WAN connectivity to security functions.

Secure SD-WAN needs to be part of the end-to-end Security Fabric strategy

One of the biggest challenges that security teams face in today’s rapidly expanding IT infrastructure is keeping track of all of the new edges being created by IT teams. It can become impossible to keep pace with digital transformation demands if security teams are constantly forced to try and apply security solutions after the fact. IoT, mobile users, IT/OT integration, hybrid multi-cloud, and the WAN edge are all being introduced in some way or another across most organizations.

When new network elements are created in an ad hoc manner, such as adding SD-WAN, and  the central security team is not included in the architectural discussions from day zero, organizations end up with a hodgepodge of often mismatched security solutions that came with the chosen solution by default. As a result, this new service or solution may not be able to share and correlate essential threat intelligence, enable identical policy enforcement, or even provide consistent functionality with the rest of the security infrastructure. Far too often, by the time the security team is engaged, IT has already introduced critical security gaps into the network that can be expensive and time-consuming to overcome.

This challenge is precisely what a fabric-based architectural strategy was designed to address. With a master strategy in place, each security component is selected based on its ability to provide consistent functionality and enforcement, regardless of form factor (hardware, VM, or cloud), wherever it is deployed. They also need to run on the broadest array of public and private cloud environments possible to give the organization maximum flexibility for building and deploying whatever combination of networked environments is needed. This also ensures that interoperability is fast and easy to establish regardless of how and where organizations decide to expand their networks.

To help with this process, fabric connectors need to ensure that policies and protocols are translated seamlessly and accurately as they move between platforms. This allows each element to interoperate seamlessly to ensure critical threat collection and correlation. A threat detected in one place should be automatically shared across the entire distributed network to trigger a coordinated response.

Just as importantly, these solutions must be designed to function natively in whatever place they are deployed to maximize the use of local APIs and controls. And each of these components needs to also have been optimized to provide maximum performance so that security never interferes with business functions. This can only happen effectively if the CISO and security team are part of the discussion from the onset.

Make Sure You are Part of the SD-WAN Selection Process

From a security standpoint, extending digital transformation efforts to the WAN should be no different than adding new capacity or resources to any other part of the network. SD-WAN connections need to be a natural and seamless extension of the larger security strategy, and with as little overhead and cost as possible. And to make that happen, the CISO needs to be part of the broader IT planning and strategy process.

To achieve this, IT teams may need to be educated – and reeducated – on the need to strictly follow the corporate security fabric strategy. This includes adding the CISO to early strategy meetings where new networking ecosystems are being considered, and engaging with the security team from the very first planning sessions. When done properly, the organization will not only save money and manpower upfront, but perhaps save itself from serious damage later due to flaws inherent in an after-the-fact security implementation.

Fortinet’s Secure SD-WAN solution includes best-of-breed next-generation firewall (NGFW) security, SD-WAN, advanced routing, and WAN optimization capabilities, delivering a security-driven networking WAN edge transformation in a unified offering.

Related:

Copyright © 2019 IDG Communications, Inc.