The structure of many corporate networks is playing into the hands of threat actors. A different network architecture is needed to tip the balance back in favour of security and IT teams.
Wide Area Networks, the workhorse of organisations worldwide, are revealing their age and weaknesses.
Their traditional design, focusing on centralised IT infrastructure, data privacy and operational efficiency, has been tarnished by being prone to security breaches as malicious actors continue to refine their ability to penetrate and move around inside the network.
Some of the critical security issues that impact WANs include increased vulnerability to viruses and malware, susceptibility to phishing scams, data breaches and network compromise.
Australian organisations have experienced more than their fair share of attacks that leverage some of these vectors in the past few months. That has put pressure on CISOs and CIOs to conduct urgent reviews, assurance and due diligence checks on their own infrastructure setups, and to fast-track strategic initiatives and budget to address any shortfalls, perceived or actual.
The traditional response to protecting the WAN – and indeed any core piece of corporate infrastructure – has been to implement layered security protections under a defence-in-depth approach.
While these overlapping protections may limit risk exposure, they can have other consequences, such as introducing latency on time-sensitive applications due to inefficiencies and double-ups in the security solutions being used. Organisations with traditional WANs understand that there’s a fine line to tread between prudent and over-zealous protections.
Layered security protections for the existing WAN are, in a lot of ways, a stopgap measure, because realistically to improve the security posture of the corporate network, the WAN needs to evolve to a new architecture that prioritises security and performance: a network structure where these two attributes are not mutually exclusive.
This is precisely why the future-state target for many organisations is SD-WAN. It offers a software-defined approach to managing a WAN, which improves application performance; offers greater agility; and vastly improves one’s ability to secure their network against a growing range of threats.
ISG research shows the “escalation in enterprise security requirements” is one of the key trends driving organisations in Asia Pacific to transform their infrastructure to be more software-defined.
According to another recent survey, the second most desirable capability of an SD-WAN is that it has “advanced security features”. The question suggests these features should be “integrated” with the SD-WAN, however it is likely that native security capabilities of SD-WAN will make the network technology even more attractive to prospective users.
These trends are set to drive much deeper deployments of SD-WAN technology in Australia and beyond. The Ponemon Institute suggests that 36% of businesses that have not yet migrated to SD-WAN will do so within a year, and another 36% within two years. Only 4% of businesses have no plans for SD-WAN adoption.
What SD-WAN brings to the security table
So, what is it about SD-WAN that makes it more attractive as a secure structure for corporate networks?
SD-WAN uses various services, including MPLS, LTE, broadband Internet, cellular, and satellite, to move large amounts of data around dynamically, swiftly, and in parts. A split tunnel architecture, for example, means half of the traffic is moved through the firewall to the Internet. In contrast, the other half travels straight from one website to another without needing to pass through a security parameter.
This structure brings reduced network costs, improved application performance, resiliency through redundant connectivity types, scalability and agility, and better manageability through dashboards without sacrificing security.
The core of SD-WAN is its centralised control or orchestration platform. This is key to being able to separate the control and data planes. The data plane carries user traffic, which always needs to be encrypted using Secure Sockets Layer, Transport Layer Security, or IPsec VPN tunnels. This is a place where vendors play an essential role in providing methods for encryption and short-rotation key exchanges. The control plane is the messaging path that resides in the routers and switching devices within the SD-WAN. This, too, needs to be encrypted and protected from malware, botnets, and other threats.
SD-WAN’s end-to-end security abilities can regulate access to and from external websites. These can include embedded SSL decryption, enterprise firewall, intrusion prevention, URL filtering, and malware sandboxing. This dynamic, software-based approach reduces traffic that travels through the security system. Since traffic from different applications moves through separate SD-WAN micro-segments, outside threats cannot compromise all application traffic. Its encryption and certificate-based authentication capacity make SD-WAN secure by default during initial deployment.
As a result, security can be applied more flexibly, either as a subscription service within a cloud-delivered SASE (secure access service edge) model or in on-premises embedded capabilities within SD-WAN routers, according to the business and compliance requirements of each enterprise.
