Blog · 14 May 2019

Secure SD-WAN: Security by design

In this series of blogs, we look at how to secure your SD-WAN services, starting with security by design.

Kevin Brown
Managing Director, BT Security

The flexibility, scalability and cost savings of SD-WAN make it highly attractive to global organisations, but it can come with higher risks.

In this series of blogs, we look at how to secure your SD-WAN services, starting with security by design.

Security by design

While moving to SD-WAN brings significant benefits, you are also potentially exposing your business to additional security risks around your network, application availability and performance. Your SD-WAN routers and management platform are directly connected to the internet. Using the internet for traffic flow means you lose control of the data path, your data is flowing in zones of zero trust. And the physical security of your SD-WAN elements becomes more critical.

Purely relying on the inbuilt security of an SD-WAN in many cases will not be sufficient - it is left to the customer to assess their own requirements and what security controls they need, or face the risks of hacks of SD-WAN routers, lateral movement once past them, DDoS attacks or insider threats.

SD-WAN – the wedge between the CIO and CISO?

But in around 80 per cent of the bids we see, customers aren’t actively considering or aware of the risks. SD-WAN is highlighting the tension between CIOs, focussed on supporting the business with technology enabled solutions, and CISOs, concerned with managing information security risks. Both CIO and CISO recognise savings and agility SD-WAN can offer, but it’s solely the CISO’s job to ensure the business remains secure whilst benefits are realised.

In fact, cybercriminals are fully aware of these challenges as well and have an interest in ensuring that IT and security teams remain disconnected. Any digital transformation that is not tightly coordinated between these functions is likely to lead to an increasing amount of vulnerabilities or delays as security considerations are retrospectively implemented, potentially at significant cost compared to having designed the required security in at the start.

Design principles for security

Implementing an SD-WAN proof of concept or solution needs the networking team and security teams to work together. By analysing what you want to achieve, understanding your network and applications and where your crown jewels are, you can work out what you want to protect and how.

Regardless of technology, we need to move away from thinking about data security and network security to thinking about policy, visibility and control of the network underlay, the SD-WAN overlay and the Cloud Security Architecture.

We recommend seven design principles:

  1. Apply security at all layers
  2. Control access through identity
  3. Protect data at rest and in motion
  4. Automate security
  5. Monitor continuously and hunt for threats
  6. Adhere to compliance regulations and laws
  7. Prepare for disaster

SD-WAN security controls

By classifying sites as mission critical, business critical or other business sites, you can design the right security controls for each type of site. For some of our customers, the answer may be to take a hybrid approach, leaving mission critical sites on secure MPLS but migrating other business sites to SD-WAN, or by adding in additional security controls.

General security considerations should also include things like continuous security monitoring for discovery of unusual traffic, vulnerability management/patch management and identity and access management to the SD-WAN controllers and devices.

We embed security controls such as firewalls, identity and access management, intrusion detection and prevention and URL filtering directly into the network, allowing us to provide different security postures across applications and sites depending on what the organisation is trying to protect and where they need protection. 

Network and security can no longer be considered separately. Our in-depth understanding of both means our consultants can help you understand your potential risks around SD-WAN, ensuring you don’t inadvertently expose your organisation, critical assets and data to unknown threats while transforming your network.

Find out more about how to make security integral to your business.