CISOs Should Get Involved Early and Throughout WAN Edge Transformation

By Editorial Team | September 22, 2020

Digital innovation (DI), especially cloud on-ramp projects, is transforming many organizations. For distributed enterprises, this often means remote/branch offices’ network capabilities are becoming increasingly clogged with backhauling bandwidth-heavy applications through a fixed connection. And when it comes to network prioritization, all applications and services are treated the same. With the volume of traffic growing exponentially due to more and more video, voice over internet protocol (VoIP), and cloud applications and services being accessed at branch offices, there is also a direct impact on quality of experience. At the same time, with much of this traffic running over expensive MPLS connections, network costs continue to increase as bandwidth requirements escalate.

These factors are prompting organizations to transform their WAN edge infrastructure. Typically taking the lead in these efforts are the network engineering and operations leaders, and SD-WAN is frequently seen as the answer for solving today’s WAN challenges. Specifically, SD-WAN reduces network costs by moving traffic from expensive MPLS to the public internet, while improving network performance (and thus, quality of user experience). Not surprisingly, 40% of organizations plan to adopt SD-WAN by the end of this year.

The growth in traffic resulting from business-critical applications such as video and VoIP is having a significant impact on core networks, while the adoption of Infrastructure-as-a-Service (IaaS) services and Software-as-a-Service (SaaS) applications in the cloud means that direct internet connections need to be agile and responsive. This on-ramp to the cloud from the branch office is transforming how networks are used on a daily basis, off-loading large amounts of previously backhauled traffic to the public network. However, this also becomes a potential pathway for Shadow IT, where new cloud applications and services are deployed without input from the networking team.

Likewise, the downstream implementation of SD-WAN to solve networking problems is often done without adequate input from our security teams. Solutions selected for their connectivity and network functionalities often provide little more than a virtual private network (VPN) and basic firewall for security. Therefore, by the time security teams are engaged, it is too late in the process to ensure security efficacy and cost-efficiency. Overlooking this basic requirement at the beginning of an SD-WAN transition often leads to higher costs that are connected to the need to build and manage an overlay security system. Additionally, this reactive approach degrades the benefits of the SD-WAN deployment due to the failure of many security solutions to function efficiently in a dynamic SD-WAN environment.

To ensure that an SD-WAN solution meets all the right security specifications, security teams must be engaged in the evaluation of SD-WAN solutions from the outset. From numerous conversations with security and business leaders across a variety of industries, I have pinpointed several factors worth consideration that help ensure optimal SD-WAN results:

Understanding the Requirements for a Secure SD-WAN Solution

Organizations adopt SD-WAN for a variety of different reasons. While 72% of organizations list security as the biggest WAN concern, the primary driving factor in making the switch to SD-WAN is the high cost and limited performance of MPLS. As a result, network engineering and operations leaders often select an SD-WAN solution that meets their cost and performance needs, but that fails to meet basic security requirements.

This is a huge problem since many SD-WAN solutions do not have security integrated by default. With a static MPLS and WAN router configuration, all traffic is routed through the main corporate network, so it receives the protections of a full stack of core security solutions. Those tools do not exist with SD-WAN. Instead, SD-WAN solutions require the addition of other devices, including a next-generation firewall (NGFW), an intrusion detection system/intrusion prevention system (IDS/IPS) solution, antivirus and anti-malware solutions, web filtering, and sandboxing. Suddenly, in addition to the initial cost of the SD-WAN device itself, network and security teams find themselves purchasing additional security tools, which increases capital expenditures (CapEx). At the same time, management of multiple point solutions ratchets up operating expenses (OpEx). And beyond the additional burden on already overstretched network and security teams, this disaggregated infrastructure also increases risk.

So, what should we look for when it comes to selecting an effective and efficient SD-WAN solution? An essential requirement is fully integrated Layer 3 through Layer 7 protection. Beyond that, the following are critical network and security capabilities that should be part of all stages of evaluation:

  • Application and path awareness. An SD-WAN solution should automatically identify an application based on packet analysis and then prioritize and route it appropriately.
  • Integrated security and compliance. High-throughput encryption, including IPsec VPN, secure sockets layer (SSL), and transport layer security (TLS), combined with deep-packet inspection of that encrypted traffic at network speeds, allows an SD-WAN solution to meet security and compliance needs for connectivity.
  • Optimization. The integrated NGFW should be designed so that the firewall’s functions do not negatively affect WAN path routing.
  • Multi-broadband support. SD-WAN should be capable of using direct connections to the public internet, as well as 3G/4G/LTE/5G for SaaS applications, rather than being limited to an MPLS connection to the core network.
  • Cost-reducing features. Consolidated visibility and management need to be combined with zero-touch deployment to decrease the total cost of ownership (TCO) of operating an SD-WAN network.

To achieve the above, we need to foster a collaborative environment between network and security engineers, including quarterly or monthly review meetings, and work proactively to ensure that security is in the loop at the initial stages of any network development plan.

Calculate TCO Projections for Different Solutions Under Consideration

Selecting an SD-WAN solution involves much more than weighing network and security requirements. We must also understand its anticipated business outcomes. To achieve that, network speed and reliability must be easily translated into outcomes that resonate with business leaders.

Hardware costs of secure SD-WAN scale with the number of branch locations in the network. An SD-WAN solution with integrated security should only require deployment of a single SD-WAN appliance at each location to securely connect it to the network. To argue this point, we can easily calculate CapEx savings based on the fact that fewer appliances are needed. Rather than having multiple appliances at each location, resulting from deploying an SD-WAN device along with additional overlay security devices, only one integrated device is required. Table 1 shows a small SD-WAN deployment across 30 locations and the potential costs associated with a disaggregated SD-WAN solution and one with a single box. The CapEx outcomes are dramatic. And as most of our organizations have a much larger network of branches, the CapEx savings quickly multiply if the SD-WAN solution consists of one appliance.

Sample Hardware Costs of SD-WAN Appliance Without Security Integration

Table 1: Comparing CapEx savings of SD-WAN appliances. The pricing is drawn from a Security Strategy Impact report by Mainstay.

Table 2: Comparing OpEx costs of SD-WAN solutions with and without security integration. Note: This value, as broken down in the table above, assumes that appliance support costs are 40% of purchase price for appliances without security integration and 45% of purchase price for those with integrated security. SD-WAN setup effort and ongoing management are calculated at a pay rate of $53 per hour for a one-time setup of 10 hours at each branch (divided over a three-year period) and 12 hours per year of maintenance.

The costs of an SD-WAN solution are not just limited to CapEx. The more devices there are to manage, the higher the OpEx—as more network and security staff are required to configure and manage the devices, let alone aggregate, correlate, and reconcile data from each. In the example cited above, the setup and maintenance cost savings equal an additional $111,605 per year on average over a three-year period. When CapEx and OpEx savings are added together, the savings rapidly increase.
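The OpEx and CapEx comparison above can be reproduced with a small TCO model. The following is an added example, not taken from the article or the Mainstay report: it encodes the stated assumptions (40% or 45% support, $53 per hour, 10 hours of setup amortized over three years, 12 hours of yearly maintenance) and uses constructed placeholder appliance prices, and it treats the support percentage as an annual cost, which is an assumption the page does not spell out.

```python
"""Three-year TCO model for a branch SD-WAN rollout (added example).

Assumptions from the article: support at 40% of purchase price for appliances
without integrated security and 45% for integrated ones; branch labor at
$53/hour, 10 hours one-time setup amortized over 3 years, 12 hours/year
maintenance. Assumed here: support is charged yearly. Prices are constructed.
"""
from dataclasses import dataclass

YEARS = 3
LABOR_RATE = 53.0            # $/hour at the branch (from the page)
SETUP_HOURS = 10.0           # one-time per device, amortized over YEARS
MAINT_HOURS_PER_YEAR = 12.0  # per device (from the page)


@dataclass(frozen=True)
class Appliance:
    name: str
    price: float             # purchase price per unit (constructed placeholder)
    integrated_security: bool

    @property
    def support_rate(self) -> float:
        # page assumption: 40% for plain appliances, 45% for integrated ones
        return 0.45 if self.integrated_security else 0.40


def per_device_opex_per_year(a: Appliance) -> float:
    """Annual OpEx for one device: support contract plus branch labor."""
    labor_hours = SETUP_HOURS / YEARS + MAINT_HOURS_PER_YEAR
    return a.price * a.support_rate + labor_hours * LABOR_RATE


def tco(stack: list[Appliance], sites: int, years: int = YEARS) -> dict:
    """CapEx, yearly OpEx and multi-year total for one stack deployed per site."""
    capex = sites * sum(a.price for a in stack)
    opex_per_year = sites * sum(per_device_opex_per_year(a) for a in stack)
    return {"capex": capex, "opex_per_year": opex_per_year,
            "total": capex + opex_per_year * years}


# Constructed placeholder stacks: an SD-WAN router plus an overlay NGFW at
# each branch versus one appliance with security integrated.
DISAGGREGATED = [Appliance("sdwan-router", 2000.0, False),
                 Appliance("overlay-ngfw", 3000.0, False)]
INTEGRATED = [Appliance("secure-sdwan", 4500.0, True)]


def savings(sites: int = 30) -> dict:
    """Difference between the two stacks across the given number of sites."""
    a, b = tco(DISAGGREGATED, sites), tco(INTEGRATED, sites)
    return {k: a[k] - b[k] for k in a}


if __name__ == "__main__":
    for k, v in savings().items():
        print(f"{k:>14}: ${v:,.2f}")
```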

Evaluate Risk Under Each Scenario

The business case for selecting an SD-WAN solution with integrated security is not limited to TCO, either. An organization with a large number of branch locations has a large attack surface to defend. Failure to protect these branch connections could result in an intrusion that disrupts operations, incurs critical data loss, and/or damages brand reputation.

With a Secure SD-WAN solution in place, an organization’s security infrastructure is located at the network edge. This makes it possible to ensure that all traffic is routed through security appliances without negatively impacting latency and performance. As a result, many potential risks to branch locations are eliminated since malicious content is identified and blocked at the network edge.

In addition, central intelligence provides a common management and orchestration platform for multiple SD-WAN devices deployed at different branch offices, enabling security intelligence to be seamlessly shared between them to ensure a consistent level of threat awareness and protection. Since containing a breach within 30 days has an average cost savings of $1 million, compared with failing to contain a breach within that time frame, choosing an SD-WAN solution with integrated security can provide a significant return on investment (ROI) if it helps you detect and remediate even a single breach more quickly.

Stay Involved: Additional Transformation Around SD-Branch Solutions Requires Your Engagement

While WAN edge transformation often starts with SD-WAN, it often does not end there. A common next step is extending that security into the local area network (LAN) of the branch office. This SD-Branch extension of SD-WAN goes beyond network edge protection to include securing access points and endpoints within branch locations, providing network access control (NAC), and monitoring and securing Internet-of-Things (IoT) devices deployed at the branch. SD-Branch also helps an organization address the challenges associated with limited IT staff at remote offices by enabling the zero-touch provisioning of security on branch networks.

As with SD-WAN, the choice between a solution that fully integrates networking and security—a strategy known as security-driven networking—and one that does not must be within the security team's purview. Achieving this requires active security engagement in fully vetting and evaluating SD-Branch capabilities. When this does not occur, organizations can find themselves with a fragmented branch network and security architecture that impedes risk management and increases TCO.

Just like SD-WAN, there are critical features that need to be considered when comparing SD-Branch solutions:

  • Integrated visibility and management. Security for branch networks must integrate into the existing security fabric, rather than providing a siloed security solution. Single-pane-of-glass visibility and management from the campus to the branch is a requisite for maintaining visibility and control across the extended network.
  • Automated device identification. In the age of IoT, an SD-Branch solution must automatically identify, secure, and segment IoT devices at the moment of network access.
  • Integrated compliance. With the expanding regulatory landscape, the collection of data for compliance reporting must also be centralized and automated. Anything that needs to be manually collected and correlated increases both OpEx and risk.
  • Zero-touch provisioning. Deployment of SD-Branch solution components must not only be seamless but also support plug-and-play zero-touch provisioning.

Secure WAN Edge Transformation

WAN edge transformation offers organizations significant business advantages. But like other DI initiatives, SD-WAN and SD-Branch also present challenges—and security is at the forefront of those. Adding security at the end of the vetting and selection process is a huge mistake, and it can exponentially increase the cost of deploying and maintaining an SD-WAN solution.

Security leaders must be engaged from the very start and participate as a critical stakeholder. Following the recommendations above will enable cybersecurity leaders to play a strategic—and pivotal—role in shaping the decisions behind the evaluation and implementation of SD-WAN and SD-Branch solutions.