CISO on CISO Perspectives
Evolving beyond the traditional WAN architecture with SD-WAN enables organizations to move past MPLS services and open their networks to direct internet access. SD-WAN solutions not only allow organizations to reap the rewards of Software-as-a-Service (SaaS) applications, applications in public clouds, and unified communications, but they ultimately deliver a lower total cost of ownership (TCO).
With Secure SD-WAN, security leaders can meet both business and customer needs to simplify the management and operation of a WAN and deliver multiple real-world business benefits.
Fortinet digitally met with four of Fortinet’s Field CISOs – Courtney Radke, Renee Tarun, Joe Robertson, and Alain Sanchez – to discuss the value of Secure SD-WAN in today’s evolving threat landscape.
Courtney - Businesses have been challenged with finding and retaining talent on technology teams, particularly in specialized network and security roles. This global skills gap underlines the capacity and capability proficiencies, which are the two base pillars of ‘The Five Constraints of Organizational Proficiency.’ These guidelines, adopted by Verizon, are a good way for companies to determine their overall cyber maturity and spell out some of the challenges businesses encounter when not managed appropriately. One of the biggest is network and security teams operating independently from each other. When network and security teams are set up in silos, without tight integration and coordination, it becomes difficult to allocate resources (people, funding, or tools) or prioritize initiatives to reduce risk. This reduces the overall competency of both teams and makes the business more vulnerable.
Renee - Security and networking need to go hand in hand. When building and designing your network, you need to ensure that it is built with security in mind. Otherwise, poorly configured networks increase your risk of exposing your data and systems to a breach. In addition, when doing incident response, you don’t always immediately know if the issue is a security problem like a breach or a performance issue like a failing hard drive. Speed is of the essence when doing incident response to minimize damage and outages. Therefore, it is imperative that the security and networking teams have a strong working relationship to troubleshoot these issues together as quickly as possible.
Joe - I have always thought that the split between networking and security was not necessary; it really is just an artifact of the history of IT. For at least the last twenty years, since the real rise of the internet as a tool of mass utilization, the network has been the route for bad actors to find and attack their targets. With rare exceptions, every probe, every threat, every malware, every attack, crosses the network. So, the network is the logical place for cybersecurity, but not just as a gate or a door where you hope to recognize the bad guy as he tries to sneak in. Security and the network should be conceived together, managed together, and work together. No one can afford a network without security these days, and cybersecurity without a network is an oxymoron. As attackers get better and better at what they do and the sophistication of their attacks grows, it is urgent for the organizations that still have silos between the networking and security teams to tear them down and get everyone cross trained and working together.
Alain - Let’s remember that SD-WAN is primarily a network concept; it means Software-Defined Wide Area Network. In other words, the routing tables are ruled by a policy that is established and updated elsewhere. Despite the enormous benefits of this feature, you end up executing orders that make sense from a performance standpoint, such as “send this traffic to this leased line and that one to this public address,” but that can significantly raise your exposure if only network criteria are considered. Hence the imperative need to simultaneously run a security stack that supports segmentation criteria, traffic analysis, VPN, and IPsec, to name a few, and enforces the same security policy across all of your company. The moment the network tasks prevail, you’re at risk, and the moment security prevails, you reduce performance. From the beginning, Fortinet solved this dilemma by dedicating high-performing ASICs to the security stack, enabling sophisticated security tasks to be conducted with marginal loss of performance. This is the exact definition of security-driven networking: the merger of the networking domain with the security domain with no compromise.
Renee - Like many people, I think many CISOs and IT leaders weren’t necessarily prepared for the major shift to remote working that has occurred over the last few months. That has meant looking at technology that can not only scale to accommodate the entire organization but also how to do so securely. As CISOs and IT teams look at SD-WAN solutions, they may find that some solutions don’t have the security built in, or that the basic firewall and VPN solution that is included isn’t sufficient from a security perspective. This results in not only additional cost to buy add-on solutions, but also an additional management burden for the already overworked IT and security staff. Therefore, it is imperative that they look at solutions that have integrated security features such as next-gen firewalls, intrusion prevention, and encryption.
Joe - Of course, SD-WAN and remote teleworking are not the same thing, but there are strong similarities in the thinking that goes into them. Organizations that I have dealt with that had made a conscious decision to implement Secure SD-WAN seem to most often be those that put security at the top of their remote access to-do lists. In many cases, I have seen the Secure SD-WAN project be the driver for the breaking down of silos that we were just talking about. Where the security and networking teams are integrated, remote teleworking is set up from the get-go with security. It isn’t left to a later date.
Alain - They certainly have learned, but sometimes in a hard way. It’s fair to say that remote access architectures were never designed to take on an entire country. Not only were business-critical applications accessed from many different places and heterogeneous networks, but video conferencing, database synchronization, and infrastructure management also made the traffic patterns significantly more complex and difficult to predict. We have learned to segment traffic and user privileges in a different way. In this context, automation is becoming more important than ever. Redesigning the authorization levels or enforcing a more granular segmentation are not easy tasks, but they become nightmares when you do not have the ability to fully automate their enforcement across the entire infrastructure. Integration also made it possible to load balance traffic dynamically and ensure business continuity at critical times. We have also learned to make quick decisions and interact more directly, and as a result the decisions that are emerging now empower the edge more, both from a human and a machine perspective. Going forward, organizations will have leaner decision processes and more direct engagement practices. Digital innovation is accelerating.
Courtney - The ability to create application-specific policies ensures business-critical applications reach their intended destinations over the most appropriate link while also avoiding impact during network events, as businesses continue to shift to commodity broadband to reduce cost. These capabilities are crucial at any time, but especially right now as on-premises work has switched to remote work. Not only is it important to have specific policies based on applications, but the ability for application signatures to be “aware” and update when changes are made, such as IP ranges for Microsoft/Office 365, is equally important.
Renee - Organizations are increasingly moving to cloud services. SD-WAN enables direct cloud access at the remote locations, therefore enabling workers to directly access cloud applications regardless of location without burdening the core network with additional traffic to manage and secure. In addition, SD-WAN improves cloud application performance by prioritizing business critical applications and enabling branches to directly communicate to the Internet.
Joe - To me, one of the biggest benefits of SD-WAN has not gotten as much attention as it should: local breakout. SD-WAN is the perfect tool for giving access to SaaS applications to a workforce distributed across many branch offices. Why backhaul all of that Salesforce or Office 365 traffic back to the data center just to head out to the internet? Giving local branch users high-speed broadband into the SaaS’s local access points makes them happy, because they get good response times. It makes the finance folks happy because that’s probably a lot cheaper than sending that traffic across an MPLS network. And if the solution has sufficient cybersecurity safeguards to be a Secure SD-WAN, it makes the security team happy. Everybody wins. Well, everyone except the hackers.
Alain - From a user standpoint, ramping up the cloud and empowering remote sites are the two sides of one coin. CISOs understand the need to embrace security as one: in the cloud, in the core, and at the edge. You cannot afford to lose visibility of the applications just because they’re running as SaaS across a multi-cloud architecture, and you can’t let the cloud provider’s security policy prevail over your own. Deciding which pattern of prioritization serves your specific business objectives is your responsibility. In this context, a holistic vision of cybersecurity that enables visibility, but also orchestrates the response across hybrid cloud architectures, is paramount. Not only does the integrated fabric allow you to see, secure, and act, but it also preserves your freedom of choice. You can always adopt a new cloud provider, repatriate some components in-house, or accelerate your cloud adoption without affecting your ability to design a cybersecurity strategy of your own.
Courtney - Service providers are in a unique position to utilize SD-WAN as a new business driver and as a business enabler for existing customers. Many service providers were already performing internet/telecom management, hardware procurement, and field service/installation roles for their customers in conjunction with traditional management of network and security operations. This means that many providers were already equipped to enable SD-WAN services for their customers, and those that weren’t could quickly pivot or expand services to do so. The addition of SD-WAN to a service provider’s portfolio opens up the door for other opportunities aimed at ensuring ease of cloud on-ramp, application assurance, and better business continuity without forcing the customer to choose cost over capability.
Renee - Businesses strive for increased performance, better security, and ease of management when it comes to their architectures. SD-WAN can provide all of that with a lower total cost of ownership. In addition, as remote access and cloud adoption become part of the new norm in how we operate, SD-WAN with built-in security becomes an important piece of the infrastructure for network and security teams.
Joe - SD-WAN is a natural business for all types of service providers. A large percentage of customers want their SD-WAN to be run as a managed service. This makes sense for two reasons:
Alain - SD-WAN solves the performance-security dilemma, but traditional SD-WAN needs to evolve to integrate security into the equation natively. As the threat becomes more sophisticated, no service provider can afford to trade security against performance or cost. The new SD-WAN has to be secure and advanced. I also certainly do see this as a foundational opportunity for SPs and other types of partners if they integrate superior security into their SD-WAN capabilities.
Take a security-driven approach to networking to improve user experience and simplify operations at the WAN edge with Fortinet’s Secure SD-WAN solution.
Read more about how FortiGate Secure SD-WAN helped Fortinet optimize network performance in this case study.