Network security is a top boardroom priority, but protecting corporate data as it moves from the edge network out to the cloud and back is not an easy task, given today's complex hybrid-cloud architectures.
Network security matters more than ever, and it is now a major C-level concern for every large and mid-market enterprise. Senior executives have seen too many examples of what can go wrong when defences are breached to be in any doubt about what's at stake.
A serious security breach has the power to damage a brand or erode shareholder value, reversing in a day a good image that may have taken years to build. It doesn't end there. In many sectors, regulators have the power to levy major penalties on those who have suffered breaches, particularly if customer data has been compromised. New regulations like GDPR are raising the bar further.
With enterprises investing heavily to transform themselves digitally, the threat has in many respects intensified and diversified. Enterprises pursuing a hybrid cloud or multi-cloud strategy, or relying on a software-as-a-service model to give remote workers access to critical applications, perhaps via a mobile device, are potentially exposing themselves to new threat vectors that must be added to an already long list of security considerations at the WAN edge.
A digital enterprise may well have numerous points of vulnerability, and those who would seek to exploit these vulnerabilities are more highly motivated, organised and technically savvy than ever.
Threats can come in the form of DDoS attacks, malware, viruses or industrial espionage. They can affect the functioning of a network or website, or be aimed at the theft of intellectual property or customer data. The question for anyone responsible for network security is not whether such an attack will ever happen, but when. Total prevention may not be possible, so the focus must instead switch to limiting damage where it occurs.
As enterprises look for ways to accelerate their digital transformation journeys and to achieve greater business agility, they must match that by transforming their wide-area network to be more software-driven. By transforming their networking strategy with the right SD-WAN solution, they are not only gaining manageability and control, they are taking a big step toward better network security as well.
The keys to the kingdom
Putting security first means taking a multi-layered approach that is scalable and safe while also being simple to deploy, as well as straightforward to manage via an SD-WAN fabric. Truly secure networks are all about a multi-tiered architecture where multiple checks, authentications and authorizations are required to gain access to the internal network.
A major caution, however, is that not all SD-WAN solutions handle edge security in the same way. On the surface, all seem to offer cost reduction and application awareness, relying on a mechanism of building secure tunnels between sites.
But different SD-WAN solutions take a variety of approaches to important areas, such as how keys are exchanged and where they are stored. Keys determine who has access to what, so their handling is crucial to WAN security. Some SD-WAN designs are more exposed than others: weak key handling, such as a long-lived key held on every edge device, hands an attacker who compromises one device a way into the rest of the fabric, especially where that device is directly exposed to the Internet.
Given that cipher keys are what make encryption work, network managers need a way to keep them both strong and protected. Key length is the first and simplest lever: a key of at least 128 bits, and preferably 256 bits, puts brute-force attacks out of reach. Length alone, however, does nothing for a key that an attacker reads off a compromised endpoint, so how keys are generated, exchanged and stored matters at least as much.
A stronger approach is for each device to exchange only a partial value, which the peer combines with a secret of its own to arrive at the shared key; no device ever transmits the complete key, and nothing on the wire is enough to reassemble it. Capturing the exchanged values, or the material stored on a single device, therefore gives an attacker no usable means of access to the enterprise network, provided each device's private contribution is short-lived and discarded once the key is agreed. Nor do the working keys need to be stored: they can be derived afresh for each packet that has to be encrypted or decrypted.
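In standard cryptographic terms, the scheme just described is an ephemeral key agreement followed by a key derivation function: each side sends a public value, combines the peer's value with its own private exponent, and derives per-packet subkeys from the result instead of storing a tunnel key. The following is an added example to make that concrete; it is not Versa Networks' or any other vendor's SD-WAN code. It assumes finite-field Diffie-Hellman over the RFC 3526 group 14 parameters and HKDF-SHA256 (RFC 5869), uses only the Python standard library, and the device names, the `sdwan-tunnel-pkt` label and the absence of any message framing are illustrative choices.

```python
"""Key agreement in which no device transmits the complete tunnel key,
followed by per-packet subkey derivation.

Added illustration, not any vendor's SD-WAN implementation. Assumes
finite-field Diffie-Hellman over RFC 3526 group 14 and HKDF-SHA256.
The DH public value plays the role of the "partial key"; the private
exponent is the element that stays secret to each device.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime, generator 2.
P = int((
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
    "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
    "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
    "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D"
    "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F"
    "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D"
    "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B"
    "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9"
    "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510"
    "15728E5A 8AACAA68 FFFFFFFF FFFFFFFF").replace(" ", ""), 16)
Q = (P - 1) // 2   # order of the subgroup generated by G
G = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin, sufficient to sanity-check a published group parameter."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group_parameters():
    """P must be a safe prime and G must lie in the order-Q subgroup.
    A mistyped or tampered group constant fails here rather than silently
    weakening every tunnel."""
    return is_probable_prime(P) and is_probable_prime(Q) and pow(G, Q, P) == 1


def validate_public_value(y):
    """Reject 0, 1, P-1 and anything outside the order-Q subgroup; accepting
    them would let a peer force a predictable shared secret."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class EdgeDevice:
    """One SD-WAN edge. Only `public` ever leaves the device."""

    def __init__(self, name):
        self.name = name
        self._x = secrets.randbelow(Q - 1) + 1   # ephemeral private exponent in [1, Q-1]
        self.public = pow(G, self._x, P)         # the "partial key" sent to the peer
        self._prk = None

    def agree(self, peer_public):
        if not validate_public_value(peer_public):
            raise ValueError("peer sent an invalid public value")
        z = pow(peer_public, self._x, P)
        # Salt with both public values so the derived key is bound to this exchange.
        lo, hi = sorted((self.public, peer_public))
        transcript = lo.to_bytes(256, "big") + hi.to_bytes(256, "big")
        self._prk = hkdf_extract(transcript, z.to_bytes(256, "big"))
        self._x = None   # discard the private exponent: a later compromise cannot redo this agreement

    def packet_key(self, seq):
        """Per-packet subkey, derived on demand and never stored."""
        if self._prk is None:
            raise RuntimeError("no key agreed yet")
        return hkdf_expand(self._prk, b"sdwan-tunnel-pkt" + seq.to_bytes(8, "big"), 32)


def run_exchange(packets=3):
    """Two edges agree a key over an observable channel and derive per-packet keys."""
    branch, hub = EdgeDevice("branch"), EdgeDevice("hub")
    branch.agree(hub.public)     # hub.public is all an eavesdropper sees of the hub
    hub.agree(branch.public)
    keys_branch = [branch.packet_key(i) for i in range(packets)]
    keys_hub = [hub.packet_key(i) for i in range(packets)]
    return {
        "keys_match": keys_branch == keys_hub,
        "distinct_per_packet": len(set(keys_branch)) == packets,
        "key_len": len(keys_branch[0]),
        "on_the_wire": (branch.public, hub.public),
    }


if __name__ == "__main__":
    assert check_group_parameters()
    print(run_exchange())
```

The public-value check in `validate_public_value` is the "validate the partial key" step: without it a peer can send 1 or P-1 and force a known shared secret. The protective claim in the text holds only as far as the code shows it: what crosses the wire is useless without a private exponent, and erasing that exponent after agreement means a device seized later cannot recover past sessions; a device compromised while a tunnel is live still holds the session root (`_prk`) for that tunnel, so key handling must be paired with endpoint hardening rather than replace it.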
The networks of yesterday were data centre centric; with SaaS and multi-cloud requirements, however, connectivity is needed from site to site at the edge and from the edge to the cloud.
Branches no longer need to connect back to the corporate data centre for application and cloud access, packet inspection and security enforcement; backhauling all traffic to the data centre for those purposes resulted in a poor user experience.
What the contemporary enterprise needs is direct Internet access without security being configured branch by branch to differing standards. SD-WAN allows the same security policies to be applied at every branch, from one place and in one context, alongside more deterministic network performance.
In some cases only a portion of the security stack needs to run on the customer premises equipment (CPE), with the rest delivered as integrated cloud-based security that scales up and down with workload demand. Cloud security as a service does that natively, so there is no need to size compute individually for every branch.
Multiple connections into the SD-WAN, including private and hybrid links, allow branches direct Internet access (DIA). Managed SD-WAN combined with cloud security as a service can manage both on-premises and cloud-based policies uniformly.
In extending the WAN edge to the cloud, SD-WAN removes the bottleneck between private and public cloud. The bigger threat is that once a branch connects directly to the Internet its public IP address is exposed, raising concerns about DDoS attacks and unknown vulnerabilities. Protecting that public window at the edge is paramount, but it does not require an expensive inline hardware appliance at every branch.
Hardware-based platforms do not scale in or out when you have to change a policy or service. SD-WAN is more elastic: you pay only for what you need at the time it's needed, as opposed to over-provisioning hardware capacity that may never be used.
An SD-WAN solution that is fit for purpose will also enable visibility and manageability, offering a seamless way to look at security, whether at branch or head office level. Cloud-security-as-a-service will enable this, whether the connection is in the form of the Internet or a private link of some sort.
That and many other capabilities must be embedded within an SD-WAN fabric. Protecting data has always been important – and challenging. Every enterprise has at least some private information, along with a duty to protect that data whether it is intellectual property, financial information, customer subscription information, payment history, or other information that a regulator says must be given maximum protection.
The right SD-WAN solution will give this protection.
Versa Networks President and CEO Kelly Ahuja has more than 20 years of experience in networking and telecoms. He currently serves on the board of directors for two startups in Silicon Valley. Kelly spent 18 years at Cisco deeply involved with the design and deployment of telco networks. He was most recently SVP of Service Provider Business, Products and Solutions at Cisco where he was responsible for developing and managing the service provider segment strategy and portfolio. Kelly held several other senior executive roles at Cisco, including SVP and GM of the Mobility Business Group, Chief Architect for the Service Provider business, and SVP and GM of the Service Provider Routing Technology Group.
Richard van der Draay was in San Jose as a guest of NetEvents