Today, more and more organizations are embracing the benefits of hybrid or disaggregated networks in terms of functionality and cost savings. However, current SD-WAN service models contain fundamental security flaws that could hamper adoption. One of their biggest weaknesses is the reliance on vendor security as an add-on. In the new connected digital world, organizations need to protect data regardless of the location of their network. A consistent approach covering both service provision and protection of transmitted data needs to be considered at the forefront of network design.
Service providers need to ask themselves some questions: How can they provide reliable hybrid networks, especially between the public internet and cloud services, while reducing the need to deploy infrastructure at every gateway or network entry point? How can they avoid the fundamental security risks associated with turning off encryption to investigate suspicious activity? Only by answering these fundamental questions can organizations embrace the inherent benefits of all SDN-based solutions without compromising security.

Agility and security

The struggle between achieving business agility and ensuring data security has never been more challenging. Clearly, the threat landscape has changed radically in recent years. The United States Computer Emergency Readiness Team (US-CERT) issued a bulletin stating that critical U.S. infrastructure has been targeted by a number of nation-state-sponsored cyberattacks. Not surprisingly, IT spending patterns reveal not only the security issues facing businesses, but also the need for businesses to understand what is happening with their data and to be able to identify and address threats as they emerge.

However, the business drivers behind the move away from multiprotocol label switching (MPLS) network technology toward software-defined networking (SDN), especially for wide area networks (WANs), may create security risks or limit the technologies that can be deployed. Today, SD-WAN provides an alternative to traditional WAN, offering flexibility, simplicity and the potential to reduce costs. This model not only provides an opportunity to develop hybrid communication infrastructure, from copper to Wi-Fi, from fiber to satellite, to provide efficient and low-cost solutions for distributed businesses; its central management model also transforms the excessive management overhead associated with complex traditional WAN infrastructure.
The result of using SD-WAN is a 30% to 50% reduction in network costs, but only if it is an end-to-end solution from the same vendor. For complex networks, larger networks, or those operating in high information assurance environments, these benefits remain questionable without innovative approaches to deploying third-party infrastructure solutions, and without separate security overlays that eliminate capacity limitations and vendor/network choice dependencies.

Current Practice

Many SDN vendors offer Layer 3 encryption as part of their SD-WAN service offerings. This type of security is a beneficial replacement for a basic network that has no protection. While the counterargument is that encryption is too costly or difficult to deploy for many enterprises, the reality is that deploying traditional Layer 3 encryption is better than nothing. But for new large SD-WAN providers that may offer solutions from a shared orchestration instance, the question that must be asked is: How can enterprises secure infrastructure operated by other vendors, even addressing security issues in the context of deploying an orchestration platform?

Furthermore, one of the most compelling reasons to adopt SD-WAN is that new infrastructure can be flexibly connected to support business changes. Given that this model results, by default, in infrastructure from multiple providers, how can enterprises ensure that each new connection is also secure?

As organizations increasingly deploy encryption at the application level, there are also questions about performance and throughput. Multiple encryption is a significant issue that affects both traditional networks and SD-WANs, and many SD-WAN deployments are limited not by network bandwidth but by encryption overhead. Of greater concern is that if IT teams wish to investigate an application or data source, these encryption solutions often need to be turned off, leaving the business open to hackers.
Network decomposition

Recognizing these issues, more and more CIOs and CSOs are driving the disaggregation agenda and concluding that services and security should be separated from the management and maintenance of any SD-WAN. This trend reflects a different approach to protecting business-critical communications infrastructure cost-effectively and eliminating reliance on a single vendor.

The only way to maximize the business benefits of SD-WAN and achieve a foundational level of security that reflects emerging threat vectors is to adopt a security overlay model. Enterprises need to find a way to deploy end-to-end Layer 4 encryption in every part of the infrastructure, regardless of the underlying network technology. In addition to meeting the network disaggregation goals of many organizations, network-agnostic encryption solutions can also strengthen the centralized management benefits of SD-WAN by providing centralized orchestration. This not only proves the security of the network, but also provides important insights into network activity and its security performance. And, if an application needs to be investigated, there is no need to shut down all security protocols, so the company remains secure at all times.

SD-WAN offers compelling benefits and, in today's fiscal realities, is increasingly the only viable option for distributed organizations, especially given the increasing use of Internet-based infrastructure and cloud computing. However, the result is that organizations have little visibility into the infrastructure they are using. Where is the data? Who owns the network? Which routes are being taken? And critically, who is protecting the data and how? The less knowledge and control an organization has over the infrastructure, the more security controls and knowledge it needs.
Only by taking this step towards network disaggregation, having a truly network-agnostic encryption technology that can protect data transmission on any IP network, and achieving centralized security orchestration and comprehensive data visibility, can enterprises confidently embrace SD-WAN and gain the flexibility they need without being vulnerable to cyber attacks.