RSMUS.comSoftware-Defined Wide Area Networks (SD-WAN) are expected to have exponential adoption rates over the coming 18 months, as organizations look to better manage access to applications and users that seem to be everywhere. Providing highly-robust and easily-managed connectivity to branches, data centers and cloud providers, while using lower-cost bandwidth options, are mainstays for high adoption. Keep in mind that many of these features have been around for decades and are just re-packaged under the SD-WAN umbrella. Some of those features include:
1. Encryption using Virtual Private Networks or other tunneling methodologies to create end-to-end overlay between all sites and over all available network transports.
2. Dynamic path selection between transports in either an active/active or active/standby mode.
3. Centralized management of the WAN – yes, this has been around for a long time just not from a cloud offering perspective.
Some newer and more exciting enhancements are really the driving force behind SD-WAN adoption, even for institutions that have existing failover capabilities within their WAN. With these new features come new risks that every institution must understand and manage as part of their SD-WAN solution regardless of in-house or third-party management. Two key features that can take the WAN to new levels but need careful consideration include:
1. Application Awareness and Performance Routing – This feature allows the network to route traffic based on the specific needs of individual applications and the current performance of the underlying network transports. Traditional failover worked well when a line was completely down but could not detect if a line suffered from jitter, packet loss, or high latency. Application awareness found within many SD-WAN solutions allows specific applications to take different paths, depending on the performance of the line in alignment with the performance requirements of the application. This feature opens the door to using multiple low cost broadband options over expensive private forms of connectivity such as MPLS.
2. Localized Branch Internet – As organizations look to deploy more broadband services in place of private connections, the next logical step is allowing remote locations to utilize those direct Internet connections. This can greatly improve performance and user experiences for Internet access and cloud-based applications. This can represent a major change to the traditional centralized Internet connectivity model which made use of firewalls, intrusion prevention, data leak protection and third-party monitoring services.
These two features promise lower costs and a better user experience, therefore creating a win-win situation, but not without risks. Understanding and managing risks are best done prior to deployment, but better late than never. Through the lens of the FFIEC provided Cybersecurity Assessment Tool, institutions looking to deploy SD-WAN should be aware of the risks and expectations as defined by the framework under the following sections:
Inherent Risk Profile
There are a few areas where SD-WAN could impact the inherent risk profile of an institution.
1. Adding Internet service provider (ISP) connections in addition to or in place of private lines can increase risk levels simply by having the connection.
2. Adding additional network hardware or virtual devices to provide SD-WAN services could also increase risk level.
3. Institutions looking to outsource SD-WAN services should review risk levels relative to third parties with access to internal systems.
4. SD-WAN components exposed to public Internet connections are subject to attack. Logging and reporting will be critical to understand any ongoing attempted cyber attacks which could increase risk levels.
Cybersecurity Maturity
Several domains could be impacted by SD-WAN deployments, depending on the features and overall network architecture. The following domain and underlying components should be reviewed to ensure alignment with, at minimum, baseline statements:
Domain 1: Cyber Risk Management and Oversight
Strategy and Policies – Be sure policies and procedures are aligned with SD-WAN technologies to set expectations for hardening, traffic flows, availability, and ongoing maintenance of the technology.
IT Asset Management – Update hardware and software inventories to include the SD-WAN components. Never assume third-party vendors are taking care of this. Request the inventory and software version lists on a regular basis to make sure components are being updated.
Risk Assessment – SD-WAN can introduce major differences in how environments move confidential data over public networks. Make sure the risks are identified and mitigating controls are defined.
Domain 2: Threat Intelligence and Collaboration
Monitoring and Analyzing – Ensure the audit and event logs of public facing SD-WAN components align with the institution’s overall logging and retention policies.
Domain 3: Cybersecurity Controls
Infrastructure Management – When SD-WAN components are used for public connectivity or local Internet offloading, these devices need the same level of care and oversight as a traditional border firewall. Change control, system hardening, and advanced inspection need to be defined or extended to the SD-WAN solution.
Threat and Vulnerability Detection – Make sure SD-WAN devices and public connections are included in the independent audits such as penetration testing and security rule reviews. This is an important consideration to keep in mind when calculating potential cost savings over private lines.
Patch Management – Border device patching is absolutely critical. Ensure a plan is in place for identifying and patching critical vulnerabilities within SD-WAN components.
Domain 4: External Dependency Management
Connections – The network topology can change dramatically with SD-WAN technology. Update network and flow diagrams to reflect the topology. Ensure critical businesses processes and testing procedures include SD-WAN and are tested on a regular basis.
Due Diligence – When working with service providers or MSPs offering SD-WAN, perform reviews of their background, financial condition, stability and security controls.
With all new promising technology comes a level of risk. There can be other risk impact areas beyond what has been identified above, but each institution must review and determine their own risk levels and responses. While SD-WAN will be adopted by many industries, financial institutions will need to address areas of risk and cost that many industries will not, and that knowledge alone could make or break an institutions strategy for SD-WAN technologies within their environment.
If you want to experience true freedom though SD-WAN, contact the professionals at RSM to review your network needs and learn more about your options.
Scott Hermanson
Scott leads the national network and unified communication solutions team, which encompasses network cyber-defense technologies, transport systems and unified communication platforms. Prior to joining RSM in 2003, Scott worked for a software company as a senior network engineer where he was responsible for the design and implementation of data and voice networks to support financial transactions in excess of over $1 million every minute and up to 800,000 online traders. Scott also has an extensive background in network design and architecture. He has designed infrastructures to support both front and back-office financial transactions with a variety of firms. Scott has great discipline in the field of network documentation and operational procedures. He has created web-based systems to capture network-based move, add and change requests, and a live documentation management system. He also has detailed experience for the implementation of network monitoring and management tools from a variety of vendors. In order to accommodate government regulation of financial-based networks, Scott has designed networks for five nines of availability. During his employment with a software company, the core network designed by Scott was able to switch all 800,000 users and over a dozen back-end connections to a remote recovery facility in less than three minutes. Switching services to the remote facility was performed once per month to ensure clients of the business continuance plan.