Software-Defined Wide Area Networks (SD-WAN) are expected to have exponential adoption rates over the coming 18 months, as organizations look to better manage access to applications and users that seem to be everywhere. Providing highly robust and easily managed connectivity to branches, data centers and cloud providers, while using lower-cost bandwidth options, is the mainstay of high adoption. Keep in mind that many of these features have been around for decades and are just re-packaged under the SD-WAN umbrella. Some of those features include:
1. Encryption using Virtual Private Networks or other tunneling methodologies to create an end-to-end overlay between all sites and over all available network transports.
2. Dynamic path selection between transports in either an active/active or active/standby mode.
3. Centralized management of the WAN – yes, this has been around for a long time, just not from a cloud offering perspective.
Some newer and more exciting enhancements are really the driving force behind SD-WAN adoption, even for institutions that have existing failover capabilities within their WAN. With these new features come new risks that every institution must understand and manage as part of their SD-WAN solution regardless of in-house or third-party management. Two key features that can take the WAN to new levels but need careful consideration include:
1. Application Awareness and Performance Routing – This feature allows the network to route traffic based on the specific needs of individual applications and the current performance of the underlying network transports. Traditional failover worked well when a line was completely down but could not detect if a line suffered from jitter, packet loss, or high latency. Application awareness found within many SD-WAN solutions allows specific applications to take different paths, depending on the performance of the line in alignment with the performance requirements of the application. This feature opens the door to using multiple low-cost broadband options over expensive private forms of connectivity such as MPLS.
2. Localized Branch Internet – As organizations look to deploy more broadband services in place of private connections, the next logical step is allowing remote locations to utilize those direct Internet connections. This can greatly improve performance and user experiences for Internet access and cloud-based applications. This can represent a major change to the traditional centralized Internet connectivity model which made use of firewalls, intrusion prevention, data leak protection and third-party monitoring services.
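The contrast drawn in item 1 between traditional failover and application-aware routing, as an added example that is not from the original article or from any vendor's product. The transport names, metric values, cost ranks and per-application thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transport:
    name: str
    up: bool
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_rank: int  # assumed policy input: 1 = cheapest

@dataclass(frozen=True)
class AppSla:
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

def legacy_failover(transports):
    """Traditional failover: first line in priority order that is simply up."""
    return next((t.name for t in transports if t.up), None)

def meets_sla(t, sla):
    return (t.up and t.latency_ms <= sla.max_latency_ms
            and t.jitter_ms <= sla.max_jitter_ms
            and t.loss_pct <= sla.max_loss_pct)

def performance_route(transports, sla):
    """Return (path, compliant): cheapest path meeting the SLA, else least-bad."""
    ok = [t for t in transports if meets_sla(t, sla)]
    if ok:
        return min(ok, key=lambda t: t.cost_rank).name, True
    up = [t for t in transports if t.up]
    if not up:
        return None, False
    # Nothing meets the SLA: pick lowest loss, then latency, and flag for logging.
    return min(up, key=lambda t: (t.loss_pct, t.latency_ms)).name, False

# Constructed measurements: MPLS is up but degraded (jitter and loss).
TRANSPORTS = [
    Transport("mpls", True, 40, 35, 2.5, 3),
    Transport("broadband-a", True, 55, 8, 0.2, 2),
    Transport("broadband-b", True, 180, 20, 0.5, 1),
]
VOICE = AppSla("voice", 150, 30, 1.0)
BACKUP = AppSla("backup", 500, 100, 3.0)

def route_all():
    return {s.name: performance_route(TRANSPORTS, s) for s in (VOICE, BACKUP)}
```

Legacy failover keeps everything on the degraded MPLS line because it is still up, while the per-application check moves voice and backup to different broadband paths; the `compliant` flag marks decisions worth logging when no path meets an application's thresholds.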
These two features promise lower costs and a better user experience, therefore creating a win-win situation, but not without risks. Understanding and managing risks is best done prior to deployment, but better late than never. Through the lens of the FFIEC-provided Cybersecurity Assessment Tool, institutions looking to deploy SD-WAN should be aware of the risks and expectations as defined by the framework under the following sections:
Inherent Risk Profile
There are a few areas where SD-WAN could impact the inherent risk profile of an institution.
1. Adding Internet service provider (ISP) connections in addition to or in place of private lines can increase risk levels simply by having the connection.
2. Adding additional network hardware or virtual devices to provide SD-WAN services could also increase risk level.
3. Institutions looking to outsource SD-WAN services should review risk levels relative to third parties with access to internal systems.
4. SD-WAN components exposed to public Internet connections are subject to attack. Logging and reporting will be critical to understand any ongoing attempted cyber attacks which could increase risk levels.
Several domains could be impacted by SD-WAN deployments, depending on the features and overall network architecture. The following domains and underlying components should be reviewed to ensure alignment with, at minimum, baseline statements:
Domain 1: Cyber Risk Management and Oversight
Strategy and Policies – Be sure policies and procedures are aligned with SD-WAN technologies to set expectations for hardening, traffic flows, availability, and ongoing maintenance of the technology.
IT Asset Management – Update hardware and software inventories to include the SD-WAN components. Never assume third-party vendors are taking care of this. Request the inventory and software version lists on a regular basis to make sure components are being updated.
Risk Assessment – SD-WAN can introduce major differences in how environments move confidential data over public networks. Make sure the risks are identified and mitigating controls are defined.
Domain 2: Threat Intelligence and Collaboration
Monitoring and Analyzing – Ensure the audit and event logs of public-facing SD-WAN components align with the institution’s overall logging and retention policies.
Domain 3: Cybersecurity Controls
Infrastructure Management – When SD-WAN components are used for public connectivity or local Internet offloading, these devices need the same level of care and oversight as a traditional border firewall. Change control, system hardening, and advanced inspection need to be defined or extended to the SD-WAN solution.
Threat and Vulnerability Detection – Make sure SD-WAN devices and public connections are included in the independent audits such as penetration testing and security rule reviews. This is an important consideration to keep in mind when calculating potential cost savings over private lines.
Patch Management – Border device patching is absolutely critical. Ensure a plan is in place for identifying and patching critical vulnerabilities within SD-WAN components.
Domain 4: External Dependency Management
Connections – The network topology can change dramatically with SD-WAN technology. Update network and flow diagrams to reflect the topology. Ensure critical business processes and testing procedures include SD-WAN and are tested on a regular basis.
Due Diligence – When working with service providers or MSPs offering SD-WAN, perform reviews of their background, financial condition, stability and security controls.
With all new promising technology comes a level of risk. There can be other risk impact areas beyond what has been identified above, but each institution must review and determine its own risk levels and responses. While SD-WAN will be adopted by many industries, financial institutions will need to address areas of risk and cost that many industries will not, and that knowledge alone could make or break an institution's strategy for SD-WAN technologies within its environment.