Ensuring employees operate securely regardless of location has grown in importance over the last several years as the number of people working remotely has exploded. These workers are most likely operating within a software-defined wide area network (SD-WAN). They use SD-WAN to work with data that is now processed more and more in many different cloud services.
While these networks come with built-in safeguards, security personnel should be familiar with the extra steps needed to provide protection to all users and also threat actors are likely to use the SD-WAN as a pathway when launching an attack. Securing user activity and cloud services while providing a consistent user experience is the heart of the problem.
To start off, no discussion on identifying, assessing, and managing the risks associated as well as safeguarding SD-WAN can take place without a basic understanding of exactly what we mean by SD-WAN.
But, that definition will vary depending upon who is asked. It's one of those topics that you can answer a few different ways depending on your perspective. If you're a user, a network engineer or a network architect, you're going to answer one way. However, if you're a vendor, you're probably going to have a different answer, and if you are a security professional, the answer will yet again differ. But that's OK; there are different ways of understanding SD-WAN, and we are going to cover them all.
For example, IBM defines SD-WAN as a virtualized WAN architecture that abstracts and centralizes the management of smaller and otherwise disconnected WAN networks, allowing an organization to share data and applications across branch offices, remote workers, and authorized devices that span vast geographical distances and multiple telecom infrastructures.
Meanwhile, VMWare says SD-WAN is the application of software-based network technologies that virtualize WAN connections. It decouples network software services from the underlying hardware to create a virtualized network overlay. Enabling users anywhere to connect to applications anywhere, SD-WAN offers flexibility, simplicity, performance, security, and cloud scale.
However, at the end of the day, the reason SD-WAN exists is to support your organization's mission, support the quality of the end-user experience, and make the quality of the end-user experience consistent, reliable, and definable regardless of where that user actually sits. This endeavor may sound simple in practice, but when added to handling the entire infrastructure and its myriad ways and methods of computing, it becomes extremely challenging.
So, with a basic definition of SD-WAN on the table, let's move on.
Step 1. Demystify and seek to understand your SD-WAN
The first step is to understand the "why" of your architecture. Understanding why this architecture is in place within the organization is very important. The why will answer why the configurations were constructed in this specific manner and why your network teams have decided to take one route versus another.
Once we answer the "why" questions, the next topic is "what." You must understand the "what" about the architecture in question by obtaining all the documentation available and then ask questions to the right people.
Some questions to ask are what kind of connectivity exists in different locations, who manages this area, and what types of traffic are going over the wire. Inventory the major solutions and vendors used to implement the SD-WAN architecture.
This stage can be time-consuming, possibly taking weeks if you have a very large network.
Step 2. Let's Discuss Risk
Once this knowledge is absorbed, you will have a better idea of how the SD-WAN operates, which is essential because bad guys, unfortunately, will be using it as a conduit. Threat actors are going to be going across your SD-WAN in some way. They are coming in from the Internet and will be inside your connections, going to your cloud services, going to your end users, and making their way to their computers.
But let's not cry wolf. There are many security features available within SD-WAN solutions that help manage that risk. Still, it's also important to understand the risk level and what types of risks exist so that you can help mitigate those as much as possible.
First, list all of the negative things you want to prevent from happening. A good place to start using some fundamental cybersecurity concepts:
- Communications across the SD-WAN at any point are intercepted by malicious parties (breach of confidentiality)
- Application-layer data can be accessed and altered in different locations without detection and with unknown consequences (breach of integrity)
- The architecture has single points of failure, such as with transport links, that can succumb to attacks that can result in services not being available for the end user (breach of availability)
A significant point I want to raise is that a security manager must realize that the word "Any" when used in the context of SD-WAN comes with a caveat. It's "Any" that is needed for official business purposes, but just because the organization wants to optimize the network for user experience by maximizing flexibility does not mean you must allow malicious or potentially harmful things to happen. This is where others might start disagreeing with you, but they're wrong.
Please click the above image for additional detailed information on defending your SD-WAN.
Step 3. Assessing the Risks
To assess your risk level, start with the notes taken when you identified the risks in your environment and then pull out the handy list of solutions used to implement the SD-WAN created in Step 1.
Ask what security capabilities exist in those technologies to prevent or detect the type of malicious activity you are concerned about. Then, in the same conversation, ask what security capabilities your organization own and which of those are in fact enabled. Continue with this process until you've walked through all the technologies in use and covered all parts of the SD-WAN architecture. Again, this can be a time-consuming process, but it is arguably the most important thing you can do. This is the stage where you start making some traction!
Finally, don't forget physical security controls, administrative controls (e.g., privileged SD-WAN account management, backup/recovery, etc.) and contract SLAs if you depend on a managed service for your security or management.
Step 4. Managing the Risk
List the gaps - List areas where you believe the controls are insufficient to control the identified risks and make sure to document why you think these are, in fact, gaps. For example, is it because controls are either not implemented or partially implemented for a risk your company’s security policy requires? Ask for the opinion of your network team. They should agree if there's a gap but may not agree it's an actionable gap. That's OK; it's not their job to accept risk.
Rank the gaps - Assign a risk rating to the gap. Note that this can be pretty subjective but use your judgment and knowledge of the company. What jumps out to you as being a critical gap? Example – no encryption across any of the Transport circuits over the open Internet.
Make an action plan – This activity may or may not fall to you, depending on your job responsibilities. Many options include accepting the risk (but documenting it), remediating the risk, mitigating the risk, or transferring the risk, to a cyber insurance company. Sometimes this option makes sense because it would cost more to mitigate the risk than just paying for an insurance policy.
Remember - Leave no risks behind, and never ignore them.
Congratulations! You've done a lot of hard work and have covered more ground than the vast majority of your peers in the industry when it comes to securing their SD-WAN.
However, this is not the end. Evaluate how "sticky" the controls are and how strong the administrative processes are. The review you just did is, unfortunately, just a point in time. Develop a plan for follow-up and keep on top of agreed-upon action items.