SD-WANs are commonly virtualized and rely heavily on the public Internet, along with a range of private WAN connections. Managing security for SD-WAN is a moving target and a balancing act. The need for secure SD-WAN services has been driven by systemic changes in how enterprise applications and data are delivered, and dramatic shifts in the workplace.
In response, SASE (developed by Gartner in 2019), is redefining SD-WAN security by removing the physical perimeter that has governed security for generations, especially in the enterprise environment. SASE is addressing enterprise security as two major trends unfold. One is a long-term trend where applications and data are moving from the data center into the cloud. That’s been happening for over a decade. Analysts estimate that over half the workloads have already been migrated to public clouds. Simultaneously, the workforce was forced to move from the campus or office into a work-from-home (WFH), or a work-from-anywhere environment. That is having dramatic implications.
Both trends were accelerated by Covid-19 in 2020, and the WFH environment in particular creates a problem for enterprise CSOs who are attempting to maintain order and security, even though the network is not under their control. Home networks are particularly troubling to CIO/CSOs, which may not be readily managed by IT and expose a myriad of new vulnerabilities.
SASE is a distributed security architecture envisioned to address the cloud-centric world. Instead of assuming a physical perimeter, SASE up-levels the protection to secure users and applications as opposed to subnetworks and IP resources.
In the SASE architecture, security functions are deployed into the cloud, and specifically at the edge. Users request access via connections to the cloud, no matter where in the world they are located. Once access is granted, the user’s identity, role, and context is considered prior to be permitted to access applications and data. Should the context change, access privileges may be changed as well. All such decisions are made independent of the physical location, network, etc.
SASE is predicated on a companion technology called Zero Trust and Zero Trust Network Access (ZTNA). Zero Trust eliminates the notion of trust, necessitating that access must be granted for each application transaction. In other words, every time something is accessed, both inside and outside an organization’s perimeter, ZTNA dynamically assesses whether that user has the privileges, the context is appropriate, as their identity is authenticated, and whether they have vetted access to the specific data requested.
Learn more about SASE and Zero Trust
The MEF has a number projects underway in response to the SASE wave. One is the SASE service definition or service framework project. The other is the Zero Trust framework. Both projects were recently approved and are ramping up. They provide an opportunity for MEF to enhance its posture in security. These are complimentary to the MEF Application Security for SD-WAN project, which defines a selection of the security functions that will be deployed in a SASE architecture.
Spirent is the leading testing contributor to the MEF. MEF selected Spirent as the Authorized Certificate Test Partner for SD-WAN, and in turn we drove creation of the SD-WAN certification program. Presently, we lead the MEF security testing and certification incubation group, which is exploring the MEF’s first security certification. We are also assessing the MEF security standards to channel feedback to the standardization process. For SD-WAN, this proactive response led to the establishment of the MEF SD-WAN Service Readiness Testing (SRT) project, which enables operators to validate new sites and connectivity prior to service activation.
In the meanwhile, a sound security testing strategy and capability that comprehensively addresses all the layers is crucial for SD-WAN success. This approach must strike the proper balance between performance impact and security efficacy. Moreover, a multi-layer testing strategy that addresses the entire service delivery lifecycle is essential to enable SD-WAN managed service providers to effectively deliver managed SD-WAN and security service in the multi-cloud environment.
A sound security testing strategy and capability that comprehensively addresses all the layers is crucial for SD-WAN success. This approach must strike the proper balance between performance impact and security efficacy.
Spirent recommends an SD-WAN testing approach that blends both network and security testing methodologies. It should leverage best practices drawn from years of experience, with the mandate of security over everything. This should include emulation of hyperrealism of test traffic for performance and security validation, with no distinction of what is developed as pilot in a lab, involved in deployment, or operates on live networks. The testing approach should also leverage CI/CD and next-gen test and lab automation to assure optimized quality and address impacts on time to test and Capex/Opex considerations.
Empowering the realization of SD-WAN’s promise
SD-WAN ushers in a new era of cloud-based services, which tailor the network to the application demands. However, migration to the cloud incurs challenges of reliable interoperability and inherent inefficiences. This includes new risks and vulnerabilities as the potential attack surface increases dramatically with an explosion in endpoints and increased use of publicly accessible networks. Taming the complexity of SD-WAN services is further complicated by the virtualization of SD-WAN endpoints and controllers, which introduce a new set of challenges. Any organization attempting to address these complexities on their own, without a deep bench of expertise and technology capabilities, face serious challenges. Having a vendor-neutral partner to tame the risks of SD-WAN is essential to success.
For additional details on how Spirent's SD-WAN Test/Validation/Assurance approach may benefit both MSPs and their vendors, download the new SD-WAN eBook Paving the Way to Secure SD-WAN.