When Making SD-WAN Plans, Don't Shirk Security
DENVER -- NFV & Carrier SDN -- If you embark on SD-WAN plans and don't factor security requirements into the early stages of the process, you do so at your own peril.
That was a key message here last week from John Isch, a keynoter who serves as practice director of network and voice center of excellence at Orange Business Services.
Isch said it's critical to insert security (how it looks today and how it's expected to look years down the road) into the discussion from the get-go and avoid any delay-inducing surprises that could unexpectedly crop up well into the process, or even near the end of it.
And that comes from experience: he recalled getting three meetings into a project only to find that it was time wasted. Those talks were irrelevant because the SD-WAN network needed to be in complete sync with the company's security policies.
The security elements of SD-WAN services "can change the design of your overall network dramatically," he stressed. He noted earlier that customers tell him that the majority of their traffic (55% on the low side, and as much as 95%) is destined for the Internet.
And that security vetting spans not just the SD-WAN system, including components such as log retention for user traffic, but also user security. The use of "zero-touch provisioning," for example, must match up with the security requirements, he said.
But he's a realist about the challenge: it can be difficult to get the IT and security people in the same room, as they typically have different requirements and divergent views. While IT tends to emphasize simplicity and visibility, security people are more interested in exposing only what is absolutely necessary, Isch explained.
And the security issue is only amplified when working with global multi-nationals that are using a multitude of firewalls, he added. Among the examples is China's "Great Fire Wall," whose mere existence is not even acknowledged by that country's government.
"You can't petition the government if something doesn't work, because it's not really there…even though we all know it's there," he said.
Security was also a topic of a follow-on panel focused on future business models for SD-WAN. And some said that the message that security needs to be part of early discussions is being heeded.
For Comcast Business, security has become a "big deal" for every SD-WAN customer, Jeff Lewis, the unit's VP of data product management, said.
"Our customers are absolutely requiring security," added Kevin Sahim, VP of engineering (managed services) at GTT Communications Inc. "Security is going to maintain... a high profile."
Sahim said security is also being redefined in the SD-WAN era. "It's no longer edge or perimeter-based security; it's fabric security," he said.
But sometimes it's almost impossible to stay ahead of that requirement, as separate security departments are sometimes brought in after the fact to ensure that new systems meet the security constraints they have for legacy systems.
"Even if a new solution could potentially be more secure, oftentimes, matching what they have today is a first step," Aaron Tomosky, director of solutions consulting at QOS Networks, said.
Once you're able to blaze the necessary inroads with the security department, only then are you free to improve or make changes to those security systems going forward, he added.
— Jeff Baumgartner, Senior Editor, Light Reading