The adoption of Software Defined Wide Area Networks (SD-WAN) has exploded in recent years as companies embrace the lower costs and flexibility to accelerate digital transformation. Yet SD-WAN deployments do not offer the assurances demanded by organisations operating within regulated industries. Standard SD-WAN deployments do not ensure the integrity of sensitive data as it travels across the network environment – leaving organisations with the choice of either leaving data unprotected and vulnerable to malicious actors or remaining with expensive legacy WAN deployments. Neither approach is sustainable.
Even worse, new research provides evidence that the true business impact of data loss is not understood and that businesses are expecting service providers to bear the financial brunt of a breach – a situation accepted by the providers. Critically, despite ever-tightening regulatory focus on data assurance, the market remains focused on network security, adding to the risk of breach.
As Paul German, CEO of Certes Networks, explains, it is now critical to reassess where the perceived responsibility lies in the event of a data breach, and to clearly understand the security functions organisations with SD-WAN are currently able to enact and the gaps that still exist, if the industry is to improve confidence and achieve high assurance data.
The speed with which SD-WAN adoption has become ubiquitous underlines the acceleration in digital transformation across the world. New, independent research commissioned by Certes Networks shows that 91% of respondent companies confirm they have either started or finished SD-WAN implementation. Over half of respondents cite bandwidth efficiency as the key driver for SD-WAN implementation, followed by significant application performance improvement (47%), long term savings (45%) and WAN simplification (44%).
However, a quarter (25%) consider not sacrificing security and data privacy as a driver for implementation, which suggests a widespread lack of understanding, awareness and risk assessment surrounding current security postures. SD-WAN is not a data assurance technology – and for organisations operating in high assurance industries, standard deployments cannot meet regulatory requirements for data integrity, an increasingly vital consideration in an era of rapidly escalating security breaches – including the growing threat of cyber war.
Moreover, the research highlighted widespread confusion regarding regulatory compliance. Despite 96% being confident that regulatory requirements do provide sufficient support and guidance to protect against breaches, almost three quarters (72%) also believe there are risks involved in adopting an approach that focuses primarily on compliance first. 48% believe the main risk is that security regulations lag behind hackers’ abilities, with 45% saying a threat assessment based on historical and industry data is not done and 42% believing it is a guideline on how to breach.
Clearly, on the one hand, there is a fear that regulation doesn’t go far enough. On the other, organisations are either wilfully or unintentionally overlooking the assurance limitations of SD-WAN in order to maximise the operational and cost benefits.
This research also confirms that not enough companies appreciate the data assurance limitations associated with SD-WAN. Yes, two fifths (39%) highlight concerns that unprotected data is lying within a protected network, but only a quarter (24%) say that SD-WAN security is not enough and that a data breach in one area could affect the entire organisation, and only 22% flag the lack of onsite security features.
There is good reason for the need for more confidence in the security posture. While an SD-WAN overlay looks private, there is still a public internet connection plugged into a business that holds both sensitive and non-sensitive data. There is a very real risk that a regulated business could inadvertently end up with sensitive data on the public internet, through configuration errors or software bugs, and incur a significant regulatory breach in the process.
Furthermore, any businesses that partner with or supply to regulated industries – especially utilities and government – are becoming key targets for hackers looking for another route into organisations that have already deployed a high assurance data security model. On top of the sheer flexibility of cloud deployments, the use of local break-out to push day-to-day data created in SaaS tools such as Office365 or Salesforce directly onto the Internet, rather than directing it to the corporate data centre, further adds to the risk. What happens if the local break-out policy accidentally includes sensitive data?
Despite (or perhaps because of) the acknowledged risks, too many organisations are handing over responsibility to an IT Service Provider (ITSP) or Managed Services Provider (MSP) – and expecting the provider to pick up the financial cost should a data breach occur. Almost 50% of survey respondents confirm that third-party organisations are employed to deliver security policies. Businesses expect ITSPs to cover 48% of the costs in the event of a data breach – but 73% of ITSPs also consider themselves responsible for paying fines and damages, and believe they should pay 51% of the costs.
Moreover, far too many companies are failing to take into account the long-term business significance of a data breach. 40% say the financial impact in the long term is not considered, and only 33% consider the long-term business impact of data loss.
Simply relying on a contractual agreement for financial remuneration therefore totally misses the fundamental operational risk associated with inadequately assured SD-WANs. But this approach also highlights the confusion between network security and data assurance that dominates the industry, especially within high assurance markets. Companies need to take ownership of their data. Yes, an MSP or ITSP running the SD-WAN will put in place standards to secure the network infrastructure – but who is protecting the data and how?
This continued focus on network security rather than assuring vital data is at odds with the goal of regulators. Security regulation is totally focused on data assurance, on safeguarding essential information assets. The solutions traditionally deployed to comply with regulation, however, are about network security, a misguided focus that has left data unassured.
So how can organisations maximise the benefits of SD-WAN and retain control over their sensitive data?
High Assurance SD-WAN introduces an overlay technology that specifically targets the segmentation and protection of sensitive data within regulated organisations by using crypto-segmentation to ensure its integrity and confidentiality. The overlay approach supports the regulatory demand for separation of duties: the network team can configure the SD-WAN, while the data protection team uses fine-grained policies to define the way data is handled across the network, with ownership linked to specific encryption keys. The underlying network has no visibility of either the data or its classification, nor is it impacted in terms of performance or operational visibility.
Critically, it provides an organisation with control over the assurance of its data. With High Assurance SD-WAN, organisations no longer have to entrust the ITSP with responsibility for data assurance. Whether the network is public or private, trusted or untrusted, is irrelevant: the organisation’s data protection team simply needs to define the policy and maintain ownership of the cryptographic keys, resulting in the confidence that data is always protected wherever it goes.
There remains a massive disconnect between the current focus of security postures and the reality of the risk exposure. Yet, organisations cannot afford to embrace the flexibility and business benefits of SD-WAN without considering data assurance. They can no longer afford to hand over responsibility for implementing and delivering their security posture. A mindset shift is now imperative. The concepts of ‘security’ and ‘assurance’ have been confused and misused for decades.
It is only once the responsibility for data assurance is understood by all parties – MSPs and ITSPs included – that the correct steps will be taken to maximise the power of SD-WAN to accelerate business change while mitigating the risk down to the lowest acceptable level.